0% found this document useful (0 votes)

27 views67 pages

Radio Frequency Identification System Security RFIDsec 13 Asia Workshop Proceedings 1st Edition C. Ma Ebook All Chapters PDF

Proceedings

Uploaded by

norinludka0t

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

27 views67 pages

Radio Frequency Identification System Security RFIDsec 13 Asia Workshop Proceedings 1st Edition C. Ma Ebook All Chapters PDF

Proceedings

Uploaded by

norinludka0t

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 67

Visit https://ebookfinal.

com to download the full version and

explore more ebook

Radio Frequency Identification System Security

RFIDsec 13 Asia Workshop Proceedings 1st Edition C.
Ma

_ Click the link below to download _

https://ebookfinal.com/download/radio-frequency-
identification-system-security-rfidsec-13-asia-
workshop-proceedings-1st-edition-c-ma/

Explore and download more ebook at ebookfinal.com

Here are some recommended products that might interest you.
You can download now and explore!

Radio Frequency Integrated Circuits and Systems 1st

Edition Hooman Darabi

https://ebookfinal.com/download/radio-frequency-integrated-circuits-
and-systems-1st-edition-hooman-darabi/

ebookfinal.com

Radio frequency circuit design 2nd ed Edition W Alan

Davis

https://ebookfinal.com/download/radio-frequency-circuit-design-2nd-ed-
edition-w-alan-davis/

ebookfinal.com

Radio Frequency Electronics Circuits and Applications 2nd

Edition Jon B. Hagen

https://ebookfinal.com/download/radio-frequency-electronics-circuits-
and-applications-2nd-edition-jon-b-hagen/

ebookfinal.com

Radio Frequency Transistors Principles and Practical

Applications 2nd Edition Norman Dye

https://ebookfinal.com/download/radio-frequency-transistors-
principles-and-practical-applications-2nd-edition-norman-dye/

ebookfinal.com
Radio Frequency and Microwave Communication Circuits
Analysis and Design Second Edition Devendra K.
Misra(Auth.)
https://ebookfinal.com/download/radio-frequency-and-microwave-
communication-circuits-analysis-and-design-second-edition-devendra-k-
misraauth/
ebookfinal.com

Control System Documentation Applying Symbols And

Identification 2nd Edition Thomas Mcavinew

https://ebookfinal.com/download/control-system-documentation-applying-
symbols-and-identification-2nd-edition-thomas-mcavinew/

ebookfinal.com

Power System Load Frequency Control Classical and Adaptive

Fuzzy Approaches 1st Edition Hassan A. Yousef

https://ebookfinal.com/download/power-system-load-frequency-control-
classical-and-adaptive-fuzzy-approaches-1st-edition-hassan-a-yousef/

ebookfinal.com

Lepton Scattering Hadrons and QCD Proceedings 1st Edition

Hadrons And Qcd Workshop On Lepton Scattering

https://ebookfinal.com/download/lepton-scattering-hadrons-and-qcd-
proceedings-1st-edition-hadrons-and-qcd-workshop-on-lepton-scattering/

ebookfinal.com

Autism and the Environment Challenges and Opportunities

for Research Workshop Proceedings 1st Edition Institute Of
Medicine
https://ebookfinal.com/download/autism-and-the-environment-challenges-
and-opportunities-for-research-workshop-proceedings-1st-edition-
institute-of-medicine/
ebookfinal.com
Radio Frequency Identification System Security RFIDsec
13 Asia Workshop Proceedings 1st Edition C. Ma Digital
Instant Download
Author(s): C. Ma; J. Weng
ISBN(s): 9781614993285, 1614993289
Edition: 1
File Details: PDF, 2.25 MB
Year: 2013
Language: english
RADIO FREQUENCY IDENTIFICATION
SYSTEM SECURITY
Copyright © 2013. IOS Press, Incorporated. All rights reserved.

Radio Frequency Identification System Security : RFIDsec'13 Asia Workshop Proceedings, edited by C. Ma, and J. Weng, IOS Press,
Cryptology and Information Security Series
The Cryptology & Information Security Series (CISS) presents the latest research results in the
theory and practice, analysis and design, implementation, application and experience of
cryptology and information security techniques. It covers all aspects of cryptology and
information security for an audience of information security researchers with specialized
technical backgrounds.

Coordinating Series Editors: Raphael C.-W. Phan and Jianying Zhou

Series editors
Feng Bao, Institute for Infocomm Research, Singapore Nasir Memon, Polytech University, USA
Kefei Chen, Shanghai Jiaotong University, China Chris Mitchell, RHUL, United Kingdom
Robert Deng, SMU, Singapore David Naccache, École Normale Supérieure, France
Yevgeniy Dodis, New York University, USA Gregory Neven, IBM Research, Switzerland
Dieter Gollmann, TU Hamburg-Harburg, Germany Phong Nguyen, CNRS / École Normale Supérieure, France
Markus Jakobsson, Indiana University, USA Andrew Odlyzko, University of Minnesota, USA
Marc Joye, Thomson R&D, France Adam Young, MITRE Corporation, USA
Javier Lopez, University of Malaga, Spain Moti Yung, Columbia University, USA

Volume 11
Recently published in this series

Vol. 10. M.M. Prabhakaran and A. Sahai (Eds.), Secure Multi-Party Computation
Vol. 9. S.G. Weber, Multilaterally Secure Pervasive Cooperation – Privacy Protection,
Accountability and Secure Communication for the Age of Pervasive Computing
Vol. 8. N.-W. Lo and Y. Li (Eds.), Radio Frequency Identification System Security –
RFIDsec’12 Asia Workshop Proceedings
Vol. 7. P. Junod and A. Canteaut (Eds.), Advanced Linear Cryptanalysis of Block and Stream
Ciphers
Vol. 6. T. Li, C.-H. Chu, P. Wang and G. Wang (Eds.), Radio Frequency Identification
System Security – RFIDsec’11 Asia Workshop Proceedings
Vol. 5. V. Cortier and S. Kremer (Eds.), Formal Models and Techniques for Analyzing
Copyright © 2013. IOS Press, Incorporated. All rights reserved.

Security Protocols
Vol. 4. Y. Li and J. Zhou (Eds.), Radio Frequency Identification System Security –
RFIDsec’10 Asia Workshop Proceedings
Vol. 3. C. Czosseck and K. Geers (Eds.), The Virtual Battlefield: Perspectives on Cyber
Warfare
Vol. 2. M. Joye and G. Neven (Eds.), Identity-Based Cryptography
Vol. 1. J. Lopez and J. Zhou (Eds.), Wireless Sensor Network Security

ISSN 1871-6431 (print)

ISSN 1879-8101 (online)

Edited by
Changshe Ma
South China Normal University, China
and
Jian Weng
Jinan University, China
Copyright © 2013. IOS Press, Incorporated. All rights reserved.

Amsterdam • Berlin • Tokyo • Washington, DC

Radio Frequency Identification System Security : RFIDsec'13 Asia Workshop Proceedings, edited by C. Ma, and J. Weng, IOS Press,
© 2013 The authors and IOS Press.

All rights reserved. No part of this book may be reproduced, stored in a retrieval system,
or transmitted, in any form or by any means, without prior written permission from the publisher.

ISBN 978-1-61499-327-8 (print)

ISBN 978-1-61499-328-5 (online)
Library of Congress Control Number: 2013952824

Publisher
IOS Press BV
Nieuwe Hemweg 6B
1013 BG Amsterdam
The Netherlands
fax: +31 20 687 0019
e-mail: [email protected]

Distributor in the USA and Canada

IOS Press, Inc.
4502 Rachael Manor Drive
Fairfax, VA 22032
USA
fax: +1 703 323 3668
e-mail: [email protected]
Copyright © 2013. IOS Press, Incorporated. All rights reserved.

LEGAL NOTICE
The publisher is not responsible for the use which might be made of the following information.

PRINTED IN THE NETHERLANDS

Radio Frequency Identification System Security : RFIDsec'13 Asia Workshop Proceedings, edited by C. Ma, and J. Weng, IOS Press,
Radio Frequency Identification System Security v
C. Ma and J. Weng (Eds.)
IOS Press, 2013
© 2013 The authors and IOS Press. All rights reserved.

Preface
This volume contains the papers presented at the 2013 Workshop on Radio Frequency
Identification/Internet of Things Security (RFIDsec’13 Asia) held in Guangzhou, China
on November 27, 2013. The workshop was co-hosted by South China Normal Univer-
sity and Jinan University. The General Chairs were Yingjiu Li, from Singapore Man-
agement University, and Yong Tang from South China Normal University.
RFIDsec’13 Asia is aligned with the RFID security workshop (RFIDsec) which
addresses security and privacy issues in Radio Frequency Identification (RFID). Since
its inception in 2005, RFIDsec has been organized as a series of workshops held in
Graz (2005/06), Malaga (2007), Budapest (2008), Leuven (2009), Istanbul (2010),
Amherst (2011), Nijmegen (2012) and Graz (2013). RFIDsec’13 Asia is the fifth edi-
tion of this series of workshops to be held in Asia, following RFIDsec’09 Asia in Tai-
pei (2009), RFIDsec’10 Asia in Singapore (2010), RFIDsec’11 Asia in Wuxi (2011)
and RFIDsec’12 Asia in Taipei (2012).
RFIDsec’13 Asia provides an international forum to address the fundamental is-
sues in theory and practice related RFID/IoT technologies and applications. This year’s
excellent program consists of 10 high-quality papers, selected after a rigorous review
process by both members of the Program Committee and external reviewers. Many
interesting topics are covered, including RFID authentication, mutual authentication
and ownership transfer, security of RFID applications, NFC and the Internet of Things,
and side channel attacks. All RFIDsec’13 Asia papers are published by IOS Press in the
Cryptology and Information Security Series.
RFIDsec’13 Asia was made possible thanks to the contributions of many individu-
als and organizations. First, we would like to thank all those authors who submitted
their scientific papers. We would also like to thank the Program Committee members
and external reviewers for reviewing and commenting on the submitted papers. Fur-
Copyright © 2013. IOS Press, Incorporated. All rights reserved.

thermore, we thank the Organization Committee for organizing this workshop. Last but
not least, we are grateful to South China Normal University and Jinan University for
hosting the workshop.

Changshe Ma and Jian Weng

November 2013

Radio Frequency Identification System Security : RFIDsec'13 Asia Workshop Proceedings, edited by C. Ma, and J. Weng, IOS Press,
This page intentionally left blank
Copyright © 2013. IOS Press, Incorporated. All rights reserved.

Radio Frequency Identification System Security : RFIDsec'13 Asia Workshop Proceedings, edited by C. Ma, and J. Weng, IOS Press,
vii

Organization of the 2013 Workshop

on RFID and IoT Security (RFIDsec’13 Asia)
27 Nov, 2013, Guangzhou, China
Hosted by South China Normal University, China
Co-hosted by Jinan University, China
Supported by RFIDsec

General Chairs
Yingjiu Li (SMU, Singapore)
Yong Tang (SCNU, China)

Program Chairs
Jianying Zhou (I2R, Singapore)
Changshe Ma (SCNU, China)
Jian Weng (JNU, China)

Program Committee
Zhong Chen (PKU, China)
Hung-Yu Chien (NCNU, Taiwan)
Chao-Hsien Chu (PSU, US; SMU, Singapore)
Xinxin Fan (University of Waterloo, Canada)
Gerhard Hancke (Royal Holloway, UK)
Miroslaw Kutylowski (Wroclaw UT, Poland)
Copyright © 2013. IOS Press, Incorporated. All rights reserved.

Tieyan Li (Huawei, Singapore)

Nai-Wei Lo (NTUST, Taiwan)
Di Ma (UM-Dearborn, US)
Rodrigo Roman (I2R Singapore)
Jörn-Marc Schmidt (TU-Graz, Austra)
Kouichi Sakurai (Kyushu University, Japan)
Huiping Sun (PKU, China)
Shaohua Tang (SCUT, China)
Yanjiang Yang (I2R, Singapore)
Chan Yeob Yeun (KUSTAR, UAE)
Yunlei Zhao (Fudan University, China)

Publication and Publicity Chairs

Anyi Liu (IPFW, US)
Jie Shi (SMU, Singapore)

Local Organization Committee

Dehua Zhou (JNU, China)

Radio Frequency Identification System Security : RFIDsec'13 Asia Workshop Proceedings, edited by C. Ma, and J. Weng, IOS Press,
ix

Contents
Preface v
Changshe Ma and Jian Weng
Organization of the 2013 Workshop on RFID and IoT Security (RFIDsec’13 Asia)
27 Nov, 2013, Guangzhou, China vii

Regular Papers

On RFID Authentication Protocols with Wide-Strong Privacy 3

Nan Li, Yi Mu, Willy Susilo, Fuchun Guo and Vijay Varadharajan
Chameleon RFID and Tracking Prevention 17
Marek Klonowski, Mirosław Kutyłowski and Piotr Syga
A Secure Elliptic Curve Based RFID Ownership Transfer Scheme with
Controlled Delegation 31
Shu Cheng, Vijay Varadharajan, Yi Mu and Willy Susilo
IBIHOP: Proper Privacy Preserving Mutual RFID Authentication 45
Roel Peeters, Jens Hermans and Junfeng Fan
A Framework to Securing RFID Transmissions by Varying Transmitted
Reader’s Power 57
Fei Huo, Chouchang Yang, Guang Gong and Radha Poovendran
SSL Usage in Commercial Internet of Things Platforms 69
Roy Fisher and Gerhard Hancke
A Comparative Study of Stream Ciphers and Hash Functions for RFID
Copyright © 2013. IOS Press, Incorporated. All rights reserved.

Authentications 83
Shugo Mikami, Dai Watanabe and Kazuo Sakiyama

Short Papers

Securing NFC with Elliptic Curve Cryptography – Challenges and Solutions 97

Xinxin Fan and Guang Gong
Remote Attestation Mechanism for Embedded Devices Based on Physical
Unclonable Functions 107
Raja Naeem Akram, Konstantinos Markantonakis and Keith Mayes
A Survey of Side Channel Attacks on MPKCs Potential for RFID 123
Weijian Li, Shaohua Tang and Daojing He

Subject Index 133

Author Index 135

Radio Frequency Identification System Security : RFIDsec'13 Asia Workshop Proceedings, edited by C. Ma, and J. Weng, IOS Press,
Regular Papers
Copyright © 2013. IOS Press, Incorporated. All rights reserved.

Radio Frequency Identification System Security : RFIDsec'13 Asia Workshop Proceedings, edited by C. Ma, and J. Weng, IOS Press,
Radio Frequency Identification System Security 3
C. Ma and J. Weng (Eds.)
IOS Press, 2013
© 2013 The authors and IOS Press. All rights reserved.
doi:10.3233/978-1-61499-328-5-3

On RFID Authentication Protocols with

Wide-Strong Privacy 1
Nan Li a , Yi Mu a , Willy Susilo a,2 , Fuchun Guo a and Vijay Varadharajan b
a
Centre for Computer and Information Security Research, School of Computer
Science and Software Engineering, University of Wollongong, Wollongong,
Australia
e-mail: {nl864,ymu,wsusilo,fuchun}@uow.edu.au
b
Information and Networked Systems Security Research, Department of
Computing, Faculty of Science, Macquarie University, Sydney,Australia
e-mail: [email protected]

Abstract. Radio frequency identiﬁcation (RFID) tag privacy is an im-

portant issue to RFID security. To date, there have been several at-
tempts to achieve the wide-strong privacy by using zero-knowledge pro-
tocols. In this paper, we launch an attack on the recent zero-knowledge
based identification protocol for RFID, which was claimed to capture
wide-strong privacy, and show that this protocol is flawed. Subsequently,
we propose two zero-knowledge based tag authentication protocols and
prove that they offer wide-strong privacy.

1. Introduction
Copyright © 2013. IOS Press, Incorporated. All rights reserved.

Radio frequency identification (RFID) tags have very limited computation and
storage resources and are usually not tamper-resistant. For example, an attacker
could physically access the RFID tag and collect its internal state. The RFID tag
communicates with the RFID reader via a wireless interaction, and hence, there
is a security concern. The attacker could be able to identify a tag by using the
information collected from tag-reader communication. Therefore, the privacy of
RFID tags has become an issue in RFID applications.
Vaudenay [22] introduced the strong privacy model which captures a number
of RFID privacy cases, which are corresponding to eight classes with respect to
eight different privacy levels from weak to strong. The strongest level is the wide-
strong privacy. Later, Ng, Susilo, Mu and Safavi-Naini [16] refined the Vaudenay’s
model and claimed that the wide-strong privacy is possible. Based on the Bohli-
Pashalidis’ model [2,3] and Vaudenay’s model, Hermans, Pashalidis, Vercautern
and Preneel [10] proposed a new practical RFID privacy model which relies on
the indistinguishability of tags.
1 This work is supported by the Australian Research Council Discovery Project DP110101951.
2 This work is supported by ARC Future Fellowship FT0991397.
Radio Frequency Identification System Security : RFIDsec'13 Asia Workshop Proceedings, edited by C. Ma, and J. Weng, IOS Press,
4 N. Li et al. / On RFID Authentication Protocols with Wide-Strong Privacy

Wide-strong privacy is achievable by using the public key cryptography

(PKC) [22,16]. An RFID authentication protocol based on the IND-CCA2 secure
public key encryption scheme is strong private for wide adversaries [10]. Deursen
and Radomirović [7] proposed the wide-strong private authentication protocol by
employing the Cramer-Shoup encryption scheme.
The digital signature is an alternative cryptographic primitive in PKC. How-
ever, a traditional digital signature is hard to preserve the tag’s privacy as the
signature is publicly verifiable. Fortunately, we found that digital signatures, such
as strong designated verifier signatures [11], can be obtained by applying IND-
CCA2 encryption schemes. Thus, it is possible to construct a wide-strong private
identification protocol based on strong designated verifier signature schemes. The
elliptic curve cryptography (ECC) based RFID authentication protocols are ac-
ceptable by low-cost RFID tags [9,15]. Many ECC based RFID authentication
protocols [21,12,13,14,14,1] were proposed. Most of them are the variants of the
Schnorr signature scheme. However, these schemes have been unfortunately bro-
ken later in [8,12,5,6,4]. Recently, a new and interesting protocol was proposed
by Peeters and Hermans [18]. They claimed that the protocol achieves the wide-
strong privacy.

Our Contributions
The contribution of this paper is twofold. First, in contrast to the claim made in
[18], we demonstrate that Peeters and Hermans’ [18] protocol is vulnerable to our
attack, which makes the tag traceable. Second, we propose two wide-strong private
protocols based on zero-knowledge. The proposed protocols oﬀer provable wide-
strong privacy in the model described in [10]. As features of our protocols, the
reader can convince a third party, such as a client in the supply chain, the presence
of the tag by signature which is extracted from a successful authentication and
our (second) optimized protocol eliminates the modular operations in the prime
ﬁeld.

Paper Organizations
Copyright © 2013. IOS Press, Incorporated. All rights reserved.

The rest of this paper is organized as follows. In Section 2, we describe some

mathematical preliminaries and review the underlying privacy model. Section 3
demonstrates an attack launched by the wide-strong adversary against Peeters
and Hermans’ protocol. We proposed a basic protocol and prove the privacy
in Section 4 and Section 5, respectively. An optimized protocol is presented in
Section 6. Section 7 concludes the paper.

2. Preliminaries

In this section, we give the deﬁnitions of some mathematical preliminaries and

present the adopted privacy model of this paper.

2.1. Bilinear Maps

Let G1 , G2 and GT be three additive cyclic groups of same prime order q. P and
V are generators of group G1 and G2 , respectively. The map e : G1 × G2 → GT

Radio Frequency Identification System Security : RFIDsec'13 Asia Workshop Proceedings, edited by C. Ma, and J. Weng, IOS Press,
N. Li et al. / On RFID Authentication Protocols with Wide-Strong Privacy 5

is a bilinear mapping (pairing) and (P, V, q, e, G1 , G2 , GT ) is a bilinear group.

Let ψ be a computable isomorphism from G2 to G1 that ψ(V ) = P . We say it
is a symmetric bilinear group if G1 = G2 = G. A bilinear pairing satisfies the
properties as follows:
• Bilinearity: for all P ∈ G1 , V ∈ G2 and a, b ∈ Z∗q , we have the equation
e(P a , V b ) = e(P, V )ab .
• Non-Degeneracy: for all P ∈ G1 , V ∈ G2 , if P, V are generators respec-
tively, we have e(P, V ) = 1 is a generator of GT .
• Efficiency: There is an efficient algorithm to calculate e(P, V ) for all P ∈
G1 , V ∈ G2 .

2.2. Complexity Assumptions

Deﬁnition 1 (Computational Diﬃe-Hellman (CDH) assumption) Given a tuple

< P, aP, bP >, where a, b ∈R Z∗q , P is a generator of the group G, there is no
PPT adversary can ﬁnd abP with advantage at least .

2.3. Privacy Model

In this paper, we use the privacy model defined in [10]. The oracles defined in the
model are as follows.
• CreateTag(ID) → Ti : Taking as input a tag’s identifier ID, the oracle sets
up and registers a new tag to server. Then, it outputs the reference Ti of
the tag.
• Launch() → π, m: It launches a new session π and returns the first message
m sent by the reader.
• DrawTag(Ti , Tj ) → vtag: Taking as input a pair of tag references (Ti , Tj ),
it outputs vtag which is a virtual tag reference linked to either Ti or Tj
according to the value of g, where g ∈ {0, 1}. The oracle outputs ⊥, if Ti
or Tj is already drawn.
Copyright © 2013. IOS Press, Incorporated. All rights reserved.

• Free(vtag): Taking as input a virtual tag vtag, it retrieves the tuple

(vtag, Ti , Tj ) and moves (Ti , Tj ) to the set of free tags and resets Ti ’s (if
g = 0) or Tj ’s (if g = 1) volatile memory.
• SendTag(vtag, m) → m : Taking as input a virtual tag vtag and a message
m, the oracle retrieves (vtag, Ti , Tj ) and sends m to the tag Ti (if g = 0)
or Tj (if g = 1). It outputs the tag’s response m .
• SendReader(π, m) → m : Taking as input an instance π and a message m,
the oracle sends m to the reader in session π and outputs the reader’s
response m . If the session π is not activated, the oracle outputs ⊥.
• Result(π) → c: Taking as input an instance π, the oracle outputs the result
c of the authentication if π exists, otherwise outputs ⊥.
• Corrupt(Ti ) → s: Taking as input a reference Ti of the tag, the oracle
outputs the state s of the tag if Ti is not drawn, otherwise outputs ⊥.

The model deﬁned eight diﬀerent classes of privacy and adversary. In each
class, the adversary is restricted by the capability of oracle access. The strongest

Radio Frequency Identification System Security : RFIDsec'13 Asia Workshop Proceedings, edited by C. Ma, and J. Weng, IOS Press,
6 N. Li et al. / On RFID Authentication Protocols with Wide-Strong Privacy

adversary in the model is the wide-strong adversary who can access the all above
oracles as many times as he needs in polynomial time. The privacy experiment
Expws−private
A,S for the wide-strong adversary is as follows:

1. Setup: The system S sets up the system depending on the security param-
eter k and chooses a random bit g ∈ {0, 1}.
2. Learning: The adversary A can interact with S in polynomial time and
queries all above oracles.
3. Guess: The adversary outputs a bit g . If g = g, the experiment outputs
1, 0 otherwise.

We say that the adversary A wins the wide-strong privacy game if and only
if the experiment outputs 1.

Deﬁnition 2 A RFID authentication protocol is privacy-preserving if there is no

adversary A who wins the wide-strong privacy game in polynomial time t with the
advantage AdvA at least , where

1
AdvA = Pr[Expws−privacy = 1] − ≥ .
A,S
2

3. A Simple Attack
Copyright © 2013. IOS Press, Incorporated. All rights reserved.

In RFID privacy models [22,10], the adversary is classiﬁed to “narrow” and “wide”
according to whether allowed to query Result oracle during the simulation. A wide
adversary can query the Result oracle to check whether a session is valid. Our
attack exploits the capabilities of wide-strong adversaries where they can forge
new sessions by using the tag’s private key and verify the validity of the forgery.
In the attack, the adversary can query all oracles deﬁned in Section 2.3. He
chooses two tags T0 and T1 and queries the Corrupt oracle to both of them. Upon
receiving the internal state of T0 and T1 , the adversary issues SendTag query to a
virtual tag Tg which is either linked to T0 or T1 . The adversary generates a new
response I ∗ by using the tag’s state and I ∗ which is the response of the tag.
Then, the adversary submits I ∗ to the Result oracle. Based on the output of the
Result oracle, the adversary can output a correct link between the virtual tag and
the target tag. The attack is depicted as in Fig.1.

V irtual T ag Adversary Challenger

Corrupt(T0 ),Corrupt(T1 )
−−−−−−−−−−−→
state(T0 ),state(T1 )
←−−−−−−−−−−−
SendTag
←−−−−−−−−−−−
Tg ∈R {T0 , T1 }
I∗
−−−−−−−−−−−→
Generate I ∗
Result(I ∗ )
−−−−−−−−−−−→
Accept or Reject
←−−−−−−−−−−−
Guess Tg = T0 or T1

Figure 1. Our attack.

3.1. Peeters and Hermans’ Protocol

Recently, Peeters and Hermans [18] proposed an interesting RFID identiﬁcation

protocol based on zero-knowledge. They presented two protocols where the second
one is an eﬃcient optimized version. Here, we review their improved protocol. In
the protocol, both tag and reader have a pair of public/private keys (x, X = xP )
and (y, Y = yP ), respectively. The public keys X and Y are mutually known to
the reader and the tag. The protocol initiated with the tag generating a random
number r ∈ Z∗q . The tag sends the reader R = rP and receives the reader’s
response e, where e ∈ Z∗q . The tag computes

d = xcoord(rY ), s = x + er + d,

where xcoord is a function which returns the value of x-coordinate of the input
point, and sends s to the reader. Upon receiving the response, the reader computes
Copyright © 2013. IOS Press, Incorporated. All rights reserved.

d = xcoord(yR), X = (s − d )P − eR,

and accepts the tag if X appears in the database. The protocol is depicted as in
Fig. 2.
The authors claimed that their protocol is wide-strong private, while we show
that the protocol is vulnerable to our attack.

Theorem 1 In Peeters and Hermans’ protocol (Figure 2), a wide-strong adversary

is able to break the tag’s private with advantage Pr[Ē] = 1 − nq .

Proof 1 Suppose that the public system parameters (P, Y ), where P is a generator
of a goup G and Y is the reader’s public key, are known to the adversary. Given
an instance of the protocol execution of the tag T0 or the tag T1 , the wide-strong
adversary A aims to decide which tag involves the session.
The adversary A issues two oracle calls, which are Corrupt(T0 ) and Corrupt(T1 )
to the challenger. The challenger respectively returns T0 and T1 ’s private keys x0

Radio Frequency Identification System Security : RFIDsec'13 Asia Workshop Proceedings, edited by C. Ma, and J. Weng, IOS Press,
8 N. Li et al. / On RFID Authentication Protocols with Wide-Strong Privacy

Reader(y, DB{Xi }) T ag(x, Y )

r ∈ Z∗q , R = rP
R
←−−−−−−−−−
e ∈ Z∗q
e
−−−−−−−−−→
d = xcoord(rY )
s = x + er + d
s
←−−−−−−−−−

d = xcoord(yR)
X = (s − d )P − eR ∈ DB?

Figure 2. Peeters and Hermans’ protocol.

and x1 to the adversary. In the challenge phase, the challenger gives an instance
I ∗ of the protocol execution, where I ∗ = (R∗ , e∗ , s∗ ). The instance is generated
by using the tag T ∗ ’s private key x∗ , where x∗ = x0 or x∗ = x1 . Hence, we have

s ∗ = x∗ + e ∗ r ∗ + d ∗ ,

where d∗ = xcoord(r∗ Y ). Then, A generates a new instance I ∗ = (R∗ , e∗ , s∗ )

as follows,

R∗ = R∗ , e∗ = e∗ , s∗ = s∗ − x0 + x1 .

Since A is a wide adversary, it queries the Result oracle on input a session I ∗ .

The challenger then returns whether it accepts the session. If the challenger’s
output is 1, it means that I ∗ is valid and A has
Copyright © 2013. IOS Press, Incorporated. All rights reserved.

s∗ = s∗ − x0 + x1 = (x∗ − x0 + x1 ) + e∗ r∗ + d∗ .

Then, we have three cases:

• Case 1 (x∗ − x0 + x1 = x0 ): With the new session wrt tag T0 , A has the
solution that x∗ = 2x0 − x1 .
• Case 2 (x∗ − x0 + x1 = x1 ): With the new session wrt tag T1 , A has the
solution that x∗ = x0 .
• Case 3 (x∗ − x0 + x1 = x2 ): With the new session wrt another tag T2 , where
x2 is the private key of T2 , A has the solution x∗ = x2 + x0 − x1 .
According to the knowledge that x∗ is either x0 or x1 and assuming tags have
individual keys, Case 1 is impossible as it indicates x0 = x1 . A can deduce from
Case 2 and Case 3 that

x∗ = x0 or x∗ = x2 + x0 − x1 = x1 .

Then, A can guess the session I ∗ is related to the tag T0 with a high probability.
If the challenger rejects the session I ∗ , A can decide I ∗ is related to the tag T1 .
Therefore, the protocol is vulnerable to our attack.
Let E be the event that there exists the tag T2 with the private key

x2 = 2x1 − x0 .

Since a tag’s private key is randomly chosen from Z∗q , it can be considered that
2x1 − x0 is also a random value. Event E occurs with a negligible probability nq ,
where n is the number of tags except T0 and T1 . Hence, the adversary outputs a
correct guess with the probability
n
Pr[Ē] = 1 − .
q
2

4. Proposed Protocol

Many ECC-based RFID identiﬁcation protocols employ Diﬃe-Hellman keys to

preserve the privacy of the tag. Usually, there are two approaches to generate the
Diﬃe-Hellman key: 1) The tag uses its private key and the nonce(s) to compute
with the reader’s public key (e.g., [1,12,13]); 2) The tag chooses a random number
to compute with the reader’s public key (e.g., [18]). However, a strong adversary
can compromise the tag and obtain the tag’s private key. Hence, the two ways
provide the equal level of privacy protection under the strong attack. In this
paper, we adopt the second approach.
To withstand the attack described in Section 3, the tag’s response should
not be transferable to another valid response even if the tag’s private key is
known to the adversary. In our protocol, we protect the tag’s private key by using
Copyright © 2013. IOS Press, Incorporated. All rights reserved.

two random values. Given a valid tag’s response, anyone who does not have the
tag’s temporary key or the reader’s private key cannot output a new valid tag’s
response.
Our protocol is a variant of the Schnorr identification protocol [19]. The
identification process consists of two passes where the reader initiates the session.
Prior to identifying the tag, both of the reader and the tag are required to store
particular states. Let G is an additive group with the prime order p and P is a
generator of the group. The public/private key pairs of the tag and the reader
are (x, X = xP ) and (y, Y = yP ), respectively, where x, y ∈R Z∗q . Initially, the
backend server inserts the tag’s public key X into the database DB as the tag’s
identifier. The server sets the tuple (x, Y, P ) as the tag’s state and stores it into
the tag. The reader receives its pair of public/private keys and it is allowed to
access the database.
To identify a tag, the reader randomly chooses C ∈ G and sends C as a
challenge to the tag. Upon receiving the challenge, the tag firstly picks a random
number r ∈ Z∗q and computes R = rP . Let h : G×G×G → Z∗q be a cryptographic
hash function. The tag generates a signing message

Radio Frequency Identification System Security : RFIDsec'13 Asia Workshop Proceedings, edited by C. Ma, and J. Weng, IOS Press,
10 N. Li et al. / On RFID Authentication Protocols with Wide-Strong Privacy

v = h(R, rY, C),

where rY is a temporary Diﬃe-Hellman key. The signing message is computable

if and only if either the tag’s choice r or the reader’s private key y is known. It is
signiﬁcant to preserve the tag’s privacy. Then the tag computes

s = xv + r (mod q),

and sends (R, s) to the reader. On receiving the tag’s response, the reader extracts
the tag’s identity as
−1
v = h(R, yR, C), X = (sP − R)v .

If X exists in the database, the tag is identiﬁed, otherwise it is rejected. The

proposed basic RFID identiﬁcation protocol is depicted as in Fig. 3.

Reader(y, X) T ag(x, Y )

Choose c ∈R Z∗q , C = cP
C
−−−−−−−−−−→
r ∈R Z∗q , R = rP
v = h(R, rY, C)
s = xv + r (mod q)
R,s
←−−−−−−−−−−
Compute v = h(R, yR, C))
−1
X = (sP − R)v

check if X is in the database

Figure 3. Baisc protocol.

The reader can extract the tag’s signature after a successful tag authentica-
tion. Given yR and C, anyone who has the tag’s public key X can verify the va-
lidity of the signature (R, s). It is an important diﬀerence between the encryption
based protocols and the zero-knowledge based protocols.

5. Privacy Analysis

We analyse the privacy of the proposed basic protocol and show that it is wide-
strong private under the model [10].

Theorem 2 The proposed basic RFID authentication protocol is private against

the wide-strong attack if the CDH problem is hard.

Proof 2 Suppose that there is an adversary A who can (, qh , t)-distinguish the
‘left’ and ‘right’ world in the wide-strong privacy experiment. Let A has an ad-
vantage to solve the CDH problem. We can construct an algorithm B run by

the challenger to solve the CDH problem using the adversary A. Given the CDH
instance (P, aP, bP ), algorithm B aims to output abP . On behalf of the system S,
B interacts with the adversary A as follows.

• Setup: B sets P as the generator of the additive cyclic group G. Let the
public key of the reader be Y = aP and the private key of the reader be
y = a, which is unknown to B. B maintains the lists Lh = {< R, rY, C, v >
}, LRef = {< vtag, Ti , Tj >}, LS = {< T, π, z >} and a database of tags
T = {< ID, T, X, x >}, which are initially empty. B tosses a coin and sets
g = 0 or g = 1, where Pr[g = 0] = Pr[g = 1] = 12 . The virtual tag reference
vtag is an incremental counter starts from 0.
• h Query: A issues hE query on input (Ri , ri Y, Ci ) at most qh times. B
outputs vi if (Ri , ri Y, Ci ) is in the list Lh . Otherwise, B randomly se-
lects vi ∈ Z∗q and sets h(Ri , ri Y, Ci ) = vi . Then, B outputs vi and adds
< Ri , ri Y, Ci , vi > into the list Lh .
• CreateTag Query: A issues the oracle query on input a tag identity IDi . If
IDi is not in T , B sets up a new tag Ti and generates the tag’s pubic/private
key pair (xi , Xi ), where xi ∈ Z∗q , Xi = xi P . B outputs the reference Ti and
adds < IDi , Ti , Xi , xi > into the database T . If IDi exists, B ignores the
query.
• DrawTag Query: A issues the oracle query on input a pair of tag references
(Ti , Tj ). If any of the issued tags is not free, which is currently referenced,
the oracle outputs ⊥. If g = 0, B references vtag to Ti , Tj otherwise. B
outputs vtag and adds < vtag, Ti , Tj > into the list LRef .
• Free Query: A issues the oracle query on input a reference vtag. If vtag is
in the list LRef , B deletes the entry < vtag, Ti , Tj > and erases the volatile
memory of the referenced tag, which is Ti or Tj .
• Corrupt Query: A issues the oracle query on input a tag reference Ti . If Ti
is not in T , B ﬁrstly creates a new tag by using CreateTag Query. B then
outputs the tag’s secret key xi .
Copyright © 2013. IOS Press, Incorporated. All rights reserved.

• SendTag Query: A issues the oracle query on input vtag and a message Ci .
If the entry < vtag, Ti , Tj > is not in the list LRef , B outputs ⊥. Other-
wise, B retrieves the the referenced tag Tg ’s secret key xg and computes as
follows.
∗ Randomly selects zi ∈ Z∗q and let ri = b + zi . Then, B computes Ri =
bP + zi P .
∗ B randomly picks wi ∈ Z∗q and lets vi = wi − xbg .
∗ Computes si = xg wi + zi and sets mi = (Ri , si ), πi = (Ci , mi ).
B outputs mi and adds < Ti , πi , zi > into the list LS . We show that the
simulation is perfect as
si = xg wi + zi
b
= xg (wi − ) + (b + zi )
xg
= x g v i + ri

Radio Frequency Identification System Security : RFIDsec'13 Asia Workshop Proceedings, edited by C. Ma, and J. Weng, IOS Press,
12 N. Li et al. / On RFID Authentication Protocols with Wide-Strong Privacy

• SendReader Query: Since there is no reply message from the reader, B ig-
nores the query to this oracle.
• Result Query: A issues the oracle query on input a session πi . B responses
as follows.
∗ If πi is in the list LS , B accepts the session and outputs 1.
∗ If πi ,is not in the list LS , B looks up the list Lh . If < Ri , ·, Ci , vi > is
not in Lh , B outputs 0 and rejects the session.
∗ B Computes Xi = (si P − Ri )vi−1 and verifies it by checking if Xi in the
the database T . B outputs 1 if it exists, 0 otherwise.
Eventually, the adversary has to output a bit g ∈ {0, 1} in the guess phase.
That is, to determine which world (‘left’ or ‘right’) the simulation has encoun-
tered. If the adversary successfully outputs g = g, he wins the experiment and
B can use it to solve the CDH problem. Since A has to query the hash oracle
to determine which tag is referenced during the experiment, there is at least one
query input (Ri , ri Y, ci ) to the Hash Query is correct. B retrieves ri Y from the list
Lh and computes abP = ri Y − zi Y , where zi ∈ LS , to be a solution of the given
CDH problem.
The simulation fails when B rejects a valid session. It occurs when A issued
a valid session π to Result while < Ri , ·, Ci , vi > is not in the list Lh . A valid
session which is not generated by B implies that the adversary could find the Diffie-
Hellman key ri Y or guess the correct si . Let the event E be that the simulation
fails. We have the negligible probability Pr[E] ≤ + nq , where n is the number of
tags in T .

6. Optimisation

RFID tags are resource-constrained devices which have limited gates to imple-
Copyright © 2013. IOS Press, Incorporated. All rights reserved.

ment protocols. The increase of the tag’s gates costs more in production. In terms
of the hardware implementation of our basic protocol, the tag is required to do
the modular in both of the prime field and the binary field. Although the modular
is an efficient operation, it consumes large number of gates for the hardware im-
plementation [17,20]. Unfortunately, most of RFID identification protocols which
are based on public key cryptography need modular calculations in both of the
prime field and the binary field.
In this section, we propose an optimized protocol and show that the number
of required gates are reduced. As a feature, there is no modular operation in the
prime filed required to the tag. Instead, only the modular in the binary field is
needed.

6.1. Protocol 2

The optimized protocol also consists of two passes where the reader initiates the
session. Let G be an additive group with the prime order q and e be a bilinear
pairing, where e : G × G → GT . P1 and P2 are two generators of the group G.

The public/private key pairs of the tag and the reader are (xP2 , X = e(P1 , xP2 ))
and (y, Y = yP2 ), respectively, where x, y ∈R Z∗q . The backend server inserts the
entry of the tag into the databse and stores the tuple (xP2 , Y, P1 , P2 ) into the tag.
The reader receives its pair of public/private keys and it is allowed to access the
database.
To identify a tag, the reader randomly selects C ∈ G and sends C as a
challenge to the tag. Upon receiving the challenge, the tag chooses a random
number r ∈ Z∗q and computes R = rP1 . Then, the tag generate a signing message
v as in the basic protocol, where v = h(R, rY, C). The tag computes

S = vxP2 + rP2 ,

and sends (R, S) to the reader. On receiving the tag’s response, the reader extracts
the tag’s identity as
v −1
e(P1 , S)
v = h(R, yR, C), X = .
e(R, P2 )

If X exists in the database, the tag is identiﬁed, otherwise it is rejected. The

optimized RFID identiﬁcation protocol is depicted as in Fig.4.

Reader(X = e(P1 , xP2 ), y, Y = yP2 ) T ag(xP2 , Y )

Choose c ∈R Z∗q , C = cP2

C
−−−−−−−−−−→
r ∈R Z∗q , R = rP1
v = h(R, rY, C)
S = vxP2 + rP2
R,S
←−−−−−−−−−−

Compute v = h(R, yR, C)
v −1
Copyright © 2013. IOS Press, Incorporated. All rights reserved.

e(P1 ,S)
X = e(R,P 2)
check if X is in the database

Figure 4. Optimized protocol.

6.2. Privacy Analysis

Theorem 3 The proposed optimized RFID identiﬁcation protocol is private against

the wide-strong adversary if the CDH problem is hard.

Proof 3 Suppose that there is an adversary A who can (, qh , t)-distinguish the
‘left’ and ‘right’ world in the wide-strong privacy experiment. Let A has an advan-
tage to solve the CDH problem. Given an instance (P, aP, bP ), we can construct
an algorithm B to ﬁnd the solution abP of CDH problem using the adversary A.
B interacts with the adversary A as follows.

Radio Frequency Identification System Security : RFIDsec'13 Asia Workshop Proceedings, edited by C. Ma, and J. Weng, IOS Press,
14 N. Li et al. / On RFID Authentication Protocols with Wide-Strong Privacy

• Setup: B selects k, where k ∈ Z∗q and sets P1 , P2 , where P1 = kP, P2 =

P , as two generators of the additive cyclic group G. Let the public key
of the reader be Y = aP and the private key of the reader be y = a,
which is unknown to B. B maintains the lists Lh = {< R, rY, C, v >},
LRef = {< vtag, Ti , Tj >}, LS = {< T, π, z >} and a database of tags
T = {< ID, T, X, xP >}, which are initially empty. B tosses a coin and
sets g = 0 or g = 1, where Pr[g = 0] = Pr[g = 1] = 12 . The virtual tag
reference vtag is an incremental counter starts from 0.
• h Query: A issues hE query on input (Ri , ri Y, Ci ) at most qh times. B
outputs vi if (Ri , ri Y, Ci ) is in the list Lh . Otherwise, B picks vi ∈ Z∗q and
sets h(Ri , ri Y, Ci ) = vi . Then, B outputs vi and adds < Ri , ri Y, Ci , vi >
into the list Lh .
• CreateTag Query: A issues the oracle query on input a tag’s identity IDi . B
ignores the query if IDi exists. Otherwise, B randomly chooses xi ∈ Z∗q and
computes Xi = e(kP, xi P ). Then, B creates a new tag and sets (Xi , xi P )
as its public and private key pair. B outputs the reference Ti and adds
< IDi , Ti , Xi , xi P > into the database T .
• DrawTag Query: A issues the oracle query on input a pair of tag references
(Ti , Tj ). If any of the issued tags is not free, the oracle outputs ⊥. Depending
on the value of g, B references vtag to Ti (if g = 0) or Tj (if g = 1). B
outputs vtag and adds < vtag, Ti , Tj > into the list LRef .
• Free Query: A issues the oracle query on input a reference vtag. If vtag
is in the list LRef , B removes the entry < vtag, Ti , Tj > and erases the
volatile memory of the referenced tag.
• Corrupt Query: A issues the oracle query on input a tag reference Ti . If
Ti is not in T , B creates a new tag by running CreateTag Query. B then
outputs the tag’s secret key xi P .
• SendTag Query: A issues the oracle query on input vtag and a message
Ci . B outputs ⊥ If < vtag, Ti , Tj > is not in the list LRef . Otherwise, B
retrieves the the referenced tag Tg ’s secret key xg P and randomly selects
zi , wi ∈ Z∗q . Then, B computes
Copyright © 2013. IOS Press, Incorporated. All rights reserved.

Ri = kbP + zi kP, Si = wi xg P + zi P,

and sets mi = (Ri , Si ), πi = (Ci , mi ). B outputs mi and adds < Ti , πi , zi >

into the list LS .
• SendReader Query: Since there is no reply message from the reader, B ig-
nores the query to this oracle.
• Result Query: A issues the oracle query on input a session πi . B outputs 1
if πi is in the list LS , otherwise B outputs 0 if < Ri , ·, Ci , vi > is not in
e(P1 ,Si ) v −1
the list Lh . If < Ri , ·, Ci , vi > exists, B computes Xi = ( e(R i ,P2 )
) i and
outputs 1 if Xi appears in T , 0 otherwise.
Eventually, if the adversary outputs a guess g , where g = g, B has at least
one correct value of ri Y in the list Lh . B can ﬁnd the solution of CDH problem
as abP = ri Y − zi Y , where zi ∈ LS . The simulation fails when B outputs a false
rejection with the negligible probability at most + nq , where n is the number of
tags in T . 2

7. Conclusion

In this paper, we demonstrated an attack which is launched by the wide-strong

adversary on the Peeters and Hermans’ identiﬁcation protocol. Given a valid
session, the adversary can make a new session and distinguish the tag based on
the output of the result oracle. We proposed two zero-knowledge based RFID
authentication protocols which are wide-strong private. The proposed protocols
have been formally proved to be wide-strong private. Moreover, the reader can
obtain the tag’s signature after a successful tag authentication. The optimized
protocol eliminates the modular computations in the prime ﬁeld.

Acknowledgments
We thank the anonymous reviewers for their fruitful comments of improving this
work.

References

[1] Batina, L., Seys, S., Singelée, D., Verbauwhede, I.: Hierarchical ecc-based RFID authen-
tication protocol. In: Juels, A., Paar, C. (eds.) RFIDSec. LNCS, vol. 7055, pp. 183–201.
Springer (2011)
[2] Bohli, J.M., Pashalidis, A.: Relations among privacy notions. In: Dingledine, R., Golle, P.
(eds.) Financial Cryptography. LNCS, vol. 5628, pp. 362–380. Springer (2009)
[3] Bohli, J.M., Pashalidis, A.: Relations among privacy notions. ACM Trans. Inf. Syst. Secur.
14(1), 4 (2011)
[4] Bringer, J., Chabanne, H., Icart, T.: Cryptanalysis of ec-rac, a RFID identiﬁcation pro-
tocol. In: Franklin, M.K., Hui, L.C.K., Wong, D.S. (eds.) CANS. LNCS, vol. 5339, pp.
149–161. Springer (2008)
[5] van Deursen, T., Radomirović, S.: Untraceable RFID protocols are not trivially compos-
able: Attacks on the rvision of ec-rac. IACR Cryptology ePrint Archive 2009, 332 (2009)
[6] van Deursen, T., Radomirović, S.: Ec-rac: Enriching a capacious RFID attack collection.
In: Yalcin, S.B.O. (ed.) RFIDSec. LNCS, vol. 6370, pp. 75–90. Springer (2010)
[7] van Deursen, T., Radomirović, S.: Insider attacks and privacy of RFID protocols. In:
Copyright © 2013. IOS Press, Incorporated. All rights reserved.

Petkova-Nikova, S., Pashalidis, A., Pernul, G. (eds.) EuroPKI. LNCS, vol. 7163, pp. 91–
105. Springer (2011)
[8] Fan, J., Hermans, J., Vercauteren, F.: On the claimed privacy of ec-rac iii. In: Yalcin,
S.B.O. (ed.) RFIDSec. LNCS, vol. 6370, pp. 66–74. Springer (2010)
[9] Hein, D.M., Wolkerstorfer, J., Felber, N.: Ecc is ready for RFID - a proof in silicon. In:
Avanzi, R.M., Keliher, L., Sica, F. (eds.) Selected Areas in Cryptography. LNCS, vol.
5381, pp. 401–413. Springer (2008)
[10] Hermans, J., Pashalidis, A., Vercauteren, F., Preneel, B.: A new RFID privacy model. In:
Atluri, V., Dı́az, C. (eds.) ESORICS. LNCS, vol. 6879, pp. 568–587. Springer (2011)
[11] Jakobsson, M., Sako, K., Impagliazzo, R.: Designated veriﬁer proofs and their applications.
In: Maurer, U.M. (ed.) EUROCRYPT. LNCS, vol. 1070, pp. 143–154. Springer (1996)
[12] Lee, Y.K., Batina, L., Verbauwhede, I.: Ec-rac (ecdlp based randomized access control):
Provably secure RFID authentication protocol. In: RFID, 2008 IEEE International Con-
ference on. pp. 97 –104 (2008)
[13] Lee, Y.K., Batina, L., Verbauwhede, I.: Untraceable RFID authentication protocols: Re-
vision of ec-rac. In: RFID, 2009 IEEE International Conference on. pp. 178 –185 (2009)
[14] Lee, Y.K., Batina, L., Singelée, D., Verbauwhede, I.: Wide-weak privacy-preserving RFID
authentication protocols. In: Chatzimisios, P., Verikoukis, C.V., Santamarı́a, I., Laddo-
mada, M., Hoﬀmann, O. (eds.) MOBILIGHT. LNCS, Social Informatics and Telecommu-
nications Engineering, vol. 45, pp. 254–267. Springer (2010)

Radio Frequency Identification System Security : RFIDsec'13 Asia Workshop Proceedings, edited by C. Ma, and J. Weng, IOS Press,
16 N. Li et al. / On RFID Authentication Protocols with Wide-Strong Privacy

[15] Lee, Y.K., Sakiyama, K., Batina, L., Verbauwhede, I.: Elliptic-curve-based security pro-
cessor for RFID. IEEE Trans. Computers 57(11), 1514–1527 (2008)
[16] Ng, C.Y., Susilo, W., Mu, Y., Safavi-Naini, R.: RFID privacy models revisited. In: ES-
ORICS. LNCS, vol. 5283, pp. 251–266. Springer (2008)
[17] Oren, Y., Feldhofer, M.: A low-resource public-key identification scheme for RFID tags
and sensor nodes. In: Basin, D.A., Capkun, S., Lee, W. (eds.) WISEC. pp. 59–68. ACM
(2009)
[18] Peeters, R., Hermans, J.: Wide strong private RFID identification based on zero-
knowledge. IACR Cryptology ePrint Archive 2012, 389 (2012)
[19] Schnorr, C.P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.)
CRYPTO. LNCS, vol. 435, pp. 239–252. Springer (1989)
[20] Shamir, A.: SQUASH - a new MAC with provable security properties for highly constrained
devices such as RFID tags. In: Nyberg, K. (ed.) FSE. LNCS, vol. 5086, pp. 144–157.
Springer (2008)
[21] Tuyls, P., Batina, L.: RFID-tags for anti-counterfeiting. In: Pointcheval, D. (ed.) CT-RSA.
LNCS, vol. 3860, pp. 115–131. Springer (2006)
[22] Vaudenay, S.: On privacy models for RFID. In: ASIACRYPT. LNCS, vol. 4833, pp. 68–87.
Springer (2007)
Copyright © 2013. IOS Press, Incorporated. All rights reserved.

Radio Frequency Identification System Security : RFIDsec'13 Asia Workshop Proceedings, edited by C. Ma, and J. Weng, IOS Press,
Radio Frequency Identification System Security 17
C. Ma and J. Weng (Eds.)
IOS Press, 2013
© 2013 The authors and IOS Press. All rights reserved.
doi:10.3233/978-1-61499-328-5-17

Chameleon RFID and Tracking

Prevention
Marek Klonowski, Mirosław Kutyłowski 1 , Piotr Syga 2
Wrocław University of Technology,
Faculty of Fundamental Problems of Technology, Poland

Abstract. We propose a method for prevention of tracking RFID tags. We consider

the model in which the adversary may eavesdrop a large fraction of interactions,
but not all of them.
We propose a scheme that we call Chameleon RFID. It is based on dynamic
changes of identity during each interaction - ﬂipping half of bits at random posi-
tions. The scheme is not based on any secrets shared by the systems and the tags
but on their continuous interaction.
We prove privacy properties of the scheme with means of rapid mixing of
Markov chains and provide concrete estimations and experimental evaluation of
the rate of convergence to the uniform distribution. We also present some speciﬁc
applications of the method proposed. The most important one is leaving traces of
unauthorized tag activation.
Keywords. RFID identity management, traceability, privacy, limited view adversary,
Markov chain, rapid mixing, coupling

1. Introduction
Copyright © 2013. IOS Press, Incorporated. All rights reserved.

Today one of the most important concerns about usage of RFID tags are potential privacy
violations via tracing people holding the tags. Equally alarming are possibilities of trac-
ing trafﬁc of items, e.g. in case of business espionage. For this reason, quite frequently
RFID tags are not deployed despite of potential economic gains.
In this paper we propose a new approach to management of RFID tags that may help
to overcome the above mentioned problems. Our protocol, called Chameleon RFID, can
be also effectively used in some non-standard application scenarios not discussed so far.

1.1. Main Assumptions

Our target is to provide an efﬁcient framework for privacy protection and untraceability
for RFID based systems. Unlike most authors, we do not assume that an adversary is able
to eavesdrop globally all interactions with an RFID tag. Instead, we assume that a certain
number of interactions is not observed by the adversary. This is motivated by the fact
1 Corresponding Author: Wrocław University of Technology, Wybrzeże Wyspiańskiego 27, 50-370 Wrocław,

Poland; E-mail: [email protected].

2 Author was supported by NCN project, decision number DEC-2012/07/N/ST6/02203

Radio Frequency Identification System Security : RFIDsec'13 Asia Workshop Proceedings, edited by C. Ma, and J. Weng, IOS Press,
18 M. Klonowski et al. / Chameleon RFID and Tracking Prevention

that while it is possible to spy at many locations, it is rather infeasible to spy everywhere
for a long time. We feel that this is more realistic, just as in the case of anonymous
communication protocols where this model has been introduced [1]. The point is that
this realistic approach makes design of schemes substantially easier.
The second assumption is that the RFID tags are not tamper resistant. This is moti-
vated by the fact that tamper resistance increases the fabrication costs substantially, while
the most important advantage of RFID tags should be their low cost. On the other hand,
majority of solutions from the literature is based on secrets stored by tags. Consequently,
the tags may be exposed to attacks by adversaries with appropriate technical equipment.
This motivates us to propose RFID tags that do not hold any secret keys.

Draft of the Scheme

Below we describe main idea of the scheme; details of the construction are given in
Sect. 2 . The basic element of our approach is to change rapidly identifiers of the tags.
Such approach has been already exploited by many authors, but usually the changes are
determined by a common secret shared by the system database and the tag (see e.g. [2]).
However, we propose that the identifier’s change is random and determined by the tag
itself and not with a secret shared with the system’s database.
Unlike [3] we assume that the changes occur at many positions. Namely, after send-
ing the current identifier:
• the tag chooses at random n out of 2n bit positions of the tag’s identifier,
• each bit on a chosen position is flipped.
Despite the fact that the number of flipped bits is large, there is a strong link between
the old identifier and a new one stored by the tag, as the Hamming distance of exactly
n is rather unlikely. For recognizing a tag, the system stores the last identifier seen from
the tag together with its permanent ID stored only in the database. If the current identifier
ID is sent by the tag, the systems searches in the database for an identifier ID such that
Copyright © 2013. IOS Press, Incorporated. All rights reserved.

Hamming distance between ID and ID is exactly n. When found, ID overwrites ID in

the database. A single round of the scheme is depicted on Fig. 1.
On the other hand, we shall see that if we perform two transitions of this kind, then
we may reach an arbitrary identiﬁer with positive probability. This means that if just
a single interaction is not observed by an adversary, then the identiﬁer of the tag may
become any sequence of bits. Indeed, one transition occurs during the last interaction
with the adversary (the result is not observed by the adversary), the second one during
the interaction not observed by the adversary.
We may consider a graph G over all strings of length 2n and say that there is an edge
between nodes a and b if the Hamming distance between a and b is exactly n. Note that
2n
the number of neighbors of each node on G is n which is (n + 1)Cn , where Cn is the
n
n-th Catalan number. As Cn ∼ √4 3 the neighbors of a node make a fraction of about
n π
√1 . For concrete small values of n the fraction of neighbors of a given node in G is:
nπ

2n 10 20 30 40 50 60
fraction of all 2n bit strings 0.246 0.176 0.144 0.125 0.112 0.103

Radio Frequency Identification System Security : RFIDsec'13 Asia Workshop Proceedings, edited by C. Ma, and J. Weng, IOS Press,
M. Klonowski et al. / Chameleon RFID and Tracking Prevention 19

Note that the probability of assigning a random tag as a transformed tag of a given tag
is quite large if the length of the tags is small. Such case may lead to ambiguities. The
way to allude this problem is to split the binary string into smaller substrings and in each
of them execute the procedure separately and independently. Thereby, if we split the se-
quence of 60 bits into 6 parts, 10 bit each, we get the chance of coincidental neighbor-
hood as ≈ 2−12 . For sequences of length 160 partitioned into subsequences of length 10
we get probability ≈ 2−32 . Such a collision can be treated manually (inspection of the
serial number printed on the item).

2. Chameleon Scheme

In this section we give more precise algorithmic description of the Chameleon protocol
outlined in the previous section.

Setup of the System

The system consist of two basic components:

RFID - tags: each RFID has its permanentID. However, it is not stored in the tag. In-
stead, the RFID stores two identifiers: previousID and currentID. Both identifiers
are at the beginning a random bit strings of the length 2n with an even number of
ones. Identifiers of RFID-tags are chosen independently.
DB-System: this part of the system contains a central database and RFID readers ca-
pable of the remote communication with RFID-tags. For each RFID registered in
the system there are two identifiers in a single record stored in a database of the
system namely presentedID and permanentID.

The identiﬁer permanentID of an RFID tag is never changed. The identiﬁers previousID,
currentID and presentedID are dynamic and changed at each successful interaction with
Copyright © 2013. IOS Press, Incorporated. All rights reserved.

the reader. At regular situation previousID = presentedID. That is, the temporary identi-
ﬁer stored by the system is one step behind the tag. However, in some fault circumstances
it may happen that currentID = presentedID. Namely, it may happen that the system
makes an update, but the RFID tag receives no authentication message from the reader.

Description of a Round
After each scanning the DB-system tries to recognize the tag (i.e. to match the value
received from the scanned RFID to the proper ID kept in the database). On the side of
the RFID-tag the identiﬁers are changed. In Fig. 1 we describe a single interaction of a
reader with an RFID tag.
In the procedure UPDATE the random subset of n bits is chosen out of 2n bits and
ﬂipped, i.e. the bits on chosen positions are negated. An example of several rounds of
update procedure is shown in Fig. 2 . In order to convince that after just several iterations
of the update procedure, the distribution of achievable IDs (i.e. ID with even number of
1’s) is close to uniform, we performed an experiment. Starting from an ID with all bits
equal to 1 we performed 8 iterations of the update function. We repeated this procedure

Radio Frequency Identification System Security : RFIDsec'13 Asia Workshop Proceedings, edited by C. Ma, and J. Weng, IOS Press,
20 M. Klonowski et al. / Chameleon RFID and Tracking Prevention

RFID DB-System
SETUP
(currentID, previousID) (presentedID, permanentID)
where presentedID = previousID
ROUND
1. z := currentID
z
2. −−−−−−−−−→

3. ﬁnd a record
(presentedID, permanentID) where
Hamming distance between z and
presentedID is exactly n

4. choose at random k positions where

z and presentedID differ, let L be the
list of these positions
L
5. ←−−−−−−−−−

6. check that on positions from L the update: presentedID := z

strings currentID and previousID
disagree
7. if result negative then abort

8. previousID := currentID

9. currentID := UPDATE(currentID)

Figure 1. Ideal case when the system and the RFID are synchronized

20000 times. Fig. 3 depicts results of the experiment for n = 6.

One can learn the probability distribution of obtaining given a ID starting from ID0
after t rounds of the update procedure. Namely, let us identify the IDs as a binary repre-
sentation of a number in range [0, 22n − 1]. Let v0 be a vector of length 22n consisting of
22n − 1 0’s and a 1 on the position corresponding to ID0 . Vector v0 represents probability
distribution of the starting ID. The update is represented by a transition matrix U = [ui, j ]
of the size 22n × 22n , where ui, j represents the probability of transition from IDx = i to
IDx+1 = j. Clearly

1
if HD(i, j) = n ,
ui, j = (2nn)
0 otherwise.

where HD(x, y) denotes Hamming distance between x and y. Probability distribution of

IDs after t updates is calculated as vt = v0U t .

Radio Frequency Identification System Security : RFIDsec'13 Asia Workshop Proceedings, edited by C. Ma, and J. Weng, IOS Press,
M. Klonowski et al. / Chameleon RFID and Tracking Prevention 21

0 0 0 1 0 1 0 0
bits to be ﬂipped

0 0 0 1 0 1 0 0
after ﬂipping

1 0 1 0 0 1 1 0
bits to be ﬂipped

0 0 0 1 0 1 0 0
after ﬂipping

1 1 0 1 0 0 0 1
bits to be ﬂipped

0 0 0 1 0 1 0 0
after ﬂipping

0 1 0 0 1 1 1 0

Figure 2. Example of update procedure for 2n = 8 in 3 rounds (grey boxes mark bits to be ﬂipped).

0.0010

0.0008

0.0006

0.0004

0.0002

Figure 3. Histogram of different IDs’ frequency during 8 iterations of update procedure within 20000 trials,
starting from ID0 = 111111111111.

Radio Frequency Identification System Security : RFIDsec'13 Asia Workshop Proceedings, edited by C. Ma, and J. Weng, IOS Press,
22 M. Klonowski et al. / Chameleon RFID and Tracking Prevention

3. Protocol Modeling and Security Analysis

We identify each RFID tag T with a bit string of length 2n denoted ID(T ). We also
assume that n is even. According to the definition the Hamming weight of each ID is
even. Apart from simplification of the analysis this enables us to say that the last bit of
the ID is the parity bit added for error detection.
First note that in two steps we can reach any ID of even Hamming weight. Indeed,
let ID is a starting ID, and ID be an arbitrary ID of even Hamming weight. Let L denote
the set of positions on which ID and ID differ. Obviously, L contains an even number
of elements – otherwise ID would contain an odd number of 1’s. Let L1 and L2 be a
partition of L into two sets of equal cardinality. Then we choose two sets of positions A1
and A2 such that L1 = A1 \ A2 , L2 = A2 \ A1 , and A1 ∩ A2 as an arbitrary set of n − |L|/2
positions disjoint with L (note that there are 2n − |L| such positions and that n − |L|/2 ≤
2n − |L|). It is easy to see that applying transitions with sets A1 and A2 leads to transition
from ID to ID .
Possibility to reach any ID in just two updates does not mean that we can reach
them with the same probability – in fact the probabilities are quite different. However,
intuitively after a sufficient number of updates the probabilities of all possible IDs be-
come almost the same and the adversary that is not capable of observing this tag for
these updates is unable to find any link between the IDs. For this reason the adversary
cannot trace the tag. The main question however, is to determine the number of transi-
tions which are necessary until the probability distribution of the resulting IDs (of even
weight) becomes almost uniform.
Below we present a formal proof that this process of equalizing probabilities of
different IDs is very fast. Consequently, the adversary looses linking possibility when it
skips a few updates for a given RFID-tag.

3.1. Notation

Let E be the set of all bit strings of the length 2n with even number of ones. Let IDt ∈ E
be the bit string on RFID tag after performing t transitions. Note that IDt is a random
Copyright © 2013. IOS Press, Incorporated. All rights reserved.

variable. Let [n] = {1, 2, . . . , n}. For a bit string s let s(i) be the ith bit of s. By b̄ we
denote the bit b flipped, i.e. b̄ = 1 − b.
Clearly, {IDt }t≥0 is a homogeneous Markov chain. Indeed, one can observe that the
state IDt+1 depends only on IDt . For a bit string s and a subset A ⊆ [2n] we define T (s, A)
as a bit string obtained from s by flipping bits on positions from A. That is, if T (s, A) = s ,
then s (i) = s(i) if and only if i ∈ A. Let H(s, s ) denote the Hamming distance between s
and s . From now on we use notation Xt instead of {Xt }t≥0 , if it is clear from the context
that we are talking about a Markov chain.
Transition probabilities of the Markov chain IDt are as follows:
1
, if H(s, s ) = n ,
Pr[IDt+1 = s |IDt = s] = (2nn)
0, otherwise.

Note that if ID0 ∈ E , then IDt ∈ E for each t > 0 as well. Indeed, flipping a single bit
changes the Hamming weight by +2 or −2, so a set of flips must change the Hamming
weight by an even number. Thereby we see that the chain IDt over E is properly defined.

Radio Frequency Identification System Security : RFIDsec'13 Asia Workshop Proceedings, edited by C. Ma, and J. Weng, IOS Press,
M. Klonowski et al. / Chameleon RFID and Tracking Prevention 23

Fact 1. {IDt }t≥0 is an ergodic Markov chain that converges to uniform distribution over
E.

Proof. Since probability of transition from state a to state b is the same as the probability
of transition from state b to state a, it is easy to see that the chain IDt is irreducible.
One can also easily construct a cycle of 2n + 1 states such that transitions between
consecutive states have positive probability. Existence of odd length cycles implies ape-
riodicity3 . Each aperiodic and irreducible chain converges to its unique stationary dis-
tribution. Since Pr[IDt+1 = s|IDt = s ] = Pr[IDt+1 = s |IDt = s], the uniform distribution
is the only stationary distribution of this chain.
The remaining (and most difﬁcult) problem is to show that IDt converges to uniform
distribution in a fast way. Let us recall some standard deﬁnitions regarding convergence
of Markov chains to stationary distribution.

Deﬁnition 2. For two discrete random variables X, Y we deﬁne total variation distance
metrics as

1
2∑
TVD(X, Y ) = | Pr[X = x] − Pr[Y = x]| .
x

Deﬁnition 3. Let {Xt }t≥0 be an ergodic Markov chain converging to stationary proba-
bility distribution U. Let S be the space of possible states. We deﬁne the mixing time τ(ε)
as follows:

τ(ε) = max min{t ∈ N : TVD(Xt , U) ≤ ε ∧ X0 = s} .

s∈S t

In other words, mixing time is the number of steps t so that after t steps the probability
distribution is ε-close to its limit distribution independently of the initial state.
One of the most efﬁcient methods for proving mixing time bounds is so called cou-
pling technique recalled below.
Copyright © 2013. IOS Press, Incorporated. All rights reserved.

Deﬁnition 4. A coupling for a Markov chain Mt is a joint process (Xt , Xt∗ ) such that
each of its marginal processes, i.e. Xt and Xt∗ , is a faithful copy of Mt (which means that
the transition probabilities are the same as for Mt ).

Clearly processes of Xt and Xt∗ from a coupling can be dependent (and in all proofs for
convergence of Markov chains they are dependent). The fundamental coupling lemma
recalled below shows that by constructing a coupling for a Markov chain we can get an
upper bound on its mixing time.

Lemma 5. (Coupling lemma) Let Mt be an ergodic Markov chain converging to U. Let

(Xt , Xt∗ ) be any coupling for Mt and X0 is distributed according to U. Then

TVD(Xt , Xt∗ ) ≤ Pr[Xt = Xt∗ ] .

3 To be completely correct we need to assume that the process is lazy – i.e., with some ﬁxed (possibly

small) probability the state does not change in some rounds. Such assumption does not substantially change
the protocol.

Radio Frequency Identification System Security : RFIDsec'13 Asia Workshop Proceedings, edited by C. Ma, and J. Weng, IOS Press,
24 M. Klonowski et al. / Chameleon RFID and Tracking Prevention

Corollary 6. If (Xt , Xt∗ ) is a coupling for Mt such that Pr[XT = XT∗ ] ≤ ε for any initial
states X0 = s and X0∗ = s , then τ(ε) ≤ T .

3.2. Coupling construction

We follow coupling approach to prove that our process IDt is very close to uniform
distribution after a few rounds.
Let us construct a coupling for IDt denoted as (IDt , IDt∗ ). We call IDt the free process
and IDt∗ the dependent process. For the sake of clarity let us assume that being in a given
state IDt , the free process chooses the next state first. Then the dependent process tries to
approach to IDt without violating the rule that the transition probabilities must the same
as for the basic process.
∗ (i)} and Z̄ = [2n] \ Z . Let k = |Z̄ | = 2n − |Z |
Let Zt = {i ∈ [2n] : IDt−1 (i) = IDt−1 t t t t t
denote the number of bits that are different in both processes. In round t process IDt
chooses a subset At of cardinality n according to the probability distribution defining the
marginal process IDt . Let lt = |At ∩ Z̄t | denote the number of bits that are different in
both processes after the step t − 1 and have been selected for flipping in round t by the
free process.
For the dependent process IDt∗ , we define the subset of bits to be changed as At∗ =
(At ∩ Zt ) ∪ Bt , where:

kt
random subset of cardinality lt from Z̄t \ At if lt ≤ 2,
Bt = kt
whole set Z̄t \ At and a random subset of cardinality 2lt − kt of At ∩ Z̄t if lt > 2.

One can easily notice that each subset of [2n] of cardinality n is chosen with the same
probability by At∗ . Thus (IDt , IDt∗ ) is well deﬁned coupling process.
Some example steps of the coupling are depicted on Fig. 4 .

3.3. Rapid mixing

probability at least 1 − 2n
1
, i.e. for what T we have IDT = ID∗T with probability at least
1 − 2n . Note that by the deﬁnition of the coupling process, if IDT = ID∗T , then IDt = IDt∗
1

for each t ≥ T .

Deﬁnition 7. Random variable X has a hypergeometric distribution H (N, n, m) if

mN−m
x
Pr[X = x] = Nn−x
.
n

The hypergeometric distribution describes the number of black balls obtained when we
draw n balls out of N − m white and m black balls without replacement. One can see that
D
kt+1 ∼ 2|H (2n, n, kt ) − k2t |. Indeed, the positions in Zt chosen for flipping play the role
of chosen “black balls”. If their number h if lower than k2t , then kt+1 = 2( k2t − h), as we
are able to couple the processes on 2h positions. In the opposite case, each position is
flipped by at least one process, however 2h − kt = 2(h − k2t ) positions are flipped by both
processes and thereby the processes still differ there.

Radio Frequency Identification System Security : RFIDsec'13 Asia Workshop Proceedings, edited by C. Ma, and J. Weng, IOS Press,
M. Klonowski et al. / Chameleon RFID and Tracking Prevention 25

0 0 0 0 0 0 0 0 0 1 0 1 0 1 1 0
choice of bits for ﬂipping choice of bits for ﬂipping

0 0 0 0 0 0 0 0 0 1 0 1 0 1 1 0
state after round 1 state after round 1

1 0 1 1 0 0 0 1 1 1 1 1 0 1 0 1
choice of bits for ﬂipping choice of bits for ﬂipping

1 0 1 1 0 0 0 1 1 1 1 1 0 1 0 1
state after round 2 state after round 2

1 0 0 1 1 0 1 0 1 1 0 1 1 1 1 0
choice of bits for ﬂipping choice of bits for ﬂipping

1 0 0 1 1 0 1 0 1 1 0 1 1 1 1 0
state after round 3 state after round 3

1 1 0 0 0 0 0 0 1 1 0 0 0 0 0 0

Figure 4. Coupling example for 2n = 8, the free process on the left and dependent process on the right (grey
boxes mark bits to be ﬂipped in current round, black boxes mark matching bits).

D
Fact 8. Let X ∼ H (2n, n, k) and k be an even integer. Then

Pr |X − 2k | ≥ k
4 ≤ 2 exp − 8k .

2
Proof. From the Sect. 2.1 in [5] we know that Pr[X ≤ EX − t] ≤ exp(− 2σ t
2 ) for t ≥ 0,
where EX denotes expected value of X and σ denotes its variance. We need to notice
Copyright © 2013. IOS Press, Incorporated. All rights reserved.

2
k(2n−k)
that EX = 2k and σ 2 = 4(2n−1) ≤ 4k . Moreover, Pr[X = 2k + f ] = Pr[X = 2k − f ] for any
f.

Fact 9. For every 2n ≥ kt ≥ 2 following inequality holds

kt
Pr[kt+1 ≤ 2] > 1
2 .

Proof. From the Fact 8 let us note that 2 exp − 8k < 12 if k ≥ 11. Thus for every kt > 11
we have Pr[kt+1 ≤ k2t ] > 12 . The case kt < 11 can be checked easily by direct calculations
of probabilities.

Please be reminded that possible initial IDs and method of updating IDs assures that
in every round we have 2|kt . We say that round t is successful if kt+1 ≤ k2t . Since k0 ≤ 2n
we need at most log n + 1 successful steps to have all bits matched. Each round of the
protocol is successful with probability at least 12 , independently of others. By Fact 9,
the number of successful rounds in m consecutive rounds stochastically dominates the

Radio Frequency Identification System Security : RFIDsec'13 Asia Workshop Proceedings, edited by C. Ma, and J. Weng, IOS Press,
26 M. Klonowski et al. / Chameleon RFID and Tracking Prevention

Nr of rounds
14

n
200 400 600 800
Mean
1
1 Quantile
n

Figure 5. Number of rounds needed to ﬁnish coupling process for a tag with |ID| = 2n on average (blue) and
in most cases (violet) in 14000 trials.

binomial distribution Bin(m, 12 ). Using a standard version of the Chernoff bound from
[5] (Formula 2.14) we can ﬁnd the number of steps necessary for having at least log n + 1
successful steps and consequently the protocol coupled.

Fact 10. After T > 3.6 log n + 1.6 steps of the coupling process ID∗T = IDT with proba-
bility at least 1 − 2n
1
.

following theorem:

Theorem 11. Let us consider a tag with ID of the length 2n starting from an arbitrary
state with even number of ones. After 3.6 log n + 2 rounds its distribution differs from
1
uniform distribution over 2n bit strings with even number of ones, by no more than 2n .

Fig. 5 depicts result of a numeric experiment on described coupling process.

While Theorem 11 is based on general estimation method, for concrete n we can
proceed in a different way. For example let us consider n = 4. We say that the coupling
process is in state Si , if there are differences on i positions between the free process and
the dependent process. Please note that due to protocol properties only even values of
i are possible. So for n = 4 the possible states are S0 , S2 , S4 , S6 , S8 . We may build a
directed weighted graph with vertices S0 , S2 , S4 , S6 , S8 , where an edge between Si and S j
with weight p means that in state Si executing one round leads to state S j with probability
p.
Let Z̄ denote the set of positions where the free process and the dependent process
have different values. For the case n = 4 one can see that:

Radio Frequency Identification System Security : RFIDsec'13 Asia Workshop Proceedings, edited by C. Ma, and J. Weng, IOS Press,
M. Klonowski et al. / Chameleon RFID and Tracking Prevention 27

• from state S8 the coupling always gets into state S0 ,

• from state S6 there are the following cases concerning the number z of positions
from Z̄ which are flipped by the free process:
15
z = 2: the next state is S2 , this case occurs with probability 70 ;
40
z = 3: the next state is S0 , this case occurs with probability 70 ;
15
z = 4: the next state is S2 , this case occurs with probability 70 ;
• from state S4 there are the following cases concerning the number z of positions
from Z̄ which are flipped by the free process:
1
z = 0: the next state is S4 , this case occurs with probability 70 ;
16
z = 1: the next state is S2 , this case occurs with probability 70 ;
36
z = 2: the next state is S0 , this case occurs with probability 70 ;
16
z = 3: the next state is S2 , this case occurs with probability 70 ;
1
z = 4: the next state is S4 , this case occurs with probability 70 ;
• from state S2 there are the following cases concerning the number z of positions
from Z̄ which are flipped by the free process:
15
z = 0: the next state is S2 , this case occurs with probability 70 ;
40
z = 1: the next state is S0 , this case occurs with probability 70 ;
15
z = 2: the next state is S2 , this case occurs with probability 70 ;

Following the above we get worst case mixing time bound (for n = 4) τ = 32 17 , that occurs
if we begin in S4 .
Based on the above derivations we get the transition matrix T for this graph. Then we
may derive T t for any t and use the fact that T t deﬁnes probabilities of reaching nodes
in a walk consisting of t steps. Note that S0 is an accumulating point, and we are looking
for the probability of successful coupling after t steps, that is the probability of reaching
S0 in t steps.
Copyright © 2013. IOS Press, Incorporated. All rights reserved.

4. Applications

Apart from the basic application of the protocol mentioned before, i.e. identifying objects
immune against a passive adversary that may monitor only a fraction of the trafﬁc, this
protocol can be particularly efﬁciently used in some other scenarios that we describe
below.

Presence in Restricted Area

Assume that the systems consists of a number of mobile units u1 , . . . uk that move within
some restricted area S. Apart from location control within S run by the system, it must
guarantee that any unit leaving S looses its status as a unit entitled to move within S. So
we have to do with a friend-or-foe system, where leaving S immediately means that the
unit is contaminated and should be considered as a foe.
With Chameleon scheme, once a unit gets out of S and authentication is performed,
then the scheme inside S will not recognize it as a “friend”. For this purpose the identiﬁers
are administered by two separate databases of the system: the ﬁrst database is kept inside

Radio Frequency Identification System Security : RFIDsec'13 Asia Workshop Proceedings, edited by C. Ma, and J. Weng, IOS Press,
28 M. Klonowski et al. / Chameleon RFID and Tracking Prevention

S, while the second one is a global one. Security policy is that there is a unidirectional
ﬂow of updates: from the local to the global database but not vice versa.
It is easy to see that one can build a hierarchical system described by a tree, where
each node is labeled by a area. We assume that if node with label S has a children node
with label S , then S is a subset of S. In this scenario, if an update occurs within an area
S, then information about the update is delivered to the parent node of S and an update is
performed recursively at the parent node. It guarantees that if tag’s location corresponds
to a node A with label S, then the tag will be recognized in all areas which are labels of
the nodes on the path P from A to the root of the tree, except for the areas that are labels
of sibling for the nodes of P and of the children nodes of A.

Unauthorized Access Detection

One of the basic threats for some high security systems is inspection of the items by
unauthorized readers run by malicious parties. Alone the fact that the item has been
inspected by such a party should be enough to exclude it from the further processing - a
good example is delivery of access codes, passwords, PIN numbers etc.
One solution of the problem are electronic artifacts that are authenticated with strong
protocols based on asymmetric cryptography and including prior authentication of the
verifiers (an example of this approach is [4]). However, this requires a complicated PKI
infrastructure, attribute handling and special cryptographic hardware.
Chameleon scheme is a lightweight solution to this problem: once an unauthorized
party inspects the RFID tag, it becomes “corrupted”. As change of the identifier is auto-
matic and irreversible, it cannot be prevented by the intruder. In the scenario concerned
the RFID tags should contain two fields: the first one with a permanent ID, the second
one modified via Chameleon scheme. Also, the protocol should be slightly changed: the
transition of the ID of the tag should be performed after tag initialization and before
presenting the currentID.

RFID Ownership Transfer

method. Once a tag is transferred to a new owner, a few interactions make it purely ran-
dom for the previous owner. This is true even if the previous owner has access to all
secrets from the tag (in fact, for Chameleon scheme there are no such secrets).

5. Conclusion

In our paper we presented new privacy preserving protocol for RFID tag immune against
an eavesdropping adversary that misses several communication rounds between the tag
and the reader. Such an adversary model is justiﬁed as the communication between tags
and the system takes place on multiple locations, so it is infeasible to eavesdrop the
whole communication. The protocol is suitable even for very cheap tags as it requires
only ability to choose a random subset of bits and bit negation, it does not require any
secret that could be intercepted by the adversary, which would lead to corrupting whole
system.
We provided formal security analysis using total variation distance as a security
measure. We also provide some numeric experiments depicting proven result.

Radio Frequency Identification System Security : RFIDsec'13 Asia Workshop Proceedings, edited by C. Ma, and J. Weng, IOS Press,
M. Klonowski et al. / Chameleon RFID and Tracking Prevention 29

References

[1] Ron Berman, Amos Fiat, and Amnon Ta-Shma. Provable unlinkability against trafﬁc analysis. In Ari
Juels, editor, Financial Cryptography, volume 3110 of Lecture Notes in Computer Science, pages 266–
280. Springer, 2004.
[2] Mike Burmester and Jorge Munilla. Lightweight RFID authentication with forward and backward secu-
rity. ACM Trans. Inf. Syst. Secur., 14(1):11, 2011.
[3] Jacek Cichoń, Marek Klonowski, and Mirosław Kutyłowski. Privacy protection in dynamic systems based
on RFID tags. In PerCom Workshops, pages 235–240. IEEE Computer Society, 2007.
[4] Lucjan Hanzlik, Kamil Kluczniak, Łukasz Krzywiecki, and Mirosław Kutyłowski. Mutual restricted
identiﬁcation. In EuroPKI (to appear), 2013.
[5] S. Janson, T. Łuczak, and A. Ruciński. Random Graphs. Wiley Series in Discrete Mathematics and
Optimization. Wiley, 2011.
Copyright © 2013. IOS Press, Incorporated. All rights reserved.

Radio Frequency Identification System Security : RFIDsec'13 Asia Workshop Proceedings, edited by C. Ma, and J. Weng, IOS Press,
Exploring the Variety of Random
Documents with Different Content
performing selections from Louis Ganne's operetta, Les
Saltimbanques. On the terrasse, each little table, covered with its
white cloth, was lighted by a tiny lamp with a roseate shade, over
which faces glowed. The bottles and dishes and silver all contributed
their share to the warmth of the scene, and heaping bowls of
peaches and pears and apples and little wood strawberries,
ornamenting the sideboards, gave the place an almost sumptuous
appearance. Later I learned that fruit was expensive in Paris and not
to be tasted lightly. Victor Maurel has told me how, dining one night
with the composer of The Barber, he was about to help himself to a
peach from a silver platter in the centre of the table when the frugal
Madame Rossini expostulated. Those are to look at, not to eat!
While we lingered on the outer sidewalk, a little comedy was
enacted, through the dénouement of which we secured places. A
youth, with wine in his head and love in his eyes, caressed the warm
lips of an adorable girl. Save for the glasses of apéritifs from which
they had been drinking, their table was bare. They had not yet dined.
He clasped her tightly in his arms and kissed her, kissed her for what
seemed to be a very long time but no one, except me, appeared to
take any notice.
Look! I whispered to Albert. Look!
O! that's all right. You'll get used to that, he replied negligently.
Now the kiss was over and the two began to talk, very excitedly and
rapidly, as French people are wont to talk. Then, impulsively, they
rose from their chairs. The man threw a coin down on his napkin. I
caught the glint of gold. He gathered his arms about the woman, a
lovely pale blue creature, with torrid orange hair and a hat abloom
with striated petunias. They were in the middle of the street when the
waiter appeared, bearing a tray, laden with plates of sliced
cucumbers, radishes and butter, and tiny crayfish, and a bottle of
white wine. He stared in mute astonishment at the empty table, and
then picked up the coin. Finally, he glanced towards the street and,
observing the retreating pair, called after them:
Mais vous n'avez pas diné!
The man turned and shot his reply over his shoulder, Nous rentrons!
The crowd on the terrasse shrieked with delight. They applauded.
Some even tossed flowers from the tables after the happy couple
and we ... we sat down in the chairs they had relinquished. I am not
certain that we did not eat the dinner they had ordered. At any rate
we began with the cucumbers and radishes and écrevisses and a
bottle of Graves Supérior.
That night in Paris I saw no Americans, at least no one seemed to be
an American, and I heard no English spoken. How this came about I
have no idea because it never occurred again. In fact, one meets
more Americans in Paris than one does in New York and most of the
French that I manage to speak I have picked up on the Island of
Manhattan. During dinner I began to suspect a man without a beard,
in a far corner, but Albert reassured me.
He is surely French, he said, because he is buttering his radishes.
It would be difficult to exaggerate my emotion: the white wine, the
bearded French students, the exquisite women, all young and
smiling and gay, all organdie and lace and sweet-peas, went to my
head. I have spent many happy evenings in the Café d'Harcourt
since that night. I have been there with Olive Fremstad, when she
told me how, dressed as a serpent in bespangled Nile green, she
had sung the finale of Salome to Edward VII in London, and one
memorable Mardi-Gras night with Jane Noria, when, in a long
raincoat which covered me from head to foot, standing on our table
from time to time, I shouted, C'est l'heure fatale! and made as if to
throw the raincoat aside but Noria, as if dreading the exposure,
always dragged me down from the table, crying, No! No! until the
carnival crowd, consumed with curiosity, pulled me into a corner, tore
the raincoat away, and everything else too! There was another night,
before the Bal des Quat'z Arts, when the café was filled with
students and models in costume, and costume for the Quat'z Arts in
those days, whatever it may be now, did not require the cutting out of
many handkerchiefs. But the first night was the best and every other
night a more or less pale reflection of that, always, indeed, coloured
a little by the memory of it. So that today, when sometimes I am
asked what café I prefer in Paris and I reply, the d'Harcourt, there are
those who look at me a little pityingly and some even go so far as to
ejaculate, O! that! but I know why it is my favourite.
Even a leisurely dinner ends at last, and I knew, as we sipped our
coffee and green chartreuse and smoked our cigarettes, that this
one must be over. After paying our very moderate addition, we
strolled slowly away, to hop into an empty fiacre which stood on the
corner a block down the boulevard. I lay back against the seat and
gazed at the stars for a moment as the drive began through the
warm, fragrant Paris air, the drive back to the right bank, this time
across the Pont Neuf, down the Rue de Rivoli, through the Place de
la Concorde, where the fountains were playing, and up the Champs-
Elysées. The aroma of the chestnuts, the melting grey of the
buildings, the legions of carriages and buses, filled with happy,
chattering people, the glitter of electricity, all the mystic wonder of
this enchanting night will always stay with me.
We drove to the Théâtre Marigny where we saw a revue; at least we
were present at a revue; I do not remember to have seen or heard
anything on the stage. Between the acts, we walked in the open
foyer, at this theatre a sort of garden, and admired the cocottes,
great ladies of some distant epoch, they seemed to me, in their
toilets from Redfern and Doucet and Chéruit and Callot Sœurs, their
hats from the Rue de la Paix and the Place Vendôme, their
exceedingly elaborate and decoratively artificial complexions. Later,
we sipped cassis on the balcony. It was Spring in Paris and I was
young! The chestnut trees were heavy with white blossoms and the
air was laden with their perfume. I gazed down the Champs-Elysées,
surely the true Elysian Fields, a myriad of lights shining through the
dark green, the black, leaved branches. I do not think I spoke many
words and I know that Albert did not. He may have been bored, but I
think he derived some slight pleasure from my juvenile enthusiasm
for, although Paris was old hat to him, he loved this particular old hat.
We must have stopped somewhere for more drinks on the way
home, perhaps at Weber's in the Rue Royale, where there was a
gipsy band. I do not remember, but I am sure that it was nearly four
in the morning when we drove up before the little hotel in the Place
de l'Odéon and when, after we had paid the driver and dismissed
him, I discovered to my astonishment that the door was locked.
Albert assured me that this was the custom and that I must ring for
the concierge. So I pulled the knob, and even outside we could hear
the distant reverberations of the bell, but no reply came, and the
door remained closed. It was Joseph's job to open the door and
Joseph was asleep and refused to awaken. Again and again we
pulled the cord, the bell tinkling in the vast silence, for the street was
utterly deserted, but still no one came. At last we desisted, Albert
suggesting that I go home with him. We walked a few paces until we
came to the iron fence surrounding the Luxembourg Gardens and
there, lying beside it, I espied a ladder, left by some negligent
workman.
But my room is on the first floor. The window is open; it looks over
the Place. I can enter with the ladder, I cried.
Albert, amused, helped me carry it back. Set up, it just reached the
window and I swiftly scaled it and clambered into the room, waving
my hand back to Albert, who hoisted the ladder to his shoulder as he
started up the street trying to whistle, Viens Poupoule! but laughing
to himself all the time, so that the tune cracked. As for me, I lighted
one of my candles, undressed, threw the feather-bed off to the floor,
and climbed into bed. Then I blew out the candle and soon fell
asleep. It was the tenth of May, 1907, that I spent my first night in
Paris.
Chapter II
It must have been nearly noon when I awakened and drew back the
heavy curtains to let the sunlight into my room, as I have since seen
so many French actresses do on the stage. I rang the bell, and when
Joseph appeared, I asked for hot water, chocolate and rolls.
Presently, he returned with a little can of tepid water and my
breakfast on a tray. While I sponged myself, I listened to the
cacophony of the street, the boys calling vegetables, the heavy
rumbling of the buses on the rough pavement, the shrieking and
tooting of the automobile sirens. Then I sipped my chocolate and
munched my croissant, feeling very happy. My past had dropped
from me like a crustacean's discarded shell. I was in Paris and it still
seemed possible to live in Paris as I had been told that one lived
there. It was exactly like the books.
After my breakfast, I dressed slowly, and wandered out, past the
peristyle of the Odéon, where I afterwards spent so many contented
hours searching for old plays, on through the now open gate of the
Luxembourg Gardens, gaily sprinkled with children and their
nounous, students and sweet girls, charming old ladies with lace
caps on their heads and lace scarfs round their shoulders, and
painters, working away at their canvases on easels. In the pool in
front of the Senate, boys were launching their toy sloops and
schooners and, a little further away on the gravel walk, other boys
were engaged in the more active sport of diabolo. The gardens were
ablaze with flowers but a classic order was maintained for which the
stately rows of clipped limes furnished the leading note. The place
seemed to have been created for pleasure. Even the dingy statues
of the queens smiled at me. I sat on a bench, dreaming, until an old
crone approached and asked me for a sou. I thought her a beggar
until she returned the change from a fifty centimes piece which I had
given her, explaining that one sou was the price of my seat. There
were free seats too, I discovered after I had paid.
The Luxembourg Gardens have always retained their hold over my
imagination. I never visit Paris without spending several hours there,
sometimes in the bright morning light, sometimes in the late
afternoon, when the military band plays dolent tunes, usually by
Massenet, sometimes a spectator at one of the guignols and, very
often in the autumn, when the leaves are falling, I sit silently on a
bench before the Medici fountain, entirely unconscious of the
passing of time. The Luxembourg Gardens always envelop me in a
sentimental mood. Their atmosphere is softly poetic, old-fashioned,
melancholy. I am near to tears now, merely thinking of them, and I
am sure the tears came to my eyes even on that bright May morning
fourteen years ago.
Did I, attracted by the strange name, lunch at the Deux-Magots? It is
possible. I know that later I strolled down the Rue de Seine and
along the quais, examining eighteenth century books, buying old
numbers of l'Assiette au Beurre, and talking with the quaint vendors,
most of them old men. Then I wandered up the Rue de Richelieu,
studying the examples of fine bindings in the windows of the shops
on either hand. About three o'clock, I mounted the impériale of a bus,
not even asking where it was going. I didn't care. I descended before
the gate of the Parc Monceau and passed a few happy moments in
the presence of the marble lady in a dress of the nineties, who reads
Guy de Maupassant in the shadow of his bust, and a few more by
the Naumachie, the oval pool, flanked by a semi-circular Corinthian
colonnade in a state of picturesque ruin.
At a quarter before four, I left the parc and, hailing a fiacre, bade the
driver take me to Martha Baker's studio in the Avenue Victor Hugo,
where I had an appointment. Martha was painting my portrait. She
had begun work on the picture in Chicago the year before but when I
went to New York, she went to Paris. So it was still unfinished and I
had promised to come to her for more sittings. Now, in Chicago,
Martha noted that I grew restless on the model-stand and she had
found it expedient to ask people in to talk to me, so that my face
would not become dead and sullen. There, I usually knew the people
she would ask, but it occurred to me, as I was driving to her door,
that in Paris I knew no one, so that, if she followed her habit, I would
see new faces.
The cocher stopped his horse before an old stone house and I
entered. Challenged by the concierge, I asked for Mademoiselle
Bahker, and was directed to go through the courtyard into a back
passageway, up the stairs, where I would find Mademoiselle Bahker,
troisième à gauche. I followed these instructions and knocked at the
door. Martha, herself, opened it.
Oh, Carl, it's you! I'm so glad to see you!
Martha had not changed. She and even her studio were much as
they had been in Chicago. She is dead now, dead possibly of a
broken heart; certainly she was never happy. Her Insouciance, the
portrait of Elizabeth Buehrmann, in a green cloth dress trimmed with
fur, and a miniature or two hang in the Art Institute in Chicago, but
during her lifetime she never received the kind of appreciation she
really craved. She had an uncanny talent for portraiture, a talent
which in some respects I have never seen equalled by any of her
coevals. Artists, as a matter of fact, generally either envied or
admired her. Her peculiar form of genius lay in the facility with which
she caught her sitters' weaknesses. Possibly this is the reason she
did not sell more pictures, for her models were frequently
dissatisfied. It was exasperating, doubtless, to find oneself caught in
paint on canvas against an unenviable immortality. Her sitters were
exposed, so to speak; petty vices shone forth; Martha almost
idealized the faults of her subjects. It would be impossible for the
model to strut or pose before one of her pictures. It told the truth.
Sargent caught the trick once. I have been informed that a physician
diagnosed the malady of an American lady, his patient, after studying
Sargent's portrait of her.
Martha should have painted our presidents, our mayors, our
politicians, our authors, our college presidents, and our critics.
Posterity might have learned more from such portraits than from
volumes of psychoanalytic biography. But most of her sitters were
silly Chicago ladies, not particularly weak because they were not
particularly strong. On the few occasions on which in her capacity as
an artist she had faced character, her brushes unerringly depicted
something beneath the surface. She tore away men's masks and,
with a kind of mystic understanding, painted their insides. How it was
done, I don't know. Probably she herself didn't know. Many an artist
is ignorant of the secret of his own method. If I had ascribed this
quality to Martha during her lifetime, which I never did, she might not
have taken it as praise. It may not, indeed, have been her ambition,
although truth was undoubtedly her ambition. Speculation aside, this
was no art for Chicago. I doubt, indeed, if it would have been popular
anywhere, for men the world over are alike in this, that they not only
prefer to be painted in masks, they even want the artist to flatter the
mask a bit.
The studio, I observed at once, was a little arty, a little more arty than
a painter's studio usually is. It was arranged, of that there could be
no doubt. There were, to be sure, canvases stacked against the wall
in addition to those which were hanging, but they had been stacked
with a crafty hand, one indubious of its effect. For the rest, the tables
and couches were strewn with brocades and laces, and lilacs and
mimosa bloomed in brown and blue and green earthenware bowls
on the tables. Later, I knew that marigolds and zinnias would replace
these and, later still, violets and gardenias. On an easel stood my
unfinished portrait and a palette and a box of paints lay on a stool
nearby.
Martha herself wore a soft, clinging, dark-green woolen dress,
almost completely covered by a brown denim painter's blouse. Her
hair was her great glory, long, reddish gold Mélisande hair which,
when uncoiled, hung far below her knees, but today it was knotted
loosely on top of her head. Her face, keen and searching, wore an
expression that might be described as wistful; discontent lurked
somewhere between her eyes and her mouth. Her complexion was
sallow and she wore eye-glasses.
There was some one else present, a girl, sitting in a shadowy corner,
who rose as I entered. A strong odour of Cœur de Jeannette
hovered about her. She was an American. She was immediately
introduced as Miss Clara Barnes of Chicago, but I would have known
she was an American had she not been so introduced. She wore a
shirt-waist and skirt. She had very black hair, parted in the middle, a
face that it would have been impossible to remember ten minutes
and which now, although I have seen her many times since, I have
completely forgotten, and very thick ankles. I gathered presently that
she was in Paris to study singing as were so many girls like her. Very
soon, I sized her up as the kind of girl who thinks that antimacassars
are ottomans, that tripe is a variety of fish, that Così Fan Tutte is an
Italian ice cream, that the pope's nose is a nasal appendage which
has been blessed by the head of the established church, that The
Beast in the Jungle is an animal story, and that when one says
Arthur Machen one means Harry Mencken.
Well, we'd best begin, said Martha. It's late.
Isn't it too late? I was rather surprised when you asked me to come
in the afternoon.
Martha smiled but there was a touch of petulance in her reply: I knew
you wouldn't get up very early the morning after your first night in
Paris, and I knew if I didn't get you here today there would be small
chance of getting you here at all. If you come again, of course it will
be in the morning.
I climbed to the model-chair, seated myself, grasped the green book
that was part of the composition, and automatically assumed that
woebegone expression that is worn by all amateurs who pose for
their portraits.
That won't do at all, said Martha. I asked Clara to come here to
amuse you.
Clara tried. She told me that she was studying Manon and that she
had been to the Opéra-Comique fifteen times to hear the opera.
Garden is all wrong in it, all wrong, she continued. In the first place
she can't sing. Of course she's pretty, but she's not my idea of
Manon at all. I will really sing the part and act it too.
A month or two later, while we munched sandwiches and drank beer
between the acts of Tristan und Isolde in the foyer of the
Prinzregenten Theater in Munich, Olive Fremstad introduced me to
an American girl, who informed me that a new Isolde had been born
that day.
I shall be the great Isolde, she remarked casually, and her name, I
gathered, when I asked Madame Fremstad to repeat it, was Minnie
Saltzmann-Stevens.
But on the day that Clara spoke of her future triumphs in Manon, I
had yet to become accustomed to this confidence with which
beginners in the vocal art seem so richly endowed, a confidence
which is frequently disturbed by circumstances for, as George Moore
has somewhere said, our dreams and our circumstances are often in
conflict. Later, I discovered that every unsuccessful singer believes,
and asserts, that Geraldine Farrar is instrumental in preventing her
from singing at the Metropolitan Opera House. On this day, I say, I
was unaware of this peculiarity in vocalists but I was interested in the
name she had let slip, a name I had never before heard.
Who is Garden? I asked.
You don't know Mary Garden! exclaimed Martha.
There! shrieked Clara. There! I told you so. No one outside of Paris
has ever even heard of the woman.
Well, they've heard of her here, said Martha, quietly, pinching a little
worm of cobalt blue from a tube. She's the favourite singer of the
Opéra-Comique. She is an American and she sings Louise and
Manon and Traviata and Mélisande and Aphrodite, especially
Aphrodite.
She's singing Aphrodite tonight, said Miss Barnes.
And what is she like? I queried.
Well, Clara began dubiously, she is said to be like Sybil Sanderson
but, of course, Sanderson had a voice and, she hurried on, you know
even Sanderson never had any success in New York.
I recalled, only too readily, how Manon with Jean de Reszke, Pol
Plançon, and Sybil Sanderson in the cast had failed in the nineties at
the Metropolitan Opera House, and I admitted as much to Clara.
But would this be true today? I pondered.
Certainly, advanced Clara. America doesn't want French singers.
They never know how to sing.
But you are studying in Paris.
The girl began to look discomfited.
With an Italian teacher, she asseverated.
It delighted me to be able to add, I think Sanderson studied with
Sbriglia and Madame Marchesi.
Your face is getting very hard, cried Martha in despair.
I think he is very rude, exclaimed the outraged and contumacious
Miss Barnes, with a kind of leering acidity. He doesn't seem to know
the difference between tradition and impertinent improvisation. He
doesn't see that singing at the Opéra or the Opéra-Comique with a
lot of rotten French singers would ruin anybody who didn't have
training enough to stand out against this influence, singing utterly
unmusical parts like Mélisande, too, parlando rôles calculated to ruin
any voice. Maeterlinck won't even go to hear the opera, it's so rotten.
I wonder how much Mr. Van Vechten knows about music anyway?
Very little, I remarked mildly.
O! wailed Martha, you're not entertaining Carl at all and I can't paint
when you squabble. Carl's very nice. Why can't you be agreeable,
Clara? What is the matter?
Miss Barnes disdained to reply. She drew herself into a sort of sulk,
crossing her thick ankles massively. The scent of Cœur de Jeannette
seemed to grow heavier. Within bounds, I was amused by her
display of emotion but I was also bored. My face must have showed
it. Martha worked on for a moment or two and then flung down her
brushes.
It's no good, no good at all, she announced. You have no expression
today. I can't get behind your mask. Your face is completely empty.
And, I may add, as this was the last day that Martha ever painted on
this portrait, she never did get behind the mask. To that extent I
triumphed, and the picture still exists to confuse people as to my real
personality. It is as empty as if it had been painted by Boldini or
McEvoy. Fortunately for her future reputation in this regard, Martha
had already painted a portrait of me which is sufficiently revealing.
I must have stretched and yawned at this point, for Martha looked
cross, when a welcome interruption occurred in the form of a knock
at the door. Martha walked across the room. As she opened the
door, directly opposite where I was sitting, I saw the slender figure of
a young man, perhaps twenty-one years old. He was carefully
dressed in a light grey suit with a herring-bone pattern, and wore a
neck-scarf of deep blue. He carried a stick and buckskin gloves in
one hand and a straw hat in the other.
Why, it's Peter! cried Martha. I wish you had come sooner.
This is Peter Whiffle, she said, leading him into the room and then,
as he extended his hand to me, You know Clara Barnes.
He turned away to bow but I had already caught his interesting face,
his deep blue eyes that shifted rather uneasily but at the same time
remained honest and frank, his clear, simple expression, his high
brow, his curly, blue-black hair, carefully parted down the centre of
his head. He spoke to me at once.
Martha has said a good deal, perhaps too much about you. Still, I
have wanted to meet you.
You must tell me who you are, I replied.
I should have told you, only you just arrived, Martha put in. I had no
idea that Peter would come in today. He is the American Flaubert or
Anatole France or something. He is writing a book. What is your
book about, Peter?
Whiffle smiled, drew out a cigarette-case of Toledo work, extracted a
cigarette from it, and said, I haven't the slightest idea. Then, as if he
thought this might be construed as rudeness, or false modesty, or a
rather viscous attempt at secrecy, he added, I really haven't, not the
remotest. I want to talk to you about it.... That's why I wanted to meet
you. Martha says that you know ... well, that you know.
You really should be painting Mr. Van Vechten now, said Clara
Barnes, with a trace of malice. He has the right expression.
I hope I haven't interrupted your work, said Peter.
No, I'm through today, Martha rejoined. We're neither of us in the
mood. Besides it's absurd to try to paint in this light.
Painting, Peter went on, is not any easier than writing. Always the
search for—for what? he asked suddenly, turning to me.
For truth, I suppose, I replied.
I thought you would say that but that's not what I meant, that's not at
all what I meant.
This logogriph rather concluded that subject, for Peter did not explain
what it was that he did mean. Neither did he wear a conscious air of
obfuscation. He rambled on about many things, spoke of new
people, new books, new music, and he also mentioned Mary
Garden.
I have heard of Mary Garden for the first time today, I said, and I am
beginning to be interested.
You haven't seen her? demanded Peter. But she is stupendous,
soul, body, imagination, intellect, everything! How few there are. A
lyric Mélisande, a caressing Manon, a throbbingly wicked Chrysis.
She is the cult in Paris and the Opéra-Comique is the Temple where
she is worshipped. I think some day this new religion will be carried
to America. He stopped. Let me see, what am I doing tonight? O!
yes, I know. I won't do that. Will you go with me to hear Aphrodite?
Of course, I will. I have just come to Paris and I want to do and hear
and see everything.
Well, we'll go, he announced, but I noted that his tone was curiously
indecisive. We'll go to dinner first.
You're not going to dinner yet? Martha demanded rather querulously.
Not quite yet. Then, turning to Clara, How's the Voice?
It was my first intimation that Clara had thus symbolized her talent in
the third person. People were not expected to refer to her as Clara or
Miss Barnes; she was the Voice.
The Voice is doing very well indeed, Clara, now quite mollified,
rejoined. I'm studying Manon, and if you like Mary Garden, wait until
you hear me!
Peter continued to manipulate Clara with the proper address. The
conversation bubbled or languished, I forget which; at any rate, a
half hour or so later, Peter and I were seated in a taxi-cab, bound for
Foyot's where he had decided we would dine; at least I thought he
had decided, but soon he seemed doubtful.
Foyot's, Foyot's, he rolled the name meditatively over on his tongue.
I don't know....
We leaned back against the seat and drank in the soft air. I don't
think that we talked very much. The cocher was driving over the
bridge of Alexandre III with its golden horses gleaming in the late
afternoon sunlight when Peter bent forward and addressed him,
Allez au Café Anglais.
Where meant nothing to me, but I was a little surprised at his
hesitation. The cocher changed his route, grumbling a bit, for he was
out of his course.
I don't know why I ever suggested Foyot, said Peter, or the Café
Anglais either. We'll go to the Petit Riche.
Chapter III
If the reader has been led to expect a chapter devoted to an account
of Mary Garden in Aphrodite, he will be disappointed. I did not see
Mary Garden that evening, nor for many evenings thereafter, and I
do not remember, indeed, that Peter Whiffle ever referred to her
again. We dined at a quiet little restaurant, Boilaive by name, near
the Folies-Bergère. The interior, as bare of decoration as are most
such interiors in Paris, where the food and wines are given more
consideration than the mural paintings, was no larger than that of a
small shop. My companion led me straight to a tiny winding staircase
in one corner, which we ascended, and presently we found ourselves
in a private room, with three tables in it, to be sure, but two of these
remained unoccupied. We began our dinner with escargots à la
bordelaise, which I was eating for the first time, but I have never
been squeamish about novel food. A man with a broad taste in food
is inclined to be tolerant in regard to everything. Also, when he
begins to understand the cooking of a nation, he is on the way to an
understanding of the nation itself. There were many other dishes, but
I particularly remember a navarin because Peter spoke of it, pointing
out that every country has one dish in which it is honourable to put
whatever is left over in the larder. In China (or out of it, in Chinese
restaurants), this dish is called chop suey; in Ireland, Irish stew; in
Spain, olla or puchero; in France, ragoût or navarin; in Italy,
minestra; and in America, hash. We lingered over such matters,
getting acquainted, so to speak, passing through the polite stages of
early conversation, slipping beyond the poses that one
unconsciously assumes with a new friend. I think I did most of the
talking, although Whiffle told me that he had come from Ohio, that he
was in Paris on a sort of mission, something to do with literature, I
gathered. We ate and drank slowly and it must have been nearly ten
when he paid the bill and we drove away, this time to Fouquet's, an
open-air restaurant in the Champs-Elysées, where we sat on the
broad terrasse and drank many bocks, so many, indeed, that by the
time we had decided to settle our account, the saucers in front of us
were piled almost to our chins. We should probably have remained
there all night, had he not suggested that I go to his rooms with him.
That night, my second in Paris, I would have gone anywhere with
any one. But there was that in Peter Whiffle which had awakened
both my interest and my curiosity for I, too, had the ambition to write,
and it seemed to me possible that I was in the presence of a writing
man, an author.
We entered another taxi-auto or fiacre, I don't remember and it
doesn't matter, there were so many peregrinations in those days,
and we drove to an apartment house in a little street near the Rue
Blanche. The house being modern, there was an ascenseur and I
experienced for the first time the thrill of one of those little personally
conducted lifts, in which you press your own button and take your
own chances. Since that night I have had many strange
misadventures with these intransigent elevators, but on this
occasion, miraculously, the machine stopped at the fourth floor, as it
had been bidden, and soon we were in the sitting-room of Whiffle's
apartment, a room which I still remember, although subsequently I
have been in half a dozen of his other rooms in various localities.
It was very orderly, this room, although not exactly arranged, at any
rate not arranged like Martha's studio, as if to set object against
object and colour against colour. It was a neat little ivory French
room, with a white fire-place, picked in gold, surmounted by a gilt
clock and Louis XVI candlesticks. There were charming aquatints on
the ivory walls and chairs and tables of the Empire period. The
tables were laden with neat piles of pamphlets. Beside a type-writer,
was ranged a heap of note-books at least a foot high and stacked on
the floor in one corner there were other books, formidable-looking
volumes of weight and heft, "thick bulky octavos with cut-and-come-
again expressions," apparently dictionaries and lexicons. An orange
Persian cat lay asleep in one of the chairs as we entered, but he
immediately stretched himself, extending his noble paws, yawning
and arching his back, and then came forward to greet us, purring.
Hello, George! cried Whiffle, as the cat waved his magnificent red tail
back and forth and rubbed himself against Peter's leg.
George? I queried.
Yes, that's George Moore. He goes everywhere with me in a basket,
when I travel, and he is just as contented in Toledo as he is in Paris,
anywhere there is raw meat to be had. Places mean nothing to him.
My best friend.
I sat in one of the chairs and lit a cigarette. Peter brought out a bottle
of cognac and a couple of glasses. He threw open the shutters and
the soft late sounds of the city filtered in with the fresh spring air.
One could just hear the faint tinkle of an orchestra at some distant
bal.
I like you, Van Vechten, my host began at last, and I've got to talk to
somebody. My work has just begun and there's so much to say
about it. Tell me to stop when you get tired.... In a way, I want to
know what you think; in another way, it helps me merely to talk, in
the working out of my ideas. But who was there to talk to, I mean
before you came? I can see that you may be interested in what I am
trying to do, good God! in what I will do! I've done a lot already....
You have begun your book then?
Well, you might say so, but I haven't written a line. I've collected the
straw; the bricks will come. I've not been idle. You see those
catalogues?
I nodded.
He fumbled them over. Then, without a break, with a strange glow of
exhilaration on his pale ethereal face, his eyes flashing, his hands
gesticulating, his body swaying, marching up and down the room, he
recited with a crescendo which mounted to a magnificent fortissimo
in the coda:
Perfumery catalogues: Coty, Houbigant, Atkinson, Rigaud, Rue de la
Paix, Bond Street, Place Vendôme, Regent Street, Nirvana, Chypre,
Sakountala, Ambre, Après l'Ondée, Quelques Fleurs, Fougère
Royale, Myrbaha, Yavahnah, Gaudika, Délices de Péra, Cœur de
Jeannette, Djer Kiss, Jockey-Club, and the Egyptian perfumes,
Myrrh and Kyphy. Did you know that Richelieu lived in an
atmosphere heavily laden with the most pungent perfumes to inflame
his sexual imagination? Automobile catalogues: Mercedes, Rolls-
Royce, Ford, tires, self-starters, limousines, carburettors, gas.
Jewellery catalogues: heaps of 'em, all about diamonds and
platinum, chrysoprase and jade, malachite and chalcedony,
amethysts and garnets, and the emerald, the precious stone which
comes the nearest to approximating that human manifestation
known as art, because it always has flaws; red jasper, sacred to the
rosy god, Bacchus, the green plasma, blood-stone, cornelian, cat's-
eye, amber, with its medicinal properties, the Indian jewels, spinels,
the reddish orange jacinth, and the violet almandine. Did you know
that the Emperor Claudius used to clothe himself in smaragds and
sardonyx stones and that Pope Paul II died of a cold caught from the
weight and chill of the rings which loaded his aged fingers? Are you
aware that the star-topaz is as rare as a Keutschacher Rubentaler of
the year 1504? Yonder is a volume which treats of the glyptic lore. In
it you may read of the Assyrian cylinders fashioned from red and
green serpentine, the Egyptian scarabei, carved in steaschist; you
may learn of the seal-cutters of Nineveh and of the Signet of
Sennacherib, now preserved in the British Museum. Do you know
that a jewel engraved with Hercules at the fountain was deposited in
the tomb of the Frankish King Childeric at Tournay? Do you know of
Mnesarchus, the Tyrrhene gem-cutter, who practised his art at
Samos? Have you seen the Julia of Evodus, engraved in a giant
aquamarine, or the Byzantine topaz, carved with the figure of the
blind bow-boy, sacrificing the Psyche-butterfly, or the emerald signet
of Polycrates, with the lyre cut upon it, or the Etruscan peridot
representing a sphinx scratching her ear with her hind paw, or the
sapphire, discovered in a disused well at Hereford, in which the head
of the Madonna has been chiseled, with the inscription, round the
beasil, in Lombard letters, tecta lege lecta tege, or the jacinth
engraved with the triple face of Baphomet, with a legend of darkly
obscene purport? The breastplate of the Jewish High Priest had its
oracular gems, which were the Urim and Thummim. Apollonius
Tyaneus, the sorcerer, for the purposes of his enchantments, wore
special rings with appropriate stones for each day of the week. Also,
in this curious book, and others which you may examine, such as
George III's Dactyliotheca Smithiana (Venice; 1767), you will find
some account of the gems of the Gnostics: an intaglio in a pale
convex plasma, carved with the Chnuphis Serpent, raising himself
aloft, with the seven vowels, the elements of his name, above;
another jewel engraved with the figure of the jackal-headed Anubis,
the serpent with the lion's head, the infant Horus, seated on the
lotus, the cynocephalus baboon, and the Abraxas-god, Iao, created
from the four elements; an Egyptian seal of the god, Harpocrates,
seated on the mystic lotus, in adoration of the Yoni; and an esoteric
green jasper amulet in the form of a dragon, surrounded by rays.
Florists' catalogues: strangely wicked cyclamens, meat-eating
begonias, beloved of des Esseintes (Henri Matisse grows these
peccant plants in his garden and they suggest his work), shaggy
chrysanthemums, orchids, green, white, and mauve, the veined
salpiglossis, the mournful, rich-smelling tube-rose, all the mystic
blossoms adored by Robert de la Condamine's primitive, tortured,
orgiastic saints in The Double Garden, marigolds and daisies, the
most complex and the most simple flowers of all, hypocritical
fuchsias, and calceolaria, sacred to la bella Cenerentola. Reaper
catalogues: you know, the McCormicks and the Middle West.
Porcelain catalogues: Rookwood, Royal Doulton, Wedgwood, Delft,
the quaint, clean, heavy, charming Brittany ware, Majolica, the
wondrous Chinese porcelains, self-colour, sang de bœuf, apple of
roses, peach-blow, Sèvres, signed with the fox of Emile Renard, or
the eye of Pajou, or the little house of Jean-Jacques Anteaume.
Furniture catalogues: Adam and Louis XV, Futurist, Empire, Venetian
and Chinese, Poincaré and Grand Rapids. Art-dealers' catalogues:
Félicien Rops and Jo Davidson, Renoir and Franz Hals, Cranach
and Picasso, Manet and Carpaccio. Book-dealers' catalogues:
George Borrow, Thomas Love Peacock, Ambrose Bierce, William
Beckford, Robert Smith Surtees, Francis William Bain. Do you know
the true story of Ambrose Gwinett, related by Oliver Goldsmith: the
fellow who, having been hanged and gibbeted for murdering a
traveller with whom he had shared his bed-chamber at a tavern,
revived in the night, shipped at sea as a sailor, and later met on a
vessel the man for whose murder he had been hung? Gwinett's
supposed victim had been attacked during the night with a severe
bleeding of the nose, had risen and left the house for a walk by the
sea-wall, and had been shanghaied. Catalogues of curious varieties
of cats: Australian, with long noses and long hind-legs, like
kangaroos, Manx cats without any tails and chocolate and fawn
Siamese cats with sapphire eyes, the cacodorous Russian blue cats,
and male tortoise-shells. Catalogues of tinshops: tin plates, tin cups,
and can-openers. Catalogues of laces: Valenciennes and Cluny and
Chantilly and double-knot, Punto in Aria, a Spanish lace of the
sixteenth century, lace constructed of human hair or aloe fibre, Point
d'Espagne, made by Jewesses. Catalogues of toys: an engine that
spreads smoke in the air, as it runs around a track with a
circumference of eight feet, a doll that cries, Uncle! Uncle! a child's
opium set. Catalogues of operas: Marta and Don Pasquale, Der
Freischütz and Mefistofele, Simon Bocanegra and La Dolores. Cook-
Books: Mrs. Pennell's The Feasts of Autolycus, a grandiose treatise
on the noblest of the arts, wherein you may read of the amorous
adventures of The Triumphant Tomato and the Incomparable Onion,
Mr. Finck's Food and Flavour, the gentle Abraham Hayward on The
Art of Dining, the biography of Vatel, the super-cook who killed
himself because the fish for the king's dinner were missing, Mrs.
Glasse's Cookery, which Dr. Johnson boasted that he could surpass,
and, above all, Jean Anthelme Brillat-Savarin's Physiologie du Goût.
Catalogues of harness, bits and saddles. Catalogues of cigarettes:
Dimitrinos and Melachrinos, Fatimas and Sweet Caporals.
Catalogues of liqueurs: Danziger Goldwasser and Crème Yvette,
Parfait Amour, as tanagrine as the blood in the sacred altar chalice.
Catalogues of paints: yellow ochre and gamboge, burnt sienna and
Chinese vermilion. Catalogues of hats: derbies and fedoras, straw
and felt hats, top-hats and caps, sombreros, tam-o'shanters,
billycocks, shakos and tarbooshes....
He stopped, breathless with excitement, demanding, What do you
think of that?
I don't know what to think....
Welcome to our website – the ideal destination for book lovers and
knowledge seekers. With a mission to inspire endlessly, we offer a
vast collection of books, ranging from classic literary works to
specialized publications, self-development books, and children's
literature. Each book is a new journey of discovery, expanding
knowledge and enriching the soul of the reade

Our website is not just a platform for buying books, but a bridge
connecting readers to the timeless values of culture and wisdom. With
an elegant, user-friendly interface and an intelligent search system,
we are committed to providing a quick and convenient shopping
experience. Additionally, our special promotions and home delivery
services ensure that you save time and fully enjoy the joy of reading.

Let us accompany you on the journey of exploring knowledge and

personal growth!

ebookfinal.com

T. Li, C.-H. Chu, P. Wang, G. Wang-Radio Frequency Identification System Security - RFIDsec 11 Asia Workshop Proceedings - Volume 6 Cryptology and Information Security Series-IOS Press (2011)
100% (1)
T. Li, C.-H. Chu, P. Wang, G. Wang-Radio Frequency Identification System Security - RFIDsec 11 Asia Workshop Proceedings - Volume 6 Cryptology and Information Security Series-IOS Press (2011)
170 pages
Radio Frequency Identification System Security RFIDsec 13 Asia Workshop Proceedings 1st Edition C. Ma Full Chapters Instanly
100% (3)
Radio Frequency Identification System Security RFIDsec 13 Asia Workshop Proceedings 1st Edition C. Ma Full Chapters Instanly
125 pages
CS3235 SemI 2011 12 Projects
No ratings yet
CS3235 SemI 2011 12 Projects
297 pages
Applications of Secure Multiparty Computation 1st Edition P. Laud Available Any Format
No ratings yet
Applications of Secure Multiparty Computation 1st Edition P. Laud Available Any Format
149 pages
A Systems Approach To Cyber Security
No ratings yet
A Systems Approach To Cyber Security
172 pages
RFID Guardian: A Mobile Device For RFID Privacy Location-Aware
No ratings yet
RFID Guardian: A Mobile Device For RFID Privacy Location-Aware
3 pages
Attacking Rfid Systems
No ratings yet
Attacking Rfid Systems
20 pages
Physical Attack Protection Techniques For IC Chip Level Hardware Security
No ratings yet
Physical Attack Protection Techniques For IC Chip Level Hardware Security
10 pages
Design and Construction of An Automatic Security System of A Door Using RFID Technology
No ratings yet
Design and Construction of An Automatic Security System of A Door Using RFID Technology
7 pages
Contributions To RFID Security
No ratings yet
Contributions To RFID Security
155 pages
Rahman 2015
No ratings yet
Rahman 2015
6 pages
Cat 2
No ratings yet
Cat 2
5 pages
Advanced Radio Frequency Identification Design and Applications-Stevan Preradović PDF
No ratings yet
Advanced Radio Frequency Identification Design and Applications-Stevan Preradović PDF
294 pages
RFID Security & Privacy Bibliography
No ratings yet
RFID Security & Privacy Bibliography
54 pages
Radio Frequency Identification and IoT Security 12th International Workshop RFIDSec 2016 Hong Kong China November 30 December 2 2016 Revised Selected Papers 1st Edition Gerhard P. Hancke instant access 2025
No ratings yet
Radio Frequency Identification and IoT Security 12th International Workshop RFIDSec 2016 Hong Kong China November 30 December 2 2016 Revised Selected Papers 1st Edition Gerhard P. Hancke instant access 2025
88 pages
Radio Frequency Identification Fundamentals and Applications, Bringing Research To Practice
No ratings yet
Radio Frequency Identification Fundamentals and Applications, Bringing Research To Practice
286 pages
Ausecha RFID
No ratings yet
Ausecha RFID
21 pages
RFID Security in Telemedicine
No ratings yet
RFID Security in Telemedicine
18 pages
RFID Based Security System: K.Srinivasa Ravi, G.H.Varun, T.Vamsi, P.Pratyusha
No ratings yet
RFID Based Security System: K.Srinivasa Ravi, G.H.Varun, T.Vamsi, P.Pratyusha
3 pages
Security Issues in RFID
No ratings yet
Security Issues in RFID
25 pages
Radio Frequency Identification (Rfid) : Advancements, Applications, and Security Challenges
No ratings yet
Radio Frequency Identification (Rfid) : Advancements, Applications, and Security Challenges
21 pages
RFID Systems: Overview & Applications
No ratings yet
RFID Systems: Overview & Applications
16 pages
The Evolution of RFID Security and Privacy:A Research Survey
No ratings yet
The Evolution of RFID Security and Privacy:A Research Survey
5 pages
Applications of Secure Multiparty Computation
No ratings yet
Applications of Secure Multiparty Computation
264 pages
Vulnerability and Countermeasures of RFID System: Nidhi Chauhan
No ratings yet
Vulnerability and Countermeasures of RFID System: Nidhi Chauhan
3 pages
Security and Trends in Wireless Identification and Sensing Platform Tags Advancements in RFID 1st Edition Pedro Peris Lopez Kindle & PDF Formats
No ratings yet
Security and Trends in Wireless Identification and Sensing Platform Tags Advancements in RFID 1st Edition Pedro Peris Lopez Kindle & PDF Formats
79 pages
Security and Trends in Wireless Identification and Sensing Platform Tags Advancements in RFID 1st Edition Pedro Peris Lopez Download
100% (9)
Security and Trends in Wireless Identification and Sensing Platform Tags Advancements in RFID 1st Edition Pedro Peris Lopez Download
61 pages
28 Rfid
No ratings yet
28 Rfid
7 pages
Final 2
No ratings yet
Final 2
28 pages
Seminar Abstract
No ratings yet
Seminar Abstract
3 pages
FPGA Side Channel Attack Analysis
100% (1)
FPGA Side Channel Attack Analysis
89 pages
Applied Cryptography and Network Security
100% (4)
Applied Cryptography and Network Security
390 pages
Security in Comp Science 2021
No ratings yet
Security in Comp Science 2021
145 pages
Wireless Privacy Mobile System
No ratings yet
Wireless Privacy Mobile System
310 pages
Secure Symmetric Authentication For Rfid Tags
No ratings yet
Secure Symmetric Authentication For Rfid Tags
5 pages
Group 4 Cys322
No ratings yet
Group 4 Cys322
5 pages
Research Ideas On Network Security Experiment and Appraisal of Avionics System
No ratings yet
Research Ideas On Network Security Experiment and Appraisal of Avionics System
8 pages
Radio Frequency Identification Technolog
No ratings yet
Radio Frequency Identification Technolog
10 pages
Radio Frequency Identification - RFID
No ratings yet
Radio Frequency Identification - RFID
20 pages
Ensayo 2
No ratings yet
Ensayo 2
17 pages
A Digital Design Flow For Secure Integrated Circuits
No ratings yet
A Digital Design Flow For Secure Integrated Circuits
12 pages
IoT Security for Tourism Resorts
No ratings yet
IoT Security for Tourism Resorts
9 pages
CPP Presentation On Rfid Icards 5th Sem
No ratings yet
CPP Presentation On Rfid Icards 5th Sem
18 pages
Security in RFID and Sensor Networks Kitsos PDF Available
100% (1)
Security in RFID and Sensor Networks Kitsos PDF Available
95 pages
Privacy Etc. Nov 08
No ratings yet
Privacy Etc. Nov 08
20 pages
Radio Frequency Identification Security and Privacy Issues 10th International Workshop RFIDSec 2014 Oxford UK July 21 23 2014 Revised Selected Papers 1st Edition Nitesh Saxena Instant Download
No ratings yet
Radio Frequency Identification Security and Privacy Issues 10th International Workshop RFIDSec 2014 Oxford UK July 21 23 2014 Revised Selected Papers 1st Edition Nitesh Saxena Instant Download
116 pages
(Ebook) Applications of Secure Multiparty Computation by P. Laud L. Kamm ISBN 9781614995326, 161499532X Digital Download
No ratings yet
(Ebook) Applications of Secure Multiparty Computation by P. Laud L. Kamm ISBN 9781614995326, 161499532X Digital Download
80 pages
Lightweight Cryptography For RFID Tags
No ratings yet
Lightweight Cryptography For RFID Tags
4 pages
A Survey Paper On Elliptic Curve Cryptog PDF
No ratings yet
A Survey Paper On Elliptic Curve Cryptog PDF
5 pages
Wireless Security Challenges & Trends
No ratings yet
Wireless Security Challenges & Trends
39 pages
S Rfid M A S M S: Ecured Utual Uthentication Cheme For Ifare Ystems
No ratings yet
S Rfid M A S M S: Ecured Utual Uthentication Cheme For Ifare Ystems
15 pages
Risks of RFID
No ratings yet
Risks of RFID
1 page
Hardware Security Insights
No ratings yet
Hardware Security Insights
35 pages
RFID Spoofing: University Study
No ratings yet
RFID Spoofing: University Study
15 pages
Unit 5 - Advanced Wireless Networks
No ratings yet
Unit 5 - Advanced Wireless Networks
49 pages
SEMINAR REPORT - Blockchain............................ Final
No ratings yet
SEMINAR REPORT - Blockchain............................ Final
20 pages
Jabra Speak 750 UC Datasheet A4 Web
No ratings yet
Jabra Speak 750 UC Datasheet A4 Web
2 pages
Iterative Deepening DFS Guide
No ratings yet
Iterative Deepening DFS Guide
4 pages
IR Models for Students
No ratings yet
IR Models for Students
62 pages
Unit 5 Soft Computing
No ratings yet
Unit 5 Soft Computing
20 pages
W07 Report: Digital Profile or Eportfolio
No ratings yet
W07 Report: Digital Profile or Eportfolio
2 pages
PDF Bahram
No ratings yet
PDF Bahram
3 pages
Project Report AI Chatbot Covid 19
No ratings yet
Project Report AI Chatbot Covid 19
28 pages
Codes
No ratings yet
Codes
4 pages
Chapter 08
No ratings yet
Chapter 08
75 pages
W3Schools Quiz Results Css
No ratings yet
W3Schools Quiz Results Css
9 pages
Logistic Regression
No ratings yet
Logistic Regression
7 pages
HTTP Methods and REst APIs
No ratings yet
HTTP Methods and REst APIs
6 pages
Dca01 - D42010019 - Hitesh Parashar
No ratings yet
Dca01 - D42010019 - Hitesh Parashar
8 pages
10a Piping Diagrams and Drawings
No ratings yet
10a Piping Diagrams and Drawings
8 pages
True University Management System
0% (1)
True University Management System
12 pages
Liebherr Liccon Universal Work Planner v6 19 Mobile Crane LTM 1200-5-1
100% (4)
Liebherr Liccon Universal Work Planner v6 19 Mobile Crane LTM 1200-5-1
19 pages
Java Programming Question Bank PDF
No ratings yet
Java Programming Question Bank PDF
12 pages
Advance Java Unit 4 Networking Basics Prof Akhil Jaiswal Notes - No
No ratings yet
Advance Java Unit 4 Networking Basics Prof Akhil Jaiswal Notes - No
21 pages
Supported Memory Type For Intel
No ratings yet
Supported Memory Type For Intel
6 pages
Module 1 - AI - chp-1
No ratings yet
Module 1 - AI - chp-1
19 pages
Schoolmgmtsystem
No ratings yet
Schoolmgmtsystem
22 pages
ECT352 - Ktu Qbank
No ratings yet
ECT352 - Ktu Qbank
7 pages
I PUC CS Chapter 2
No ratings yet
I PUC CS Chapter 2
11 pages
EDI Guideline INVOIC Romania
No ratings yet
EDI Guideline INVOIC Romania
80 pages
Unit-I Essay Type Questions With Answers
No ratings yet
Unit-I Essay Type Questions With Answers
4 pages
Software Project Management Quiz
No ratings yet
Software Project Management Quiz
3 pages
Itec 7430 Lesson Plan and Screencast
No ratings yet
Itec 7430 Lesson Plan and Screencast
10 pages
21st-Century-Cbc - BEAUTY CARE Superseded
No ratings yet
21st-Century-Cbc - BEAUTY CARE Superseded
62 pages
SewerGEMS V8i User Guide
100% (14)
SewerGEMS V8i User Guide
1,018 pages

Radio Frequency Identification System Security RFIDsec 13 Asia Workshop Proceedings 1st Edition C. Ma Ebook All Chapters PDF

Uploaded by

Radio Frequency Identification System Security RFIDsec 13 Asia Workshop Proceedings 1st Edition C. Ma Ebook All Chapters PDF

Uploaded by

Visit https://ebookfinal.

com to download the full version and

Radio Frequency Identification System Security

_____ Click the link below to download _____

Explore and download more ebook at ebookfinal.com

Radio Frequency Integrated Circuits and Systems 1st

Radio frequency circuit design 2nd ed Edition W Alan

Radio Frequency Electronics Circuits and Applications 2nd

Radio Frequency Transistors Principles and Practical

Control System Documentation Applying Symbols And

Power System Load Frequency Control Classical and Adaptive

Lepton Scattering Hadrons and QCD Proceedings 1st Edition

Autism and the Environment Challenges and Opportunities

Coordinating Series Editors: Raphael C.-W. Phan and Jianying Zhou

ISSN 1871-6431 (print)

Amsterdam • Berlin • Tokyo • Washington, DC

ISBN 978-1-61499-327-8 (print)

Distributor in the USA and Canada

PRINTED IN THE NETHERLANDS

Changshe Ma and Jian Weng

Organization of the 2013 Workshop

Tieyan Li (Huawei, Singapore)

Publication and Publicity Chairs

Local Organization Committee

On RFID Authentication Protocols with Wide-Strong Privacy 3

Securing NFC with Elliptic Curve Cryptography – Challenges and Solutions 97

Subject Index 133

On RFID Authentication Protocols with

Abstract. Radio frequency identiﬁcation (RFID) tag privacy is an im-

Wide-strong privacy is achievable by using the public key cryptography

The rest of this paper is organized as follows. In Section 2, we describe some

In this section, we give the deﬁnitions of some mathematical preliminaries and

2.1. Bilinear Maps

is a bilinear mapping (pairing) and (P, V, q, e, G1 , G2 , GT ) is a bilinear group.

2.2. Complexity Assumptions

Deﬁnition 1 (Computational Diﬃe-Hellman (CDH) assumption) Given a tuple

2.3. Privacy Model

• Free(vtag): Taking as input a virtual tag vtag, it retrieves the tuple

Deﬁnition 2 A RFID authentication protocol is privacy-preserving if there is no

V irtual T ag Adversary Challenger

Figure 1. Our attack.

3.1. Peeters and Hermans’ Protocol

Recently, Peeters and Hermans [18] proposed an interesting RFID identiﬁcation

Theorem 1 In Peeters and Hermans’ protocol (Figure 2), a wide-strong adversary

Reader(y, DB{Xi }) T ag(x, Y )

Figure 2. Peeters and Hermans’ protocol.

where d∗ = xcoord(r∗ Y ). Then, A generates a new instance I ∗ = (R∗ , e∗ , s∗ )

R∗ = R∗ , e∗ = e∗ , s∗ = s∗ − x0 + x1 .

Since A is a wide adversary, it queries the Result oracle on input a session I ∗ .

Then, we have three cases:

Many ECC-based RFID identiﬁcation protocols employ Diﬃe-Hellman keys to

v = h(R, rY, C),

where rY is a temporary Diﬃe-Hellman key. The signing message is computable

If X exists in the database, the tag is identiﬁed, otherwise it is rejected. The

Figure 3. Baisc protocol.

Theorem 2 The proposed basic RFID authentication protocol is private against

If X exists in the database, the tag is identiﬁed, otherwise it is rejected. The

Reader(X = e(P1 , xP2 ), y, Y = yP2 ) T ag(xP2 , Y )

Choose c ∈R Z∗q , C = cP2

Figure 4. Optimized protocol.

6.2. Privacy Analysis

Theorem 3 The proposed optimized RFID identiﬁcation protocol is private against

• Setup: B selects k, where k ∈ Z∗q and sets P1 , P2 , where P1 = kP, P2 =

and sets mi = (Ri , Si ), πi = (Ci , mi ). B outputs mi and adds < Ti , πi , zi >

In this paper, we demonstrated an attack which is launched by the wide-strong

Chameleon RFID and Tracking

Abstract. We propose a method for prevention of tracking RFID tags. We consider

1.1. Main Assumptions

Poland; E-mail: [email protected].

Draft of the Scheme

Hamming distance between ID and ID is exactly n. When found, ID overwrites ID in

Setup of the System

4. choose at random k positions where

6. check that on positions from L the update: presentedID := z

20000 times. Fig. 3 depicts results of the experiment for n = 6.

where HD(x, y) denotes Hamming distance between x and y. Probability distribution of

_ Click the link below to download _