Lightweight batch authentication protocol, system, storage medium suitable for large scale RFID systems
The lightweight RFID batch authentication protocol designed using the Chinese Remainder Theorem solves the problems of low efficiency and insufficient security in large-scale RFID systems, achieving fast and efficient tag authentication and security assurance.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- XIDIAN UNIV
- Filing Date
- 2023-09-06
- Publication Date
- 2026-06-19
AI Technical Summary
Existing RFID bulk authentication protocols are inefficient when deploying large numbers of tags. Authentication time increases exponentially with the number of tags, energy consumption increases, and scalability is lacking. Some protocols sacrifice security to improve efficiency.
A lightweight batch authentication protocol is designed using the Chinese Remainder Theorem. Through initialization, authentication, and update phases, it utilizes a system of congruence equations and a pseudonym mechanism to achieve batch authentication of tags, thereby reducing tag computation costs and reader server communication overhead.
It achieves fast and efficient authentication in large-scale tagging scenarios, resists replay attacks and forgery attacks, satisfies forward and backward security and tag non-linkability, and reduces tag computing costs and communication overhead.
Figure CN117220858B_ABST
Description
Technical Field
[0001] This invention relates to the field of wireless communication network security technology, and specifically to a lightweight batch authentication protocol, system, and storage medium suitable for large-scale RFID systems.
Background Technology
[0002] For large-scale equipment in the Industrial Internet of Things (IIoT), in addition to ensuring data security and privacy, the authentication efficiency of the IIoT system also needs to be considered. That is, when deploying low-cost, resource-constrained equipment on a large scale in a network, improving the system's efficiency in authenticating legitimate entities is an important research direction for IIoT authentication protocols. The low cost of RFID tags perfectly meets the needs of large-scale equipment deployment in the IIoT. RFID technology uses radio frequency to achieve contactless, two-way data communication. It allows chips to transmit information to readers wirelessly. By using RFID readers, people can identify, track, and monitor entities without touching any objects with RFID tags. Since the 1980s, RFID has been widely used in logistics, pharmaceutical production, retail, and supply chain management.
[0003] When RFID authentication protocols handle large numbers of tags, efficiency becomes a significant challenge for researchers. Traditional RFID authentication protocols are typically designed based on a one-to-one authentication model, meaning each tag needs to conduct a separate authentication communication with the reader. As the number of tags increases, the authentication time grows exponentially, leading to a decrease in overall authentication efficiency. Existing batch authentication protocols also experience a significant increase in authentication time with the number of tags, resulting in increased energy consumption and a lack of scalability. Some batch authentication protocols sacrifice security while improving efficiency. For example, to reduce communication overhead, simplified authentication algorithms or shared authentication keys may be used, increasing the risk of attackers cracking the authentication.
[0004] Existing technologies, such as RFID batch authentication protocols based on homogeneous linear equations (Kang Junbin. Research on Batch Authentication Scheme for Large-Scale RFID Systems in the Internet of Things [D]. Xi'an University of Electronic Science and Technology, 2021. DOI:10.27389/d.cnki.gxadu.2021.003367), randomly distribute any different solution of the homogeneous linear equations to tags as keys. The reader collects a set of solutions each time and sends them to the backend server. The backend server can batch authenticate a number of tags equal to the number of rows in the coefficient matrix of the homogeneous linear equations each time. While RFID batch authentication protocols based on the properties of solutions to homogeneous linear equations have been designed to be efficient, due to the nature of these solutions, an attacker who obtains a solution to a homogeneous linear equation can construct countless legitimate solutions. This means that RFID batch authentication protocols based on the properties of solutions to homogeneous linear equations cannot satisfy the tag non-linkability requirement in RFID authentication systems. Furthermore, in this protocol, the shared key between the reader and the tags is not effectively updated, failing to meet the forward and backward security requirements of RFID authentication.
[0005] Based on the above analysis, the problems and defects of the existing technology are as follows: the existing lightweight RFID batch authentication protocols are inefficient, the authentication time increases exponentially with the linear increase of the number of tags, resulting in increased energy consumption and lack of scalability, and some batch authentication protocols sacrifice a certain degree of security while improving efficiency.
Summary of the Invention
[0006] To overcome the shortcomings of the prior art, the present invention aims to provide a lightweight batch authentication protocol, system, and storage medium suitable for large-scale RFID systems. It can resist common attacks such as replay attacks, forgery attacks, and desynchronization attacks, meet security requirements such as two-way authentication, forward and backward security, and tag non-linkability, and can respond quickly in real time, and can efficiently complete authentication in scenarios with a large number of tags.
[0007] To achieve the above objectives, the technical solution adopted by the present invention is as follows:
[0008] A lightweight batch authentication protocol for large-scale RFID systems includes the following steps:
[0009] The first step, the initialization phase, involves a trusted third party generating keys and pseudonyms, storing them in each authentication entity, and grouping the tags.
[0010] The second step, the authentication phase, involves the server calculating the frame length with the lowest collision rate based on the number of tags; the reader and tags then perform initial mutual authentication using the key $S_{RT}$; the reader uses the authentication information $a_{ki}$ and $PID_{ki}$ to generate the authentication matrices K and K1 and sends them to the server. The server uses the authentication key vector x to calculate whether K·x = 0 holds. If it does, the group of tags is authenticated; otherwise, the server sends a set of erroneous tag indices to the reader.
[0011] The third step, the update phase, involves the tag updating its pseudonym after receiving an update notification, followed by the reader updating the key $S_{RT}$ and the authentication information $a_{ki}$ and sending the message R to the server; finally, the tag key $S_{RT}$ is updated, and the server updates the group authentication key $x_k$ via R.
[0012] The initialization phase includes:
[0013] (1) A trusted third party groups a batch of tags that need to be authenticated into groups, and each group of tags is represented by a set of congruence equations:
[0014]
[0015] From each congruence equation in the above system of equations, we obtain $x_k = a_i + k_i m_i$, where $k_i \in N^*$, which the trusted third party calculates for each tag. $a_i$ is the authentication information $a_{ki}$; the modulus $m_i$ serves as the tag's identity $ID_{ki}$; $PID_{ki} = m_i k_i$ is the pseudonym of the tag; and x is the solution to the system of congruence equations, which is the group authentication key $x_k$. Each group of tags is numbered $I_k$. A tag group consists of n tags, with each congruence equation identifying one tag.
[0016] (2) A trusted third party generates a vector x as the group authentication key vector and preloads it into the backend server;
[0017]
[0018] (3) The tag stores {$PID_{ki}$, $ID_{ki}$, $S_{RT}$, $S_{RTold}$, $I_k$, i}, where $S_{RT}$ is the shared key between the reader and the tag, and $S_{RTold}$ is the shared key used in the previous round of authentication;
[0019] (4) The reader stores {$a_{ki}$, $S_{RT}$, $S_{RTold}$, $I_k$, i}, where the $a_{ki}$ are the coefficients of the congruence equations corresponding to each tag;
[0020] (5) The server stores {x, $I_k$};
[0021] (6) To add a tag to or remove a tag from a tag group, simply perform the corresponding operation on the relevant $a_{ki}$ and i records in the reader.
[0022] The authentication phase includes:
[0023] (1) Before each authentication session begins, the reader sends the number of tags that need to be authenticated in batches to the server. The server calculates the optimal frame length, i.e., the frame length with the lowest collision rate, based on the number of tags. The server generates the current timestamp $T_R$ and sends it, together with the calculated optimal frame length f, to the reader;
[0024] (2) The reader generates a random number $r_k$, calculates the authentication message MT1, and broadcasts the message to the tags within the reading range;
[0025]
[0026] (3) The tag uses the key $S_{RT}$ shared with the reader to recover the corresponding $T_R$ and $r_k$ from the received authentication message MT1. The tag compares the recovered $T_R$ with the stored timestamp T0 of the last successful authentication; if $T_R$ is greater than T0, the tag considers the reader to be legitimate, generates the corresponding authentication messages, and sends them to the server; authentication messages MT2 and MT3 are as follows:
[0027]
[0028]
[0029] (4) The reader uses the shared key to recover $T_R$ and $I_k$ from the authentication message MT2. If the recovered $T_R$ and $I_k$ are equal to the $T_R$ and $I_k$ stored in the reader, authentication continues; the reader uses the stored $r_k$ and $I_k$ to recover the relevant i and $PID_{ki}$, and generates the matrices K1 and K based on the indices:
[0030]
[0031] $K = [n \quad a \quad PID]$
[0032] where
[0033]
[0034] n is the number of tags in the tag group; the reader forwards the group index $I_k$ and the matrix K to the server;
[0035] (5) The server uses the group index $I_k$ and x to calculate whether K·x = 0 holds; if it does, all tags in the group have been successfully authenticated; if it does not, the server sends flag = 0 to the reader, the reader sends the matrix K1 to the server, and the server calculates K1·x = b; the indices of the non-zero elements in vector b are the indices of the erroneous tags; the server generates a set containing the indices of the erroneous tags and returns it to the reader.
[0036] The update phase includes:
[0037] (1) After authentication is completed, the reader generates the current timestamp $T_C$, generates a message, and broadcasts it to the tags;
[0038] (2) The tag performs a calculation to recover the timestamp; if the recovered $T_R$ and the $T_R$ stored during the authentication phase are equal, the tag generates a random number R for updating the pseudonym and key; the tag updates the pseudonym and generates a message:
[0039] $PID_{kinew} = PID_{ki} + R$
[0040]
[0041] $PID_{kinew}$ is the new tag pseudonym; the tag sends the message $MT_{update}$ to the reader;
[0042] (3) The reader performs a calculation; if the recovered $T_C$ and the timestamp $T_C$ generated after authentication are equal, the reader updates the key $S_{RT}$ and the authentication information $a_{ki}$:
[0043] $a_{kinew} = a_{ki} + R$
[0044]
[0045] $a_{kinew}$ is the updated authentication information and $S_{RTnew}$ is the updated key; the reader generates $MT_{update}' = Rot(T_C, T_R)$ and sends it to the tag;
[0046] (4) The reader sends R to the server via a secure channel, and the server updates the group authentication key:
[0047] $x_{knew} = x_k + 2R$
[0048] $x_{knew}$ is the updated group authentication key;
[0049] (5) The reader generates $MT_{update}' = Rot(T_C, T_R)$ and sends it to the tag; the tag uses the stored $T_C$ and $T_R$ to verify whether $MT_{update}'$ holds. If Rot(stored $T_C$, stored $T_R$) = $MT_{update}'$, the tag updates its key:
[0050]
[0051] In step (3) of the authentication phase, the tag sends the tag pseudonym $PID_{ki}$ used for this round of authentication to the reader.
[0052] The authentication phase utilizes the Chinese Remainder Theorem, requiring only one K·x=0 operation to authenticate a batch of tags, and the increase in the number of tags has a minimal impact on computational overhead.
[0053] A storage medium for a lightweight batch authentication protocol suitable for large-scale RFID systems, receiving user input programs, wherein the stored computer programs cause electronic devices to execute the protocol according to any one of claims 1-8, comprising the following steps:
[0054] The first step, the initialization phase, involves a trusted third party generating keys and pseudonyms, storing them in each authentication entity, and grouping the tags.
[0055] The second step, the authentication phase, involves the server calculating the frame length with the lowest collision rate based on the number of tags; the reader and tags then perform initial mutual authentication using the key $S_{RT}$; the reader uses the authentication information $a_{ki}$ and $PID_{ki}$ to generate the authentication matrices K and K1 and sends them to the server. The server uses the authentication key vector x to calculate whether K·x = 0 holds. If it does, the group of tags is authenticated; otherwise, the server sends a set of erroneous tag indices to the reader.
[0056] The third step, the update phase, involves the tag updating its pseudonym after receiving an update notification, followed by the reader updating the key $S_{RT}$ and the authentication information $a_{ki}$ and sending the message R to the server; finally, the tag key $S_{RT}$ is updated, and the server updates the group authentication key $x_k$ via R.
[0057] A system for a lightweight batch authentication protocol suitable for large-scale RFID systems includes:
[0058] Tags are used to store information about the subject;
[0059] The reader is used to obtain subject information and communicate with the server through a computer terminal;
[0060] The server is used to process and store the data collected from the tags;
[0061] This system can perform the following steps:
[0062] The first step, the initialization phase, involves a trusted third party generating keys and pseudonyms, storing them in each authentication entity, and grouping the tags.
[0063] The second step, the authentication phase, involves the server calculating the frame length with the lowest collision rate based on the number of tags; the reader and tags then perform initial mutual authentication using the key $S_{RT}$; the reader uses the authentication information $a_{ki}$ and $PID_{ki}$ to generate the authentication matrices K and K1 and sends them to the server. The server uses the authentication key x to calculate whether K·x = 0 holds. If it does, the group of tags is authenticated; if it does not, a set of erroneous tag indices is sent to the reader.
[0064] The third step, the update phase, involves the tag updating its pseudonym after receiving an update notification, followed by the reader updating the key $S_{RT}$ and the authentication information $a_{ki}$ and sending the message R to the server; finally, the tag key $S_{RT}$ is updated, and the server updates the group authentication key $x_k$ via R.
[0065] Compared with the prior art, the beneficial effects of the present invention are as follows:
[0066] This invention uses each congruence equation from the Chinese Remainder Theorem to identify a tag. The reader and server respectively store the coefficients $a_{ki}$ of the congruence equations and the unique solution $x_k$ of the system of congruences, which enables batch authentication of tags. In this invention, tags only need to perform simple concatenation, shifting, and XOR operations, significantly reducing the computational cost of tags. The invention also considers the communication overhead between the reader and the server. When there are no invalid tags, the communication between the reader and the server includes the number of tags n, the frame length f, the 1*3 vector K generated by the reader, and the group index $I_k$. Compared with RFID batch authentication protocols based on the solution properties of homogeneous linear equations, this invention contains all authentication information in a 1*3 vector K, which greatly reduces the communication overhead between the reader and the server.
Attached Figure Description
[0067] Figure 1 is a flowchart of the protocol of an embodiment of the present invention.
[0068] Figure 2 is a schematic diagram of the RFID batch authentication system according to an embodiment of the present invention.
[0069] Figure 3 is a flowchart of the batch authentication protocol according to an embodiment of the present invention.
[0070] Figure 4 is a flowchart illustrating the update process of the batch authentication protocol in an embodiment of the present invention.
[0071] Figure 5 is a comparison chart of simulation results of illegal and legal tags in the batch authentication protocol of this invention.
[0072] Figure 6 is a comparison chart of simulation results between the batch authentication protocol of this invention and the classic solution.
[0073] Figure 7 is a physical diagram of the hardware device used in the embodiments of the present invention.
[0074] Figure 8 is an example of the protocol operation of the hardware device used in this embodiment of the invention.
[0075] Figure 9 is the second example of the protocol operation of the hardware device used in the embodiments of the present invention.
[0076] Figure 10 is a comparison chart of the hardware platform communication time between the batch authentication protocol of this invention and the classic lightweight RFID batch authentication protocol.
[0077] Figure 11 is a comparison chart of the hardware platform authentication time between the batch authentication protocol of this invention and the classic lightweight RFID batch authentication protocol.
Detailed Implementation
[0078] To make the objectives, technical solutions, and advantages of this invention clearer, the invention will be further described in detail below with reference to embodiments. It should be understood that the specific embodiments described herein are merely illustrative and not intended to limit the invention.
[0079] As shown in Figure 1, a lightweight batch authentication protocol suitable for large-scale RFID systems includes the following steps:
[0080] S01: During the initialization phase, a trusted third party generates keys and pseudonyms, stores them in each authentication entity, and groups the tags;
[0081] S02: During the authentication phase, the server calculates the frame length with the lowest collision rate based on the number of tags; the reader and tags perform initial mutual authentication using the key $S_{RT}$; the reader uses the authentication information $a_{ki}$ and $PID_{ki}$ to generate the authentication matrices K and K1 and sends them to the server. The server uses the authentication key vector x to calculate whether K·x = 0 holds. If it does, the group of tags is authenticated; otherwise, the server sends a set of erroneous tag indices to the reader.
[0082] S03: During the update phase, after receiving the update notification, the tag updates its pseudonym, and then the reader updates the key $S_{RT}$ and the authentication information $a_{ki}$ and sends the message R to the server; finally, the tag key $S_{RT}$ is updated, and the server updates the group authentication key $x_k$ via R.
[0083] As shown in Figure 2, the RFID batch authentication system used in this embodiment includes:
[0084] Tag sets, electronic tags attached to certain objects, such as retail goods or express parcels, can store information about the subject;
[0085] Readers, whether fixed or portable, can identify these tags to obtain useful information about these objects, and then communicate with a server via some computer terminal;
[0086] The server is used to process and store the tag collection data. On the one hand, it stores all the tag information, making it convenient for readers to query and authenticate tags; on the other hand, it can process various tag information uploaded by readers and provide timely feedback.
[0087] As shown in Figure 3, the initialization phase includes:
[0088] (1) A trusted third party groups a batch of tags that need to be authenticated into groups, and each group of tags is represented by a set of congruence equations:
[0089]
[0090] From each congruence equation in the above system of equations, we obtain $x_k = a_i + k_i m_i$, where $k_i \in N^*$, which the trusted third party calculates for each tag. $a_i$ is the authentication information $a_{ki}$; the modulus $m_i$ serves as the tag's identity $ID_{ki}$; $PID_{ki} = m_i k_i$ is the pseudonym of the tag; and x is the solution to the system of congruence equations, which is the group authentication key $x_k$. Each group of tags is numbered $I_k$. A tag group consists of n tags, with each congruence equation identifying one tag.
[0091] (2) A trusted third party generates a vector x as the group authentication key vector and preloads it into the backend server;
[0092]
[0093] (3) The tag stores {$PID_{ki}$, $ID_{ki}$, $S_{RT}$, $S_{RTold}$, $I_k$, i}, where $S_{RT}$ is the shared key between the reader and the tag, and $S_{RTold}$ is the shared key used in the previous round of authentication;
[0094] (4) The reader stores {$a_{ki}$, $S_{RT}$, $S_{RTold}$, $I_k$, i}, where the $a_{ki}$ are the coefficients of the congruence equations corresponding to each tag;
[0095] (5) The server stores {x, $I_k$};
[0096] (6) To add a tag to or remove a tag from a tag group, simply perform the corresponding operation on the relevant $a_{ki}$ and i records in the reader.
[0097] As shown in Figure 3, the authentication phase includes the following steps:
[0098] (1) Before each authentication session begins, the reader sends the number of tags that need to be authenticated in batches to the server. The server calculates the optimal frame length, i.e., the frame length with the lowest collision rate, based on the number of tags. The server generates the current timestamp $T_R$ and sends it, together with the calculated optimal frame length f, to the reader;
[0099] (2) The reader generates a random number $r_k$, calculates the authentication message MT1, and broadcasts the message to the tags within the reading range;
[0100]
[0101] (3) The tag uses the key $S_{RT}$ shared with the reader to recover the corresponding $T_R$ and $r_k$ from the received authentication message MT1. The tag compares the recovered $T_R$ with the stored timestamp T0 of the last successful authentication; if $T_R$ is greater than T0, the tag considers the reader to be legitimate, generates the corresponding authentication messages, and sends them to the server; authentication messages MT2 and MT3 are as follows:
[0102]
[0103]
[0104] (4) The reader uses the shared key to recover $T_R$ and $I_k$ from the authentication message MT2. If the recovered $T_R$ and $I_k$ are equal to the $T_R$ and $I_k$ stored in the reader, authentication continues; the reader uses the stored $r_k$ and $I_k$ to recover the relevant i and $PID_{ki}$, and generates the matrices K1 and K based on the indices:
[0105]
[0106] $K = [n \quad a \quad PID]$
[0107] where
[0108]
[0109] n is the number of tags in the tag group; the reader forwards the group index $I_k$ and the matrix K to the backend server;
[0110] (5) The server uses the group index $I_k$ and x to calculate whether K·x = 0 holds; if it does, all tags in the group have been successfully authenticated; if it does not, the server sends flag = 0 to the reader, the reader sends the matrix K1 to the server, and the server calculates K1·x = b; the indices of the non-zero elements in vector b are the indices of the erroneous tags; the server generates a set containing the indices of the erroneous tags and returns it to the reader.
[0111] As shown in Figure 4, the update phase includes the following steps:
[0112] (1) After authentication is completed, the reader generates the current timestamp $T_C$, generates a message, and broadcasts it to the tags;
[0113] (2) The tag performs a calculation to recover the timestamp; if the recovered $T_R$ and the $T_R$ stored during the authentication phase are equal, the tag generates a random number R for updating the pseudonym and key; the tag updates the pseudonym and generates a message:
[0114] $PID_{kinew} = PID_{ki} + R$
[0115]
[0116] $PID_{kinew}$ is the new tag pseudonym; the tag sends the message $MT_{update}$ to the reader;
[0117] (3) The reader performs a calculation; if the recovered $T_C$ and the timestamp $T_C$ generated after authentication are equal, the reader updates the key $S_{RT}$ and the authentication information $a_{ki}$:
[0118] $a_{kinew} = a_{ki} + R$
[0119]
[0120] $a_{kinew}$ is the updated authentication information and $S_{RTnew}$ is the updated key; the reader generates $MT_{update}' = Rot(T_C, T_R)$ and sends it to the tag;
[0121] (4) The reader sends R to the server via a secure channel, and the server updates the group authentication key:
[0122] $x_{knew} = x_k + 2R$
[0123] $x_{knew}$ is the updated group authentication key;
[0124] (5) The reader generates $MT_{update}' = Rot(T_C, T_R)$ and sends it to the tag; the tag uses the stored $T_C$ and $T_R$ to verify whether $MT_{update}'$ holds. If Rot(stored $T_C$, stored $T_R$) = $MT_{update}'$, the tag updates its key:
[0125]
[0126] Symbol explanation: Tag: RFID tag; Reader: RFID reader; Database: RFID server; $S_{RT}$: the shared key between the tag and the reader; $r_k$: random number generated by the reader; $T_C$, $T_R$: timestamps; $x_k$: group authentication key; $I_k$: tag group index; $m_{ki}$: modulus of the congruence equation; n: number of tags in a set; $a_{ki}$: authentication information, which is also the coefficient of the congruence equation; $k_i$: $k_i \in N^*$; i: tag index; $MT_i$: communication message; $PID_{ki}$: pseudo-identifier; R: random number generated by the tag; ||: concatenation operation, which concatenates the bit strings on both sides of the symbol into one long bit string; This represents the XOR operation.
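The initialization, batch check, error localisation and update steps described above, worked through as an added Python example (not code from the patent or its authors). The definitions of the key vector x and of K1 did not survive on this page, so the layout x = (-x_k, 1, 1) and K1 rows [1, a_ki, PID_ki] are assumptions chosen so that K·x = 0 follows from x_k = a_i + k_i*m_i; the function names, moduli and seed are constructed for the illustration.

```python
"""CRT batch check from the description; layout of x and K1 is an assumption."""
import random
from math import gcd, prod


def crt(residues, moduli):
    """Return the smallest x >= 0 with x = a_i (mod m_i); moduli pairwise coprime."""
    M = prod(moduli)
    x = 0
    for a, m in zip(residues, moduli):
        Mi = M // m
        x += a * Mi * pow(Mi, -1, m)  # pow(.., -1, m) is the modular inverse
    return x % M


def init_group(moduli, rng):
    """Initialization phase: the trusted third party builds one tag group.

    Returns (a, pid, x_k): reader-side a_ki, tag-side PID_ki, server-side x_k.
    """
    for i, m in enumerate(moduli):
        if any(gcd(m, other) != 1 for other in moduli[i + 1:]):
            raise ValueError("moduli must be pairwise coprime")
    a = [rng.randrange(1, m) for m in moduli]
    # Adding the product of the moduli keeps x_k a solution and forces k_i >= 1.
    x_k = crt(a, moduli) + prod(moduli)
    k = [(x_k - ai) // m for ai, m in zip(a, moduli)]
    pid = [m * ki for m, ki in zip(moduli, k)]  # PID_ki = m_i * k_i
    return a, pid, x_k


def reader_matrices(a, pid):
    """Reader side: aggregate 1x3 vector K and per-tag matrix K1 (assumed layout)."""
    K1 = [[1, ai, pi] for ai, pi in zip(a, pid)]
    K = [len(a), sum(a), sum(pid)]
    return K, K1


def server_verify(K, K1, x_k):
    """Server side: [] if K.x = 0, else indices of non-zero entries of b = K1.x.

    In the protocol K1 is only requested after the server answers flag = 0;
    both are passed here to keep the example short.
    """
    key = (-x_k, 1, 1)  # assumed group authentication key vector

    def dot(row):
        return sum(r * c for r, c in zip(row, key))

    if dot(K) == 0:
        return []
    return [i for i, row in enumerate(K1) if dot(row) != 0]


def update_group(a, pid, x_k, R):
    """Update phase: PID_ki + R on the tag, a_ki + R on the reader, x_k + 2R on the server."""
    return [ai + R for ai in a], [p + R for p in pid], x_k + 2 * R


def demo():
    rng = random.Random(2023)            # seeded for a reproducible demo only
    moduli = [101, 103, 107, 109, 113]   # constructed sample moduli (distinct primes)
    a, pid, x_k = init_group(moduli, rng)

    ok = server_verify(*reader_matrices(a, pid), x_k)

    wrong = pid.copy()
    wrong[2] += 1                        # tag 2 presents a pseudonym it was never issued
    bad = server_verify(*reader_matrices(a, wrong), x_k)

    R = rng.randrange(1, 2**32)
    a2, pid2, x2 = update_group(a, pid, x_k, R)
    after = server_verify(*reader_matrices(a2, pid2), x2)
    # Reader state that missed the update no longer matches tags and server.
    stale = server_verify(*reader_matrices(a, pid2), x2)
    return ok, bad, after, stale


if __name__ == "__main__":
    print(demo())
```

The update step works because a_ki + PID_ki - x_k stays zero when R is added to each of a_ki and PID_ki and 2R to x_k, so old and new pseudonyms differ while the check still passes.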
[0127] This embodiment uses a computer as a server and implements encryption and decryption algorithms using Java to simulate the overhead of tag authentication when the number of tags in a tag group increases from 5000 to 20000. For the case where there are erroneous tags in the batch, the proportion of erroneous tags is assumed to be 3%. 10,000 verifications are performed for each group of tags, and the average of the final authentication times is taken to ensure the accuracy of the authentication time. As can be seen from Figure 5, the number of tags in the protocol of this invention has almost no impact on the authentication time when authenticating a group of completely correct tags, while the authentication time for a group of tags with some incorrect tags only increases linearly. Figure 6 compares the time cost of the present invention with that of the classic solution and shows that the present invention has a very significant efficiency advantage.
[0128] The protocol of this invention is compared and analyzed with the classic ultra-lightweight RFID authentication method. The security comparison results are shown in Table 1, where “√” indicates that the security is satisfied and “×” indicates that the security is not satisfied.
[0129] Table 1 Security Comparison
[0130]
[0131] Table 1 compares the security attributes and attack resistance capabilities of the protocol of this invention with several existing RFID bulk authentication protocols. It is evident that FISH, SEBA, and RFID bulk authentication protocols based on homogeneous linear equations cannot meet forward and backward security requirements, cannot resist certain common attacks, and cannot satisfy the requirements for two-way authentication, thus posing some system security risks. In contrast, the protocol of this invention can resist common attacks and meets the security requirements of RFID systems, achieving forward and backward security and tag non-linkability.
[0132] To verify the usability of this invention, the following will show and illustrate the test results of the lightweight RFID batch authentication protocol under simulation and the experimental results of its hardware platform. The simulation software used is Vivado released by FPGA supplier Xilinx, and the hardware used is ESP32, ESP8266 and Raspberry Pi.
[0133] Table 2 Comparison of Label Gate Circuit Overhead
[0134]
Tag overhead | PMEU | UWSB | This invention protocol
LUTs | 197 | 83 | 82
Slices Registers | 384 | 256 | 289
[0135] Table 2 shows the resource consumption of the protocol of this invention and several other ultra-lightweight protocols on the FPGA 2017.3 circuit simulation platform. LUTs (Look-Up Tables) are used; fewer LUTs mean less tag overhead. PMEU, UWSB, and the protocol of this invention were simulated using 128-bit, 64-bit, and 64-bit inputs, respectively. In PMEU, tags need to perform matrix operations to encrypt their information, while in the protocol of this invention, tags only need to perform lightweight bit operations, which greatly reduces tag overhead. The tag LUT overhead in the protocol of this invention is similar to that of UWSB in the literature, which means that the protocol of this invention is also an ultra-lightweight authentication protocol.
[0136] Figure 7 shows the hardware device of an embodiment of the present invention. In the figure: 1, ESP32 development board; 2, ESP8266 development board; 3, TFT screen for reader display; 4, OLED screen for sensor or tag display; 5, splitter. Using the ESP32 as the reader and the ESP8266 to simulate a tag, the Arduino IDE is used to conduct experiments on the authentication time and communication time of the protocol of the present invention and of the RFID batch authentication protocol based on the solution properties of homogeneous linear equations. Figures 8 and 9 show a sample authentication process. Figure 10 compares the communication time of the protocol of this invention with that of an RFID batch authentication protocol based on the solution properties of homogeneous linear equations. Figure 11 compares the authentication time of the protocol of this invention with that of an RFID batch authentication protocol based on the properties of solutions to homogeneous linear equations. In this invention, the reader aggregates the authentication information of the tags and generates a vector before sending it to the server. In contrast, the RFID batch authentication protocol based on the properties of solutions to homogeneous linear equations requires the reader to construct a matrix from the tag authentication information and forward it to the server. Therefore, this invention has less communication overhead than the RFID batch authentication protocol based on the properties of solutions to homogeneous linear equations. Furthermore, the batch authentication protocol based on the properties of solutions to homogeneous linear equations requires matrix operations to verify a batch of tags, while in this invention, the server only needs to perform single-dimensional vector operations to verify a batch of tags, thus improving the server's authentication efficiency. As shown in Figures 10 and 11, the protocol of this invention has better authentication performance and system efficiency on the hardware platform than RFID batch authentication protocols based on the solution properties of homogeneous linear equations.
[0137] It should be noted that the present invention protocol can be implemented in hardware, software, or a combination of both. The hardware portion can be implemented using dedicated logic; the software portion can be stored in memory and executed by a suitable instruction execution system, such as a microprocessor or dedicated-design hardware. Those skilled in the art will understand that the above-described devices and methods can be implemented using computer-executable instructions and included in processor control code, for example, on a carrier medium such as a disk, CD, or DVD-ROM, a programmable memory such as a read-only memory, or a data carrier such as an optical or electronic signal carrier. The devices and modules employed in the present invention protocol can be implemented by hardware circuitry of programmable hardware devices such as very large-scale integrated circuits or gate arrays, semiconductors such as logic chips, transistors, etc., or programmable hardware devices such as field-programmable gate arrays, programmable logic devices, etc., or by software executed by various types of processors, or by a combination of the above-described hardware circuitry and software, such as firmware.
[0138] The above description is merely a specific embodiment of the present invention, but the scope of protection of the present invention is not limited thereto. Any modifications, equivalent substitutions, and improvements made by those skilled in the art within the scope of the technology disclosed in the present invention, and within the spirit and principles of the present invention, should be covered within the scope of protection of the present invention.
Claims
1. A lightweight batch authentication protocol suitable for large-scale RFID systems, characterized in that it includes the following steps:
The first step, the initialization phase: a trusted third party generates keys and pseudonyms, stores them in each authentication entity, and groups the tags.
The second step, the authentication phase: the server calculates the frame length with the lowest collision rate based on the number of tags; readers and tags use keys for initial mutual authentication; the reader uses the authentication information and pseudonym to generate authentication matrix and , and sends it to the server, and the server uses the authentication key vector to calculate ; if the condition is met, the tag is authenticated; if not, a set of erroneous tag indices is sent to the reader.
The authentication phase includes:
(1) Before each authentication session begins, the reader sends the number of tags that need to be authenticated in batches to the server. The server calculates the optimal frame length, i.e. the frame length with the lowest collision rate, based on the number of tags. The server then generates the current timestamp and sends it and the calculated optimal frame length to the reader;
(2) The reader generates a random number, computes an authentication message, and broadcasts the message to tags within the read range;
(3) The tag uses the key shared with the reader to recover the corresponding and from the received authentication message; the tag compares the recovered and the stored timestamp of the last successful authentication; if > , the tag deems the reader legitimate, generates a corresponding authentication message and sends it to the server, as follows:
(4) The reader uses the shared key to recover from the authentication message ; if the recovered and the reader's stored are equal, authentication continues; the reader uses the stored and the recovered related and, based on the index, generates matrix and matrix : where is the number of tags in the tag group; the reader forwards the group index and matrix to the server;
(5) The server uses the group index to calculate and checks whether the authentication is successful; if successful, all tags in the group have been successfully authenticated; if unsuccessful, the server sends a message to the reader, the reader sends matrix to the server, and the server calculates vector ; the index of a non-zero element of the vector is the index of an erroneous tag; the server generates a set containing the erroneous tag indices and returns it to the reader.
The third step, the update phase: the tag updates its pseudonym after receiving an update notification, followed by the reader updating its key and authentication information and sending a message to the server. Finally, the tag key is updated. The server via updates the group authentication key .
2. The protocol of claim 1, wherein the initialization phase includes:
(1) A trusted third party groups a batch of tags that need to be authenticated, and each group of tags is represented by a system of congruence equations: For each congruence equation in the above system of equations, we obtain , where a trusted third party calculates for each tag, is the authentication information, the modulus serves as the identity of the tag, is the pseudonym of the tag, and the solution to the system of congruence equations is the group authentication key; each group of tags is numbered and identified by ; a group of tags consisting of It consists of 1 tag, with each congruence equation identifying one tag;
(2) The trusted third party generates vector as the group authentication key vector and preloads it into the back-end server: ;
(3) The tag stores , wherein is a shared key between the reader and the tag, and is the shared key used for the previous round of authentication;
(4) The reader stores , wherein is the coefficient of the congruence equation corresponding to each tag;
(5) The server stores ;
(6) For tags to be added to or removed from a tag group, the relevant information recorded in the reader, and , is checked, and the corresponding operations are simply performed.
3. The protocol of claim 1, wherein the update phase includes:
(1) After authentication is completed, the reader generates a current timestamp , generates a message , and broadcasts it to the tag;
(2) The tag calculates to restore the timestamp; if and the stored during the authentication phase are equal, the tag generates random numbers used for updating the pseudonym and key; the tag updates its pseudonym and generates a message: , where is the new tag pseudonym; the tag sends the message to the reader;
(3) The reader calculates = ; if and the timestamp generated after authentication are equal, the key and authentication information are updated: , where is the updated authentication information and is the updated key; the reader generates and sends it to the tag;
(4) The reader sends to the server through a secure channel, and the server updates the group authentication key: , where is the updated group authentication key;
(5) The reader generates and sends it to the tag; the tag uses the stored to check whether is true; if so, the tag updates the key: .
4. The protocol of claim 1, wherein, in step (3) of the authentication phase, the tag sends the tag pseudonym used for this round of authentication to the reader.
5. The protocol of claim 1, wherein the authentication phase uses the Chinese remainder theorem, only one operation is needed to authenticate a batch of tags, and the growth of the number of tags has little effect on the computational overhead.
6. A storage medium for a lightweight batch authentication protocol suitable for large-scale RFID systems as described in any one of claims 1-5, wherein a user input program is received, and the stored computer program causes the electronic device to perform the following steps:
The first step, the initialization phase: a trusted third party generates keys and pseudonyms, stores them in each authentication entity, and groups the tags.
The second step, the authentication phase: the server calculates the frame length with the minimum collision rate according to the number of tags; readers and tags use keys for initial mutual authentication; the reader uses the authentication information and pseudonym to generate authentication matrix and , and sends it to the server, and the server uses the authentication key vector to calculate ; if the condition is met, the group of tags is authenticated; otherwise, a set of erroneous tag indices is sent to the reader.
The third step, the update phase: the tag updates its pseudonym after receiving an update notification, followed by the reader updating its key and authentication information and sending a message to the server. Finally, the tag key is updated. The server via updates the group authentication key .
7. A system for implementing a lightweight batch authentication protocol suitable for large-scale RFID systems as described in any one of claims 1-5, characterized in that it includes:
Tags, used to store main information;
A reader, used to obtain subject information and communicate with the server through a computer terminal;
A server, used to process and store the data collected from the tags.
This system can perform the following steps:
The first step, the initialization phase: a trusted third party generates keys and pseudonyms, stores them in each authentication entity, and groups the tags.
The second step, the authentication phase: the server calculates the frame length with the lowest collision rate based on the number of tags; readers and tags use keys for initial mutual authentication; the reader uses the authentication information and pseudonym to generate authentication matrix and , and sends it to the server, and the server uses the authentication key vector to calculate ; if the condition is met, the group of tags is authenticated; if not, a set of erroneous tag indices is sent to the reader.
The third step, the update phase: the tag updates its pseudonym after receiving an update notification, followed by the reader updating its key and authentication information and sending a message to the server. Finally, the tag key is updated. The server via updates the group authentication key .
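The congruence-system idea behind claims 2 and 5 and the error-index step of claim 1, as an added Python illustration that is not the patent's own code: the group key is the Chinese Remainder Theorem solution of one congruence per tag, and the non-zero entries of a difference vector locate the failing tags. The moduli, residues and function names are constructed for this example, and the patent's pseudonym, key-vector and matrix formulas, which this page does not reproduce, are left out.

```python
from math import gcd, prod

def crt_group_key(residues, moduli):
    """Solve X = residues[i] (mod moduli[i]); X plays the role of the group key."""
    if not moduli or len(residues) != len(moduli):
        raise ValueError("need exactly one residue per modulus")
    # The CRT solution is unique modulo prod(moduli) only for pairwise coprime
    # moduli; otherwise two tags' congruences could conflict or overlap.
    for i, m in enumerate(moduli):
        if any(gcd(m, n) != 1 for n in moduli[i + 1:]):
            raise ValueError("moduli must be pairwise coprime")
    big_m = prod(moduli)
    x = 0
    for a, m in zip(residues, moduli):
        partial = big_m // m                    # product of all other moduli
        x += a * partial * pow(partial, -1, m)  # modular inverse (Python 3.8+)
    return x % big_m

def failing_tags(group_key, responses, moduli):
    """Indices whose response disagrees with the group key modulo the tag's modulus."""
    diff = [(group_key - r) % m for r, m in zip(responses, moduli)]
    return [i for i, d in enumerate(diff) if d != 0]

# Constructed sample group: one modulus (tag identity) and one residue
# (authentication value) per tag. These are illustrative values only.
MODULI = [10007, 10009, 10037, 10039]
ENROLLED = [1234, 5678, 4321, 8765]

if __name__ == "__main__":
    key = crt_group_key(ENROLLED, MODULI)
    print("all tags pass:", failing_tags(key, ENROLLED, MODULI))
    forged = list(ENROLLED)
    forged[2] ^= 1  # a tag answering with a wrong value
    print("failing indices:", failing_tags(key, forged, MODULI))
```

The server side of this sketch stores a single integer per group, and the cost of the check is one reduction per tag rather than a matrix operation.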