1. New Directions in Detection, Security and Privacy for RFID
Leonid Bolotnyy and Gabriel Robins
Department of Computer Science, UVa
Hello. Thank you for coming to my proposal presentation,
entitled New Directions in Detection, Security and Privacy for RFID.

2. Thesis
Multi-tags, “yoking-proofs”, and physical unclonable functions can improve reliability, security, and privacy in radio frequency identification (RFID) systems.
My one-sentence thesis statement is “Multi-Tags”, “Yoking-Proofs”, and PUFs can improve reliability, security, and privacy in RFID Systems.
In the next 20 minutes I hope to convince you of this.

3. Progress
L. Bolotnyy and G. Robins, Multi-Tag Radio Frequency Identification Systems, IEEE Workshop on Automatic Identification Advanced Technologies (AutoID), pp , 2005
L. Bolotnyy and G. Robins, Randomized Pseudo-Random Function Tree Walking Algorithm for Secure Radio Frequency Identification, IEEE Workshop on Automatic Identification Advanced Technologies (AutoID), pp , 2005
L. Bolotnyy and G. Robins, Generalized ‘Yoking-Proofs’ for a Group of RFID Tags, IEEE International Conference on Mobile and Ubiquitous Systems (Mobiquitous), 2006
L. Bolotnyy and G. Robins, PUF-Based Security and Privacy in RFID Systems, IEEE International Conference on Pervasive Computing (PerCom), 2007
Several additional papers in progress
NSF Cyber Trust proposal (submitted January 2007)
Deutsche Telekom (largest in EU) offered to patent our multi-tags idea
Our progress to date is as follows.
We published four refereed papers in premier IEEE conferences with several more papers in preparation.
Our work has also formed the basis of an NSF Cyber Trust proposal submitted last week.
In addition, Deutsche Telekom, the largest telecommunications company in the European Union, has offered to patent our multi-tags idea for commercialization.

4. Introduction RFID Tags types:
passive
semi-passive
active
Frequencies: Low (125KHz), High (13.56MHz), UHF (915MHz)
Coupling methods:
Reader
antenna
signal
Inductive coupling
Backscatter coupling
I will start with a brief introduction to RFID and its history.
RFID stands for radio frequency identification, which uses radio signals to uniquely identify objects.
An RFID System consists of readers, tags, and back-end servers for information processing.
There are three general types of RFID tags: passive, semi-passive, and active.
Passive tags have no batteries on-board. They use power from the reader for computation and for communication.
Semi-passive tags have batteries on-board, however the batteries are used for data processing only. The power harvested from the reader is still used for communication.
Active tags have batteries on-board and they can use them for both computations and communications.
The three major RFID frequencies are: Low frequency of 125kHz, High of MHz, and ultra high of 915 MHz in the US.
Two main coupling mechanisms used for read-tag communication.
In inductive coupling, the reader creates a magnetic field between itself and the tag, and the tag harvests the power from its field for its operation. In backscatter coupling, or far-field propagation as it is sometimes called, the reader sends a signal to the tag, which tag backscatters back to the reader.
I placed several tags, readers and antennas on this table – please feel free to play with them.

5. History Radar invented - 1935 EAS invented - early 1960’s
First RFID patent filed
First RFID book published
Auto-ID Center formed
RFID technology originated with Radar, which was invented in 1935.
Electronic Article Surveillance was invented in the early 60s.
In the 70s, first patent on access control technology using RFID was filed.
In 1999 the first book on RFID was published.
In the same year, the Auto-ID Center was formed at MIT, for developing protocols and standards for Electronic Product Code (EPC), to be used as a substitute for bar-code.
Over 100 large companies and organizations, including Wal-Mart and the US Department of Defense, financed these efforts.
In 2004 the Auto-ID center was transformed into a newly formed non-profit EPCglobal organization.
At the end of 2006, the first RFID-enabled game console was marketed.
EPCglobal formed
First RFID game marketed

6. Thesis Proposal Improve tag detection Improve security and privacy
Auditing algorithms for RFID
“Yoking-Proofs”
Our proposal spans three intertwined areas: tag detection, security and privacy in RFID.
Traditional RFID systems have one tag per object.
We propose tagging objects with multiple tags, to improve tag detection.
This will benefit applications that require high tag detection rate, tag reliability and durability.
We will compare our multi-tag approach with systems using single-tagged objects,
as well as with multiple-readers systems.
We will also analyze various combinations of these two approaches.
On the security front, we will devise RFID auditing algorithms, such as “Yoking-Proofs”.
“Yoking-Proof” protocols generate proofs which guarantee that groups of tags were read nearly-simultaneously.
We will create a framework for inter-tag communication in which passive/battery-less tags communicate with each other through the reader.
We will define privacy in RFID in a way that takes physical attacks into consideration.
We will also design algorithms for security and privacy in RFID, based on physically unclonable functions, and design and evaluate PUF prototypes that avoid the drawbacks of previous approaches.
Inter-tag communication
Definition of privacy
PUF-based security
Algorithms
PUF design

7. Why Multi-Tag RFID? Bar-codes vs. RFID Unreliability of tag detection
line-of-sight
scanning rate
Unreliability of tag detection
radio noise is ubiquitous
liquids and metals are opaque to RF
milk, water, juice
metal-foil wrappers
Wal-Mart experiments (2005)
90% tag detection at case level
95% detection on conveyor belts
66% detection of individual items inside fully loaded pallets
Our preliminary experiments support data above
Bar-code scanning requires a line-of-sight visibility, and the scan rate is at most a few bar-codes per second.
On the other hand, RFID does not require line-of-sight, and hundreds of RFID tags can be read per second.
However, these benefits have a price.
RFID tag detection is unreliable due to the ubiquitous radio noise permeating the environment, which can interfere with the readers’ ability to successfully identify tags.
In addition, liquids such as milk, water, juice etc., or metals, can absorb or reflect radio waves, in ways that impede tag detection.
In 2005, Wal-Mart conducted tag detection experiments that showed
only 90% tag detection rate at case level,
95% tag detection rate on conveyor belts,
and only 66% tag detection rate of individual items inside fully loaded pallets.
Our preliminary experimental data with commercial RFID equipment supports these results.
If objects are tagged with multiple tags, the detection rate will be higher.

8. Applications of Multi-Tags
Some applications of multi-tags include supply chain management, access control (especially for disabled people), luggage tracking, embedding tags into trees to help detect and discourage illegal deforestation.

9. The Power of an Angle
Inductive coupling: voltage ~ sin(β), distance ~ (power)1/6
Far-field propagation: voltage ~ sin2(β), distance ~ (power)1/2
B-field β
Optimal Tag Placement: 1 4 3 2
One of the reasons multi-tags are effective in improving tag detection is improved expected tag orientation to the reader.
Let beta be the angle between the reader’s signal and the tag.
The voltage generated on-board a tag is proportional to sin(beta) for inductive coupling and to sin^2(beta) for far-field propagation.
The distance at which the reader can detect the tag is proportional to the sixth root of the voltage for inductive coupling, and to the square root of the voltage for far-field propagation.
Therefore, it is important to make the angle beta as close to 90 degrees as possible.
To maximize the grazing angle beta, it is best to position the tags perpendicular to each other for two and three tag ensembles and to position four tags ensembles parallel to the faces of a tetrahedron, a platonic solid.
For this tag positioning, the expected grazing angle beta is as shown on the graphs, assuming uniform signal distribution.
You can see the sharp double digit increase in the expected angle value when the number of tags is increased from one to two and from two to three, but only a single digit angle increase from three tags to four tags.
This suggests that the law of diminishing returns comes into effect pretty quickly.
We computed the expected angle using simulation 1 to 4 tags and analytics for one and for two tags.

10. Benefits and Costs of Multi-Tags
PROS
increases expected induced voltage on tag
increases operational range of system
increases memory per object
improves availability
improves reliability
improves durability
provides potential security enhancement
new applications
CONS
increases system cost
modestly complicates manufacturing
potentially increases tags’ interrogation time
Here is a summary of some of the benefits and costs of multi-tags.
Multi-tags increase the expected induced voltage aboard a tag which increases the expected communication distance.
Multi-tags increase the amount of memory per object, increase probability of object detection, improve reliability, and durability of the system.
Multi-tags can also enhance security and enable new applications.
The cost of these improvements is the increased system cost, modest complication of manufacturing process for some types of multi-tags, and potential increase of tags’ interrogation time, depending on the anti-collision algorithm.

11. Experimental Apparatus and Experiments with Multi-Tags
Equipment
Experiments
Measure detection of ~20 multi-tagged objects
With/without metals and liquids
Rotate multi-tagged object mixes
1, 2, 3, & 4 tags per object
Vary tag, reader, and antenna types
Vary distances, geometry, power
Multi-tags vs. multiple readers
We will experimentally evaluate multi-tags using equipment from different manufacturers to ensure impartiality of results.
We will use readers by Alien Technology and ThingMagic, and tags by Alien Technology and UPM Raflatac, the leading tag manufacturer is the world.
We will determine tag detection for a cart full of non-metallic and non-liquid objects, about of them.
We will repeat the experiments for metal and liquid objects.
To determine the detection probability, we will rotate a cube with tags attached to its faces in different planes, and perform similar experiments for tetrahedra.
In our experiments, we will vary distances between objects and the reader antennas, vary reader antennas geometry, and vary readers’ emitted power.
We will compare multi-tags with single-tags and multiple readers.

12. Preliminary Experimental Results1
0.9
0.8
0.7
0.6
Average Detection Probability
0.5
0.4
0.3
Δ= 4.0%
2 Readers, 2 Tags 86.6%
Preliminary representative experimental results with commercial RFID equipment support our theoretical expectations.
The four curves here show the detection probabilities for all combinations of 1 and 2 tags and 1 and 2 readers, averaged over multiple experiments.
The X axis represents the objects, and the Y axis represents the average object detection probabilities.
The lowest, dark blue curve shows the detection probabilities of traditional RFID systems with one reader and one tag per object,
yielding an average detection probability of 57.8%.
The yellow curve shows the detection probabilities for two readers and one tag per object, with an average detection probability of 63.9%.
the orange curve shows the detection probabilities for one reader and two tags per object, with an average detection probability of 82.6%.
and the blue curve shows the detection probabilities for two readers and two tags per object, with an average detection probability of 86.6%.
As you can see, the difference of adding an extra reader is relatively small: about 6 percent in the 1-tag case, and 4% in the 2-tag case.
However, the difference of adding an extra tag is quite dramatic: about 24.8 percent in the 1-reader case, and 22.7% in the 2-reader case.
This data clearly indicates that adding a tag is substantially more beneficial than adding a reader, by a factor of 4 to 5 in terms of detection improvements.
This experiment also demonstrates that two tags and one reader outperform one tag and two readers by 18.7% in terms of detection probability.
Δ=22.7%
0.2
1 Reader, 2 Tags 82.6%
Δ=18.7%
Δ=24.8%
2 Readers, 1 Tag %
0.1
Δ= 6.1%
1 Reader, 1 Tag % 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
Object Number

13. Security and Privacy in RFIDB C
Alice was here: A, B, C
We now turn to the issues of security and privacy in RFID systems.
As Alice carries insecure RFID tags from A to B to C, her movements may be tracked surreptitiously, violating her privacy.
Privacy-preserving RFID algorithms try to prevent illicit tag tracking.
privacy

14. Security and Privacy in RFID
Privacy: difficult to track tags
Security
Secure Identification
f(c)
f(r, ID)
Tag Authentication c
Message Authentication m
σ (m)
The term security in RFID is often overloaded to include privacy.
Before describing our proposed contributions to RFID security and privacy, I will first explain these concepts.
Tag identification is secure if an adversary cannot determine a tag’s ID.
The identification is also private if in addition to the tag hiding its ID from an adversary, an adversary cannot associate multiple tag readings with the same tag.
Tag authentication algorithms ensure that the tag is authentic, in other words, that it is not a clone.
In message authentication algorithms, the tag signs a message that it receives from the reader, or that it receives via sensors.
Recent work shows that passive/powerless RFID tags can perform sensing by harvesting the energy from the readers.
Ownership transfer algorithms securely and privately transfer tags from one owner to another. The goal of secure ownership transfer algorithms is to ensure that tag owners cannot be tracked.
Auditing algorithms verify that readers comply with the data collection policy.
Ownership Transfer
Auditing

15. “Yoking-Proofs”
Yoking: joining together / simultaneous presence of multiple tags
Key Observation: Passive tags can communicate
with each other through reader
Problem Statement: Generate proof that a group of passive tags were identified nearly-simultaneously
Yoking-Proofs protocols belong to the category of auditing algorithms, however they also have roots in message authentication algorithms.
The term yoking refers to joining together, or simultaneous presence of multiple tags.
Yoking proofs try to yoke/join reading of multiple tags.
The key observation in yoking-proofs is that passive tags can communicate with each other through the reader.
I will say more about this interesting new communication paradigm later.
The problem statement in yoking-proofs is the following.
The reader should identify a group of tags nearly-simultaneously (i.e., within some predetermined time period t), and generate an unforgeable proof that this was the case.
Applications of yoking proofs include:
Verifying that a medicine bottle was sold together with the instruction leaflet;
or that tools were sold together with the safety devices;
or verifying that matching parts were delivered together, etc.
Applications – verify that:
medicine bottle sold together with instructions
tools sold together with safety devices
matching parts were delivered together
several forms of ID were presented
a group of people was present at a meeting

16. Assumptions and Goals Assumptions Solution Goals Timer on-board a tag
Tags are passive
Tags have limited computational abilities
Tags can compute a keyed hash function
Tags can maintain some state
Verifier is trusted and powerful
Solution Goals
Allow readers to be adversarial
Make valid proofs improbable to forge
Allow verifier to verify proofs off-line
Detect replays of valid proofs
We postulate the following assumptions and solution goals.
We assume that tags are passive (i.e., they have no batteries on-board), and have limited computational abilities, but they can compute a keyed hash function.
We also assume that tags can maintain some state between protocol runs, and that the verifier is trusted and reasonably powerful (i.e., a PC or server).
The protocols should allow readers to be adversarial and make it infeasible for readers to forge valid proofs.
We want our protocols to allow the verifier to be off-line, and detect replays of valid proofs by adversarial readers.
To ensure near-simultaneous reading of tags, the protocol can rely on FCC RFID regulations which require protocol termination within 400ms.
If the an adversarial reader violates these regulations, a tag can use an on-board capacitor discharge to implement timeout.
Yoking proofs formulations were invented by Ari Juels who gave a protocol for a pair of tags, and left the problem of generalizing the protocol to more than two tags open for future research.
Aside from generalizing this yoking protocol to arbitrary numbers of tags,
we also found and fixed flaws in previous papers on this topic.
Timer on-board a tag
FCC regulations: protocol termination < 400ms
Capacitor discharge can implement timeout

17. Generalized “Yoking-Proof” Protocol
Idea: construct a chain of mutually dependent MACs 1 2 3 5 4
The idea of our generalized yoking proof protocol is to construct a chain of mutually dependent message authentication code computations.
The reader accesses the first tag that computes a MAC of its state and starts the timer, then the reader passes the value computed by the tag to the next tag, which computes its own MAC, and so on.
After reading the last tag, the reader passes the computed value back to the first tag, which closes the chain.
We can prove that it is infeasible for the reader to forge a proof.
We also define anonymous yoking - a new class of privacy-preserving yoking-proofs, and we propose new private yoking protocols.
We can show how yoking proofs can be sped up by splitting this chain into multiple arcs, where each arc is constructed independently, and then arcs are joined together.
Anonymous Yoking: tags keep their identities private
Speedup yoking protocols by splitting chain into arcs

18. Inter-Tag Communication in RFID
Idea: heterogeneity in ubiquitous computing
“Yoking proofs”
Battery-less sensing
Tags as mailboxes
Tags as proxies
Location access control
Tags partitioned into groups
Group leader in charge of authentication and access control
Subordinate reader-tag authentication
As mentioned before, passive tags can communicate with each other through the reader.
We believe that this communication paradigm will add heterogeneity in ubiquitous computing frameworks, with both active and passive devices communicating with each other.
We showed that “yoking-proofs” rely on this paradigm, and propose to develop new applications of inter-tag communication.
Battery-less sensing can be performed with powerless RFID tags, and inter-tag communication can allow tags to share sensor information.
Tags can be used as mailboxes or proxies for reader-to-reader communication.
Tags can also communicate location information or ensure simultaneous reader authentication, etc.

19. PUF-Based Security and Privacy
Digital crypto implementations require 1000’s of gates
Low-cost alternatives
Pseudonyms / one-time pads
Low complexity / power hash function designs
Hardware-based solutions
Definition of privacy that incorporates hardware attacks
PUF definition
Security is based on:
wire delays
gate delays
quantum mechanical fluctuations
PUF characteristics
uniqueness
reliability
unpredictability
Known digital cryptographic function implementations require thousands of gates.
RFID researchers are looking for low-complexity and consequently low-cost solutions to security and privacy in RFID.
Some low-complexity solutions include: use of pseudonyms or one-time pads, and
minimal complexity and power hash functions.
In this proposal we concentrate on solutions that rely on hardware support.
We believe that for low-complexity implementations we need to utilize randomness that is an inherent part of any chip design. For some protocols a combination of physical and digital cryptography can be used.
As part of our quest for hardware-based solutions to security and privacy in RFID,
we propose to give a definition of privacy for RFID taking physical attacks into account.
Our work so far has been based on physically unclonable functions, PUFs for short. Security of a PUF is based on wire delays, gate delays, and quantum mechanical fluctuations that are inherent in chip designs today.
A PUF can be characterized by its uniqueness, which is probability that it computes a value different from the value computed by another PUF for the same input.
A PUF can also be characterized by its reliability, which is the probability that the PUF will output the value observed in the reference environment (i.e., the one with no power or temperature fluctuations).
Another characteristic of a PUF is unpredictability, which is the characteristic of how hard it is to predict a PUF’s output for a never before tried input.
In essence, this is a characteristic of how hard it is to model a PUF.
We propose to more precisely define this characteristic.
My thesis proposal writeup details previous works on PUFs, and we will design PUFs that avoid the drawbacks of previous methods.

20. PUF-Based Algorithms Identification Sequence: ID, p(ID), …, pk(ID)
It is important to have
a reliable PUF
no loops in PUF chains
no identical PUF outputs
no impersonation attacks
Authentication Pairs: c1, p(c1), c2, p(c2), ..., cn, p(cn)
Verify that at least the desired fraction of challenge-response pairs is correct
MAC based on PUF
Motivation: “yoking-proofs”, signing sensor data
large keys
cannot support arbitrary messages
Large message set
Small message set
We propose RFID identification, authentication, and MAC algorithms based on PUFs.
To privately identify a tag, the tag will send its ID to the reader and update its ID using the PUF. For this algorithm to work, it is important for the PUF to be reliable.
For privacy, it is important to have no loops in the desired chain, and no PUF outputs should collide. We assume that an adversary cannot physically overwrite an ID of another PUF with observed tag ID. Otherwise, an adversary will gain considerable tracking advantage.
The main point is that from a single ID, a PUF can extract multiple pseudo-IDs that it can use for identification.
For a non-privacy-preserving authentication, the reader can send multiple challenges to a tag. The tag will compute PUF values for these challenges and send them to the reader. The reader will verify that at least the desired fraction of values is correct.
PUFs can also be used to sign messages.
For example, yoking proofs require messages to be signed and PUFs can also sign sensitive sensor data such as temperature.
MAC protocols that we propose are different from standard cryptographic MAC protocols. Our MAC protocols require large keys whereas standard MAC protocols have short keys, and our MACs cannot be used in all scenarios.
We will design MAC protocols for large and small message spaces.

21. PUF-Based Ownership Transfer
To maintain privacy we need
ownership privacy
forward privacy
Physical security is especially important
Solutions
public key cryptography
knowledge of owners sequence
trusted authority
short period of privacy
Ownership transfer in RFID occurs when a tag changes hands, which can occur in case of a sale or rental, for example.
It is desired to preserve the privacy of tag owners.
Past owners should not be able to track current and future owners,
and current and future owners should be able to track previous owners back in time.
When tags can change owners, physical security becomes especially important since current owners can tamper with their own tags in order to track future owners.
We propose to devise new PUF-based privacy-preserving ownership transfer protocols that rely on knowledge of the sequence of owners, trusted authority, or short period of privacy.

22. Comparison of PUF With Digital Hash Functions
MD4
7350
MD5
8400
SHA-256
10868
Yuksel
1701
PUF
545
AES
3400
algorithm
# of gates
Reference PUF: 545 gates for 64-bit input
6 to 8 gates for each input bit
33 gates to measure the delay
Low gate count of PUF has a cost
probabilistic outputs
difficult to characterize analytically
non-unique computation
extra storage
Different attack target for adversaries
model building rather than key discovery
Physical security
hard to break tag and remain undetected
In terms of gate count, a PUF compares favorably to known cryptographic hash functions that require thousands of gates to implement.
In contrast, existing PUFs require only about 550 gates for a 64-bit input – an order of magnitude improvement over standard hash functions.
Of course, the PUF’s low gate count comes at a cost.
In particular, the PUF’s output is only probabilistically accurate, and it is hard to analytically characterize a PUF, making it difficult to assess its complexity and security.
Also several different PUFs may produce identical outputs for the same input, requiring algorithms to protect against impersonation attacks.
PUFs also require extra storage at the back-end database to store all the challenge response pairs recorded for each tag.
Plus, PUFs create a different attack target for adversaries.
Instead of trying to recover a key for keyed hash functions, an adversary would try to model the PUF based on the known challenge response pairs.
In addition, PUFs add physical security to otherwise vulnerable RFID tags.
With PUFs it is much more difficult for an adversary to break the tag, or create a clone of the PUF/tag and remain undetected.

23. PUF Design Attacks on PUF Weaknesses of existing PUF New PUF design
impersonation
modeling
hardware tampering
side-channel
Weaknesses of existing PUF
reliability
A good PUF design and PUF-based algorithms should make it difficult for an adversary to use a clone PUF for impersonation.
A good PUF should be resistant to modeling attacks.
A PUF should resist hardware-tampering attacks that attempt to measure wire delays and/or try to learn secret data stored underneath the PUF’s wires.
PUFs should not leak substantial information about its computation through side channels.
Existing PUF has some weaknesses.
It has an oscillating counting circuit which computes the delay by counting and increases the tag manufacturing cost.
In addition, the delay values of this PUF follow a Gaussian distribution, requiring filtering of some challenges and longer computation times.
The reliability of existing PUFs is also relatively low.
We propose to design and evaluate better PUF prototypes in collaboration with our EE colleagues.
We will design a sub-threshold voltage PUF without an oscillating circuit, which will require less time to run.
We will also include non-linear delays in our PUF circuit, to make modeling difficult.
New PUF design
no oscillating circuit
sub-threshold voltage
Compare different non-linear delay approaches

24. Conclusion and Research Plan
Contributions
Multi-Tags
tag objects with multiple tags to improve detection
Security and Privacy
Yoking proofs
Inter-tag communication
Hardware-based security
PUFs
Plan for the next 5 months
finish multi-tag experiments
define privacy w.r.t. physical attacks
design / evaluate improved PUF circuits
publish more papers
In conclusion, we propose tagging objects with multiple-tags to improve object detection and the reliability of the system in general.
On the security front, we design generalized yoking-proofs for RFID auditing.
We propose a new inter-tag communication framework and its applications.
We also propose secure and private RFID algorithms based on physical unclonable functions.
In the next five months,
we plan to complete our experiments with multi-tags,
develop new privacy definitions for RFID,
design and evaluate new improved PUF circuits,
and publish additional papers on these topics.
Thank you.

25. Bolotnyy and Robins, Multi-Tag Radio Frequency Identification Systems,IEEE Workshop on Automatic Identification Advanced Technologies (AutoID), pp , 2005
Bolotnyy and Robins, Randomized Tree Walking Algorithm for Secure RFID, IEEE Workshop on Automatic Identification Advanced Technologies (AutoID), pp , 2005
Bolotnyy and Robins, Generalized ‘Yoking-Proofs’ for a Group of RFID Tags, IEEE International Conference on Mobile and Ubiquitous Systems (Mobiquitous), 2006
Bolotnyy and Robins, PUF-Based Security and Privacy in RFID Systems, IEEE International Conference on Pervasive Computing (PerCom), 2007

26. Back Up Slides

27. Related Work on Multi-Tags
Two-antennas per tag to determine location
Four tags per object to determine movement direction
Multiple tags to increase reliability (for visually impaired)
Random placement of two tags on playing cards
Splitting tag ID into Class ID and Pure ID
Up to three tags to determine object-person interaction
Some works observed the need for better object detection. X uses two antennas per object to better determine a tag’s location. Y places four differently positioned tags on an object to determine its moving direction. Z mentions that multiple tags per object can be used to increase reliability to help visually impaired. Q randomly places two tags on playing cards to increase cards detection. The work of W splits tag ID into two parts: Class ID and Pure ID. At sale time Pure ID is pilled off leaving only Class ID to enhance individual privacy. E uses up to three tags to better determine object-person interaction. In contrast to these works, we take a systematic approach to developing a theory of multi-tags, proposing optimal tag placement, quantify improvements obtained with multi-tags, analyzing effect of multi-tags on different tag interrogation algorithms, suggest ways to enhance security with multi-tags, and offer appealing new applications.

28. Types of Multi-Tags Redundant Tags Complimentary Tags Dual-Tags
Own Memory Only
Shared Memory Only
Own and Shared Memory
Triple-Tags
We define different types of multi-tags. Redundant tags are identical disconnected tags attached to an object. Complimentary tags are disconnected tags having distinct functionality that compliment each other for the common purpose (e.g., to speed up parallelizable computation or subdivide function computation). Dual-Tags is a pair of connected tags. Triple-Tags and n-Tags in general refer to n inter-connected tags.
n-Tags

29. Detection Distance with Multi-Tags

30. Effects of Multi-Tags on Anti-Collision Algorithms
Redundant Tags
Dual-Tags
Binary
No Affect
Binary Variant
Randomized
Doubles Time**
No Affect*
STAC
Causes DOS
Slotted Aloha
*If Dual-Tags communicate to form a single response
**Assuming an object is tagged with two tags

31. Related Work on “Yoking-Proofs”
Juels [2004]
protocol is limited to two tags
no timely timer update (minor/crucial omission)
Saito and Sakurai [2005]
solution relies on timestamps generated by trusted database
violates original problem statement
one tag is assumed to be more powerful than the others
vulnerable to “future timestamp” attack
Piramuthu [2006]
discusses inapplicable replay-attack problem of Juels’ protocol
independently observes the problem with Saito/Sakurai protocol
proposed fix only works for a pair of tags
violates original problem statement

32. Speeding Up The Yoking Protocol
Idea: split cycle into several sequences of dependent MACs
starting / closing tags
Requires
multiple readers or multiple antennas
anti-collision protocol

33. Related Work on PUF Optical PUF [Ravikanth 2001]
Silicon PUF [Gassend et al 2002]
design, implementation, simulation, manufacturing
authentication algorithm
controlled PUF
PUF in RFID
off-line reader authentication using public key cryptography [Tuyls et al 2006]
The concept of a physical unclonable function was introduced by Ravikanth in his Ph.D. thesis in 2001.
His work is mainly structured around optical PUFs.
Silicon PUFs were introduced by Gassend and others in 2002.
They designed a PUF, characterized its operation under changing voltage and temperature values, and showed how it can be used for circuit authentication.
They have also introduced controlled PUFs that use cryptographic hash functions.
A couple of works mentioned possible PUF application to RFID.
Tuyls and others gave an off-line reader authentication algorithm using PUFs.
Their algorithm relies on a public key cryptography, which may be expensive to implement aboard low-cost tags.

34. PUF-Based Authentication
Reader
Tag
α < probv ≤ 1 and probf ≤ β ≤ 1
0 ≤ t ≤ n-1
probv(n)
probf(n)
i=t+1
μi(1-μ)n-i
probv = 1 - ∑ n i
τj(1- τ)n-j
probf = 1 - ∑
j=t+1 j .
GetID
GetResponse(c1)
GetResponse(cn) ID
p(c1)
p(cn)

35. PUF-Based Identification Algorithm
Tag stores its identifier: ID
Database stores: ID, p(ID), …, pk(ID)
Upon reader’s query, the tag
responds with p(ID)
updates its ID with p(ID)
It is important to have
a reliable PUF
no loops in PUF chains
no identical PUF outputs
Assumptions
passive adversaries (otherwise, denial of service possible)
physical compromise of tags not possible
reliable PUF

36. PUF-Based MAC Algorithms
MAC = (K, τ, υ) K
valid signature σ : υ (M, σ) = 1
forged signature σ’ : υ (M’, σ’) = 1, M = M’
Need to protect against replay attacks
MAC based on PUF
large keys
cannot support arbitrary messages
Motivational example: buyer/seller
σ (m) = c, r1, ..., rn, pc(r1, m), ..., pc(rn, m)
Large message set
Small message set
σ (m) = c, pc(1)(m), ..., pc(n) (m), ..., c+q-1, pc+q-1(1)(m), pc+q-1(n)(m)

37. Using PUF to Detect and Restore Privacy of Compromised System
Detect potential tag compromise
Update secrets of affected tags