[ieee 2008 ieee international conference on pervasive computing and communications (percom) - hong...



Page 1: [IEEE 2008 IEEE International Conference on Pervasive Computing and Communications (PerCom) - Hong Kong, China (2008.03.17-2008.03.21)] 2008 Sixth Annual IEEE International Conference

Randomized Bit Encoding for Stronger Backward Channel Protection in RFID Systems

Tong-Lee Lim, Tieyan Li, and Sze-Ling Yeo
Cryptography and Security Department
Institute for Infocomm Research (I2R), A*STAR Singapore
{tllim, litieyan, slyeo}@i2r.a-star.edu.sg

Abstract

In this paper, we introduce a randomized bit encoding scheme that can strengthen the privacy protection on RFID tags. This scheme is used together with the backward channel protection method proposed by Choi and Roh in [1], which serves to protect the unique identifier of an RFID tag from disclosure to close-range eavesdroppers. Choi and Roh’s method faces the ‘same-bit’ problem, in which some bits of the unique identifier could be disclosed, thereby revealing critical information. Our proposed scheme alleviates the ‘same-bit’ problem to a negligible level. Furthermore, we propose an enhanced system model that can protect the unique tag identifier from disclosure not only against eavesdroppers, but against unauthorized interrogators as well. A metric based on entropy was defined and used to measure the amount of protection offered by the scheme. A method to construct an optimal randomized n-bit encoding scheme was also described. In addition, theoretical analysis and simulations were conducted, which show that the proposed encoding scheme provides significant improvement (achieving almost twice the entropy) over no encoding.

1 Introduction

Radio Frequency Identification (RFID) is an identification method that has been used in a variety of applications, ranging from product-tracking and health care monitoring to passport identification and transport payment. In such systems, RFID readers are used to remotely retrieve information from RFID tags. Essentially, each tag contains a unique identifier that is used by a reader to identify the tag. If the unique identifier is transmitted in clear, an adversary can eavesdrop on the communication to identify and track the tag, thereby violating its privacy. Such a violation becomes serious when the tag reveals further information or when background information is available that enables the adversary to link the tag identifier to the identity of the tag’s owner. Hence, security mechanisms need to be in place to guard against such threats.

In [1], Choi and Roh proposed a method to protect the transmission of the unique tag identifier by having the reader transmit a mask at the same time. However, the proposed method encounters the ‘same-bit’ problem, in which some bits of the identifier could still be disclosed. In this paper, we propose an encoding scheme that can be used to alleviate this ‘same-bit’ problem and provide stronger privacy protection. Under our proposed scheme, each bit of the unique identifier would be encoded into an n-bit string that is randomly chosen from a pre-defined set of n-bit strings. The (l × n)-bit string corresponding to an l-bit identifier is then transmitted under Choi and Roh’s backward channel protection method to the reader.

Besides proposing the randomized bit encoding scheme, we also put forward the use of an enhanced system model for stronger privacy protection and greater flexibility. In our proposed model, a trusted masking device, instead of the reader, is used to transmit the masking signals. This model allows the system to defend not only against eavesdroppers, but malicious interrogators as well. In addition, our system model supports different singulation protocols, including tree-walking based or Aloha based protocols, thereby providing greater flexibility.

To measure the amount of protection offered by our proposed encoding scheme, a metric based on entropy was used. With the defined metric, we then showed how an optimal randomized n-bit encoding scheme can be constructed. With the use of theoretical analysis, as well as simulations, we showed that the proposed scheme provides significant improvement towards protecting the unique tag identifiers against disclosure. The related performance issues and overheads to the scheme were also investigated.

The rest of this paper is organized as follows – in section 2, we introduce the background and related works. In section 3, we describe our proposed system model. In section 4, we describe the ‘same-bit’ problem. In section 5, we introduce our randomized bit encoding scheme. In section 6, we provide a security and performance analysis of the scheme. Finally, we wrap up the paper with our conclusion in section 7.

Sixth Annual IEEE International Conference on Pervasive Computing and Communications

0-7695-3113-X/08 $25.00 © 2008 IEEE
DOI 10.1109/PERCOM.2008.23

2 Background and Related Work

Singulation in RFID systems is analogous to medium access control in local area networks. Its goal is to resolve collisions between transmitting tags so that at the end of it, a single tag is selected to communicate with the reader. During singulation, tags are typically identified by their unique identifiers, which poses a problem to privacy. For example, in the commonly-used binary tree-walking scheme, an adversary that eavesdrops on the queries transmitted during the tree-walking process can determine the unique identifier of the tag. In [2], Weis proposed the randomized tree-walking scheme to protect a tag’s unique identifier during the tree-walking process. This works by having each tag generate a random number to act as a pseudo-identifier, which is used in place of its actual unique identifier during singulation. At the end of the tree-walking process, the tag then reports its actual identifier over the backward channel (tag-to-reader channel), which is assumed to be safe from long-range eavesdropping. Since the pseudo-identifier changes with every singulation session, a long-range eavesdropper that is monitoring the tree-walking process would not be able to track any tag. However, if the adversary is able to get within close proximity of the reader and tag, he would still be able to eavesdrop on the actual tag identifier transmitted over the backward channel.

In [1], Choi and Roh proposed a method to strengthen the randomized tree-walking scheme by protecting the backward channel when the tag reports its actual identifier. The method involves the reader transmitting a mask at the same time when the tag is transmitting its identifier. This induces a collision between the tag’s identifier and the mask that can only be resolved if the mask is known. Hence, an eavesdropper would not be able to identify the tag without knowledge of the mask. Figure 1 illustrates the singulation protocol that incorporates Choi and Roh’s backward channel protection method and Figure 2 shows the transmitted and received bits under the method.

In Figure 2, we observe that Choi and Roh’s method does not completely protect the tag identifier since some bits of the identifier are disclosed. This occurs due to the ‘same-bit’ problem – a phenomenon that was also observed by Castelluccia and Avoine in [3]. When a bit in the tag identifier and the corresponding bit in the mask have the same value, a collision would not occur between these two transmitted bits, i.e. the transmitted bit in the tag identifier is not protected but disclosed to an eavesdropper. In this paper, our main contribution is to introduce a randomized bit encoding scheme that alleviates this ‘same-bit’ problem to offer a stronger protection over the tag identifier. Furthermore, we point out some observed weaknesses in the system proposed by Choi and Roh, and propose modifications to further strengthen the scheme.

Figure 1. The singulation protocol incorporating Choi and Roh’s method.

Figure 2. Resolution of an induced collision under Choi and Roh’s method.

There exist a few other related works that rely on similar concepts to enforce security in RFID systems. In [4], Juels et al. proposed the ‘blocker’ tag, which is a device that simulates RFID tags during tree-walking singulation. The blocker tag works by responding to singulation queries of a reader such that the reader is led to traverse the entire tree. This way, the presence of actual tags that are to be protected is hidden from unauthorized readers. In [5], Rieback et al. proposed a mechanism known as “selective RFID jamming”, in which a battery-powered mobile device is used to selectively transmit jamming signals to block responses from tags. The mobile device holds an access control list (ACL), which specifies the queries that may be allowed from readers. In [3], Castelluccia and Avoine made use of the concept of RFID signal masking to create a protocol for exchanging secrets between a tag and a reader. This was achieved with the help of a noisy tag, which generates and transmits noise when a normal tag is transmitting some codes to the reader. The noise that is transmitted collides with the codes such that an eavesdropper cannot completely recover the bit values transmitted by the tag.

3 The Proposed System Model

In this section, we describe our proposed system model for protecting the unique identifier of an RFID tag during singulation. As in [1] and [2], we assume that each tag takes part in the singulation process with a randomly generated pseudo-identifier, instead of its actual identifier. However, while these two works focus on the tree-walking scheme, we contend that the backward channel protection method can be extended to Aloha-based singulation schemes as well. For example, in the case of slotted Aloha, a tag would randomly generate a pseudo-identifier, transmit it in a selected time slot and then listen for an acknowledgement (ACK) from the reader. The reader selects a pseudo-identifier in a collision-free slot and responds with an ACK containing the selected pseudo-identifier. Upon receiving the ACK, the selected tag responds by transmitting its actual unique identifier to the reader.

Under the backward channel protection method in [1], the reader transmits a secret mask while the tag is transmitting its actual identifier to induce a collision that hides the identifier from an eavesdropper. The masked identifier can only be completely recovered with knowledge of the secret mask. In this paper, we shall refer to this process of protecting the identifier as ‘privacy-masking’. The system proposed for privacy-masking in [1] suffers from a major flaw – it protects the tag identifier from an eavesdropper when an authorized reader is singulating with the tag, but it does not offer any protection against an unauthorized reader that attempts to singulate with the tag. An unauthorized reader can simply interrogate the tag to obtain the unique identifier or it can misbehave and refuse to transmit a mask, thereby exposing the tag identifier to eavesdropping. These threats can be prevented by having the reader authenticate itself to the tag prior to the reporting of the tag identifier. However, implementing a secure tag-reader authentication scheme while attempting to preserve the tag’s privacy is a highly challenging task and generally too costly to be implemented on low-cost tags.

In this paper, we propose that privacy-masking be performed by a separate trusted device that is capable of authenticating the reader. This is motivated by existing works in [3], [5] and [6]. When a reader performs singulation with a tag, this trusted device would be activated to carry out privacy-masking. Henceforth, we shall refer to such a device as the ‘trusted masking device’ (TMD). Prior to singulation, the TMD would first perform mutual authentication with the reader and thereafter, set up a session key to be used to generate the masks for privacy-masking during singulation. Ideally, the TMD is possessed by and comes under the control of the tag owner. During operation, the TMD should be kept in close proximity to the tags that are to be protected. Under such a system, the unique identifier of an RFID tag is protected against eavesdroppers as well as unauthorized readers (or interrogators). Figure 3 depicts the singulation protocol under our proposed system model. One possible method that can be used to generate the masks is to make use of a secure one-way keyed hash function as follows:

$$M_i = H_K(RN_i) \tag{1}$$

where $H_K$ is a keyed hash function with secret session key $K$, and $RN_i$ is the pseudo-ID during singulation.

4 The “Same-Bit” Problem

The “same-bit” problem, which was noted in [3], occurs when the tag and the TMD transmit the same bit to the reader such that a collision is avoided and the bit can be properly decoded by any receiver (see Figure 2). Under such a situation, an eavesdropper can identify the bit that was transmitted. Due to this “same-bit” problem, each singulation session would disclose some bits of the tag identifier to an adversary.

Given a randomly generated mask, the probability that a bit transmitted by the tag collides with the corresponding bit in the transmitted mask is 0.5. When a collision occurs, the probability that the eavesdropper makes a correct guess to the value of the bit is 0.5. When a collision is avoided, the corresponding probability is 1. Hence, the probability that an eavesdropper makes a correct guess to a transmitted bit under privacy-masking is given by

$$\text{Prob(correct guess to a transmitted bit under privacy-masking)} = 0.5(1) + 0.5(0.5) = 0.75 \tag{2}$$

The probability that an eavesdropper makes a correct guess to an l-bit identifier under privacy-masking is

$$\text{Prob(correct guess to an } l\text{-bit identifier under privacy-masking)} = (0.75)^l \tag{3}$$

To effectively protect a tag’s unique identifier from disclosure, it is necessary for l to be large. However, for low-cost RFID tags with memory constraints, this may not be a feasible solution. For example, tags that conform to the EPC Class-1 Gen-2 standard [7] contain an electronic product code (EPC) that is 96 bits but 16 of these bits are used for protocol control (PC) and another 16 bits are set aside for a cyclic redundancy check (CRC) code, leaving only 64 bits for identification purposes. Moreover, these 64 bits are not completely random since they are product-related codes and an adversary with some background knowledge would have a higher chance of guessing the masked code correctly. Hence, stronger protection mechanisms need to be in place and this can be achieved with our proposed randomized bit encoding scheme.

Figure 3. The singulation protocol under our proposed system model.

Figure 4. Privacy-masking with the randomized n-bit encoding scheme.

5 The Randomized Bit Encoding Scheme

5.1 Overview

Under the original backward channel protection method, a tag would transmit its l-bit identifier to the reader, with the reader transmitting an l-bit mask at the same time to perform privacy-masking. With randomized bit encoding, each bit of the identifier would first be encoded into an n-bit codeword, where n ≥ 2. Hence, a tag’s l-bit identifier would be encoded into an (l × n)-bit codeword before it is transmitted (see Figure 4). Specifically, with randomized n-bit encoding, the set of n-bit strings $\{0, 1\}^n$ is first divided into two mutually exclusive sets $\psi^n_0$ and $\psi^n_1$ such that $\psi^n_0 \cup \psi^n_1 = \{0, 1\}^n$ and $|\psi^n_0| = |\psi^n_1| = 2^{n-1}$. To encode a source bit $b$, we randomly select an n-bit string from $\psi^n_0$ if $b = 0$ and we randomly select an n-bit string from $\psi^n_1$ if $b = 1$. Hence, an l-bit string will be randomly encoded into an (l × n)-bit string. The TMD would then transmit an (l × n)-bit mask to perform privacy-masking. Figure 5 shows the entire process of privacy-masking with randomized bit encoding.

Figure 5. The various processes involved in protecting the transmission of data with randomized n-bit encoding and privacy-masking.
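The exchange described in Sections 3 and 5.1, written out as an added example that is not code from the paper: the tag encodes each identifier bit, the TMD derives the mask as in (1), the channel superposes both, and the reader and an eavesdropper each process the received word. Using HMAC-SHA256 with a block counter for $H_K$, the even/odd Hamming-weight partition for $\psi^n_0$ and $\psi^n_1$, and the key, pseudo-ID and identifier values are assumptions constructed for this demonstration.

```python
import hashlib
import hmac
import random


def derive_mask(session_key, pseudo_id, nbits):
    """M_i = H_K(RN_i), stretched to nbits (HMAC-SHA256 plus a block counter: an assumption)."""
    stream = b""
    counter = 0
    while len(stream) * 8 < nbits:
        block = pseudo_id + counter.to_bytes(4, "big")
        stream += hmac.new(session_key, block, hashlib.sha256).digest()
        counter += 1
    return [(stream[i // 8] >> (7 - i % 8)) & 1 for i in range(nbits)]


def encode_identifier(id_bits, n, rng):
    """Tag side: replace each source bit b by a random n-bit codeword of parity b."""
    code = []
    for b in id_bits:
        word = [rng.randrange(2) for _ in range(n - 1)]
        word.append((sum(word) + b) % 2)  # last bit forces Hamming-weight parity == b
        code.extend(word)
    return code


def superpose(code, mask):
    """Channel: equal bits arrive in clear, differing bits collide and read as 'x'."""
    return "".join(str(c) if c == m else "x" for c, m in zip(code, mask))


def reader_decode(received, mask, n):
    """Reader side: a collided position must hold the complement of the known mask bit."""
    code = [1 - m if w == "x" else int(w) for w, m in zip(received, mask)]
    return [sum(code[i:i + n]) % 2 for i in range(0, len(code), n)]


def eavesdropper_view(received, n):
    """Without the mask, only n-bit blocks with no collision reveal their source bit."""
    leaked = {}
    for i in range(0, len(received), n):
        block = received[i:i + n]
        if "x" not in block:
            leaked[i // n] = block.count("1") % 2
    return leaked


def demo(n, seed=2008):
    """Run one session with constructed inputs; n = 1 is privacy-masking without encoding."""
    rng = random.Random(seed)                        # reproducible stand-in for the tag's RNG
    id_bits = [rng.randrange(2) for _ in range(64)]  # constructed 64-bit identifier
    key = bytes(range(16))                           # constructed session key K
    pseudo_id = b"\x5a\xa5\x3c\xc3"                  # constructed pseudo-ID RN_i
    code = encode_identifier(id_bits, n, rng)
    mask = derive_mask(key, pseudo_id, len(code))
    received = superpose(code, mask)
    return id_bits, received, reader_decode(received, mask, n), eavesdropper_view(received, n)


if __name__ == "__main__":
    for n in (1, 2, 3):
        ident, received, recovered, leaked = demo(n)
        print(f"n={n}: reader recovered ID: {recovered == ident}, "
              f"source bits leaked to eavesdropper: {len(leaked)}/64")
```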

5.2 Examples of Randomized 2-bit Encoding Schemes

One possible 2-bit encoding can be described as follows: let $\psi^2_0 = \{00, 01\}$ and $\psi^2_1 = \{10, 11\}$. Then a ‘0’ will be encoded into the 2-bit codeword ‘00’ or ‘01’ with probability 0.5 each. Similarly, a ‘1’ will be encoded into ‘10’ or ‘11’ with probability 0.5 each. Another possible 2-bit encoding would be to have $\psi^2_0 = \{00, 11\}$ and $\psi^2_1 = \{01, 10\}$. Figure 6 illustrates these two randomized 2-bit encoding schemes, together with tables showing the resulting 2-bit word received for each possible combination of 2-bit codeword and 2-bit secret mask. The words (in the tables) that are shaded dark gray and in white font correspond to words, which if received by an adversary would allow the adversary to uniquely identify the actual source bit. For example, under Scheme I, if an adversary receives ‘00’, ‘0x’ or ‘01’ (note that ‘x’ refers to the situation whereby a collision occurs such that the bit cannot be properly decoded and its value is unknown), he would know for sure that the value of the actual source bit is ‘0’. If the adversary receives ‘10’, ‘1x’ or ‘11’, he can be sure the value of the actual source bit is ‘1’. However, if the adversary receives ‘x0’, ‘x1’ or ‘xx’, he would have to make a random guess since the source bit is equally likely to be a ‘0’ or a ‘1’. This is based on the assumptions that the adversary does not have any knowledge about the secret mask, each mask value is equally likely, and each source bit is equally likely to be ‘0’ or ‘1’. For the rest of this paper, we shall assume that these assumptions hold.

5.3 Measuring the Amount of Privacy Protection

A good randomized encoding scheme (under privacy-masking) is one that results in the received words providing the greatest amount of uncertainty to the actual source bits when the secret mask is unknown. The greater the amount of uncertainty, the more difficult it is for an eavesdropper to guess the source bits. Here, we introduce two key definitions:

Figure 6. Two possible randomized 2-bit encoding schemes and the resulting words received under privacy-masking.

Definition 1. The entropy of a word $W$, produced as a result of privacy-masking between an n-bit codeword $C$ that corresponds to a source bit $b$ and a random n-bit secret mask $M$, is defined to be the amount of uncertainty to the actual value of $b$ given $W$, when both $C$ and $M$ are unknown. For an n-bit word $W$ that is received under privacy-masking, let $p_0$ denote the probability that $W$ corresponds to a source bit of value ‘0’ and $p_1$ denote the probability that $W$ corresponds to a ‘1’, where $p_0 + p_1 = 1$. The entropy of $W$, denoted by $H_W$, can then be given as follows:

$$H_W = \begin{cases} 0 & \text{if } p_0 \text{ or } p_1 = 0; \\ -(p_0 \log_2 p_0 + p_1 \log_2 p_1) & \text{otherwise.} \end{cases}$$

For example, under Scheme I of Figure 6, $H_{0x} = 0$ and $H_{x1} = -(0.5 \log_2(0.5) + 0.5 \log_2(0.5)) = 1$. Furthermore, note that for any word $W$, $0 \le H_W \le 1$.

Definition 2. The average entropy under privacy-masking with a randomized n-bit encoding scheme is defined to be the average entropy of all possible words that can be received under privacy-masking with the encoding scheme. The average entropy under privacy-masking, denoted by $\xi$, is given as follows:

$$\xi = \sum_{w \in \phi^n} p_w H_w \tag{4}$$

where $\phi^n = \{0, 1, x\}^n$ denotes the set of all possible received words under privacy-masking with the randomized n-bit encoding (for example, $\phi^2$ = {00, 01, 0x, 10, 1x, 11, x0, x1, xx}), $p_w$ represents the probability of occurrence of the received word $w$, and $H_w$ represents the entropy of $w$.

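Referring back to Figure 6, the average entropy under privacy-masking with Scheme I encoding is

$$\xi \text{ for Scheme I encoding} = (4)\left(\frac{1}{16} \times 0\right) + (2)\left(\frac{2}{16} \times 0\right) + (2)\left(\frac{2}{16} \times 1\right) + (1)\left(\frac{4}{16} \times 1\right) = 0.5 \tag{5}$$

The average entropy under privacy-masking with Scheme II encoding is given by

$$\xi \text{ for Scheme II encoding} = (4)\left(\frac{1}{16} \times 0\right) + (4)\left(\frac{2}{16} \times 1\right) + (1)\left(\frac{4}{16} \times 1\right) = 0.75 \tag{6}$$

For privacy-masking without encoding, the average entropy can be given by

$$\xi \text{ for no encoding} = (2)\left(\frac{1}{4} \times 0\right) + \left(\frac{2}{4} \times 1\right) = 0.5 \tag{7}$$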

Hence, Scheme I offers as much privacy protection as no encoding at all. In fact, given that 2-bit encoding requires the transmission of an extra bit for every source bit, Scheme I actually performs worse than no bit encoding. Scheme II, with a higher average entropy, offers stronger privacy protection than Scheme I or no bit encoding. We now introduce two more definitions:

Definition 3. An optimal randomized n-bit encoding scheme is one which results in the highest average entropy under privacy-masking, i.e. there is no other randomized n-bit encoding scheme that gives a higher average entropy.

Definition 4. We define a bit disclosure under privacy-masking with a randomized n-bit encoding scheme to be the event whereby an adversary can uniquely identify the actual value of the source bit given an n-bit word that is produced as a result of privacy-masking between an n-bit codeword corresponding to the source bit and a randomly generated n-bit secret mask. For example, under Scheme I in Figure 6, a bit disclosure occurs when W = ‘00’, ‘0x’, ‘01’, ‘10’, ‘1x’ or ‘11’.

Based on the collision characteristics of our system model, we observe that when $C$ and $M$ are the same n-bit string, i.e. $C = M$, then the received word $W$ is such that $W \in \{0, 1\}^n$ and all the bits are available in clear to an eavesdropper. Assuming that the mapping of a source bit to codewords under the randomized n-bit encoding scheme is also known to the eavesdropper (i.e. the sets $\psi^n_0$ and $\psi^n_1$ are known), the eavesdropper would be able to determine the actual source bit that was transmitted. Hence, a bit disclosure occurs. From this observation, we can establish an upper bound on the average entropy provided by privacy-masking with a randomized n-bit encoding scheme as follows:

$$
\begin{aligned}
\xi \text{ for randomized } n\text{-bit encoding}
&= \sum_{w \in \phi^n} p_w H_w \\
&= \sum_{w \in \{0,1\}^n} p_w H_w + \sum_{w \in \phi^n \setminus \{0,1\}^n} p_w H_w \\
&= \sum_{w \in \{0,1\}^n} p_w \times 0 + \sum_{w \in \phi^n \setminus \{0,1\}^n} p_w H_w \\
&= \sum_{w \in \phi^n \setminus \{0,1\}^n} p_w H_w \\
&\le \sum_{w \in \phi^n \setminus \{0,1\}^n} p_w \quad (\text{since } H_w \le 1) \\
&= 1 - \sum_{w \in \{0,1\}^n} p_w \\
&= 1 - \frac{2^n}{2^n \times 2^n} \\
&= 1 - \frac{1}{2^n}
\end{aligned}
\tag{8}
$$

From (6) and (8), we find that Scheme II in Figure 6 is actually an optimal randomized 2-bit encoding scheme, since the average entropy provided by Scheme II is $0.75 = 1 - \frac{1}{2^2}$. Figure 7 shows a randomized 3-bit encoding scheme, where $\psi^3_0 = \{000, 011, 101, 110\}$ and $\psi^3_1 = \{001, 010, 100, 111\}$. The average entropy of this scheme is

$$\xi \text{ for the 3-bit encoding scheme in Figure 7} = (8)\left(\frac{1}{64} \times 0\right) + (12)\left(\frac{2}{64} \times 1\right) + (6)\left(\frac{4}{64} \times 1\right) + (1)\left(\frac{8}{64} \times 1\right) = 0.875 \tag{9}$$

Figure 7. An optimal randomized 3-bit encoding scheme.

Since $1 - \frac{1}{2^3} = 0.875$, the scheme in Figure 7 is an optimal randomized 3-bit encoding scheme. In general, we find that if a randomized n-bit encoding scheme produces codewords such that bit disclosures occur only for those received words in $\phi^n$ where all the n bits are in clear (i.e. the cases when $C = M$ and $W \in \{0, 1\}^n$), and the entropy of all other possible received words is maximum (equal to 1), then the encoding scheme is an optimal one.

5.4 Constructing an Optimal Randomized n-bit Encoding Scheme

In the optimal randomized 2-bit and 3-bit encoding schemes shown in Figures 6 and 7, $\psi^2_0$ and $\psi^3_0$ contain binary strings with even Hamming weight (i.e. an even number of ‘1’s in the binary string) while $\psi^2_1$ and $\psi^3_1$ contain binary strings with odd Hamming weight. We claim that an optimal randomized n-bit encoding scheme can be constructed by partitioning $\{0, 1\}^n$ into two mutually exclusive sets $\psi^n_0 = \pi^n_{\text{even}}$ and $\psi^n_1 = \pi^n_{\text{odd}}$, where $\pi^n_{\text{even}}$ denotes the set of all n-bit strings with even Hamming weight and $\pi^n_{\text{odd}}$ denotes the set of all n-bit strings with odd Hamming weight.

To prove the claim, we first show by mathematical induction that $\pi^n_{\text{even}}$ and $\pi^n_{\text{odd}}$ have the same cardinality, i.e. $|\pi^n_{\text{even}}| = |\pi^n_{\text{odd}}| = 2^{n-1}$. For $n = 1$, this is trivial since both $\pi^1_{\text{even}} = \{0\}$ and $\pi^1_{\text{odd}} = \{1\}$ have cardinality $1 = 2^{1-1}$. Assume that the result, i.e. $|\pi^n_{\text{even}}| = |\pi^n_{\text{odd}}| = 2^{n-1}$, is true for all $n < k$. Consider $n = k$. For all k-bit strings, the last bit is either ‘0’ or ‘1’ and the first $k - 1$ bits form a substring such that this substring is either an element of $\pi^{k-1}_{\text{even}}$ or an element of $\pi^{k-1}_{\text{odd}}$. Let $\pi^{k-1}_{\text{even}}\#0$ denote the set of k-bit strings formed by appending a ‘0’ to every string in $\pi^{k-1}_{\text{even}}$. Hence, $|\pi^{k-1}_{\text{even}}\#0| = |\pi^{k-1}_{\text{even}}| = 2^{k-2}$ and every string in $\pi^{k-1}_{\text{even}}\#0$ has even Hamming weight (appending a bit ‘0’ does not change the Hamming weight of the string). Likewise, $|\pi^{k-1}_{\text{odd}}\#0| = |\pi^{k-1}_{\text{odd}}| = 2^{k-2}$ and every string in $\pi^{k-1}_{\text{odd}}\#0$ has odd Hamming weight. A ‘1’ appended to a $(k - 1)$-bit string with even Hamming weight would produce a resulting k-bit string with odd Hamming weight. Doing the same to a $(k - 1)$-bit string with odd Hamming weight would produce a resulting k-bit string with even Hamming weight. Hence, $|\pi^{k-1}_{\text{even}}\#1| = |\pi^{k-1}_{\text{even}}| = 2^{k-2}$ and every string in $\pi^{k-1}_{\text{even}}\#1$ has odd Hamming weight. $|\pi^{k-1}_{\text{odd}}\#1| = |\pi^{k-1}_{\text{odd}}| = 2^{k-2}$ and every string in $\pi^{k-1}_{\text{odd}}\#1$ has even Hamming weight. Furthermore, we observe that $\pi^{k-1}_{\text{odd}}\#0 \cap \pi^{k-1}_{\text{even}}\#1 = \{\}$ and $\pi^{k-1}_{\text{odd}}\#0 \cup \pi^{k-1}_{\text{even}}\#1 = \pi^k_{\text{odd}}$. Then, $|\pi^k_{\text{odd}}| = |\pi^{k-1}_{\text{odd}}\#0| + |\pi^{k-1}_{\text{even}}\#1| - |\pi^{k-1}_{\text{odd}}\#0 \cap \pi^{k-1}_{\text{even}}\#1| = 2^{k-2} + 2^{k-2} - 0 = 2^{k-1}$. Similarly, we can show that $|\pi^k_{\text{even}}| = 2^{k-1}$, from which we can conclude that $\pi^k_{\text{even}}$ and $\pi^k_{\text{odd}}$ have the same cardinality. Hence, we have shown by mathematical induction that $\pi^n_{\text{even}}$ and $\pi^n_{\text{odd}}$ have the same cardinality for all integers $n \ge 1$.

Next, we go on to consider the resulting n-bit word $W \in \phi^n$ produced under privacy-masking with randomized n-bit encoding, where $\psi^n_0 = \pi^n_{\text{even}}$ and $\psi^n_1 = \pi^n_{\text{odd}}$, from the perspective of an eavesdropper. We assume that the eavesdropper does not have any knowledge of the secret mask but possesses complete information over $\psi^n_0$ and $\psi^n_1$. Note that a received word $W$ has maximum entropy, i.e. $H_W = 1$, when $p_0 = p_1 = 0.5$ (where $p_0$ and $p_1$ are as defined earlier – see Definition 1). In other words, $W$ has maximum entropy when based on $\psi^n_0$ and $\psi^n_1$ and the resulting space of received words under privacy-masking, there is an equal likelihood of $W$ encoding a ‘0’ or a ‘1’. For the proposed scheme, $W$ can take the following cases:

• Case 1: All the bits in $W$ are masked. In this case, none of the bits in $W$ are disclosed. Since $|\pi^n_{\text{even}}| = |\pi^n_{\text{odd}}| = 2^{n-1}$, $W$ has an equal likelihood of being produced from a codeword in $\psi^n_0 = \pi^n_{\text{even}}$ or $\psi^n_1 = \pi^n_{\text{odd}}$, i.e. the actual source bit is equally likely to be a ‘0’ or a ‘1’. Hence, $W$ has maximum entropy, i.e. $H_W = 1$.

• Case 2: $k$ ($0 < k < n$) out of $n$ bits in $W$ are masked. In this case, the eavesdropper has to consider all possible k-bit combinations to the masked bits. Let $C_k$ be the k-bit substring formed by the $k$ bits in the codeword $C$ that correspond to the masked bits in $W$. Without loss of generality, consider the case whereby there is an even number of ‘1’s in the $n - k$ disclosed bits in $W$. Then, $C_k \in \pi^k_{\text{even}}$ implies that $C \in \psi^n_0 = \pi^n_{\text{even}}$, i.e. the actual source bit is ‘0’. Similarly, $C_k \in \pi^k_{\text{odd}}$ implies that $C \in \psi^n_1 = \pi^n_{\text{odd}}$, i.e. the actual source bit is ‘1’. Since $|\pi^k_{\text{even}}| = |\pi^k_{\text{odd}}|$, there is an equal likelihood that $C_k \in \pi^k_{\text{even}}$ or $C_k \in \pi^k_{\text{odd}}$, i.e. the actual source bit is equally likely to be a ‘0’ or a ‘1’. Hence, $W$ has maximum entropy.

• Case 3: All the bits in $W$ are disclosed. In this case, the codeword is revealed to the eavesdropper. With knowledge of $\psi^n_0$ and $\psi^n_1$, the actual source bit is revealed to the eavesdropper and a bit disclosure occurs.

From these three cases, we find that bit disclosures occur only when all the bits in $W$ are disclosed, and for all other cases of $W$, the entropy of $W$ is maximum. Under this scheme, the average entropy is given by

$$
\begin{aligned}
&\xi \text{ for the randomized } n\text{-bit encoding scheme where } \psi^n_0 = \pi^n_{even} \text{ and } \psi^n_1 = \pi^n_{odd} \\
&\quad = \frac{2^n \times 2^n - 2^n}{2^n \times 2^n} \times 1 \\
&\quad = 1 - \frac{1}{2^n}
\end{aligned}
\qquad (10)
$$

Hence, the randomized $n$-bit encoding scheme, in which $\psi^n_0 = \pi^n_{even}$ and $\psi^n_1 = \pi^n_{odd}$, is an optimal one.
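The following added example (not code from the paper) enumerates every codeword and mask to check the three-case argument and Equation (10) numerically, and contrasts the parity partition with a constructed first-bit partition. It assumes the 'same-bit' model in which a position is disclosed exactly when the tag's bit equals the mask bit, with a uniform source bit, codeword choice and mask; all function names are hypothetical.

```python
from itertools import product
from math import log2

def parity_partition(n):
    """psi_0 = even-weight n-bit strings, psi_1 = odd-weight strings."""
    words = list(product((0, 1), repeat=n))
    return ([w for w in words if sum(w) % 2 == 0],
            [w for w in words if sum(w) % 2 == 1])

def first_bit_partition(n):
    """Constructed counter-example: the source bit is just the first code bit."""
    words = list(product((0, 1), repeat=n))
    return [w for w in words if w[0] == 0], [w for w in words if w[0] == 1]

def observe(codeword, mask):
    """Assumed same-bit model: a position is disclosed iff tag bit == mask bit;
    otherwise the eavesdropper sees it as masked (None)."""
    return tuple(c if c == m else None for c, m in zip(codeword, mask))

def entropy(p):
    """Binary entropy of the eavesdropper's belief that the source bit is '0'."""
    return 0.0 if p in (0.0, 1.0) else -(p * log2(p) + (1 - p) * log2(1 - p))

def analyse(psi0, psi1):
    """Return (average entropy of W, probability that the source bit is disclosed)."""
    n = len(psi0[0])
    joint = {}  # received word -> [P(W, bit=0), P(W, bit=1)]
    for bit, psi in enumerate((psi0, psi1)):
        for codeword in psi:
            for mask in product((0, 1), repeat=n):
                w = observe(codeword, mask)
                joint.setdefault(w, [0.0, 0.0])[bit] += 0.5 / len(psi) / 2 ** n
    avg = sum((a + b) * entropy(a / (a + b)) for a, b in joint.values())
    leaked = sum(a + b for a, b in joint.values() if a == 0.0 or b == 0.0)
    return avg, leaked

if __name__ == "__main__":
    for n in (1, 2, 3, 7):
        avg, leaked = analyse(*parity_partition(n))
        print(f"n={n}: average entropy={avg:.4f}, "
              f"expected disclosed bits of a 96-bit ID={96 * leaked:.2f}")
    print("first-bit partition, n=3:", analyse(*first_bit_partition(3)))
```

Under these assumptions the parity partition gives $1 - 1/2^n$ for every $n$, while the first-bit partition stays at 0.5 regardless of $n$, because the source bit leaks whenever its single carrying position is disclosed.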

6 Analysis and Discussion

Figure 8 shows the graph of average entropy under privacy-masking with optimal n-bit encoding for various values of n. From the graph, we find that optimal 2-bit encoding provides a substantial improvement in average entropy (from 0.5 to 0.75) and optimal 7-bit encoding achieves an average entropy that is close to the maximum entropy of 1. Table 1 gives the results from simulation experiments conducted to compare the amount of privacy protection offered under privacy-masking with no encoding, optimal 2-bit encoding and optimal 3-bit encoding. In the experiments, we simulate the transmission of the 96-bit unique identifier of an EPC Class-1 Gen-2 compliant RFID tag under privacy-masking with and without randomized bit encoding. The encoding schemes used were constructed based on the method described in section 5.4, i.e. partitioning the sets $\{0, 1\}^2$ and $\{0, 1\}^3$ into subsets of odd and even Hamming weights. The results in Table 1 show that the randomized bit encoding schemes provide significant improvements against guessing attacks on the unique tag identifier.

While we have seen that randomized bit encoding has the potential to improve the amount of privacy protection on the unique identifiers of tags, this comes at a price of having to transmit more bits for every bit of the unique identifier. In particular, for a 96 bits identifier, randomized n-bit encoding results in the transmission of a total of 96n bits. While a greater value of n increases the amount of protection, the amount of overhead is also increased. Hence, the tradeoff between the amount of privacy protection offered and the singulation overhead needs to be carefully balanced.

Figure 8. Average entropy under privacy-masking with optimal randomized n-bit encoding against n. (Note that n=1 represents the case without encoding.)

Table 1. Performance Comparison of Backward Channel Protection Method With and Without Randomized Bit Encoding.

| | No Encoding | Optimal 2-bit Encoding | Optimal 3-bit Encoding |
|---|---|---|---|
| Average number of bits disclosed | 48.04 | 23.94 | 12.01 |
| Probability of correct guess to EPC | $3.65 \times 10^{-15}$ | $2.03 \times 10^{-22}$ | $5.12 \times 10^{-26}$ |

To investigate the amount of overhead incurred under randomized n-bit encoding, we examine the scheme when it is used with the singulation protocol and tag inventorying procedure defined in section 6.3 of the EPC Class-1 Gen-2 specifications¹ [7]. Simulations were conducted in C++ to simulate the inventorying of a batch of m tags by a single reader. In the simulations, the reader communicates with the batch of tags using the Slotted-Aloha-based Q-protocol (refer to pp. 42, 43 and 84 in [7]) for singulation and collision resolution. The simulation starts off with the reader sending out a Select command, followed by a Query command (refer to pp. 34 and 44 in [7]) to the batch of tags, and ends when all the m tags in the batch have been inventorised, i.e. have their unique identifier reported to the reader. The total time taken for inventorying the entire batch of m tags is measured. Figures 9 and 10 show the results obtained.

From the results, we find that if there are fewer than 60 tags in the batch, then the total time required to singulate all the tags in the batch would be less than 1 s. Hence, under human perception, there would not be a significant difference between randomized 7-bit encoding and no encoding. However, in the unlikely situation that the usage application is a time-critical or time-sensitive one, whereby an extremely strict timing constraint (of less than 1 s) has to be met, then the parameter n (for n-bit encoding) would have to be carefully selected. In this case, we may need to sacrifice some amount of privacy to reduce the singulation overhead. For applications that require the singulation of more than 60 tags at any one time, the singulation overhead could pose a problem since the differences in time taken for singulation between various values of n become more significant when the number of tags to be singulated is large. Hence, it would be essential to balance the tradeoff between the amount of privacy protection and the singulation overhead by choosing an appropriate value for n.

Figure 9. Graph of total singulation time against number of tags.

Figure 10. Graph of percentage singulation overhead against number of tags.

¹ In particular, section 6.3.1.5 in [7] describes the link timings for the communication between a compliant reader and a compliant tag, and section 6.3.2.8 describes the inventorying procedure. Figures 6.4 (pp. 25), 6.11 (pp. 29), 6.16 (pp. 34) and 6.21 (pp. 44), as well as Tables 6.11 (pp. 32), 6.12 (pp. 32) and 6.13 (pp. 34) provide the useful and relevant information.

7 Conclusion

In this paper, we presented the randomized bit encoding scheme for strengthening the privacy protection offered to RFID tags under the previously proposed privacy-masking method by Choi and Roh [1]. A more secure system model for the privacy-masking protection was proposed to protect the unique identifier of RFID tags against disclosure to eavesdroppers and unauthorized interrogators. We defined a metric to measure the amount of protection offered by the scheme and described a method to construct an optimal randomized n-bit encoding scheme. With the use of theoretical analysis and simulations, we showed that the proposed scheme provides significant improvements towards protecting the unique tag identifiers against disclosure. In addition, we also examined the related performance issues by conducting simulations to investigate the amount of overhead incurred under the scheme.

References

[1] Wonjoon Choi and Byeong-hee Roh, “Backward Channel Protection Method for RFID Security Schemes Based on Tree-Walking Algorithms”, Int’l Conf. on Comp. Sc. and Apps (ICCSA 2006), pp. 279-287, 2006.

[2] S. A. Weis, Security and Privacy in Radio Frequency Identification Devices, Masters Thesis, MIT, May 2003.

[3] C. Castelluccia and G. Avoine, “Noisy Tags: A Pretty Good Key Exchange Protocol for RFID Tags”, 7th Int’l Conf. on Smart Card Research and Advanced App., Apr 2006.

[4] A. Juels, R. L. Rivest, and M. Szydlo, “The Blocker Tag: Selective Blocking of RFID Tags for Consumer Privacy”, in Proc. of ACM CCS ’03, pp. 103-111, ACM Press, Oct 2003.

[5] M. R. Rieback, B. Crispo, and A. S. Tanenbaum, “Keep on Blockin’ in the Free World: Personal Access Control for Low-Cost RFID Tags”, in Proc. of the 13th Int’l Workshop on Security Protocols, Apr 2005.

[6] A. Juels, P. Syverson, and D. Bailey, “High-Power Proxies for Enhancing RFID Privacy and Utility”, in Proc. of the 5th Workshop on Privacy Enhancing Technologies (PET ’05), 2005.

[7] EPCglobal, EPC Radio-Frequency Identity Protocols Class-1 Generation-2 UHF RFID Protocol for Communications at 860MHz-960MHz Version 1.0.9.