A Realistic Lightweight PUF-based Mutual Authentication in RFID Environments

Radio frequency identification has been widely used in several fields because of its low cost. However, the wireless communication part of radio frequency identification still suffers from several kinds of attacks, such as the impersonation attack, cloning attack, DoS attack, and tracking attack. To solve these problems in the radio frequency identification environment, this manuscript proposes a new authentication protocol that uses only limited resources. Moreover, both informal and formal analyses are used to ensure that the proposed scheme achieves the security features, withstands these kinds of attacks, and has low computational complexity.

set of the Response R in the chip manufacturing process [1][2][3]. Several PUF-based authentication protocols for the RFID environment have been proposed in [4]-[9]. Unfortunately, these protocols fail to achieve security features such as anonymity, untraceability, resolution of the desynchronization problem, and perfect forward and backward secrecy. They also fail to withstand various kinds of attacks, such as the impersonation attack, DoS attack, and tracking attack. Moreover, the protocols in [4]-[9] use an ideal PUF and therefore do not reflect realistic conditions, in which the output of a PUF is noisy. Subsequently, [10] and [11] proposed security protocols for the RFID environment using a realistic PUF. However, [12] and [13] point out that the protocols proposed by [10] and [11] fail to achieve scalability and untraceability. Two popular PUF-based authentication protocols for the RFID environment were then proposed by [12] and [13]; their work discusses both the ideal PUF and the non-ideal PUF. However, after evaluating them in depth, we find that both also fail to withstand the impersonation attack: if the attacker steals the Tag and activates the PUF and Fuzzy Extractor by programming, the attacker can obtain the response and fixed key and is then able to generate a new set of {response, fixed key, challenge, session key}. As a result, the attacker can impersonate the Tag as a legitimate user (see Section II for a more detailed discussion of the weaknesses of [12] and [13]).
Besides, neither [12] nor [13] achieves perfect forward and backward secrecy, because once the attacker obtains the response, the attacker can obtain past and future secrets such as a new {response, challenge, session key}. Their schemes also cannot achieve untraceability, because the attacker can compute a new challenge: the attacker searches for the new challenge in collected messages and, if it is found, learns that the owner of the two messages is the same (see Section II for a more detailed discussion of the weaknesses of [12] and [13]).
In this paper, we propose a new mutual authentication protocol based on a non-ideal PUF. The proposed protocol achieves mutual authentication, anonymity, untraceability, and perfect forward and backward secrecy. Further, the proposed protocol withstands various kinds of attacks such as the impersonation attack, DoS attack, tracking attack, and cloning attack. The rest of this paper is organized as follows. To support our point of view, Section II presents a brief review of two state-of-the-art protocols proposed by Gope et al. and Feng Zhu et al. and points out their problems. Section III presents our proposal in detail. To ensure that our scheme achieves the security features and withstands the various kinds of attacks, we present an informal analysis in Section IV, followed by formal analyses using BAN Logic and the Scyther Tool in Sections V and VI, respectively. Finally, we conclude our article in Section VII.

E Haodudin Nurkifli, Universitas Singaperbangsa Karawang, Karawang, Indonesia (e-mail: dudink95@gmail.com, dudi.nurkifli@staff.unsika.ac.id).

A. Related Works and Motivation
Several schemes for the RFID environment have been proposed, such as those in [14]-[19], which use elliptic curve cryptography with exponential modular operations in the algorithm; however, this is not suitable for a tiny Tag in an RFID environment.
Other research in [20]-[23] proposed protocols using a symmetric-key cryptosystem. Unfortunately, these schemes cannot guarantee resistance to the cloning attack. The works in [4]-[9] offer PUF-based authentication that is resilient to the cloning attack. However, these PUF-based authentication schemes [4]-[9] have weaknesses. For example, [4] proposed a tree-based authentication scheme using a PUF, and [5] pointed out that the scheme proposed by [4] fails to withstand the DoS and impersonation attacks.
[5] proposed a new scheme based on a PUF to enhance the security features. However, [7] showed that the scheme introduced by [4] is vulnerable to the cold boot attack, and gave evidence that the attacker can easily tamper with and obtain all data after impersonating it, as well as trace previous and future communication. In other research, [6] came up with a scheme to enhance the security features of [5]. However, [7] pointed out that the scheme previously suggested by [5] is vulnerable to the cold boot attack. [8] also applied PUF-based authentication in an RFID environment, but that scheme does not achieve forward secrecy and is weak against the DoS attack. However, since a cold boot attack causes a defect in the data in Tag memory due to the Tag's sensitivity, the attacker cannot obtain the data in Tag memory. Separately, [24] and [25] proposed PUF-based authentication in RFID, yet neither of them can withstand the DoS attack.
[9] presented a PUF-based authentication scheme for the RFID system. However, P. Gope et al. [12] showed that the scheme proposed by [9] cannot achieve forward secrecy. P. Gope [12] then came up with a PUF-based mutual authentication scheme. Feng Zhu et al. [13] presented a lightweight RFID mutual authentication protocol with a PUF. However, after careful investigation, we found that both [12] and [13] fail to achieve perfect forward and backward secrecy, so that the attacker can impersonate the Tag. Additionally, their schemes do not achieve untraceability.
This article resolves the problems in the previous schemes specified by [4]-[13]. We present the review and point out the weaknesses of the two papers [12] and [13] to support our scheme's perspective in Sections 3 and 4. The contributions of the proposed scheme are as follows:
1. Evaluating two popular PUF-based authentication protocols for the RFID environment and identifying several of their weaknesses.
2. Designing a new protocol for realistic conditions using a non-ideal PUF. Our scheme achieves security features including mutual authentication, anonymity, untraceability, perfect forward secrecy, backward secrecy, resolution of the desynchronization problem, and scalability.
3. Our proposal withstands various attacks such as the impersonation attack, DoS attack, cloning attack, and traceability attack.
4. A formal analysis using BAN Logic was carried out to ensure that our authentication protocol achieves secure mutual authentication.
5. A further formal analysis using the Scyther tool ensures that our protocol withstands various kinds of attacks.
6. A comparison of security features and computational complexity was conducted to ensure that our proposal is not only secure but also has low computational complexity.

B. Preliminaries
This subsection briefly presents the preliminary background of the PUF and the capabilities of the attacker.

a. Physically Unclonable Function (PUF)
A PUF is a unique property of a circuit that maps a set of Challenge C to a set of the Response R in the chip manufacturing process [26]. Formally, a challenge C input to the PUF produces a response R, where R = PUF(C), and this mapping is hard to clone [27]. We divide PUFs into two types, namely the ideal PUF and the non-ideal PUF.
An ideal PUF produces a similar response for similar challenges input to the PUF, even when the temperature is not stable. In the last few years, researchers have developed ideal PUFs that ensure a 0% Bit-Error Rate [28]-[31]; however, the ideal PUF is not realistic, because under real conditions the output of a PUF is noisy. Meanwhile, a non-ideal PUF may produce a different response for a similar challenge input to the PUF, due to temperature factors. The fuzzy extractor is used to obtain a stable PUF output [32], [33]. Therefore, in this paper, we use the non-ideal PUF, where ′ = ( ).

b. Fuzzy Extractor.
The fuzzy extractor has two functions, namely . () and .
(). . () is the probabilistic function to generate the fixed key and helper data ℎ from the input noisy response ′ , where ( , ℎ ) = .
(ℎ , ′ ). The successful is based on the similarity of original data and noisy data. Therefore, in this paper, we use the fuzzy extractor to obtain a fixed key, namely from noisy response , where ( , ℎ ) = .

c. The Adversary Model
The attacker's capabilities are summarized as follows; the proposed scheme remains secure under attacks by attackers with these capabilities. Our work adopts the research conducted by [34].
1. C1: the attacker has full control of the communication channel.
2. C2: with a stolen RFID Tag, the attacker can activate the PUF and Fuzzy Extractor by programming.
The steps of the attacker:
Step 1: The attacker intercepts the message based on C1
Step 2: Steal RFID Tag and obtains data from Tag's memory
Step 3: Activate PUF to compute ′ = ( ) based on C2
Step 4: Activate Fuzzy Extractor to compute = .
Step 5: The attacker can get all secrets based on C1, C2.

II. STATE OF THE ART PROTOCOLS AND PROBLEMS
This section presents a brief review of two state-of-the-art protocols proposed by [12], [13], and points out their problems.

A. Gope et al.'s Protocol
This subsection presents a brief review of the authentication protocol proposed by [12], including the notations, setup phase, mutual authentication, and the main weakness. Table 1 lists the notations used throughout the authentication protocol proposed by [12].

a. The setup phase
Step 1: The backend server generates Challenge and sets the emergency challenge = { 1 , 2 , … } and then the backend server sends , to the Tag.
Step 3: The server generates the temporary identities for the i-th round, computes ( , ℎ ) = .

b. The mutual authentication between tag and reader-server unit
Step 1: The Tag selects , generates COUNT, and sends , to the backend server
Step 2: Upon receiving , , the server looks for in its database, if the server does not locate the communication will be terminated, otherwise, the server reads challenge-fixed key pairs CRP ( , ), generates a nonce , computes * = ⊕ , and computes the verifier of the server = ℎ( + 1|| || * ). The server sends , * , to the Tag.
Step 3: Upon receiving , * , , the Tag generates to the backend server.
Step 4: Upon receiving +1 * , the server verifies . If the is not equal to the server will terminate the communication, otherwise computes || +1 ) and stores +1 ,( +1 , +1 ). The server sends ℎ +1 * , to the Tag
Step 5: Upon receiving ℎ +1 * , , the Tag verifies . If the is not equal to the server will terminate the communication, otherwise computes ℎ +1 = ℎ(

c. The main weakness in [12].
Step 1: The attacker intercepts every message, namely
Step 2: Steal RFID Tag and obtains data from the Tag's memory
Step 3: Activate PUF to compute ′ = ( ), based on C2
Step 4: Activate Fuzzy Extractor to compute = .

d. The scheme [12] does not achieve untraceability
Since the attacker can compute the correct R, the attacker can compute the new challenge +1 . The scheme [12] does not achieve untraceability; the proof is as follows:
Step 1: Compute +1 = ℎ( + 2|| || )
Step 2: Search +1 in his collected message
Step 4: If the attacker finds similar +1 in his/her collected message, he/she will know that the owner of the two messages is the same.

B. Feng Zhu et al.'s Protocol
This subsection presents a brief review of the authentication protocol in [13], including the notations, setup phase, mutual authentication, and the main weakness. Table 2 lists the notations used throughout the authentication protocol proposed by [13].

a. The setup phase
Step 1: The server generates Challenge and sends to the Tag.
( ′ ), sends , ℎ to the Tag, and stores: { , , }
Step 4: The tag stores , ℎ
The setup phase is carried out via a secure channel.

b. The mutual authentication between the tag and reader-server unit
Step 1: The server generates Hello, and sends 1 : { } to the tag
Step 2: The tag reads , ℎ , and sends 2 : to the server.

c. The weakness of Feng Zhu et al.'s Scheme
This subsection presents the weakness of the scheme in [13]: given a stolen card and an attacker who can activate the PUF by programming, [13] fails to achieve perfect forward and backward secrecy.
Step 1: The attacker intercepts every message namely
Step 2: Steal RFID Tag and obtains data from the Tag's memory
Step 3: Activate PUF to compute ′ = based on C2
Step 4: Activate Fuzzy Extractor to compute = . ( ′ , ℎ ) based on C2
Step 5: If the attacker passes verification ℎ 1 by , that is, the attacker obtains correct fixed key
Step 6: The attacker can compute all secrets include current response ′ , and then the attacker can compute new challenge +1 , new response +1 , new help data ℎ +1 based on C1, C2.

d. The scheme [13] does not achieve untraceability
Based on the attacker's ability to compute correct and a new challenge, [13] does not achieve untraceability; the proof is as follows:
Step 1: Can compute +1 = ℎ( || || )
Step 2: Search +1 in his collected message
Step 4: If the attacker finds a similar +1 in his/her collected message, he/she will know the owner of two messages is the same.

III. PROPOSED SCHEME
This section presents our proposed scheme, covering the system structure, assumptions, notation, the setup phase between the Tag and the backend server, and mutual authentication between the Tag and the reader-server unit. For convenience, we use the notation in Table 3 throughout our scheme.

A. System structure
This subsection presents a brief description of the system structure. In Fig. 1, the system structure consists of three participants, namely the Tag, the Reader, and the server. The Tag transmits information to the reader, where it is processed; the reader then forwards it to the server. The communication between the Tag and the reader is done via the public channel. However, the reader and server communicate via a private channel since both of them are in one unit.

B. Assumptions
We have several assumptions, as follows:
a. The RFID is equipped with a PUF
b. The RFID is able to resist side-channel attacks [35]
c. A Cold Boot Attack will cause a data defect in the memory of the Tag [35]

C. Notations of Cryptography Function
This subsection presents the notations of the cryptography functions in Table III that are used throughout this paper. Additionally, based on the assumption above, the devices are equipped with a PUF; hence our scheme uses this facility.

D. Setup Phase between Tag and the Server
The setup phase between Tag and the server has 4 steps as follows: Step 1: The tag sends , to the server.

F. The Solution to Resolve the Loss of Synchronization and DoS Attack.
Step 1: When desynchronization occurs, the tag replaces , , by 1 , 1 .
Step 2: Run the same step with the authentication phase.

IV. INFORMAL ANALYSIS AND COMPARISON
This section presents the informal analysis, using intuitive reasoning to show that our scheme achieves the security features. This section also compares the capability to withstand kinds of attacks with the previous authentication protocols by [10], [11], [12], and [13].

A. Informal Analysis
This subsection presents the security feature analysis. The details are as follows:

a. Achieve Mutual Authentication
Both parties recognize the identity of the other party by the possession of a shared key . The tag checks , and the reader-server unit checks 1 to ensure the freshness. Therefore, the scheme achieves mutual authentication.

b. Achieve Strong Anonymity
The tag uses a one-time Pseudonym to communicate with the reader-server unit. The adversary cannot obtain the original identity. Therefore, the scheme provides anonymity.

c. Achieve Perfect Forward Secrecy
In our scheme, the values updated in every session include shared key , challenge , and response . Even if the attacker obtains the current shared key , the attacker cannot obtain past secrets since those are deleted from memory. Therefore, the scheme achieves perfect forward secrecy.

d. Achieve Perfect Backward Secrecy
Our scheme protects the challenge with a shared key, where * = ⨁ℎ( || ). Even if the attacker can obtain shared key and ′ , the attacker cannot obtain fixed key simultaneously, because it is generated by FE.Gen, a probabilistic function that produces a different output even if the attacker inserts the same response ′ ; the attacker then cannot compute new challenge and new response . Therefore, our proposed scheme achieves perfect backward secrecy.
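The fuzzy-extractor behaviour used in this argument and in the Fuzzy Extractor preliminaries, as an added example that is not part of the paper: it assumes a code-offset construction over a 5-fold repetition code (the paper does not state which construction it uses), with a hash standing in for the physical PUF. The names sim_puf, flip, fe_gen and fe_rec are hypothetical.

```python
import hashlib
import secrets

REP = 5                       # each secret bit is spread over 5 response bits
KEY_BITS = 32                 # secret bits behind one fixed key (small for the demo)
RESP_BITS = REP * KEY_BITS    # length of a PUF response in bits

def sim_puf(device_seed, challenge):
    """Software stand-in for the noise-free part of R = PUF(C) (assumption)."""
    raw = hashlib.shake_128(device_seed + challenge).digest(RESP_BITS // 8)
    return [(byte >> i) & 1 for byte in raw for i in range(8)]

def flip(bits, positions):
    """Copy of bits with the given positions inverted; models measurement noise."""
    noisy = list(bits)
    for p in positions:
        noisy[p] ^= 1
    return noisy

def _kdf(secret_bits):
    # Hash the decoded secret into the fixed key k.
    return hashlib.sha256(bytes(secret_bits)).hexdigest()

def fe_gen(response):
    """(k, hd) = FE.Gen(R'): draws a fresh secret, so every call differs."""
    secret = [secrets.randbelow(2) for _ in range(KEY_BITS)]
    codeword = [bit for bit in secret for _ in range(REP)]
    helper = [c ^ r for c, r in zip(codeword, response)]
    return _kdf(secret), helper

def fe_rec(response, helper):
    """k = FE.Rec(R', hd): remove the offset, then majority-decode each block."""
    word = [h ^ r for h, r in zip(helper, response)]
    secret = [int(sum(word[i:i + REP]) > REP // 2)
              for i in range(0, RESP_BITS, REP)]
    return _kdf(secret)

def demo():
    # Constructed sample inputs; no real tag data.
    r = sim_puf(b"constructed-tag-seed", b"constructed-challenge")
    key, hd = fe_gen(r)
    reread = flip(r, [0, 1, 7, 13, 158])   # at most 2 flips per 5-bit block
    too_noisy = flip(r, [0, 1, 2])         # 3 flips in block 0 defeat the code
    key_again, _ = fe_gen(r)               # same response, second Gen call
    return {
        "noisy_reread_recovers_key": fe_rec(reread, hd) == key,
        "excess_noise_gives_other_key": fe_rec(too_noisy, hd) != key,
        "gen_is_probabilistic": key_again != key,
    }

if __name__ == "__main__":
    print(demo())
```

Running Gen again on the same response yields an unrelated key, while reproducing the enrolled key goes through Rec with the matching helper data.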

e. Achieve Untraceability
Because the attacker cannot compute the new challenge, the attacker cannot know the owner of a challenge from the messages collected on the public channel. Therefore, the scheme achieves untraceability.

f. Resolve the Loss of Synchronization
When desynchronization occurs, the tag replaces , , by 1 , 1 and then runs the same steps as the authentication phase. Therefore, the scheme can resolve the loss of synchronization.

B. Attack analysis
This subsection shows that our scheme withstands various kinds of attacks, including the impersonation attack, tracking attack, and DoS attack. The details are as follows:

a. Withstand against Impersonation Attack
The attacker cannot reveal the current fixed key, new challenge, and new response even if the attacker steals the Tag and activates the PUF; hence, the attacker cannot impersonate the Tag. Therefore, the scheme withstands the impersonation attack.

b. Withstand Tracking Attack
Because the scheme achieves untraceability, our proposal withstands the tracking attack.

c. Withstand against the DoS Attack
Based on the security feature analysis, our scheme resolves the loss of synchronization; hence, our proposed scheme also withstands the DoS attack.

Security feature comparison:
                        SF1   SF2   SF3   SF4   SF5
[11]                    No    No    No    Yes   No
Gope et al. [12]        No    No    No    Yes   Yes
Feng Zhu et al. [13]    No

Attack resistance comparison:
                        WA1   WA2   WA3   WA4
Asyu et al. [10]        No    No    No    Yes
Huth et al. [11]        No    No    No    Yes
Gope et al. [12]        No    No    Yes   Yes
Feng Zhu et al. [13]    No    No    Yes   Yes
Our scheme              Yes   Yes   Yes   Yes

The notations are as follows. WA: withstand against kinds of attacks, WA1: withstand against impersonation attack, WA2: withstand against tracking attack, WA3: withstand against the DoS attack, WA4: withstand against cloning attack.

C. Comparison
This section presents a comparison between our proposed scheme and the previous authentication protocols by [10], [11], [12], and [13] in terms of security features and the capability to resist attacks. Based on Table 4, [10] and [11] only achieve SF4 and do not achieve SF1-SF3 and SF5. [12] and [13] do not achieve SF1-SF3; however, both of them achieve SF4 and SF5. The proposed scheme achieves all security features, covering Perfect Forward Secrecy and Perfect Backward Secrecy, untraceability, Anonymity, and resolution of the Desynchronization problem, represented as SF1-SF5.
The final result shows that our scheme is lower than [10], [11], [12] and [13]. Therefore, our proposal is secure and more efficient, suitable, and comfortable as well as practical to be applied in the RFID environment.

V. FORMAL ANALYSIS USING BAN LOGIC
This section presents a formal analysis using BAN logic as evidence that our scheme achieves secure mutual authentication.

A. Brief explanation of BAN Logic
The BAN Logic has three objects [36], namely participants, encryption keys, and logical formulas. In this paper, the participants are the Tag and the Reader-server unit, the encryption keys are and , and the logical formulas are based on Tables VII and VIII.

B. Proof of the scheme's formal analysis using BAN Logic
This subsection presents the formal analysis of Mutual Authentication between Tag (T) and Reader-Server Unit (RS),
( ′ , ℎ ) and the reader computes ′ = ℎ( || )⨁ 1 , then verifies to ensure the message from the Tag. Therefore, all parties recognize the identity of the other party by the possession of the shared key , and check freshness based on , 1

VI. FORMAL ANALYSIS USING SCYTHER TOOL
In this article, we also use the Scyther Tool to validate our proposed protocol. The Scyther Tool is implemented in Python and is used to verify protocol security [37]. This tool also follows the Dolev-Yao (DY) adversary model [38]. There are two steps to evaluate a protocol using the Scyther Tool. First, we modeled our proposed protocol using the Security Protocol Description Language (SPDL); second, we ran the Scyther Tool to validate the protocol's security claims. Figure 3 shows the result of modeling our protocol. There are two entities in the model, namely a tag and a reader-server. The verification result for our proposed protocol is shown in Figure 4. Based on Figure 4, the Scyther Tool reports that it cannot find any attacks, which proves our security claim.

    usertype String;
    hashfunction H;
    // XOR, concatenation (CON), the PUF and FE.Gen are modeled as opaque functions
    const XOR:Function;
    const CON:Function;
    const PUF:Function;
    const FEGen:Function;
    // values masked with hashes of the shared key / identity, and the verifier V0
    macro Ctenc=XOR(Ct,H(CON(Kts,Na)));
    macro PIDtsenc=XOR(PIDtsnew,H(CON(IDt,Ct)));
    macro V0=H(CON (CON(CON(CON(Ct,IDt),Na),Ctenc),PIDtsenc));
    // PUF response, fixed key and helper data derived on the tag
    macro Rt=PUF(Ct);
    macro kt =FEGen(Rt);
    macro hdt =FEGen(Rt);
    // next-session challenge and response, and the tag-side verifier VA
    macro Ctnew=H(CON(Ct,kt));
    macro Rnew = PUF(Ctnew);
    macro N1=XOR(Rnew,H(CON(Kts,kt)));
    macro hdtenc=XOR(hdt,H(CON(Kts,Na)));
    macro VA=H(CON(CON (CON(CON(IDt,kt),Rnew),N1),hdtenc));
    protocol realistic-PUF-RFID(Reader, Tag

VII. CONCLUSION
This article proposed a new lightweight, realistic PUF-based mutual authentication scheme to improve the security features and resolve the problems of the RFID environment. Based on the informal analysis, our proposed scheme fulfills security features such as Mutual Authentication, Perfect Forward and Backward Secrecy, Untraceability, Anonymity, and resolution of Desynchronization (SF1-SF5), and withstands various kinds of attacks (WA1-WA4). Additionally, the formal analysis using BAN Logic ensures that our scheme achieves mutual authentication, and the formal analysis using the Scyther tool shows that our scheme withstands various kinds of attacks.
On the other hand, based on the computational complexity comparison, our protocol obtains a lower computational cost compared to the schemes proposed by [10], [11], [12], and [13]. Therefore, our scheme is more suitable to be applied in the RFID environment.

ACKNOWLEDGMENT
The author would like to thank the editor and all the anonymous referees for their valuable comments and suggestions.