Tracker: Security and Privacy for RFID-based Supply Chains
Erik-Oliver Blass, Kaoutar Elkhiyaoui, Refik Molva
EURECOM, Sophia Antipolis, France
{blass, elkhiyao

Abstract

The counterfeiting of pharmaceutics or luxury objects is a major threat to supply chains today. As the different facilities of a supply chain are distributed and difficult to monitor, malicious adversaries can inject fake objects into the supply chain. This paper presents TRACKER, a protocol for object genuineness verification in RFID-based supply chains. More precisely, TRACKER allows to securely identify which (legitimate) path an object/tag has taken through a supply chain. TRACKER provides privacy: an adversary can neither learn details about an object's path, nor can it trace and link objects in the supply chain. TRACKER's security and privacy are based on an extension of polynomial signature techniques for run-time fault detection using homomorphic encryption. Contrary to related work, RFID tags in this paper are not required to perform any computation, but only feature a few bytes of storage, such as ordinary EPC Class 1 Gen 2 tags.

1. Introduction

Supply chain management is one of the major applications of RFID tags today. The tags are physically attached to objects, therewith enabling tracking of objects on their way through the steps of a supply chain. Today, RFID-based supply chain applications range from simple barcode replacements in supermarkets to more sensitive application scenarios, where tags are used for product genuineness verification, anti-counterfeiting, anti-cloning, and replica prevention of luxury products or pharmaceutics [12, 15, 22, 29, 32]. All these scenarios, and the latter in particular, raise new security and privacy challenges. First, with respect to security, it must be verifiable whether an object has taken one of the valid paths through the supply chain, i.e., whether the object went through a certain valid sequence of steps in the supply chain. The goal is to allow the operator or manager of the supply chain to check the genuineness of an object by simply scanning the object's RFID tag.

The problem is, though, that supply chains are physically distributed, and the parties involved in a supply chain (the "steps") may reside in different locations, even in different countries. The manager has neither full control over the interconnections between steps of the supply chain, nor full control over some of the steps themselves. Also, for simple feasibility reasons, it cannot be assumed that facilities of the supply chain are permanently online or synchronized with a back-end database. Consequently, supply chains today are prone to injection of faked, counterfeit or manipulated products. For example, the World Health Organization (WHO) has estimated that 10% of U.S. pharmaceutical products were already counterfeit in 2005 [9]. Today, the International Chamber of Commerce estimates that counterfeiting accounts for 5-7% of world trade, relating to $600 billion per year [14]. Hence, there is a stringent requirement for a security solution that prevents an adversary from tampering with tags in order to forge faked traces through the steps of the supply chain. Some supply chains today protect products by using additional tamper-proof hardware, for example the familiar holograms sticking to products. However, massive deployment of any tamper-proof hardware implies additional costs. To the best of our knowledge, there is no security solution available that is based solely on cheap, non tamper-proof RFID tags.

The second problem regards the privacy of objects in the supply chain. Typically, the manager of the supply chain does not want to reveal any information about internal details, strategic relationships and processes within the supply chain to adversaries, e.g., competitors or customers. An adversary should not be able to trace and recognize tags and objects through subsequent steps in the supply chain and therewith learn something about the internal processes of the supply chain. Similarly, by scanning an RFID tag attached to an object, the adversary should not be able to gain any knowledge about the history of that tag and the object it is attached to.
Solutions addressing these security and privacy requirements are, however, governed by the constraints of the RFID setting: RFID tags have to be cheap for massive deployments and therefore can only afford lightweight computational capabilities. Traditional security and privacy solutions would overburden tiny tags and are therefore ineligible. Moreover, the manager of the supply chain uses a handheld RFID reader, which is typically an embedded device. Consequently, path verification at the manager should require few cryptographic operations. Note that the security and privacy requirements of RFID-based supply chain management call for more than just privacy-preserving authentication, which is already extensively covered in the literature, cf. Avoine [3]. As a new requirement raised by supply chain management, the soundness of the history kept in the tags must be assured throughout the steps of the supply chain.

This paper presents TRACKER, a protocol for secure, privacy-preserving supply chain management with RFID tags. The main idea behind TRACKER is to encode paths in a supply chain using polynomial signature techniques similar to software run-time fault detection. These polynomials are evaluated under homomorphic encryption, thereby providing security and privacy. TRACKER's major contributions are:

- TRACKER allows to determine the exact path that each tag [1] went through in the supply chain.
- TRACKER provides provable security: an adversary cannot create new tags or modify existing ones and fake that a tag went properly through the supply chain.
- TRACKER is privacy-preserving: only the manager of the supply chain, but no adversary, can find out a tag's path. Also, TRACKER achieves unlinkability: an adversary cannot link tags it observes on subsequent occasions.
- To perform path verification, the manager is required to perform O(1) computations per tag, i.e., the computational complexity of path verification depends neither on the number of tags n in the supply chain, nor on the number of valid paths ν. Memory requirements scale with O(n + ν) for the manager.
- Contrary to related work such as Ouafi and Vaudenay [25] or Li and Ding [21], TRACKER does not require tags to perform any computation. Instead, TRACKER relies on passive tags with limited storage, such as standard EPC Class 1 Generation 2 tags. Due to lower hardware complexity, this implies lower production costs and cheaper (or the cheapest) tags in comparison to related work.
- RFID readers do not need to be permanently online or synchronized with a central database. In the same manner, the manager is offline.
- TRACKER detects, but does not prevent, malicious tampering with tags' internal states by any adversary.

[1] Assuming that a tag is physically connected to an object and thereby represents it, this paper uses "tag" and "object" interchangeably.

The rest of this paper is structured as follows: after presenting a formal model for a supply chain as used throughout this paper in Section 2, we state the problem addressed by TRACKER and the adversary model in Section 3. This also includes the security and privacy goals of TRACKER. In Sections 4 and 5, we describe TRACKER's details and formally analyze and prove TRACKER's security and privacy properties.

2. Background

We use terms and expressions similar to the ones used by Ouafi and Vaudenay [25] and Vaudenay [31]. A supply chain in this paper simply denotes a series of consecutive steps that a product has to pass through. The exact meaning or semantics of such a step in the supply chain depends on the particular application and will not be discussed here; one could imagine a step being a warehouse or a manufacturing unit. The actual business or manufacturing process that takes place during each step of a supply chain is out of the scope of this paper. From the point of view of this paper, each step of the supply chain is equipped with an RFID reader, and when a product moves to the subsequent step of a supply chain, an interaction takes place between the product's RFID tag and the reader associated with the step.
Finally, a manager wants to know whether a product went through the correct sequence of steps in the supply chain.

2.1. Entities

The following entities exist in TRACKER:

Tags T: Each tag is attached to, and therewith stands for, a single product or object. A tag T features re-writable memory representing T's current state, denoted $s^j_T$. The set of all possible states is denoted by $S$, $s^j_T \in S$, and $|S|$ is a sufficiently large security parameter of TRACKER.

Issuer I: The issuer I prepares tags for deployment. While attaching a tag T to a product, I writes an initial state $s^0_T$ into T.

Readers $R_k$: Representing a single step in the supply chain, a reader $R_k$ can interact with a product's tag T: $R_k$ reads out T's current state $s^j_T$ and writes an updated state $s^{j+1}_T$ into T. Here, $R_k$ uses some function $f_{R_k}$ to generate $s^{j+1}_T$ out of $s^j_T$, i.e., $f_{R_k}(s^j_T) = s^{j+1}_T$. Each reader is assumed to be offline, i.e., not permanently connected to the issuer, the manager, other readers, or some kind of back-end database. Only during initial system preparation do we assume that issuer I can connect to the readers, e.g., to send some secrets to a reader over a secure channel.

Manager M: Eventually, a tag arrives at a special step in the supply chain called a checkpoint. At a checkpoint, manager M wants to check a tag's genuineness or validity. M checks whether tag T, and therewith the tagged object, has passed through a valid ("correct") sequence of steps in the supply chain. To do so, M simply reads out the current state $s^j_T$ of T. Solely based on $s^j_T$, M decides whether T went through a valid sequence of steps. We assume that M knows which paths in a supply chain are valid and which are not. As with readers, M is assumed to be offline and not synchronized with the rest of the system, except during an initial setup.

2.2. Supply Chain

Formally, a supply chain is represented by a digraph $G = (V, E)$ consisting of vertices V and edges E. Each vertex $v_i \in V$ is equivalent to one step in the supply chain. A vertex/step $v_i$ in the supply chain is uniquely associated with a reader $R_i$. Each directed edge $e \in E$, $e := \overrightarrow{v_i v_j}$, from vertex $v_i$ to vertex $v_j$, expresses that $v_j$ is a possible next step after step $v_i$ in the supply chain. This simply means that, according to the organization of the supply chain, a product might proceed to step $v_j$ after being at step $v_i$. If products must not advance from step $v_i$ to $v_j$, then $\overrightarrow{v_i v_j} \notin E$. Note that a supply chain can include loops and reflexive edges. Whenever a product in the supply chain proceeds from step $v_i$ to step $v_j$, reader $R_j$ interacts with the product's tag. Issuer I is represented in G by the only vertex without incoming edges, $v_0$.

A path P is a finite sequence of steps $P = \{v_0, \ldots, v_l\}$, where $\forall i \in \{0, \ldots, l-1\}: \overrightarrow{v_i v_{i+1}} \in E$, and l is the length of path P. Clearly, different paths can have different path lengths. A valid path $P_{valid}$ is a special path which manager M will eventually check products for. A valid path represents a particular legitimate sequence of steps in the supply chain that M is interested in. There may be up to ν multiple different valid paths $\{P_{valid_1}, \ldots, P_{valid_\nu}\}$ in a supply chain. The last step $v_l$ of a valid path $P_{valid} = \{v_0, \ldots, v_l\}$ represents a checkpoint. After tag T has passed through such a checkpoint, M will check T's path for validity. While manager M might not know all possible paths in G, we assume in the following that M knows the valid paths, i.e., the sequences of steps that he is willing to accept as valid.

Figure 1 depicts a sample supply chain. Checkpoints, where manager M verifies tags/objects, are encircled.

[Figure 1. Simple supply chain with steps I, a, b, c, d, e; checkpoints are encircled.]

So, after their deployment at issuer I, tags can start in either step a or step b. Valid paths in Figure 1 are, for example, {I, a, d}, {I, a, d, e} or {I, a, c, c, e}. Other sequences such as {I, a, e} are not valid according to the supply chain.

2.3. A Tracker System

Using the above definitions, a complete TRACKER system consists of:

- a supply chain $G = (V, E)$
- a set $\mathcal{T}$ of n different tags
- a set of possible states S
- a total of η different readers, $\eta = |E|$
- issuer I and manager M
- a set of η state transition functions $f_i: S \to S$
- a set of ν valid paths
- a set of valid states $S_{valid}$
- a database $DB_{clone}$, stored at manager M to protect against cloned tags (see next section)
- a function READ: $\mathcal{T} \to S$ that reads out tag T and returns T's current state $s^j_T$
- a function WRITE: $\mathcal{T} \times S \to S$ that writes a new state $s^{j+1}_T$ into tag T
- a function CHECK: $S \to \{P_{valid_1}, \ldots, P_{valid_\nu}\} \cup \{\emptyset\}$ that, based on T's current state $s^j_T$, decides which valid path in the supply chain tag T has taken: CHECK($s^j_T$) $= P_{valid}$ if tag T went through $P_{valid}$, and $\emptyset$ if there is no $P_{valid}$ that T went through.
3. Problem Statement and Adversary Model

In TRACKER, we assume that the readers in the supply chain are independent. We assume as well that a reader $R_i$ is semi-honest ("honest-but-curious"). That is, a reader $R_i$ at step $v_i$ behaves correctly when it comes to the operations it has to perform on tags going through $v_i$. For instance, a reader $R_i$ at a step $v_i$ that corresponds to quality control does not update the state of T unless the product attached to T satisfies the quality requirements. Within TRACKER, we identify the following security and privacy challenges and derive a formal adversary model accordingly. Our formal definitions are direct adaptations of well-established RFID adversary models to the challenges of supply chain management. In summary, our adversary corresponds to the adversary proposed by Juels and Weis [17] and the Non-Narrow Destructive adversary by Vaudenay [31].

3.1. Security

The main security goal of TRACKER is to prevent an adversary from forging a tag's internal state with a valid path that was not actually taken by the tag in the supply chain. Using the components of the TRACKER system, this goal is stated as follows: if the verification of tag T's internal state $s^j_T$ by manager M using CHECK returns a valid path $P_{valid}$, then T must have gone through the steps of $P_{valid}$ in the supply chain. Only the soundness of the CHECK function is required with respect to the identification of a valid path, since the completeness of the CHECK function cannot always be assumed. As shown below, the adversary might write any content, for example just garbage, into T at any time to spoil the detection of valid paths. Even if a tag T has been through $P_{valid}$ in the supply chain, the adversary might replace and invalidate the state of T, leading to a CHECK output of $\emptyset$.

We formalize this security property and our adversary model using game-based definitions in accordance with Juels and Weis [17]. An adversary $A(\rho, r, \epsilon)$, or just A, has access to a TRACKER system in two phases. First, in a learning phase, A can query an oracle $O_{pick}$, cf. Algorithm 1. When queried, $O_{pick}$ randomly selects a tag from all the n tags $\mathcal{T}$ in the supply chain and gives it to A. During learning, A is allowed to read from and write into the tags provided by $O_{pick}$. For the sake of simplicity, we assume that products and tags go through a supply chain in a clocked, synchronous way. At each clock cycle, all tags are read and then re-written by the readers in their vicinity, and then proceed to the subsequent step in the supply chain. More precisely, the ITERATESUPPLYCHAIN command in Algorithm 1 enables A to iterate or execute the supply chain by one clock cycle, i.e., all tags advance by one step and are read out and re-written by readers. A can iterate the supply chain a total of ρ times. Per iteration and clock cycle, A gets access to a set of r arbitrary tags, reads out their internal state, and re-writes their state with some arbitrary data. Also, A has access to an oracle-like construction $O_M$: queried with a tag $T_{i,j}$, $O_M$ returns the output of the CHECK function. The above definition of A reflects a real-world adversary having full control over the network and knowledge about the validity of tags' states. After the learning phase of Algorithm 1, A enters the (simple) challenge phase, cf. Algorithm 2.

    for i := 0 to (ρ − 1) do
        ITERATESUPPLYCHAIN;
        for j := 1 to r do
            T_{i,j} ← O_pick;
            s^i_{T_{i,j}} := READ(T_{i,j});
            WRITE(T_{i,j}, s^{i+1}_{T_{i,j}});
            CHECK(s^{i+1}_{T_{i,j}}) ← O_M(T_{i,j});
    Algorithm 1: Security learning phase of adversary A

    either  T ← O_pick; s^j_T := READ(T); WRITE(T, s^{j+1}_T);
    or      T ← CREATETAG; WRITE(T, s_T);
    A → M: T;
    M evaluates CHECK on T's state;
    Algorithm 2: Security challenge phase of adversary A

A can either arbitrarily choose one tag $T \in \mathcal{T}$, read and re-write it, or A can create his own tag $T \notin \mathcal{T}$ and write some state $s_T$ into it. Finally, A sends T to M. Manager M will now evaluate CHECK on T's state.

Definition 1 (False positives). If M's evaluation of CHECK on tag T's state outputs one of the ν valid paths $P_{valid} = \{v_0, \ldots, v_l\}$, and if T has not been through the exact sequence of steps $\{v_0, \ldots, v_l\}$ in the supply chain, then this is called a false positive in TRACKER. The probability of a false positive is denoted by Pr[False Positive].

Now, adversary A must not be able to generate a state corresponding to a valid path with higher probability than simple guessing:

Definition 2 (Security). TRACKER provides security if and only if, for adversary A, the inequality $\Pr[\text{False Positive}] \le \frac{|S_{valid}|}{|S|} + \epsilon$ holds, where ε is negligible.
Discussion: Cloning. As we assume cheap re-writable tags without any computational abilities, no reader authentication is possible on the tag side. Any adversary can read from and write into a tag. Trivially, an adversary might clone a tag. This is impossible to prevent in our setup with only re-writable tags and offline, unsynchronized readers. To mitigate this problem, manager M utilizes a database $DB_{clone}$. Initially empty, this database will contain identifiers of tags that went through a valid path of a supply chain and were checked by M. Each time M verifies a tag's path, M also checks whether this tag's identifier is already in $DB_{clone}$, to detect cloning. Details about identifiers and the handling of $DB_{clone}$ are given later in the protocol description of Section 4. Therefore, an adversary cannot clone a tag more than once, and thus cloning cannot be performed on a large scale. On the other hand, if the tag is attached to a luxury product, cloning is critical even if a tag is cloned only once. However, to get a malicious tag accepted by the manager, the adversary has to break into the supply chain, clone a tag, inject this tag, and overtake the legitimate tag in the supply chain so as to reach the manager before the legitimate tag. We conjecture that this is not easy for an adversary to do.

Limitations. The adversary model above does not capture an adversary hijacking tags and performing extra steps with tags. One might envision an adversary controlling a set of steps with readers that do not behave protocol-compliant. For example, if the extra steps do not change the tags' state (but modify products), this will go unnoticed by the manager. We claim that these attacks, as well as physical attacks, e.g., removing one tag from one product and attaching it to another product, are out of scope. Also, there is no notion of multiple managers in the supply chain checking tags for genuineness; we focus on only one manager. While in the real world multiple managers are probably more realistic, this is left for future work. Additionally, we do not target managers proving (non-)genuineness to a third party in a privacy-preserving way. Also, we focus only on detecting counterfeits, not on preventing them; that is, it remains unclear what happens once a counterfeit has been detected. All this is left for future research.

3.2. Privacy

An adversary in TRACKER is an active adversary who, besides being able to eavesdrop on tags' communication, can also tamper with tags' internal states. Along these lines, we identify two notions of privacy in TRACKER. The first one is commonly known as tag anonymity: an adversary A should not be able to disclose the (unique) identity of tags he reads from or writes into. The second notion of privacy that we are interested in is what we call step privacy: an adversary A should not be able to find out the steps $v_i$ a tag went through. While A can eavesdrop on tags' communication and re-write tags' internal states, it should be infeasible for A to break tag anonymity or step privacy. Along these lines, another notion of privacy that could be derived as well is path privacy: A should not be able to tell which path P a given tag T took. Note, however, that step privacy is stronger than path privacy. If A is able to disclose the path a tag T went through, then A automatically knows each of T's steps. So, if TRACKER preserves step privacy, then A cannot find out the path P a tag has taken.

Moreover, TRACKER should prevent A from binding ("linking") the data he reads to the tag storing it. This differs from tag anonymity, as the latter can be achieved, for example, through encryption. However, simple encryption cannot achieve tag unlinkability: A may always be able to recognize the tag through the ciphertext it stores. Thus, there is a need to regularly change the data stored on tags to prevent such a threat. In the real world, tag unlinkability is the property that prevents an eavesdropper from tracking, following, and distinguishing items and goods based on the data tags store. Furthermore, A may also aim at linking tags based on the steps they went through in the supply chain. Roughly speaking, step unlinkability should prevent an adversary A from telling whether the paths that two different tags $T_i$ and $T_j$ took have a step in common. In practice, step unlinkability prevents an adversary A from binding a tag T to a pallet of tags in the supply chain.

In this paper, we focus on tag unlinkability and step unlinkability, for which we give formal definitions in the following section. It is sufficient to focus only on the unlinkability properties, as they represent stronger requirements than tag anonymity and step privacy. As mentioned earlier, tag unlinkability captures the ability of an adversary A to distinguish between tags based on the content they store. This notion of unlinkability is stronger than tag anonymity: if an adversary is able to undermine tag anonymity and uniquely identify a tag, he is automatically able to distinguish tags, therewith undermining tag unlinkability. Just as well, step unlinkability ensures that it is infeasible for an adversary A to tell whether the paths of two tags have a step in common or not. This notion is stronger than step privacy: if A is able to disclose the steps any tag went through, he can always tell whether two tags have a step in common. Therefore, if TRACKER provides tag and step unlinkability, it also provides tag anonymity and step privacy. So, in conclusion, it is sufficient to investigate the unlinkability properties. These are presented in detail in the following section.
3.3. Unlinkability

For our formal definitions of tag and step unlinkability, we assume A has access to the following oracles:

- $O_{choose}$ is an oracle that, when queried, returns a random tag T entering the supply chain.
- $O_{select}$ is an oracle that, when queried, returns a pair (T, S). T is a tag selected randomly from the set of tags $\mathcal{T}$, and S is the set of steps that T went through so far.
- $O_{draw}$ is an oracle that, when queried with a step v, returns a pair (T, S). T is a random tag that will go through v in the next supply chain iteration, and S is the set of steps that T went through so far.
- $O_{step}$ is an oracle that, when queried with a tag T, returns the next step that T will go through in the next supply chain iteration.
- $O_{flip}$ is an oracle that, when queried with two tags $T_1, T_2$, randomly chooses $b \in \{1, 2\}$ and returns $T_b$.

Tag Unlinkability: We illustrate tag unlinkability by a formal experiment similar to the experiment by Juels and Weis [17]. In this experiment, A has access to tags in two phases. In the learning phase, cf. Algorithm 3, $O_{select}$ provides A with two challenge tags $T_1$ and $T_2$, and r other tags along with the steps they went through so far. A iterates the supply chain ρ times. At each iteration, A reads from and writes into tags. He is also provided with the step that $T_1$ and $T_2$ will go through in the next supply chain iteration. This unlinkability game reflects a real-world adversary A that can follow tags in the supply chain along the steps they are going through.

    (T_1, S_1) ← O_select; (T_2, S_2) ← O_select;
    for i := 1 to ρ do
        ITERATESUPPLYCHAIN;
        v_{T_1,(i+1)} ← O_step(T_1); s^i_{T_1} := READ(T_1); WRITE(T_1, s'^i_{T_1});
        v_{T_2,(i+1)} ← O_step(T_2); s^i_{T_2} := READ(T_2); WRITE(T_2, s'^i_{T_2});
        for j := 1 to r do
            (T_{i,j}, S_{i,j}) ← O_select;
            s^i_{T_{i,j}} := READ(T_{i,j}); WRITE(T_{i,j}, s'^i_{T_{i,j}});
    Algorithm 3: A's tag unlinkability learning phase

    ITERATESUPPLYCHAIN;
    T_b ← O_flip(T_1, T_2);
    s_{T_b} := READ(T_b);
    for i := 1 to s do
        (T_i, S_i) ← O_select; s_{T_i} := READ(T_i);
    OUTPUT b;
    Algorithm 4: A's tag unlinkability challenge phase

In the challenge phase, cf. Algorithm 4, the supply chain is iterated first. Then, A is provided with tag $T_b$, $b \in \{1, 2\}$, through oracle $O_{flip}$. A's goal is to output the value of b. $O_{select}$ provides A with s other tags that he can read from and write into. Given the data stored on $T_b$ and the results of the different readings, A outputs his guess for the value of $b \in \{1, 2\}$. A is successful if his guess of b is correct.

Definition 3 (Tag Unlinkability). TRACKER provides tag unlinkability if and only if, for adversary A, the inequality $\Pr[A \text{ outputs a correct guess}] \le \frac{1}{2} + \epsilon$ holds, where ε is negligible.

Discussion: Unlinkability in between reader interactions. This paper targets passive tags that only feature storage capabilities and therewith cannot perform any (cryptographic) computation. Consequently, tags cannot update their state on their own after an interaction with a reader, and tags cannot perform any kind of access control. Hence, the tag state does not change in between two protocol executions, and an adversary can easily access a tag's state. Under such circumstances, it is therefore impossible to provide tag unlinkability against a powerful adversary who tries to link tags in between two subsequent reader interactions (cf. the formal proof by Vaudenay [31]). However, we conjecture that, in a real-world scenario, an adversary cannot permanently access tags or eavesdrop on tags' communications, but that there is at least one unobserved interaction between a tag and a reader. This is also in accordance with related work, such as Ateniese et al. [2], Dimitriou [11], and Sadeghi et al. [27].
We implement this in our definition of adversary A in Algorithm 4 by iterating the supply chain before calling oracle $O_{flip}$ and giving tag $T_b$ to A.

Step unlinkability: TRACKER should prevent an adversary A from being able to tell whether the paths of two different tags $T_i$ and $T_j$ have a step in common. This is formalized as follows: in the learning phase, cf. Algorithm 5, $A(\rho, r, s, \epsilon)$ calls $O_{choose}$, which provides him with a random tag that just entered the supply chain at step $v_0$. A then iterates the supply chain for a maximum of ρ times. At each iteration, A reads out T's state and writes into T. Also, $O_{step}$ provides A with the step $v_{T,(i+1)}$ that T will go through in the next supply chain iteration. A then queries the oracle $O_{draw}$ with step $v_{T,(i+1)}$. $O_{draw}$ provides A with r tags $T_{i,j}$ that will go through $v_{T,(i+1)}$ in the next supply chain iteration, which he can read from and write into. Also, $O_{select}$ provides A with s tags $T'_{i,j}$ from $\mathcal{T}$, along with the steps they went through so far. A is also provided with the next step of the tags $T'_{i,j}$ by calling the oracle $O_{step}$. A then iterates the supply chain and reads the updated states of the r tags provided by $O_{draw}$ and the s tags provided by $O_{select}$. As in the tag unlinkability game, this step unlinkability game reflects the capabilities of an active adversary who, besides eavesdropping on tags' communication, can also follow tags and tamper with their internal states along different steps of the supply chain.

    T ← O_choose;
    for i := 0 to ρ − 1 do
        v_{T,(i+1)} ← O_step(T);
        s^i_T := READ(T); WRITE(T, s'^i_T);
        for j := 1 to r do
            (T_{i,j}, S_{i,j}) ← O_draw(v_{T,(i+1)});
            s^i_{T_{i,j}} := READ(T_{i,j}); WRITE(T_{i,j}, s'^i_{T_{i,j}});
        for j := 1 to s do
            (T'_{i,j}, S'_{i,j}) ← O_select;
            v_{T'_{i,j}} ← O_step(T'_{i,j});
            s^i_{T'_{i,j}} := READ(T'_{i,j}); WRITE(T'_{i,j}, s'^i_{T'_{i,j}});
        ITERATESUPPLYCHAIN;
        for j := 1 to r do READ(T_{i,j});
        for j := 1 to s do READ(T'_{i,j});
    Algorithm 5: A's step unlinkability learning phase

In the challenge phase, cf. Algorithm 6, A is provided with a challenge tag $T_c$ which just entered the supply chain. A's goal is to tell whether the paths that tag T and tag $T_c$ took have a step in common, trivially besides the initial step $v_0$. A iterates the supply chain for a maximum of ρ times. At each iteration, A reads out and writes into $T_c$. A also calls the oracle $O_{select}$, which provides him with s tags $T_{i,j}$ that he can read from and write into. He is also provided with the step $v_{T_{i,j}}$ that $T_{i,j}$ will go through in the next iteration. A then iterates the supply chain and reads the updated state of the s tags. At the end of the challenge phase, A reads the current state of tag $T_c$ and outputs b = 1 if $T_c$ and T have a step in common (besides $v_0$), and b = 2 if they do not have a step in common (besides $v_0$). The adversary is successful if his guess is correct.

    T_c ← O_choose;
    for i := 0 to ρ − 1 do
        s^i_{T_c} := READ(T_c); WRITE(T_c, s'^i_{T_c});
        for j := 1 to s do
            (T_{i,j}, S_{i,j}) ← O_select;
            s^i_{T_{i,j}} := READ(T_{i,j}); WRITE(T_{i,j}, s'^i_{T_{i,j}});
            v_{T_{i,j}} ← O_step(T_{i,j});
        ITERATESUPPLYCHAIN;
        for j := 1 to s do READ(T_{i,j});
    READ(T_c);
    OUTPUT b;
    Algorithm 6: A's step unlinkability challenge phase

Definition 4 (Step Unlinkability). TRACKER provides step unlinkability if and only if, for adversary A, the inequality $\Pr[A \text{ outputs a correct guess}] \le \frac{1}{2} + \epsilon$ holds, where ε is negligible.

The above definition covers unlinkability of individual steps in the supply chain. Note that step unlinkability is stronger than unlinkability of paths, which prevents an adversary A from telling whether two tags went through the same path or not. If A is able to tell whether two tags went through the same path, then he automatically knows that the paths of these two tags have steps in common. So, if TRACKER provides step unlinkability, it also provides path unlinkability. Step unlinkability also implies step and path privacy.

4. Tracker Protocol

Protocol overview: In TRACKER, a tag T's state $s^l_T$ represents the sequence of steps in the supply chain that T went through. The main concept is to represent different paths in the supply chain using different polynomials. More precisely, at the end of a supply chain's valid path $P_{valid}$, a tag's state $s^l_T$ will match the evaluation of a unique polynomial $Q_{P_{valid}}(x)$ at a fixed value $x_0$. Therefore, a path in the
supply chain is represented by $Q_{P_{valid}}(x_0) \in \mathbb{F}_q$, providing a compact and efficient representation of paths. TRACKER relies on the property that for any two different paths $P \neq P'$, valid or not, the equation $Q_P(x_0) = Q_{P'}(x_0)$ holds only with negligible probability. Two different paths result in two different polynomial evaluations. As a result, the state of a tag T at the end of the supply chain can be uniquely related to one single (valid) path.

However, the path representation as presented above does not suffice to prevent path cloning, i.e., copying the path of a valid tag into a fake tag and then injecting the fake tag into the supply chain. To tackle this problem, tags store $Q_{P_{valid}}(x_0)$ multiplied by a keyed HMAC of their unique IDs. The HMAC serves two purposes: first, it proves that tags are issued by a legitimate authority and prevents an adversary from injecting its own tags. Second, it allows to map the tag's ID to a random number that cannot be predicted by the adversary. A tag's state therefore consists of three elements: a unique ID, $\mathrm{HMAC}_k(ID)$, and $\mathrm{HMAC}_k(ID) \cdot Q_{P_{valid}}(x_0)$.

TRACKER can be structured into three parts:

1.) Issuer I writes an initial state $s^0_T$ into a new tag T.

2.) Readers successively compute the evaluation of a polynomial: to achieve the evaluation of the entire polynomial $Q_{P_{valid}}(x_0)$ at the end of a valid path, each reader $R_i$ visited by tag T computes T's new state $s^i_T$ by applying simple arithmetic operations, represented by the function $f_i$, to T's current state $s^{i-1}_T$. Eventually, this results in the evaluation of the entire polynomial $Q_{P_{valid}}(x_0)$.

3.) Finally, manager M checks a tag's state $s^l_T$. M knows a set of ν evaluations of valid polynomials $Q_{P_{valid}}(x_0)$. M checks whether one of these polynomials corresponds to $s^l_T$, and if so, M knows the path the tag has taken.
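The three parts above, together with the manager's $DB_{clone}$ check from Section 3.1, are worked through below on the supply chain of Figure 1. This is an added example, not the authors' code: it implements the plaintext path mark $\mathrm{HMAC}_k(ID) \cdot Q_P(x_0)$ with the issuer, reader and CHECK operations as Section 4.1 describes them, but leaves out the ElGamal layer, so the reader sees $\mathrm{HMAC}_k(ID)$ in the clear. The concrete prime $q = 2^{127}-1$, the evaluation point $x_0 = 3$, the tag IDs and the rejection verdicts are assumptions of the example.

```python
"""Plaintext TRACKER path marks (added example, not the authors' code).

Assumptions: F_q is the prime field with q = 2^127 - 1 and x0 = 3; the
ElGamal layer of the real protocol is left out, so marks are handled in the
clear to expose the arithmetic and the manager's CHECK logic. Step names
follow Figure 1 of the paper.
"""
import hashlib
import hmac
import secrets

Q = (1 << 127) - 1   # assumption: concrete prime for F_q (a Mersenne prime)
X0 = 3               # assumption: fixed evaluation point x0 in F_q


def hmac_to_fq(key: bytes, tag_id: bytes) -> int:
    """HMAC_k(ID) reduced into F_q. A zero value would wipe the mark, so refuse it."""
    h = int.from_bytes(hmac.new(key, tag_id, hashlib.sha256).digest(), "big") % Q
    if h == 0:
        raise ValueError("HMAC_k(ID) reduced to 0 in F_q; issue a different ID")
    return h


def phi(path, a):
    """Phi(P) = Q_P(x0) = a_0 x0^l + sum_{i=1}^{l} a_i x0^(l-i), via Horner's rule."""
    acc = 0
    for v in path:
        acc = (X0 * acc + a[v]) % Q
    return acc


def issue(key: bytes, a, tag_id: bytes):
    """Issuer I writes s^0_T = (ID, HMAC_k(ID), HMAC_k(ID) * a_0); the path so far is {v_0}."""
    h = hmac_to_fq(key, tag_id)
    return (tag_id, h, (h * a["I"]) % Q)


def reader_update(state, a_i: int):
    """Reader R_i applies f_{R_i}(x) = x0 * x + HMAC_k(ID) * a_i using only the tag's content."""
    tag_id, h, mark = state
    return (tag_id, h, (X0 * mark + h * a_i) % Q)


class Manager:
    """Holds k, the table of Phi(P_valid) values, and DB_clone of already accepted IDs."""

    def __init__(self, key: bytes, a, valid_paths):
        self.key = key
        self.table = {phi(p, a): tuple(p) for p in valid_paths}
        self.db_clone = set()

    def check(self, state):
        tag_id, h, mark = state
        if h != hmac_to_fq(self.key, tag_id):
            return ("forged", None)          # not issued by I, or HMAC field tampered
        path = self.table.get(mark * pow(h, -1, Q) % Q)
        if path is None:
            return ("invalid", None)         # no valid path (or garbage state)
        if tag_id in self.db_clone:
            return ("clone", path)           # same ID accepted before: clone
        self.db_clone.add(tag_id)
        return ("valid", path)


def demo():
    """Runs genuine, mis-routed, forged, transplanted and cloned tags through CHECK."""
    key = secrets.token_bytes(32)                            # secret k shared by I and M
    steps = ["I", "a", "b", "c", "d", "e"]                   # Figure 1 of the paper
    a = {v: secrets.randbelow(Q - 1) + 1 for v in steps}      # random a_v in F_q
    valid = [["I", "a", "d"], ["I", "a", "d", "e"], ["I", "a", "c", "c", "e"]]
    m = Manager(key, a, valid)

    def run(tag_id, path):
        state = issue(key, a, tag_id)
        for v in path[1:]:
            state = reader_update(state, a[v])
        return state

    genuine = run(b"tag-0001", ["I", "a", "d", "e"])
    misrouted = run(b"tag-0002", ["I", "a", "e"])            # {I, a, e} is not valid in Figure 1
    forged = (b"evil-0001", 12345, genuine[2])               # adversary cannot compute HMAC_k
    transplant = (misrouted[0], misrouted[1], genuine[2])    # copy the mark onto another tag
    return {
        "genuine": m.check(genuine),
        "misrouted": m.check(misrouted),
        "forged": m.check(forged),
        "transplant": m.check(transplant),
        "clone": m.check(genuine),                           # bit-for-bit copy, presented again
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:10s} -> {verdict}")
```

The transplant case is the one the HMAC factor exists for: the mark $\mathrm{HMAC}_k(ID_1) \cdot \Phi(P_{valid})$ copied onto a tag with $ID_2$ is divided by $\mathrm{HMAC}_k(ID_2)$ at the manager and no longer matches any table entry. The clone case shows the limit the paper states: the first presentation of a copied tuple is accepted, and only the second is caught by $DB_{clone}$.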
Privacy and security overview: On the one hand, to protect privacy (more precisely, unlinkability) in TRACKER, tags store only probabilistic elliptic curve Elgamal encryptions of their states, and readers use homomorphic (re-)encryption techniques for the arithmetic operations on encrypted path encodings. At the end of the supply chain, the manager can then decrypt and identify the path. On the other hand, the security of TRACKER relies on both the security of Elgamal and the security of HMAC. A tag stores an encrypted state of the three elements $ID$, $\mathrm{HMAC}_k(ID)$ and $\mathrm{HMAC}_k(ID) \cdot Q_{P_{valid}}(x_0)$. Although an adversary can always have access to encryptions of $\mathrm{HMAC}_k(ID)$ and encryptions of $Q_{P_{valid}}(x_0)$, he cannot come up with an encryption that corresponds to the product of the underlying plaintexts, that is, $\mathrm{HMAC}_k(ID) \cdot Q_{P_{valid}}(x_0)$. We show in Section 5.2 that if an adversary $\mathcal{A}$ is able to come up with an encryption of $\mathrm{HMAC}_k(ID) \cdot Q_{P_{valid}}(x_0)$, he will be able to break either the computational Diffie-Hellman (CDH) assumption or the security of HMAC. Before the detailed protocol description in Section 4.3, we first give an overview of TRACKER's polynomial path encoding and of the elliptic curve encryption used in this paper.

4.1 Path Encoding in Tracker

TRACKER's polynomial path encoding is based on techniques for software fault detection. Noubir et al. [23] propose to encode a software's state machine using polynomials such that the exact sequence of states visited during run-time generates a unique mark. Therewith, run-time faults can be detected. TRACKER's path encoding is based on the one by Noubir et al. [23] and will be described in the following. For each step $v_i$, $1 \le i \le \eta$, in the supply chain, $v_i$ is associated with a unique random number $a_i \in \mathbb{F}_q$, where $q$ is a large prime. Accordingly, the issuer's step $v_0$ is associated with a random number $a_0 \in \mathbb{F}_q$. As mentioned above, a path in the supply chain is represented as a polynomial over $\mathbb{F}_q$. The polynomial corresponding to a path $P = v_0 v_1 \ldots v_l$ is defined in Equation (1). All operations are in $\mathbb{F}_q$.

$$Q_P(x) := a_0 x^l + \sum_{i=1}^{l} a_i x^{l-i} \qquad (1)$$

To have a more compact representation of paths, a path $P$ is represented by the evaluation of $Q_P(x)$ at $x_0$, where $x_0$ is a generator of the multiplicative group $\mathbb{F}_q^*$. We denote $\phi(P) := Q_P(x_0)$. The above path encoding using polynomials with random coefficients $a_i \in \mathbb{F}_q$ has the desired property that any two different paths result in distinct polynomial evaluations with high probability. That is, for all $P, P'$ with $P \neq P'$, the equation $\phi(P) = \phi(P')$ holds with probability $\frac{1}{q}$, cf. Noubir et al. [23]. Let $T$ be a tag with a unique $ID$ that took path $P$. We define $T$'s path mark as $\phi_{ID}(P) := \mathrm{HMAC}_k(ID) \cdot \phi(P)$. As defined above, the path mark depends on the tag's $ID$ to prevent an adversary from copying the path mark of one tag into another. Although the path mark depends on $ID$, knowledge of $\phi_{ID}(P)$ and $\mathrm{HMAC}_k(ID)$ always allows $M$ to derive $\phi(P)$ and identify $P$.

Readers: The path mark $\phi_{ID}(P)$ is stored on the tag. A reader that is visited by a tag $T$ reads $T$'s current path mark, updates it, and writes the updated path mark back into $T$. To eventually obtain the path mark $\phi_{ID}(P)$ of path $P = v_0 v_1 \ldots v_{i-1} v_i v_{i+1} \ldots v_l$, the per-reader effort is quite low. Assume that $T$ arrives at reader $R_i$, i.e., step $v_i$ in the supply chain. So far, $T$ went through the (sub-)path $P_{i-1} = v_0 v_1 \ldots v_{i-1}$, and stores $ID$, $\mathrm{HMAC}_k(ID)$, and path mark $\phi_{ID}(P_{i-1})$. To get $\phi_{ID}(P_i)$, reader $R_i$ simply computes its state transition function $f_{R_i}$ defined as $f_{R_i}(x) := x_0 \cdot x + \mathrm{HMAC}_k(ID) \cdot a_i$. So, $\phi_{ID}(P_i) := f_{R_i}(\phi_{ID}(P_{i-1})) = x_0 \cdot \phi_{ID}(P_{i-1}) + \mathrm{HMAC}_k(ID) \cdot a_i$. $R_i$ writes $\phi_{ID}(P_i)$ into $T$. By construction, this results in $\phi_{ID}(P_i) = \mathrm{HMAC}_k(ID) \cdot (a_0 x_0^{i} + \sum_{j=1}^{i} a_j x_0^{i-j}) = \mathrm{HMAC}_k(ID) \cdot \phi(P_i)$, i.e., the readers evaluate Equation (1) by Horner's rule, one coefficient per step.

Tag state decoding: This operation corresponds to the CHECK function of the TRACKER protocol. The state $s^l_T$ of a valid tag $T$ that went through a valid path $P_{valid}$ consists of a tuple of three elements $s^l_T := (ID, \mathrm{HMAC}_k(ID), \phi_{ID}(P_{valid}))$. Before decoding $\phi_{ID}(P_{valid})$, $M$, provided with the secret key $k$ and $ID$, computes $\mathrm{HMAC}_k(ID)$ and verifies the second element of $T$'s state. If $T$ passes the verification, $M$ multiplies $\phi_{ID}(P_{valid})$ by $\mathrm{HMAC}_k(ID)^{-1}$ to get $\phi(P_{valid})$. $M$ stores a list of all possible $\phi(P_{valid})$ along with their corresponding valid paths. Given $\phi(P_{valid})$, $M$ is able to check and identify the path $P_{valid}$. As we will see in the following paragraphs, tags in TRACKER store encrypted versions of $ID$, $\mathrm{HMAC}_k(ID)$ and $\phi_{ID}(P_{valid})$. So in conclusion, a tag stores the tuple $s^l_T = (E(ID), E(\mathrm{HMAC}_k(ID)), E(\phi_{ID}(P_{valid})))$.

4.2 Elliptic Curve Elgamal Cryptosystem

An elliptic curve Elgamal cryptosystem provides the following usual set of operations. Setup: The system outputs an elliptic curve $E$ over a finite field $\mathbb{F}_p$. Let $P$ be a point on $E(\mathbb{F}_p)$ of large prime order $q$ such that the discrete logarithm problem is intractable in $G = \langle P \rangle$. Here, $|p|$ and $|q|$ are TRACKER security parameters, e.g., $|p| = |q| = 160$ bit. Key generation: The secret key is $sk \in \mathbb{F}_q$. The corresponding public key $pk$ is the pair of points $(P, Y = sk \cdot P)$. Encryption: To encrypt a point $M \in E$, one randomly selects $r \in \mathbb{F}_q$ and computes $E(M) := (U, V) = (r \cdot P, M + r \cdot Y)$. The ciphertext is $c = (U, V)$. Decryption: To decrypt a ciphertext $c = (U, V)$, one computes $D(c) := V - sk \cdot U = M$. In TRACKER, a tag in the supply chain stores the elliptic curve Elgamal encryption of its unique $ID$, of $\mathrm{HMAC}_k(ID)$, and of the path mark $\phi_{ID}(P)$.
Without loss of generality, we assume that the $ID$ of a tag is a random point on the elliptic curve $E$ and that $\mathrm{HMAC}_k(ID)$ is an element of $\mathbb{F}_q$ with $|q| = 160$ bit. To encrypt $\mathrm{HMAC}_k(ID)$ and $\phi_{ID}(P) \in \mathbb{F}_q$ using Elgamal over elliptic curves, we need a point mapping which transforms a message $m \in \mathbb{F}_q$ into a point on the elliptic curve $E$.

Point mapping: We use a simple additively homomorphic mapping $\mathcal{M}: \mathbb{F}_q \to E$ that preserves the properties of our polynomial path encoding with respect to the probability of path collisions. Message $m \in \mathbb{F}_q$ is mapped to a point on $E$ by $\mathcal{M}(m) := m \cdot P$, where $P$ is a point on $E$ of large prime order $q$. This mapping is one-to-one from $\mathbb{F}_q$ to $G = \langle P \rangle$: if $m_1, m_2 \in \mathbb{F}_q$ are such that $\mathcal{M}(m_1) = \mathcal{M}(m_2)$, then $m_1 = m_2 \bmod q$. Therefore, the probability that the mappings of two path marks collide on $E$, i.e., $\mathcal{M}(\phi_{ID}(P_1)) = \mathcal{M}(\phi_{ID}(P_2))$, is the same as the probability that the two path marks collide in $\mathbb{F}_q$. The mapping is not efficiently reversible (inverting it is the discrete logarithm problem in $G$), which means that we cannot deduce $\phi_{ID}(P)$ from $\mathcal{M}(\phi_{ID}(P))$. However, this is not an issue in TRACKER: as mentioned above, the manager knows the valid paths in advance. So he computes and stores the mappings $\mathcal{M}(\phi(P_{valid})) \in E$ instead of computing and storing $\phi(P_{valid}) \in \mathbb{F}_q$. Given $ID$, the manager computes $\mathrm{HMAC}_k(ID)$, derives the mapping $\mathcal{M}(\phi(P)) \in E$ from $\mathcal{M}(\phi_{ID}(P))$, and then checks whether $P$ is a valid path by comparing $\mathcal{M}(\phi(P))$ with the list of valid mappings.

4.3 Detailed Protocol Description

TRACKER consists of an initial setup phase, the preparation of new tags entering the supply chain, reader and tag interaction as part of the supply chain, and finally a path verification conducted by manager $M$.

Tracker initialization: Issuer $I$ sets up an elliptic curve Elgamal cryptosystem and generates the secret key $sk$ and the public key $pk = (P, Y = sk \cdot P)$ such that the order of $P$ is a large prime $q$, $|q| = 160$ bit. Then, $I$ selects $x_0$, a generator of the multiplicative group $\mathbb{F}_q^*$, and randomly selects a value $a_0 \in \mathbb{F}_q$. $I$ generates a random bit string $k$, $|k| = 160$ bit. The initial step $v_0$, representing the issuer in the supply chain, is associated with $(a_0, k)$.
Similarly, $I$ generates $\eta$ random numbers $a_i \in \mathbb{F}_q$, $1 \le i \le \eta$. $I$ sends to each reader $R_i$, representing step $v_i$, the tuple $(x_0, a_i)$ over a secure channel. Also over a secure channel, $I$ provides manager $M$ with the secret key $sk$, the generator $x_0$, the key $k$ and the tuples $(i, a_i)$. Therewith, $M$ is informed which reader $R_i$ at step $v_i$ knows which $a_i$. As $M$ knows which paths in the supply chain will be valid, he now computes all $\nu$ valid $\phi(P_{valid})$ using Equation (1). Finally, $M$ computes and stores pairs $(\mathcal{M}(\phi(P_{valid})), steps)$, where $steps$ is the sequence of steps $v_0 v_{P_{valid},1} v_{P_{valid},2} \ldots v_{P_{valid},l}$ of $P_{valid}$. That is, $M$ knows for each mapping the sequence of steps. Therefore, the manager can verify the validity of a path and, if the path is valid, identify it. In conclusion, $x_0$ is public, each $a_i$ is secret and known only to reader $R_i$ and $M$, and only $M$ and $I$ know $sk$ and $k$.

Tag preparation: For each new tag $T$ entering the supply chain, $I$ draws a random point $ID \in E$ which is $T$'s unique identifier. Now, let $\mathrm{HMAC}_k$ be a (secure) HMAC algorithm [6], $\mathrm{HMAC}_k(m): \mathbb{F}_q \times E \to \mathbb{F}_q$. Provided with key $k$, $I$ computes $\mathrm{HMAC}_k(ID)$. $I$ then selects three random numbers $r^0_{ID}, r^0_\sigma, r^0_\phi \in \mathbb{F}_q$ to compute the following ciphertexts:

$c^0_{ID} = E(ID) = (U^0_{ID}, V^0_{ID}) = (r^0_{ID} \cdot P,\ ID + r^0_{ID} \cdot Y)$

$c^0_\sigma = E(\mathrm{HMAC}_k(ID)) = (U^0_\sigma, V^0_\sigma) = (r^0_\sigma \cdot P,\ \mathrm{HMAC}_k(ID) \cdot P + r^0_\sigma \cdot Y)$

$c^0_\phi = E(\phi_{ID}(v_0)) = (U^0_\phi, V^0_\phi) = (r^0_\phi \cdot P,\ \mathrm{HMAC}_k(ID) \cdot a_0 \cdot P + r^0_\phi \cdot Y)$

Finally, $I$ writes the state $s^0_T = (c^0_{ID}, c^0_\sigma, c^0_\phi)$ into $T$, which can then enter the supply chain.

Tag and reader interaction in the supply chain: Assume a tag $T$ arrives at step $v_i$ and reader $R_i$ in the supply chain. Without loss of generality, assume that the path that tag $T$ took so far is $P_{i-1} = v_0 v_1 \ldots v_{i-1}$ and let $P_i = v_0 v_1 \ldots v_i$. $R_i$ reads out $T$'s current state $s^{i-1}_T = (c^{i-1}_{ID}, c^{i-1}_\sigma, c^{i-1}_\phi)$. Given the ciphertexts $c^{i-1}_\phi = (U^{i-1}_\phi, V^{i-1}_\phi)$ and $c^{i-1}_\sigma = (U^{i-1}_\sigma, V^{i-1}_\sigma)$, the generator $x_0$, and $a_i$, $R_i$ computes $c'_\phi = (U'_\phi, V'_\phi)$:

$U'_\phi = x_0 \cdot U^{i-1}_\phi + a_i \cdot U^{i-1}_\sigma = (x_0 r^{i-1}_\phi + a_i r^{i-1}_\sigma) \cdot P$

$V'_\phi = x_0 \cdot V^{i-1}_\phi + a_i \cdot V^{i-1}_\sigma$
$= x_0 \cdot \Big(\mathrm{HMAC}_k(ID) \sum_{j=0}^{i-1} a_j x_0^{i-1-j} \cdot P + r^{i-1}_\phi \cdot Y\Big) + a_i \cdot \big(\mathrm{HMAC}_k(ID) \cdot P + r^{i-1}_\sigma \cdot Y\big)$
$= \mathrm{HMAC}_k(ID) \sum_{j=0}^{i-1} a_j x_0^{i-j} \cdot P + \mathrm{HMAC}_k(ID) \cdot a_i \cdot P + (x_0 r^{i-1}_\phi + a_i r^{i-1}_\sigma) \cdot Y$
$= \mathrm{HMAC}_k(ID) \sum_{j=0}^{i} a_j x_0^{i-j} \cdot P + (x_0 r^{i-1}_\phi + a_i r^{i-1}_\sigma) \cdot Y$
$= \mathcal{M}(\mathrm{HMAC}_k(ID) \cdot \phi(P_i)) + (x_0 r^{i-1}_\phi + a_i r^{i-1}_\sigma) \cdot Y$
$= \mathcal{M}(\phi_{ID}(P_i)) + (x_0 r^{i-1}_\phi + a_i r^{i-1}_\sigma) \cdot Y$

In conclusion, the above is the homomorphic encryption variant of the reader computation of Section 4.1: $c'_\phi$ is an Elgamal encryption of $\mathcal{M}(\phi_{ID}(P_i))$ under randomness $x_0 r^{i-1}_\phi + a_i r^{i-1}_\sigma$. To get $c^i_{ID}$ and $c^i_\sigma$, reader $R_i$ re-encrypts $c^{i-1}_{ID}$ and $c^{i-1}_\sigma$, respectively: it picks two random numbers $r^i_{ID}, r^i_\sigma \in \mathbb{F}_q$ and outputs two new ciphertexts $c^i_{ID} = (U^i_{ID}, V^i_{ID}) = (r^i_{ID} \cdot P + U^{i-1}_{ID},\ r^i_{ID} \cdot Y + V^{i-1}_{ID})$ and $c^i_\sigma = (U^i_\sigma, V^i_\sigma) = (r^i_\sigma \cdot P + U^{i-1}_\sigma,\ r^i_\sigma \cdot Y + V^{i-1}_\sigma)$. The reader also re-encrypts $c'_\phi$: it picks a random $r^i_\phi \in \mathbb{F}_q$ and outputs $c^i_\phi = (U^i_\phi, V^i_\phi) = (r^i_\phi \cdot P + U'_\phi,\ r^i_\phi \cdot Y + V'_\phi)$. Finally, $R_i$ writes the new state $s^i_T = (c^i_{ID}, c^i_\sigma, c^i_\phi)$ into $T$.

Path verification by $M$: This operation is TRACKER's realization of the CHECK function. Upon reading a tag's state $s^l_T = (c^l_{ID}, c^l_\sigma, c^l_\phi)$, $M$ decrypts $c^l_{ID}$ and gets $ID \in E$. $M$ then checks for cloning by looking up $ID$ in $M$'s database $DB_{clone}$. If $ID \in DB_{clone}$, then $M$ outputs $\bot$ and rejects $T$.
Otherwise, $M$ decrypts $c^l_\sigma$ to get a point $Q \in E$. $M$ computes $\mathrm{HMAC}_k(ID)$ and $\mathcal{M}(\mathrm{HMAC}_k(ID))$, and verifies whether the equation $Q = \mathcal{M}(\mathrm{HMAC}_k(ID))$ holds. If it does not, $M$ outputs $\bot$ and rejects $T$. If $Q = \mathcal{M}(\mathrm{HMAC}_k(ID))$, $M$ decrypts $c^l_\phi$, which results in a point $Q'$. Given $\mathrm{HMAC}_k(ID)$, $M$ computes the inverse of $\mathrm{HMAC}_k(ID)$ in $\mathbb{F}_q$ and then computes $\pi = \mathrm{HMAC}_k(ID)^{-1} \cdot Q' = \mathcal{M}(\phi(P))$. $M$ checks whether $\pi$ is in his list of valid mappings $\mathcal{M}(\phi(P_{valid}))$. If there is no match, $M$ outputs $\bot$ and rejects the tag. Otherwise, manager $M$ outputs $P_{valid}$ and adds $ID$ to $DB_{clone}$.

5. Security and Privacy Analysis

Before giving the security and privacy analysis, we introduce the security properties of HMAC.

5.1 HMAC Security

An HMAC with key $k$, a message $m$, and a cryptographic hash function $h$ is defined as $\mathrm{HMAC}_k(m) := h\big((k \oplus opad) \,\|\, h((k \oplus ipad) \,\|\, m)\big)$, where $\|$ denotes concatenation. For more details about $opad$ and $ipad$, see Krawczyk et al. [20]. If the output of $h$ and the secret key $k$ are indistinguishable from random data for an adversary, then $\mathrm{HMAC}_k$ has the following two properties [5, 6]: 1.) Resistance to existential forgery: Let $\mathcal{O}^{forge}_{\mathrm{HMAC}_k}$ be an HMAC oracle that, when provided with a message $m$, returns $\mathrm{HMAC}_k(m)$. An adversary $\mathcal{A}$ can choose $N$ messages $m_1, \ldots, m_N$ and provide them to the oracle $\mathcal{O}^{forge}_{\mathrm{HMAC}_k}$ to get the corresponding $\mathrm{HMAC}_k(m_i)$. Still, the advantage $\epsilon$ of $\mathcal{A}$ to come up with a new pair $(m, \mathrm{HMAC}_k(m))$, where $m \neq m_i$ for $1 \le i \le N$, is negligible. 2.) Indistinguishability: Let $\mathcal{O}^{distinguish}_{\mathrm{HMAC}_k}$ be an HMAC oracle that, when provided with a message $m$, flips a coin $b \in \{0, 1\}$ and returns a message $m'$ such that: if $b = 0$, it returns a random number; if $b = 1$, it returns $\mathrm{HMAC}_k(m)$. Even knowing $m$, $\mathcal{A}$ cannot tell whether $m'$ is a random number or $m' = \mathrm{HMAC}_k(m)$. That is, $\mathrm{HMAC}_k$ is a pseudo-random function.
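The full protocol of Section 4.3 over the elliptic curve Elgamal cryptosystem of Section 4.2, as an added example (not the authors' implementation): the issuer's tag preparation, the reader's homomorphic update with re-encryption of all three ciphertexts, and the manager's CHECK including $DB_{clone}$. Assumptions made here: the secp256k1 curve (prime order, 256-bit) in place of the 160-bit parameters the paper suggests, HMAC-SHA256 reduced into $\mathbb{F}_q^*$, a random nonzero $x_0$ in place of a generator, and a constructed supply chain with three readers and two valid paths.

```python
import hashlib, hmac, secrets

# Added example, not the paper's code. secp256k1 (assumption: any prime-order group works;
# the paper uses 160-bit parameters). P has prime order q, so scalars live in F_q.
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity

def ec_add(A, B):  # affine point addition on y^2 = x^3 + 7 over F_p
    if A is INF or B is INF:
        return B if A is INF else A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF
    lam = (3 * x1 * x1 * pow(2 * y1, -1, p) if A == B else (y2 - y1) * pow(x2 - x1, -1, p)) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, A):  # double-and-add; the scalar k is taken mod q
    R, k = INF, k % q
    while k:
        if k & 1:
            R = ec_add(R, A)
        A, k = ec_add(A, A), k >> 1
    return R

def rand_scalar():
    return secrets.randbelow(q - 1) + 1

def enc(Y, M):  # Section 4.2: E(M) = (r P, M + r Y)
    r = rand_scalar()
    return (ec_mul(r, P), ec_add(M, ec_mul(r, Y)))
def reenc(Y, c):  # same plaintext under fresh randomness: (r P + U, r Y + V)
    r = rand_scalar()
    return (ec_add(ec_mul(r, P), c[0]), ec_add(ec_mul(r, Y), c[1]))
def dec(sk, c):  # D(U, V) = V - sk U
    sU = ec_mul(sk, c[0])
    return ec_add(c[1], (sU[0], -sU[1] % p))

def hmac_k(k, ID):
    """HMAC_k(ID) reduced into F_q^* (nonzero, so that its inverse exists)."""
    msg = ID[0].to_bytes(32, "big") + ID[1].to_bytes(32, "big")
    return int.from_bytes(hmac.new(k, msg, hashlib.sha256).digest(), "big") % (q - 1) + 1

def phi(x0, coeffs):  # Equation (1) by Horner's rule; coeffs = [a_0, a_1, ..., a_l]
    acc = 0
    for a in coeffs:
        acc = (acc * x0 + a) % q
    return acc

def issue(Y, k, a0):
    """Issuer I: s^0_T = (E(ID), E(HMAC_k(ID) P), E(HMAC_k(ID) a_0 P)) for a fresh random ID in E."""
    ID = ec_mul(rand_scalar(), P)
    h = hmac_k(k, ID)
    return (enc(Y, ID), enc(Y, ec_mul(h, P)), enc(Y, ec_mul(h * a0 % q, P)))

def reader_update(Y, x0, a_i, state):
    """Reader R_i: c'_phi = (x0 U_phi + a_i U_sigma, x0 V_phi + a_i V_sigma); then re-encrypt all three."""
    c_id, (Us, Vs), (Up, Vp) = state
    c_phi = (ec_add(ec_mul(x0, Up), ec_mul(a_i, Us)), ec_add(ec_mul(x0, Vp), ec_mul(a_i, Vs)))
    return (reenc(Y, c_id), reenc(Y, (Us, Vs)), reenc(Y, c_phi))

class Manager:  # holds sk, k, the table M(phi(P_valid)) -> path, and DB_clone
    def __init__(self, sk, k, x0, a, valid_paths):
        self.sk, self.k, self.db_clone = sk, k, set()
        self.valid = {ec_mul(phi(x0, [a[0]] + [a[i] for i in path]), P): path for path in valid_paths}
    def check(self, state):  # CHECK of Section 4.3; None stands for the reject output
        ID = dec(self.sk, state[0])
        if ID in self.db_clone:
            return None  # this ID was already verified once: clone
        h = hmac_k(self.k, ID)
        if dec(self.sk, state[1]) != ec_mul(h, P):
            return None  # sigma is not HMAC_k(ID): not issued under key k
        pi = ec_mul(pow(h, -1, q), dec(self.sk, state[2]))  # M(phi(P)) = HMAC^{-1} * M(phi_ID(P))
        if pi in self.valid:
            self.db_clone.add(ID)
        return self.valid.get(pi)

def demo():
    """Constructed chain: issuer v_0, readers R_1..R_3, valid paths (1, 2, 3) and (2, 3)."""
    sk, k = rand_scalar(), secrets.token_bytes(20)
    Y = ec_mul(sk, P)
    x0 = rand_scalar()  # assumption: random nonzero element in place of a generator of F_q^*
    a = {i: rand_scalar() for i in range(4)}  # a_0 for the issuer, a_1..a_3 for the readers
    M = Manager(sk, k, x0, a, [(1, 2, 3), (2, 3)])
    def run(tag, path):
        for i in path:
            tag = reader_update(Y, x0, a[i], tag)
        return tag
    genuine = run(issue(Y, k, a[0]), (1, 2, 3))
    return {
        "genuine": M.check(genuine),
        "replay": M.check(genuine),  # same tag presented twice: DB_clone rejects
        "wrong_order": M.check(run(issue(Y, k, a[0]), (3, 2, 1))),
        "foreign_key": M.check(run(issue(Y, secrets.token_bytes(20), a[0]), (1, 2, 3))),
        "reencryption_changes_ciphertext": reenc(Y, genuine[0]) != genuine[0],
    }
```

Two points worth checking against the text: the reader never decrypts anything and holds only $x_0$, $a_i$ and $pk$, exactly as the initialization paragraph prescribes; and a tag issued under a different HMAC key (`foreign_key`) fails the $\sigma$ check before its path is even looked at, which is the "issued by a legitimate authority" property. The `replay` case is the only defence the protocol has against copying a complete state from a genuine tag, so $DB_{clone}$ must be persistent and shared by every verifying manager instance.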
As an aside, instead of HMAC one could use any MAC providing the same provable properties. In TRACKER, we use HMAC as it can be implemented efficiently in software [6].

5.2 Security

First, an adversary $\mathcal{A}$ winning the security game of Algorithm 2 implies that $\mathcal{A}$ writes a valid state $s_T = (c_{ID}, c_\sigma, c_\phi)$ into a tag $T$. This implies that the pair $(c_{ID}, c_\sigma)$ is a valid pair, i.e., $c_{ID} = E(ID)$ and $c_\sigma = E(\mathrm{HMAC}_k(ID) \cdot P)$. Producing a new valid pair $(c_{ID}, c_\sigma)$ entails that $\mathcal{A}$ breaks the security of HMAC, as sketched in Lemma 1.

Note. We say that $\mathcal{A}$ produces a new valid pair $(c_{ID} = E(ID), c_\sigma = E(\mathrm{HMAC}_k(ID) \cdot P))$ if $(c_{ID}, c_\sigma)$ is not (a re-encryption of) a pair $(c'_{ID}, c'_\sigma)$ that $\mathcal{A}$ read during the learning phase.

Lemma 1. Producing a new valid pair $(c_{ID}, c_\sigma)$ contradicts the indistinguishability property of HMAC.

Sketch. More precisely, we can build an adversary $\mathcal{A}'$ that uses $\mathcal{A}$ to break the indistinguishability property of $\mathrm{HMAC}_k$. When $\mathcal{A}$ provides $\mathcal{A}'$ with a new pair $(c_{ID}, c_\sigma)$, $\mathcal{A}'$ decrypts $c_{ID}$ and $c_\sigma$ and gets $ID$ and a point $Q$, respectively. $\mathcal{A}'$ gives $ID$ to $\mathcal{O}^{distinguish}_{\mathrm{HMAC}_k}$, which returns a message $m'$. Finally, to break the indistinguishability of $\mathrm{HMAC}_k$, $\mathcal{A}'$ checks whether $Q = m' \cdot P$. If so, $\mathcal{A}'$ outputs 1, meaning that $m' = \mathrm{HMAC}_k(ID)$. Otherwise, $\mathcal{A}'$ outputs 0, implying that $m'$ is a random number.

Theorem 1. TRACKER is secure under the security of HMAC and the computational Diffie-Hellman (CDH) assumption.

Proof. By Lemma 1, $\mathcal{A}$ cannot compute a new valid pair $(c_{ID}, c_\sigma)$. If $\mathcal{A}$ re-uses a valid pair $(c_{ID}, c_\sigma)$ read in the learning phase, then providing a valid tuple $(c_{ID}, c_\sigma, c_\phi)$ implies that $\mathcal{A}$ is able to solve an instance of the computational Diffie-Hellman problem, as shown below. Assume there is an adversary $\mathcal{A}(\rho, r, \epsilon)$ that breaks the security of TRACKER by arbitrarily choosing a tag $T \in \mathcal{T}$ and then re-writing it with a valid state $(c_{ID}, c_\sigma, c_\phi)$. If this is the case, and if the output of HMAC is indistinguishable from a random number, we show that there is an adversary $\mathcal{A}'$ that breaks the CDH assumption with non-negligible advantage $\epsilon'$.
Note that we do not cover simple cloning here, as an adversary can always succeed in copying the state of a tag that went through a valid path. As discussed before, anti-cloning protection is provided by $DB_{clone}$. Let $\mathcal{O}_{CDH}$ be an oracle that, when queried, randomly selects two elements $a$ and $b$ in $\mathbb{F}_q$ and returns the tuple $(P, a \cdot P, b \cdot P)$. An adversary $\mathcal{A}'$ breaks CDH if, given $(P, a \cdot P, b \cdot P)$, he outputs $ab \cdot P$.

Overview: In a nutshell, an adversary $\mathcal{A}$ is able to break TRACKER if he outputs an encryption of $ID$, $\mathrm{HMAC}_k(ID) \cdot P$, and $\mathrm{HMAC}_k(ID) \cdot \phi(P_{valid}) \cdot P$ from an encryption of $ID$, $\mathrm{HMAC}_k(ID) \cdot P$, and $\phi(P_{valid}) \cdot P$. So to break CDH, $\mathcal{A}'$ uses $\mathcal{A}$ as a subroutine as follows. Firstly, $\mathcal{A}'$ creates a TRACKER system with a valid path $P_{valid} = v_0 v_1 \ldots v_l$. He randomly generates $l$ elements $a_i \in \mathbb{F}_q$, $0 \le i \le l-1$, such that $a_i$ corresponds to step $v_i$. The step $v_l$, however, is associated with the point $R = b \cdot P - x_0 \sum_{i=0}^{l-1} a_i x_0^{l-1-i} \cdot P$, i.e., $R$ plays the role of $a_l \cdot P$ for an unknown $a_l$. Therefore, $\mathcal{M}(\phi(P_{valid})) = b \cdot P$. Secondly, $\mathcal{A}'$ writes into a challenge tag $T_n$ a state $s_{T_n} = (c_{ID_n}, c_{\sigma_n}, c_{\phi_n})$ such that $c_{\sigma_n} = E(a \cdot P)$. If, in the challenge phase of the security game, $\mathcal{A}$ is able to write into $T_n$ a valid state $(c'_{ID_n}, c'_{\sigma_n}, c'_{\phi_n})$ which corresponds to the path $P_{valid}$, then $\mathcal{A}'$ will be able to break CDH by decrypting $c'_{\phi_n}$. By construction, the path mark stored on $T_n$ will correspond to $ab \cdot P$.

Details: For ease of understanding, we assume that the supply chain consists of only one valid path $P_{valid} = v_0 v_1 \ldots v_l$ such that $\mathcal{M}(\phi(P_{valid})) = b \cdot P$. $\mathcal{A}'$ creates a TRACKER system with the one valid path $P_{valid} = v_0 v_1 \ldots v_l$: he randomly generates $l$ elements $a_i$, $0 \le i \le l-1$, such that $a_i$ corresponds to $v_i$; the step $v_l$, however, is associated with the point $R = b \cdot P - x_0 \sum_{i=0}^{l-1} a_i x_0^{l-1-i} \cdot P$. Finally, $\mathcal{A}'$ generates a valid key pair $(sk, pk)$ for Elgamal encryption and a key $k$ for the HMAC. $\mathcal{A}'$ initializes $(n-1)$ tags $T$ in TRACKER. To create the $n$-th tag $T_n$, $\mathcal{A}'$ randomly picks $ID_n \in E$ and encrypts it into $c_{ID_n}$. Then, to compute $c_{\sigma_n}$, $\mathcal{A}'$ encrypts $a \cdot P$ instead of encrypting $\mathrm{HMAC}_k(ID_n) \cdot P$. Given the indistinguishability property of HMAC, $\mathcal{A}$ cannot tell whether $\mathcal{A}'$ computes the HMAC correctly or not. Finally, $\mathcal{A}'$ computes $c_{\phi_n} = E(a \cdot a_0 \cdot P)$. $\mathcal{A}'$ calls $\mathcal{A}(\rho, r, \epsilon)$, which enters the learning phase. $\mathcal{A}'$ iterates the supply chain $\rho$ times. At each iteration of the supply chain:

1. $\mathcal{A}'$ updates the state of the tags in the supply chain as follows. First, if a tag $T$ is at a step $v_i \neq v_l$, the tag is updated according to the TRACKER protocol. Second, if a tag $T$ is at step $v_l$: $\mathcal{A}'$ decrypts the state $s_T = (c_{ID}, c_\sigma, c_\phi)$ and gets three points $(ID', Q, Q')$. $\mathcal{A}'$ checks whether $(ID', Q, Q')$ corresponds to a valid state of a tag going through the sub-path $v_0 v_1 \ldots v_{l-1}$, i.e., $Q = \mathrm{HMAC}_k(ID') \cdot P$ and $Q' = \mathrm{HMAC}_k(ID') \sum_{i=0}^{l-1} a_i x_0^{l-1-i} \cdot P$. If this is the case, $\mathcal{A}'$ writes into $T$ a state $s'_T = (c'_{ID}, c'_\sigma, c'_\phi)$ such that $c'_\phi = E(\mathrm{HMAC}_k(ID') \cdot b \cdot P)$. Otherwise, $\mathcal{A}'$ writes into $T$ a state $s'_T = (c'_{ID}, c'_\sigma, c'_\phi)$ such that $c'_\phi$ is an encryption of a random number.

Note. Writing the encryption of a random number into an invalid tag $T$ does not affect the output of the CHECK function. An invalid tag $T$ either did not go through the valid sub-path $v_0 v_1 \ldots v_{l-1}$ or it stores an invalid HMAC. When $\mathcal{A}$ calls the CHECK function on $T$, CHECK will always output $\bot$. Moreover, a valid tag $T$ that went through $P_{valid}$ will always store a valid path mark corresponding to $\mathrm{HMAC}_k(ID) \cdot b \cdot P$.

2. Simulating $\mathcal{O}_{pick}$, $\mathcal{A}'$ provides $\mathcal{A}$ with $r$ tags that $\mathcal{A}$ is allowed to read from and write into.

3. $\mathcal{A}$ gives the $r$ tags back to $\mathcal{A}'$. $\mathcal{A}'$ simulates $\mathcal{O}_M$ as follows: upon reading the state $s_T = (c_{ID}, c_\sigma, c_\phi)$ of a tag $T$, $\mathcal{A}'$ decrypts $c_{ID}$ to get $ID'$. First, $\mathcal{A}'$ verifies whether $ID' = ID_n$. If this is the case, $\mathcal{A}'$ aborts and restarts the game. Otherwise, $\mathcal{A}'$ decrypts $c_\sigma$ and gets a point $Q$. Then, $\mathcal{A}'$ verifies whether the equation $Q = \mathrm{HMAC}_k(ID') \cdot P$ holds. If it does not, $\mathcal{A}'$ rejects the tag $T$. If $Q = \mathrm{HMAC}_k(ID') \cdot P$, $\mathcal{A}'$ decrypts $c_\phi$ and gets a point $Q'$. $\mathcal{A}'$ then computes $\pi = \mathrm{HMAC}_k(ID')^{-1} \cdot Q'$. If $\pi = b \cdot P$, i.e., $\pi$ is valid, $\mathcal{A}'$ outputs $P_{valid}$. Otherwise, $\mathcal{A}'$ rejects the tag $T$ and outputs $\bot$.

After the learning phase, $\mathcal{A}'$ puts $\mathcal{A}$ into the challenge phase. $\mathcal{A}$ then returns to $\mathcal{A}'$ a tag $T \in \mathcal{T}$ which stores the state $(c_{ID}, c_\sigma, c_\phi)$. Once $\mathcal{A}'$ receives $(c_{ID}, c_\sigma, c_\phi)$, he decrypts $c_{ID}$ using the Elgamal secret key $sk$ and gets $ID$. He checks whether $ID = ID_n$, i.e., $T = T_n$. If this is not the case, $\mathcal{A}'$ restarts the game. Otherwise, $\mathcal{A}'$ decrypts $c_\phi$. Since $\mathcal{A}'$ computed the HMAC of $ID_n$ as if it were $a$, the decryption of $c_\phi$ results in a point $Q' = a \cdot \phi(P_{valid}) \cdot P = ab \cdot P$. To solve the CDH problem, $\mathcal{A}'$ outputs $Q'$. $\mathcal{A}'$ succeeds in its attack if: 1.) the game does not abort, i.e., $\mathcal{A}$ is not provided with tag $T_n$ in the learning phase; 2.) in the challenge phase, $\mathcal{A}$ picks $T_n$. In the learning phase, $\mathcal{A}$ is provided with $r\rho$ tags. Since tags are selected randomly among $n$ tags, the probability that $\mathcal{A}$ is not provided with $T_n$ in the learning phase is $(1 - \frac{1}{n})^{r\rho}$. Moreover, the probability that $\mathcal{A}$ picks $T_n$ in the challenge phase is $\frac{1}{n}$. Therefore, if $\mathcal{A}(\rho, r, \epsilon)$ breaks TRACKER's security, then $\mathcal{A}'$ breaks CDH with advantage $\epsilon' = \frac{1}{n}\left(1 - \frac{1}{n}\right)^{r\rho} \epsilon$.
Above, we have shown that if there is an adversary $\mathcal{A}$ who breaks the security of TRACKER with one valid path, then there is an adversary who breaks the CDH assumption. The security of TRACKER with one valid path extends to TRACKER with multiple valid paths as follows.

Lemma 2. If there is an adversary $\mathcal{A}(\rho, r, \epsilon)$ who breaks TRACKER's security with $\nu$ valid paths, then there is an adversary $\mathcal{A}'(\rho, r, \epsilon')$ who breaks TRACKER's security with one valid path.

Sketch. In order to break TRACKER with one valid path $P_{valid}$, $\mathcal{A}'$ creates a supply chain with $\nu$ valid paths such that $P_{valid}$ is one of them. Since $\mathcal{A}(\rho, r, \epsilon)$ breaks TRACKER with $\nu$ valid paths, he outputs a tuple $(c_{ID}, c_\sigma, c_\phi)$ that corresponds to the path $P_{valid}$ with probability $\frac{1}{\nu}\epsilon$. Therefore, the advantage of $\mathcal{A}'$ is $\epsilon' = \frac{\epsilon}{\nu}$. In conclusion, if there is an adversary $\mathcal{A}(\rho, r, \epsilon)$ that breaks the security of TRACKER with $\nu$ valid paths, then there is an adversary $\mathcal{A}'$ who breaks CDH with advantage $\epsilon' = \frac{1}{\nu n}\left(1 - \frac{1}{n}\right)^{r\rho} \epsilon$.

5.3 Privacy Analysis

For the privacy analysis, we use the semantic security of Elgamal under re-encryption, cf. Golle et al. [13], to prove both tag unlinkability and step unlinkability. Let $\mathcal{O}_{re\text{-}encrypt}$ be the oracle that, provided with two ciphertexts $c_1, c_2$, randomly chooses $b \in \{1, 2\}$, re-encrypts $c_b$ using Elgamal and the public key $pk$, and returns the resulting ciphertext $c'_b$. As this re-encryption is based on Elgamal, the semantic security of Elgamal encryption extends to semantic security under re-encryption. Let $\mathcal{A}$ be an adversary that selects two ciphertexts $c_1, c_2$ and provides oracle $\mathcal{O}_{re\text{-}encrypt}$ with $c_1$ and $c_2$. $\mathcal{O}_{re\text{-}encrypt}$ randomly chooses $b$, re-encrypts $c_b$ to $c'_b$, and returns $c'_b$ to $\mathcal{A}$. The semantic security of Elgamal under re-encryption implies that guessing the value of $b$ is as difficult for $\mathcal{A}$ as the decisional Diffie-Hellman (DDH) problem [13].

Theorem 2 (Tag Unlinkability). TRACKER provides tag unlinkability under the DDH assumption.

Proof. Assume there is an adversary $\mathcal{A}$ whose advantage $\epsilon$ in the tag unlinkability experiment is non-negligible.
We now construct a new adversary $\mathcal{A}'$ that executes $\mathcal{A}$ and breaks the semantic security of Elgamal under re-encryption, which holds under the DDH assumption. $\mathcal{A}'$ creates a supply chain for the TRACKER protocol and calls the adversary $\mathcal{A}$. Simulating $\mathcal{O}_{select}$, $\mathcal{A}'$ provides $\mathcal{A}$ with two pairs $(T_1, S_1)$ and $(T_2, S_2)$ such that $T_1$ and $T_2$ are selected randomly among the $n$ tags in the supply chain, and $S_1$ (respectively $S_2$) is the set of steps that $T_1$ (respectively $T_2$) went through so far. $\mathcal{A}'$ iterates the supply chain $\rho$ times. At each iteration $i$ of the supply chain:

1. $\mathcal{A}$ reads from and writes into $T_1$ and $T_2$.

2. Simulating $\mathcal{O}_{step}$, $\mathcal{A}'$ provides $\mathcal{A}$ with the next step that $T_1$ (respectively $T_2$) will go through in the next supply chain iteration.

3. $\mathcal{A}'$ simulates $\mathcal{O}_{select}$ and provides $\mathcal{A}$ with $r$ pairs $(T_{i,j}, S_{i,j})$, $1 \le j \le r$, where $T_{i,j}$ is selected randomly and $S_{i,j}$ is the set of steps that $T_{i,j}$ went through so far. $\mathcal{A}$ is allowed to read from and write into these $r$ tags.

After the learning phase, $\mathcal{A}$ submits $T_1$ and $T_2$ to $\mathcal{A}'$, which simulates $\mathcal{O}_{flip}$. $T_1$ contains state $s_{T_1} = (c_{ID_1}, c_{\sigma_1}, c_{\phi_1})$, and $T_2$ contains state $s_{T_2} = (c_{ID_2}, c_{\sigma_2}, c_{\phi_2})$. $\mathcal{A}'$ transmits $c_{ID_1}$ and $c_{ID_2}$ to oracle $\mathcal{O}_{re\text{-}encrypt}$. $\mathcal{O}_{re\text{-}encrypt}$ randomly chooses $b$ and returns to $\mathcal{A}'$ the result $c'_{ID_b}$ of re-encrypting one of the ciphertexts $c_{ID_1}, c_{ID_2}$. $\mathcal{A}'$ prepares the challenge tag $T_c$: 1. $\mathcal{A}'$ iterates the supply chain one more time. 2. $\mathcal{A}'$ randomly selects $b' \in \{1, 2\}$ and stores the state $s_{T_c} = (c'_{ID_b}, c'_{\sigma_{b'}}, c'_{\phi_{b'}})$ in $T_c$. Simulating $\mathcal{O}_{flip}$, $\mathcal{A}'$ provides $\mathcal{A}$ with the challenge tag $T_c$. $\mathcal{A}'$ simulates $\mathcal{O}_{select}$ and provides $\mathcal{A}$ with $s$ pairs $(T_i, S_i)$, $1 \le i \le s$, where $T_i$ is selected randomly and $S_i$ is the set of steps that $T_i$ went through so far. $\mathcal{A}$ is allowed to read from and write into these $s$ tags.

In general, given two events $E_1, E_2$, the probability that event $E_1$ occurs is $\Pr(E_1) = \Pr(E_1 \mid E_2)\Pr(E_2) + \Pr(E_1 \mid \overline{E_2})\Pr(\overline{E_2})$. Now let $E_1$ be the event that $\mathcal{A}'$ breaks the semantic security of Elgamal under re-encryption, and $E_2$ the event that $b = b'$ holds. If $b = b'$, the state $s_{T_c} = (c'_{ID_b}, c'_{\sigma_b}, c'_{\phi_b})$ stored on $T_c$ is a well-formed tuple. Therefore, $\mathcal{A}$ outputs his guess for the tag corresponding to the challenge tag $T_c$ with non-negligible advantage $\epsilon$. If $\mathcal{A}$ outputs $T_1$, this means that $T_c$ stores a re-encryption of $c_{ID_1}$, and $\mathcal{A}'$ outputs 1. If $\mathcal{A}$ outputs $T_2$, this means that $T_c$ stores a re-encryption of $c_{ID_2}$, and $\mathcal{A}'$ outputs 2. If $b \neq b'$, the probability that $\mathcal{A}'$ breaks the semantic security of Elgamal under re-encryption is at worst that of a random guess, i.e., $\frac{1}{2}$.
Since $b'$ is selected randomly, the probability that $b = b'$ holds is $\frac{1}{2}$. Therefore,

$$\Pr(E_1) = \Pr(E_1 \wedge E_2) + \Pr(E_1 \wedge \overline{E_2}) = \Pr(E_2)\Pr(E_1 \mid E_2) + \Pr(\overline{E_2})\Pr(E_1 \mid \overline{E_2}) = \tfrac{1}{2}\Pr(E_1 \mid E_2) + \tfrac{1}{2}\Pr(E_1 \mid \overline{E_2}) = \tfrac{1}{2}\left(\tfrac{1}{2} + \epsilon\right) + \tfrac{1}{2}\Pr(E_1 \mid \overline{E_2}) \ge \tfrac{1}{2}\left(\tfrac{1}{2} + \epsilon\right) + \tfrac{1}{2} \cdot \tfrac{1}{2} = \tfrac{1}{2} + \tfrac{\epsilon}{2}$$

Consequently, the advantage of $\mathcal{A}'$ in breaking the semantic security of Elgamal under re-encryption is at least $\frac{\epsilon}{2}$. In conclusion, if $\mathcal{A}$ has a non-negligible advantage $\epsilon$ in breaking TRACKER, $\mathcal{A}'$ also has a non-negligible advantage $\frac{\epsilon}{2}$ in breaking the semantic security of Elgamal under re-encryption.

Theorem 3 (Step Unlinkability). TRACKER provides step unlinkability under the DDH assumption.

Proof. Assume there is an adversary $\mathcal{A}$ whose advantage $\epsilon$ in the step unlinkability experiment is non-negligible. We now construct a new adversary $\mathcal{A}'$ that executes $\mathcal{A}$ and breaks the semantic security of Elgamal under re-encryption. $\mathcal{A}'$ creates a supply chain for the TRACKER protocol with $n$ tags, $\eta + 1$ steps, and $\nu$ valid paths, and calls the adversary $\mathcal{A}$. Simulating $\mathcal{O}_{choose}$, $\mathcal{A}'$ provides $\mathcal{A}$ with a tag $T$ entering the supply chain. $\mathcal{A}'$ iterates the supply chain $\rho$ times. At each iteration $i$ of the supply chain:

1. $\mathcal{A}$ reads from and writes into $T$.

2. Simulating $\mathcal{O}_{step}$, $\mathcal{A}'$ provides $\mathcal{A}$ with the next step $v_{T,(i+1)}$ that $T$ will go through in the next supply chain iteration.

3. $\mathcal{A}'$ simulates $\mathcal{O}_{draw}$ and provides $\mathcal{A}$ with $r$ pairs $(T_{i,j}, S_{i,j})$, $1 \le j \le r$, where $T_{i,j}$ is a tag that will go through $v_{T,(i+1)}$ in the next iteration and $S_{i,j}$ is the set of steps that $T_{i,j}$ went through so far. $\mathcal{A}$ is allowed to read from and write into these $r$ tags.

4. $\mathcal{A}'$ simulates $\mathcal{O}_{select}$ and provides $\mathcal{A}$ with $s$ pairs $(T'_{i,j}, S'_{i,j})$, $1 \le j \le s$, where $T'_{i,j}$ is a tag selected randomly and $S'_{i,j}$ is the set of steps that $T'_{i,j}$ went through so far. $\mathcal{A}$ is allowed to read from and write into these $s$ tags.

5. $\mathcal{A}$ provides the oracle $\mathcal{O}_{step}$ with the tags $T'_{i,j}$. $\mathcal{A}'$ simulates $\mathcal{O}_{step}$ and provides $\mathcal{A}$ with the next step of the tags $T'_{i,j}$.

6. When $\mathcal{A}'$ iterates the supply chain, $\mathcal{A}$ again receives the tags $T_{i,j}$ and $T'_{i,j}$, which he can read from.

Without loss of generality, we assume that $T$ went through path $P = v_0 v_1 \ldots v_\rho$. Let $P' = v_0 v'_1 \ldots v'_\rho$ be a path such that $P$ and $P'$ have no step in common except for $v_0$. In the challenge phase, $\mathcal{A}'$ provides $\mathcal{A}$ with a challenge tag $T_c$ that has just entered the supply chain. $\mathcal{A}$ is allowed to iterate the supply chain $\rho$ times. Before each iteration $i$:

1. $\mathcal{A}$ can read from and write into $T_c$.

2. $\mathcal{A}'$ simulates $\mathcal{O}_{select}$ and provides $\mathcal{A}$ with $s$ pairs $(T'_{i,j}, S'_{i,j})$, $1 \le j \le s$, where $T'_{i,j}$ is a tag selected randomly and $S'_{i,j}$ is the set of steps that $T'_{i,j}$ went through so far. $\mathcal{A}$ is allowed to read from and write into these $s$ tags.

3. $\mathcal{A}$ provides the oracle $\mathcal{O}_{step}$ with the tags $T'_{i,j}$. $\mathcal{A}'$ simulates $\mathcal{O}_{step}$ and provides $\mathcal{A}$ with the next step of the tags $T'_{i,j}$.

To update the state of $T_c$ in the challenge phase, $\mathcal{A}'$ proceeds as follows. During the first iteration: 1. $\mathcal{A}'$ computes two states. He computes $s^1_{T_c,1} = (c^1_{ID}, c^1_\sigma, c^1_{\phi,1})$ as if $T_c$ goes through $v_1$ in the first iteration, and $s^1_{T_c,2} = (c^1_{ID}, c^1_\sigma, c^1_{\phi,2})$ as if $T_c$ goes through $v'_1$ in the first iteration. 2. $\mathcal{A}'$ then transmits $c^1_{\phi,1}$ and $c^1_{\phi,2}$ to oracle $\mathcal{O}_{re\text{-}encrypt}$. 3. $\mathcal{O}_{re\text{-}encrypt}$ returns to $\mathcal{A}'$ the result $c'_{\phi,b}$ of re-encrypting one of the two ciphertexts $c^1_{\phi,1}, c^1_{\phi,2}$. 4. $\mathcal{A}'$ writes the state $s^1_{T_c} = (c^1_{ID}, c^1_\sigma, c'_{\phi,b})$ into $T_c$. In the following iterations, $\mathcal{A}'$ updates the state of $T_c$ as if $T_c$ goes through the sub-path $v'_2 v'_3 \ldots v'_\rho$. At the end of the challenge phase, $\mathcal{A}$ reads the state of tag $T_c$ and outputs $b'$. Note that the path stored in $T_c$ is now either $P_{T_c} = v_0 v_1 v'_2 \ldots v'_\rho$ or $P'_{T_c} = P' = v_0 v'_1 v'_2 \ldots v'_\rho$. If $\mathcal{A}$ outputs $b' = 1$, this means that $T_c$ and $T$ have a step in common that is different from $v_0$. Since $P_{T_c} \cap P = \{v_0, v_1\}$ and $P'_{T_c} \cap P = \{v_0\}$, outputting 1 implies that $T_c$ went through $P_{T_c}$ and hence through $v_1$. Therefore, the state that $T_c$ stored at the first iteration corresponds to $v_0 v_1$, and $c'_{\phi,b}$ is a re-encryption of $c^1_{\phi,1}$; $\mathcal{A}'$ outputs 1. If $\mathcal{A}$ outputs $b' = 2$, this means that $T_c$ and $T$ have no step in common except for $v_0$. This implies that $T_c$ went through $P'_{T_c} = P'$ and hence through $v'_1$. Therefore, the state that $T_c$ stored at the first iteration corresponds to $v_0 v'_1$, and $c'_{\phi,b}$ is a re-encryption of $c^1_{\phi,2}$; $\mathcal{A}'$ outputs 2. Therefore, if $\mathcal{A}$ has a non-negligible advantage $\epsilon$ in breaking TRACKER, $\mathcal{A}'$ also has a non-negligible advantage $\epsilon$ in breaking the semantic security of Elgamal under re-encryption, leading to a contradiction.

6. Evaluation

TRACKER can be implemented using today's available RFID tags. It requires tags only to store data, i.e., the encrypted $ID$, the encrypted HMAC and the encrypted path mark. Consequently, the tag stores three Elgamal ciphertexts $c_{ID} = (r_{ID} \cdot P, ID + r_{ID} \cdot Y)$, $c_\sigma = (r_\sigma \cdot P, \mathcal{M}(\mathrm{HMAC}_k(ID)) + r_\sigma \cdot Y)$ and $c_\phi = (r_\phi \cdot P, \mathcal{M}(\phi_{ID}(P_{valid})) + r_\phi \cdot Y)$, i.e., six curve points of 160 bit each (in compressed form), which results in an overall storage of $3 \cdot 2 \cdot 160 = 960$ bits. Storing only 1 Kbit of data is feasible for today's EPC Class 1 Gen 2 UHF tags, for example Alien Technology's Higgs 3 tags [1]. Complexity for readers is also low in TRACKER. A reader $R_i$ at step $v_i$ is required to store an element $a_i \in \mathbb{F}_q$ and the Elgamal public key $pk$, so the total storage per reader is less than 80 bytes. Regarding computation, $R_i$ is required to update the path mark of the tags passing by and to re-encrypt three ciphertexts; this sums up to the cost of three elliptic curve Elgamal encryptions. Based on previous research [7], we conjecture this to be feasible even for lightweight embedded readers. The manager $M$ is the entity verifying the path that a tag $T$ went through. Therefore, $M$ is required to decrypt the ciphertexts stored on the tag using the secret key $sk$. $M$ maintains two hash tables: the first table stores the list of valid paths in the supply chain; the second table is $DB_{clone}$, a hash table containing the IDs that $M$ has read.
So, the storage required for $M$ is linear in the number of valid paths and the number of tags in the supply chain, $O(\nu + n)$, while path verification has constant cost: when $M$ reads a tag $T$, $M$ is required to decrypt three elliptic curve ciphertexts to get $ID$, $\mathcal{M}(\mathrm{HMAC}_k(ID))$ and $\mathcal{M}(\phi_{ID}(P))$. Therewith, he computes a single HMAC and compares the output. To detect cloning, $M$ checks whether $DB_{clone}$ contains $ID$. This operation is a hash look-up of cost $O(1)$. If no cloning is detected, $M$ uses $\mathcal{M}(\phi_{ID}(P))$ and $\mathrm{HMAC}_k(ID)$ to derive $\mathcal{M}(\phi(P))$. Finally, $M$ traces the tag's path by looking up $\mathcal{M}(\phi(P))$ in the table of valid paths. In total, $M$ performs three elliptic curve Elgamal decryptions, one HMAC verification, and two hash look-ups per tag verification, which is cheap. In conclusion, the complexity of TRACKER on the manager side is $O(n + \nu)$ storage and $O(1)$ computation. Assume the size of an $ID$ to be 96 bit, as specified for EPC Class 1 Generation 2 tags, and each entry $\mathcal{M}(\phi(P_{valid}))$ to be 160 bit. A large sample TRACKER system supporting $n = 10^9$ different tags, $\eta = 10^3$ readers, and $\nu = 10^6$ different valid paths with a maximum length of 10 would consume only around 11 GByte of storage for manager $M$. We conjecture this storage to be available to the manager of such a supply chain.

7. Related Work

Although historically one of the major applications for RFID tags, secure and privacy-preserving supply chain management has not received much attention in research. Instead, research focuses more on privacy-preserving authentication protocols and their cryptographic primitives [4, 8, 16, 24, 30]; see Avoine [3] for an overview. Ouafi and Vaudenay [25] address counterfeiting of products using strong cryptography on RFID tags. To protect against malicious state updates, tags authenticate readers at every step in the supply chain. Only if readers are successfully authenticated do tags update their internal state. Ouafi and Vaudenay [25] require tags to evaluate a cryptographic hash function twice: once for reader authentication and once for the state update. A similar approach with tags evaluating cryptographic hash functions is proposed by Li and Ding [21]. While such setups using cryptography-enabled tags might lead to a secure and privacy-preserving solution of the counterfeiting problem, such tags will always be more expensive than the read/write-only tags used in TRACKER. Chawla et al. [10] check whether covert channels exist in a supply chain that leak information about the supply chain's internal details to an adversary.
Therefore, the tags' state is frequently synchronized with a back-end database. If a tag's state contains extra data not in the database, the tag is rejected. TRACKER's focus, however, is on the secure, privacy-preserving detection of which path a tag has taken. Shuihua and Chu [28] detect malicious tampering of a tag's state in a supply chain using watermarks. However, there is neither a way to identify a tag's path nor to protect its privacy in the supply chain. Kerschbaum and Oertel [19] detect counterfeits in the supply chain using pattern matching for anomaly detection. When a tag is read, this information is stored in a central database along with the ID of the tag. Unlike TRACKER, the focus of that paper is the privacy of the readers participating in the supply chain; there is no privacy for the tags in the supply chain. Regarding simple product genuineness verification, solutions exist that rely on physical properties of a tag. For example, TAGSYS produces holographic tags that are expensive to clone [29]. Verayo produces tags with Physically Unclonable Functions (PUF) [32]. While these approaches solve product genuineness verification, they support neither the identification of a tag's path nor any kind of privacy property. Our construction based on polynomial path encoding might resemble other (cryptographic) constructions based on, e.g., Rabin fingerprints [26], aggregate message authentication codes [18] or any kind of aggregate signatures. However, we stress that our design focuses on 1.) preserving both the order, i.e., the sequence of steps in the supply chain, and the privacy of paths and tags, 2.) at the same time putting only minimal computational burden on the manager ($O(1)$ complexity with low overhead), and 3.) being provable. While alternative constructions might be envisioned, this is far from straightforward. Finally, while Golle et al. [13] and Ateniese et al. [2] use re-encryption techniques similar to the re-encryption used in this work, both target only simple tag identification.
TRACKER, however, targets the privacy-preserving identification of the different paths that tags can take in the supply chain.

8. Conclusion

In this paper, we presented TRACKER to address security and privacy challenges in RFID-based supply chain management. TRACKER's main idea is to encode valid paths in a supply chain using polynomials. Readers representing steps in the supply chain evaluate polynomials successively, such that eventually the manager of the supply chain can uniquely identify the exact path a tag has taken. TRACKER's security, privacy, and unlinkability properties against adversaries rely on the semantic security of Elgamal and the security of HMAC, and we prove these properties. Contrary to related work, TRACKER does not require any computation on the tag, but only 960 bits (120 bytes) of storage, as computed in Section 6. This shows TRACKER's feasibility for today's cheap EPC Class 1 Gen 2 RFID tags.

Acknowledgment: This work has been funded by L'Agence Nationale de la Recherche (ANR), grant reference ANR-07-SESU-009, project RFID-AP.
