SquealingEuros:PrivacyProtectioninRFID-EnabledBanknotesAriJuels1andRav - PDF document

SquealingEuros:PrivacyProtectioninRFID-EnabledBanknotesAriJuels1andRavikanthPappu21RSALaboratoriesBedford,MA01730,USAe-mail:ajuels@rsasecurity.com2ThingMagic,LLCe-mail:ravi@thingmagic.comAbstract.Thankstotheirbroadinternationalacceptanceandavail-abilityinhighdenominations,thereiswidespreadconcernthatEurobanknotesmayprovideanattractivenewcurrencyforcriminaltrans-actions.Withthisinmind,theEuropeanCentralBankhasproposedtoembedsmall,radio-frequency-emittingidentication(RFID)tagsinEurobanknotesby2005asatrackingmechanismforlawenforcementagencies.TheECBhasnotdisclosedtechnicaldetailsregardingitsplan.Inthispaper,weexploresomeoftheriskstoindividualprivacythatRFIDtagsembeddedincurrencymayposeifimproperlydeployed.Ac-knowledgingthesevereresourceconstraintsofthesetags,weproposeasimpleandpracticalsystemthatprovidesahighdegreeofprivacyassurance.Ourschemeinvolvesonlyelementarycryptography.Itsef-fectivenessdependsonacarefulseparationoftheprivilegesoeredbyopticalvs.radio-frequencycontactwithbanknotes,andfullexploitationofthelimitedaccess-controlcapabilitiesofRFIDtags.Keywords:banknotes,cryptography,RFID,privacy1IntroductionIssuedundertheaegisoftheEuropeanCentralBank(ECB),theEuronowservesasacommoncurrencyforthesecondlargesteconomiczoneintheworld,havingsupplantedthephysicalcurrencyofmembernationsatthebeginningof2002.AmongthemanyintricatepolicydecisionsprecedingtheintroductionoftheEurowasthedeterminationofbanknotedenominations.TheECBoptedtoissuebanknotesuptotherelativelyhighdenominationsof200and500Euro.Atrst,thismayappeartobeastraightforwarddecisionaddressingtheconvenienceofconsumersandnancialinstitutions.Itcouldultimatelyprove,however,tohavefarreachingconsequencesastheEurobecomesacurrencyofinternationalstand-ingrivalingtheU.S.dollar.EvenbeforetheintroductionoftheEuro,concernarosethatthe500Eurobanknotemightemergeasamagnetforinternationalcrime[31].(Indeed,someeconomistsevenaccusedtheECBoftryingtoattractblack-marketactivitytoEuropeasanancialstimulus.)Atpresent,thephysi-calcurrencyofchoiceforinternationalblackmarkettransactionsistheUnited Statesone-hundred-dollarbill.The500Euronote,howeverenjoystheadvantageofsuperiorportability.Asimpleobservationisillustrative:enoughone-hundreddollarbillstollabriefcasewill,whendenominatedinve-hundred-Euronotes,tinamerehandbag.Asanapparentcounterpoisetothisthreat,theECBhasdisclosedplanstoincorporateRadioFrequencyID(RFID)tagsintoEurobanknotesby2005[32].AnRFIDtagisatinydevicecapableoftransmittingapieceofstaticinformationacrossshortdistances.WhiletheECBhasnotrevealedspecics,itmaybepresumedthatinthisproposal,lawenforcementocialswouldbeabletoemploymonitoringequipmenttolearntheserialnumbersofEurobanknotessurreptitiouslyatshortdistances.Deployedathighlytrackedlocationssuchasairports,suchasystemwouldpermittrackingofcurrency\rows,providingapowerfultoolforlawenforcementmonitoringillegalactivitysuchasmoneylaunderingandnarcoticstrade.ThedicultyofcreatingRFIDtagsisalsoseenasapotentialdeterrenttobanknoteforgery[29].Inthispaper,weconsidertheimpactoftheECBproposalontheprivacyofbearersofbanknotescarryingRFIDtags.Inbrief,theproblemisthatRFID-tagreadersareincreasinglyeasyandinexpensivetobuy.Ontheotherhand,RFIDtagsaretoolimitedintheircapabilitiestoenforcesophisticatedinformationdisclosurepoliciesashavebeenproposedforfullydigitalformsofcash(see,e.g.,[8,9,11,20]forexamples).Indeed,themostlikelycandidatefordeploymentinEurobanknotesistheHitachi-chip,whichsimplytransmitsa128-bitserialnumber[29].Ifbanknotestransmittheseserialnumberspromiscuously,thatis,toanyonepossessingareader,thenitispossibleforpettycriminalseasilytodetectthepresenceofbanknotescarriedbypassersby.Thiswouldbeespeciallyproblematicifonlyhigh-denominationEuronotesweretobetagged,asmightbethecasegiventheadditionalexpenseofRFIDtags.Worsestill,itwouldpossibleforanyonetotrackbanknotes,andthusthewhereaboutsandnancialdealingsofordinarycitizens.Suchtrackingwouldbefeasibleonlyatshortdistances,namelyafewmeters,butmightbedonewithoutanyknowledgeonthepartofthevictim.Thefactthatserialnumberscontainnoconsumerinformationwouldnotprovideaguaranteeagainstprivacyviolations.Wegiveacoupleofhypotheticalexamplesheretoillustratetheproblem:Example1.BarXwishestosellinformationaboutitspatronstolocalMerchantY.Thebarrequirespatronstohavetheirdrivers'licensesscannedbeforetheyareadmitted(ostensiblytoverifythattheyareoflegaldrinkingage).Atthistime,theirnames,addresses,anddatesofbirtharerecorded.3Atthesametime,BarXscanstheserialnumbersoftheRFIDtagsofbanknotescarriedbyitspatrons,therebyestablishingalinkbetweenidentitiesandserialnumbers.MerchantYsimilarlyrecordsbanknoteserialnumbersofcustomersfromRFID3The2-Dbarcodesondrivers'licensesincertainstatesalreadycarrydemographicinformation[3].Theautomatedharvestingofconsumerinformationbybarsandrestaurantsisanemergingpractice.Presumablytheinformationonthefrontofcards,includingthenameofthecardholder,canbeharvestedthroughopticalcharacterrecognition. tags.BarXsellstoMerchantYtheaddressandbirthdatedataithascollectedoverthepastfewdays(overwhichperiodoftimebanknotesarelikelynotyettohavechangedhands).IncaseswhereBarXandMerchantYholdcommonserialnumbers,MerchantYcansendmailingsdirectlytocustomers{indeed,eventothosecustomerswhomerelyenterorpassbyMerchantY'sshopswithoutbuyinganything.MerchantYcaneventailormailingsaccordingtotheagesoftargetedcustomers.PatronsofBarXandMerchantYmightbeentirelyunawareoftheinformationharvestingdescribedinthisexample.Example2.AprivatedetectivewishestoknowwhetherBobisconductinglarge-valuecashtransactionsatCarl'sstore.ShesurreptitiouslyinterceptstheserialnumbersonbanknoteswithdrawnbyBobandalsorecordstheserialnumbersofthosebroughtbyCarloutofhisstore.Ifthereisanyoverlapbetweensetsofnumbers,sheconcludesthatBobhasgivenmoneytoCarl.TheprivatedetectivemightreachthesameconclusionifBobleaveswithoutbanknotesthathecarriedintoCarl'sstore.TheprivatedetectivemightalsotrytoreduceherriskofdetectionbyreadingthebanknotesofBobandCarlatseparatetimes,e.g.,enroutetoorfromthebank.Aslightlybetterproposalasregardsconsumerprivacy,andstillwithinthecapabilityofevensimpleRFIDtags,isforbanknotesonlytotransmitserialnumbersonreceivingaspecial,staticlawenforcementkey.Theproblemwiththisapproachisthatthekeywouldalmostcertainlybecomepublicknowledge.Suchakeywouldhavetobeuniversal,thatis,embeddedineverylawenforce-mentmonitoringdevice.Moreover,amonitoringdevicewouldoperatebytrans-mittingthekeytotargetbanknotes.Thismeansthatthelaw-enforcementkeywouldneedtobetransmittedandmightthusbeeasilyintercepted.Asbanknotescannotbereprogrammedinsuchcases,thisapproachseemsunworkable.Anotherpossibleapproachistoemployacryptographicformofprivacypro-tection.RFIDtagsinbanknotescouldcarryandtransmittheirserialnumbersonlyinencryptedform.Thisapproachisstill\rawed,however,inthatthestaticciphertextonaserialnumberisitselfauniqueidentier.Inotherwords,theencryptedserialnumbermayitselfbeviewedasakindofmeta-serial-number,itselfpermittingthepromiscuoustracingofbanknotes.Moresophisticatedcryptographicsolutionsforprivacyprotectionarepos-sibleinprinciple.Forexample,inlieuofabasicRFIDtag,banknotesmightcarrysmall,clock-bearingdevicesthatonlyrespondtolawenforcementqueriesbearingadigitallysignedwarrantvalidwithinacertainperiodoftime.Again,however,giventherequirementsforextremelylowcostandsize,theRFIDtagsembeddedinbanknoteswillhavetopossessmuchmoreseverelylimitedcapabil-itiesthanthis.Indeed,themostadvancedcurrentgenerationofcheap,passiveRFIDtags,suchastheAtmelTK5552carryonlyabout992bitsofuser-accessiblememory,andcarrynointernalpowersource[13].4Thesetagsarecapableofonlyrudimentarycomputation,suchasbitstringcomparisonsonkeys.4Althoughthespeciedmodulesizeis5mm8mm,thisincludesanindestructiblecasingforuseinautomobiles.TheICitselfisabout1mm1mminsize,andthus 1.1OurapproachandgoalsWeproposeanapproachtoprivacyprotectionofRFIDtagsthatdoesinvolveacertainamountofcryptographicdesign,butisfairlysimple.Oursolution,more-over,doesnotrequireanycapabilitiesbeyondthelimitedonesofthecurrentgen-erationofRFIDtags.Weassumethatintensivecryptographicoperationstakeplaceinrelativelyhigh-powereddevicesforhandlingbanknotes,ratherthaninthebanknotesthemselves.Weusepublic-keyencryptionofserialnumbers(andassociateddigitalsignatures)inRFIDtagsinourscheme,withacorrespondingprivatekeystoredappropriatelybyalawenforcementagency.Thebasicideainourproposalistoemployre-encryptiontocauseciphertextstochangeinappearancewhiletheunderlyingplaintexts,i.e.,theencryptedserialnumbers,remainthesame.Wemayviewtheglobalstructureofourschemeasessentiallyanalogoustothatofamixnetwork,asintroducedby[10].Onecrucialdierence,however,isthattheentitiesperformingre-encryptioninourschemehaveknowledgeoftheserialnumbers,i.e.,theplaintexts.Thus,wedonotrequireanyspecialhomomorphicpropertiesfromthepublic-keyencryptionscheme.Thetermre-encryptiongenerallyrefersintheliteraturetouseofsuchhomomorphicpropertiestoenabletransformationofaciphertextvaluewithoutknowledgeoftheplaintext.Inthispaper,though,weemploythetermre-encryptionwiththeunorthodoxassumptionthattheplaintextisknown.Re-encryptionofciphertextsaddressestheproblemoftheirservingasmeta-serial-numbers,therebyenforcingprivacyevenifbanknotestransmitinformationpromiscuously.There-encryptionoperationmightbeperformedbyshopsandretailbanks,andevenbyconsumers.Someshopsnowmakeuseofopticalscan-ningdevicesforelectronicchequeconversion[14].Devicesofsimilarsizeandcostcanperformexactlytheoperationsrequiredbyourschemeforbanknoteprivacy.Thisapproach,though,introducesacoupleofproblems.First,howdoweensurethatre-encryptionisperformedonlyatappropriatetimesandnot,e.g.,byamaliciouspasserby?Second,howtoweensurethatre-encryptionisperformedproperly,andthatbanknoteholdersorhandlersarenotdeceptivelyembeddingfalseinformationinRFIDtags,orindeed,swappinginformationbe-tweenbanknotes?Weaddressthesetwocriticalproblemsinthispaper,amongothers.Oneoftheconsiderableadvantagesofourschemeisthe\rexibilityitpermitsinlawenforcementpolicy.ForbanknoteswithwhichtheyhaveonlymadecontactviaRFID,lawenforcementagentscanonlylearntheserialnumberonperforminganasymmetricdecryptionoperation.Becausetheprivatedecryptionkeyforthisoperationcanbedistributedinathresholdmannerusingstandardsecret-sharingtechniques[27],abroadrangeofpoliciescanbeusedtorestrictaccesstotracinginformation.Intermsofmanagementofthisprivatekey,ourschememaybeviewedasatypeofescrowonbanknoteserialnumbers,analogoustokeyescrowofthetraditionalcryptographictype.Serialnumbersarequasi-publicvalues,however,unlikethekeysthatarehandledbytraditionalescrowschemes.Thuspotentiallysuitableforembeddinginbanknotes.WecitetheAtmelTK5552,though,merelyasanexampleoftheexistingrangeofcapabilitiesinRFIDtags. weemployratherdierenttoolsforcreatingandverifyingtheescrowedvaluestobeginwith.Anyapproachofthekindwedescribehere{andindeed,webelieve,anyapproachthatprovideseectiveprivacyforRFIDtaggedbanknotes{mustpermitfairlywidespreadalterationofRFIDtaginformation.Withthisinmind,wenowprovidearoughenumerationofthepropertiesthatwefeelabanknote-tracingsystembasedonRFIDtaggingshouldprovide:1.Consumerprivacy:Onlylawenforcementagencies(andnoteventheCentralBank)shouldbeabletotracebanknoteseectivelyusinginfor-mationtransmittedbyRFIDtags.Thisshouldcertainlybethecaseeveniflaw-enforcementRFIDsignalsareintercepted,andshouldevenholdiflaw-enforcementeldmonitoringequipmentiscapturedandsuccessfullyreverseengineered.Tracingshouldonlybepossibleusinganappropriatelyprotectedprivatekey.Weformalizethisrequirementinsection5.2.Strongtracing:GiveninterceptionofvalidRFIDinformationfromagivenbanknote,lawenforcementshouldbeabletodeterminetheassociatedserialnumber.3.Minimalinfrastructure:Consumersshouldrequirenospecialequipmentforthehandlingofbanknotes.Merchantsandbanksshouldrequireonlyrela-tivelyinexpensivedevicesforthispurpose,andshouldnotrequirepersistentnetworkaccess.Thesystemshouldbebackwardcompatable,inthesensethatbanknotescan,ifdesired,beusedandexchangedwithoutreferencetoRFIDtags.4.Forgeryresistance:Aforgermustataminimummakeopticalcontactwithabanknoteinordertobeabletoforgeacopybearingthesameserialnumberandotherdata,e.g.,associateddigitalsignatures.Aforgershouldbeunabletoforgenewbanknoteswithpreviouslyunseenserialnumbers,andshouldbeunabletoalterthedenominationassociatedwithagivenbanknote.5.Privilegeseparation:Soastopreventwaywardormalicioustamperingwithbanknoteinformation,RFIDtagdatashouldonlybealterablegivenopticalcontactwithbanknotes,evenifreadablethoughRFIDcontactalone.6.Frauddetection:Ifinvalidlaw-enforcementinformationiswrittentoanRFIDtagonabanknote,thisshouldbewidelydetectable,particularlybyanymerchanthandlingthebanknote.1.2OrganizationInsection2,weprovideanintroductiontoRFIDtags,describingtheircharacter-isticsandcapabilities.Wedescribeourtrustassumptionsinsection3aswellasconceptualandcryptographicbuildingblocks.Weprovidedetailsofourproposedsysteminsection4.Insection5,weanalyzethesecurityofourscheme,propos-ingadenitionofprivacyandalsotouchingontherangeofnon-cryptographicattackspossibleinRFID-enabledsystems.Weconcludeinsection6withadis-cussionofsomeofthepracticalconsiderationsindeployingoursystemandsome openissues.Formaldenitionsandadditionalnotesareincludedintheappendixtothepaper.2APrimeronRFIDTagsAsexplainedabove,anRFIDtagisadevicecapableoftransmittingradio-frequencysignals,typicallyforthesimplepurposeofemittingastaticidentier,thatis,auniquelyidentifyingbit-string.Initssimplestform,anRFIDtagconsistsofasmallsiliconintegratedcircuitadjoinedtoanantenna,whichmaybeprintedonsubstrateroughlyasthinasapieceofpaper.Suchtagspresentlycostinthevicinityof$0.50perunit(U.S.).Thankstoemergingmanufacturingtechniques,however,theper-unitcostofRFIDtagspromisestodropto$0.05orless[25,26]inthenextseveralyears.Theirphysicalform,whilealreadyquitecompact,isintheprocessofreductiontoaslender,paper-thinstripjustseveralcentimetersinlength.Naturally,thecomputationalcapabilitiesofsuchsmall,inexpensivedevicesisquiteconstrained.Aswewillseebelow,mostoftheworkinanycommunicationwiththetagisperformedbythetagreader.ThecheapandcompactRFIDtagssuitableforinclusioninbanknotesareofatypeknownaspassive.Passivetagsdonothaveanyinternalpowersources;rather,theyaredependentontheRFeldfromthetagreaderfortheirpower.Inatypicalscenario,thereaderrsttransmitsRFradiationatagivenfre-quency.Thispowersthetagwhich,afterreceivingasucientamountofpower,modulatestheincomingradiationwithitsstoreddata.Thereaderthendemod-ulatesanddecodesthetag'sresponsetorecoverthedata.ExamplesofpassiveRFIDtagsincludeelectronicarticlesurveillance(oranti-theft)tagsembeddedincompactdiscsandbooks.Therearetwoother,moreheavyweightcategoriesofRFIDtagsknownassemi-passiveandactivetags.Semi-passivetagshaveabatteryonboard.Thisallowsthemtobereadfromalongerrange.Activetags,asdistinctfrompassiveandsemi-passivetags,arecapableofinitiatingthetransmissionfromtheirloca-tion;theydonotrequireareadertointerrogatethemrst.Theonlylimitationsontherangeatwhichsemi-passiveandactivetagscanbereadarepowerandreadersensitivity.Amobiletelephoneisanexampleofanactivetag;ithasauniqueidentityi.e.,thephonenumber,andiscapableofinitiatingtransmissiontoabasestationalongdistanceaway.Forsizeandcostreasons,however,itisimpracticaltoincludesemi-passiveoractivetagsinbanknotes.ThereareseveralbandsofthespectruminwhichRFIDtagsoperate.Thesebandsareusuallyregulatedbyquasi-governmentalorganizationsinvariouscoun-tries.IntheU.S.,theFederalCommunicationsCommission(FCC)isresponsibleforregulatingalltelecommunicationsbyradio,television,wire,satelliteandca-ble.ThemostcommonlyusedunlicensedfrequenciesinRFIDare125KHz(lowfrequencyorLF),13.56MHz(highfrequencyorHF),915MHz(ultrahighfre-quencyorUHF),and2.45GHz(microwave).Tomanyconsumers,LFtagsarefamiliarintheformofsmallplaquesmountedoncarwindshieldsforthepurposeofautomatictollpayment.Althoughtherehasbeennoformalannouncement regardingthefrequencyatwhichECBbanknotetagswilloperate,thereareseveralreasonstobelievethatthesetagswilloperateinthemicrowaveband.Amongthesereasonsare:(1)TheICsofmicrowavetagsareextremelysmall,allowingthemtobemanufacturedatverylowcost;(2)Theantennaeforthesetagsarealsomuchsmallerthanthosefortagsoperatingatalowerfrequency;andnally(3)Thesetagscanbeattachedtopapersubstrateswithease[29].Ingeneral,thenecessarysizeofthetagdecreasesasthefrequencyincreases,butthisleadstoasubstantialincreaseinthecomplexityofthetagreader.Fur-ther,therateatwhichinformationistransferredfromthetagtothereaderisdirectlyproportionaltothefrequency.Asapracticalmatter,thishasimplica-tionsfortheamountoftimethetaghastospendintheeldofagivenreader.Thelowerthedataratefromthetagtothereader,thelongerthetaghastospendintheeldofthereader.Forexample,acommerciallyavailabletagop-eratingat125KHztransmitsitsIDat7.8Kbps.Thismeansthatataghastoremainintheeldofthereaderforapproximately128ms.At13.56Mhz,thetag-to-readerdataratecouldbeontheorderof50Kbps,allowingasubstantiallydiminishedtimeintheeldtoreadthesameamountofdata.At915MHz,thetagtoreaderdatarateishigherstill,ontheorderof128Kbps.Thehightag-to-readerdatarateassumesgreaterimportanceastheamountofinformationstoredonthetagincreases.Thesmall,passivetagssuitableforinclusioninbanknotesmaybeconstructedwithelectrically-erasableprogrammablememory(EEPROM).AtypicalRFIDcommunicationprotocolallowsthereadertoperformseveraloperationsonthememoryofthesetags.Thesimplestpossiblecommandsthatthereadercanissuearereadandwrite,whereinthereadersimplyreadsorwritesthememoryonthetag.Manyprotocolssupportanti-collision,thatis,theabilityformultipletagswithuniqueidentitiestobesimultaneouslyreadbythesamereader.Atagmayalsoreceiveasleepcommandwhichrendersitunresponsivetofurthercommandsfromthereader.Thisstateismaintaineduntilthetagreceivesawakecommand,accompaniedbyatag-specickey.(Sleepisthusakeyedfunction.)Finally,atagmaybecompletelydeactivatedwithakillcommand,whichrendersthememorycompletelyinaccessibleforever.Wenotethattypicalpassivetagsavailabletodayhavememorycapacitiesofnomorethanafewkilobitsandtransmitatamaximumrateofaboutontheorderof100Kbps.OurproposedschemeisbasedonRFIDtagfunctionsataslightlyhigherlevelofsophistication,namelykeyed-readandkeyed-write.Theseareaccess-controlfunctionsappliedtoparticularmemorycells.AnRFIDtagwillonlypermitakeyed-readonaread-protectedmemorycellifitreceivesastaticsecretkey,andlikewiseforwrite-protectedmemorycells.ThecurrentgenerationofRFIDtagsdonotincludekeyedwrite.Thesefunctions,though,maybeeasilyenabledinthemanufacturingprocess,andareenvisionedfornearfuturegenerationsofRFIDtags.TheAtmelTK5552[13]isanexampleofacommerciallyavailabletagthatsupportsamajorityofthesefunctions. 3PreliminariesWehavestatedoursystemgoalsinthelistofrequirementsinsection1.Beforepresentingdetails,itisalsousefulforustogivealoosedescriptionofthetrustmodelmotivatingourconstruction.Inparticular,weassumetheparticipationoffourentitytypes,characterizedasfollows:1.CentralBank:TheCentralBank,denotedbyB,istheorganizationem-poweredtocreateandissuebanknotes.Balsofurnishesthedigitalsignaturesforbanknotes,asweshallsee.Weassumethattheprincipalsecurity-relatedaimoftheCentralBankistopreventforgery.Thus,forexample,theCentralBankhasaninterestinissuingbanknoteswithuniqueserialnumbersandinprotectingitsdigitalsigningkey.Wedonot,however,assumeaninterestonthepartoftheCentralBankinprotectingconsumerprivacyorensuringeectivetracingbylawenforcement.2.LawEnforcement:Thisentity,denotedbyL,consistsofoneormoreagencieswithaninterestintracingbanknote\rows.OursystemaimstoprovideahighdegreeofassurancethatthevaluesembeddedinbanknoteRFIDtagsfacilitatethistracing.Thelawenforcementagency,weassume,wishestoensurethatitsprivilegesarenotinfringedupon,i.e.,thattheabilityofotherentitiestotracebillsisminimized.3.Merchant:Merchantsareentitiesthathandlebanknotes,acceptingthemforpaymentandperhapsagreeingtoanonymizethemonbehalfofconsumersasafreeservice.Weassumethatmostmerchantsseektoensurecompliancewithlawenforcementrequirements,thatis,thattheywillreportirregular-itiesinbanknoteinformation.Weconsiderthepossibilitythatmerchantsmayattempttocompromiseconsumerprivacy.WeuseMtodenoteamer-chant,treatingMasagenericlabel.Retailbanksmayperformthesamerangeofbanknote-handlingoperationsasmerchants.4.Consumer:Thebearerofabanknote,theconsumer,denotedgenericallybyC,hasaninterestinprotectingherownprivacy.Thatis,theconsumerseekstorestricttracingofherbanknotesinthehighestpossibledegree.Towardthisend,weconsiderthatinsomecases,consumersmayevenbreachlawenforcementregulationsbycorruptingthetracinginformationcontainedonbanknoteRFIDtags.3.1BuildingblocksandconceptsPublic-keyencryption:Ourschemeemploysasitsbasisanarbitrarypublic-keycryptosystemprovidingchosen-ciphertextsecurityagainstadaptiveadversaries,ofwhichmanyareknownintheliterature.Wedonotdenethenotionhere,butinsteadreferthereaderto,e.g.,[4]foradiscussionofcryptosystemsecuritydenitions.Asexplainedabove,theideainoursystemistogenerateaciphertextContheserialnumberSforagivenbanknoteunderapublickeyPKLgeneratedbyL.Byemployingthecorrespondingprivatekey,LcanextractSfromC.Inordertoachievethedesiredsecurityguarantees,theencryptionoperationmust takeasinputarandomlygeneratedvalueknownasanencryptionfactor.WeletRdenotethesetofvalidencryptionfactorsforagivensecurityparameter.Notethatourprivacyandpracticalityrequirements(1-3)asstatedintheintroductiontothispapercanbefullysatisedwithasimplesysteminwhichaciphertextConauniqueserialnumberSforagivenbanknoteistheonlyinformationontheRFIDtag.Onreceivingabanknote,amerchantcanopticallyreadtheserialnumberfromthenote(usingascanningdevice),encryptitunderthepublickeyPKL,andreplacetheexistingciphertextwiththisnewone.Undertheassumptionofchosen-ciphertextsecurity,itisinfeasibleforanadversarytodeterminewhetherthenewciphertextindeedcorrespondswiththeoldone.(Inisolation,thispropertyisknownassemanticsecurity[18].)Re-encryptionthusprovidesthedesiredassuranceofconsumerprivacy.TheproblemwiththisapproachisthatanattackercancreateaciphertextonanyserialnumbershelikesandplaceitontheRFIDtag,causingthisfalseserialnumbertobepropagated.Thusourschemerequiressomeadditionalcomponentsfortestingthevalidityoftracinginformation.Digitalsignature:RatherthanencryptingtheserialnumberSforagivenban-knote,weinsteadproposeencryptingadigitalsignatureonSproducedbytheCentralBank.Thiscomponentofoursystemaddressesrequirement4,namelyforgeryresistance.Withuseofadigitalsignatureofthiskind,anattackercannotforgeserial-numberinformationfromscratchforplacementonanyRFIDtag.Oursystemcaninprincipleaccommodateanytypeofdigitalsignatureschemesecureagainstchosen-messageattack,asdenedin[19].WediscussparticularchoicessuitableforthelimitedmemoryofRFIDtagsinsection4.1.Opticalcontactvs.RFIDcontact:Thetworequirementsthatarenotsatisedbyeventheuseofdigitalsignaturesarerequirements5and6,thoseofprivilegeseparationandfrauddetection.Privilegeseparationisimportantsoastopreventremoteattacksonthebanknotesofpassersby,i.e.,erasureoralterationoftheirRFIDtaginformationthroughRFcontactalone.Frauddetectionisalsoquiteimportant.Withoutit,acriminalcanswaptheinformationofRFIDtagsondierentbanknotes,whilelawenforcementagentswillbeunabletodetectthistypeofattackwithoutphysicaloratleastopticalcontactwiththebanknote.Indeed,ifanattackerplantsaciphertextinabanknotecorrespondingtoaninvalidsignature,amerchantwillbeunabletodetectthisfact,sincethemer-chantcannotdecryptit.Ourview,however,isthattheabilityofmerchantstodetectinvalidciphertextsiscriticalinpreventingcriminaltamperingwithRFIDtags,aslawenforcementagenciesmaynotoftencomeinphysicalcontactwithindividualbanknotesincirculation.Toaddresstheseproblems,weexploitinoursystemdesigntheavailabilityoftwodierentchannels,ordatatypes,whichwedescribeasopticalandtransmis-sion.Opticalinformationissimplydataprintedonabanknote,andpresumedtobereadablebythedevicesperformingre-encryption,namelythebanknote-handlingmachinesofmerchants.Thisinformationmaybeencodedinhumanreadableform,andperhapsalternativelyinmachine-readableformasa2-Dbar code.WeassumethatitincludesaserialnumberSuniquetothebanknoteandalsoauniqueaccess-rightskeyD,whoseformwespecifylater;otherinformationsuchasthedenomination,series,andoriginofthenotemightalsobeincluded.Bytransmissioninformation,wemeanthecontentsoftheRFIDtagasreleaseduponsuccessfulquerybyanRFIDreader.Suchadistinctionbetweendierenttypesofphysicalcontactwithsecurity-systemcomponentsisnotoftenformallyidentiedinsecurityarchitecturedesign,butarisesfromtimetotime.Someexamplesincludesystemsusingbiometricauthentication,digital-rightsmanage-mentsystemsforCD-ROMs,andthe\resurrectingduckling"protocoldescribedin[28].AsexplainedinourprimeronRFIDtagsinsection2,oneoftheircapabilitiesiscontrolofread/writeaccessprivilegesbymeansofstatickeys.Inourproposedsystem,wethusrestrictaccessprivilegestotwomemorycellsintheRFIDtagforabanknote.PrivilegesforthesetwocellsareprotectedunderthekeyD,which,asstatedabove,canonlybeobtainedthroughopticalcontactwiththebanknote.TherstprotectedmemorycellisthatcontainingtheciphertextContheserialnumberandassociateddigitalsignatureforthebanknote.ThiscellisuniversallyreadableviaRF,butitswriteprivilegesarekeyedtoD.Ouraimhereistosatisfyrequirement5,thatofprivilegeseparation,therebylimitingadversarialalterationoftheciphertextC.Inthesecondprotectedmemorycellisstoredtheencryptionfactorrpartic-ulartothecurrentciphertextCintherstmemorycell.BothreadandwriteprivilegesforthissecondcellarekeyedunderD.AccesstothissecondcellpermitsvericationoftheciphertextC,anddoessowithoutknowledgeofthelaw-enforcementdecryptionkeyx,asexplainedbelow.Hence,byaccessingthecontentsofthissecondmemorycell,andreadingSopticallyfromabanknote,itispossibleforamerchanttoverifythattheciphertextCiscorrect.Thus,amerchantmakingopticalcontactwithabanknotecanverifythecorrectnessoflaw-enforcementinformation.Ontheotherhand,itisimportanttodenyaccesstotheencryptionfactorrtopartiesmakingRFcontactalonewithabanknote,astheycouldotherwiseextracttheserialnumberS.Hence,byplacingtheen-cryptionfactorinthesecondmemorycell,wesatisfyrequirement6,thatoffrauddetection,whilenotunderminingtheprivacyrequirementsofourscheme.AfterverifyingthecorrectnessoftheciphertextCcontainedinabanknoteshehasreceived,MmaythencreateanewciphertextC0withanew,randomencryp-tionfactorr0,andusewriteaccessprivilegesobtainedfromknowledgeofDtooverwriteCwithC0andrwithr0.TracingattacksbytheCentralBank:Asdiscussedlater,iftheCentralBankBdoesnotselectauniqueaccesskeyDforeachbanknote,thiscanfacilitateanattackwherebythebankdeterminesbanknoteserialnumbersthroughRFcontactalone.Intheextremecase,BcanassignthesamekeyDtoeveryban-knote.Inthiscase,Bcansuccessfullydeterminethere-encryptionfactorfortheciphertextCreadfromanybanknoteviaRFcontact,andthendecrypttheassociatedserialnumber.WeassumethattheCentralBankwishestoensureagainstforgery,andthereforeassignsauniqueserialnumberStoeachban- knote.Wedonot,however,entrustBwiththetaskofguardingagainstprivacyabusesonitsownpart.Instead,wehaveBcomputethekeyDinamannersuchthatmerchantscanverifyitscorrectcomputation,butsuchthatDstillcarriesasucientcryptographicguaranteeofuniqueness.Todoso,weleveragetheuniquenessofserialnumbersassignedbyB,alongwithaspecialpropertyonthedigitalsignatureschemeusedtosigntheseserialnumbers.Thisspecialproperty,knownassignatureuniqueness,meansessentiallythatasignercannotproduceasinglesignaturethatisvalidfortwomessages.DiscussionofthispropertyandaformaldenitionaregiveninappendixA.4OurSchemeSetup:WeletCS=(KG;Enc;Dec)denoteapublickeycryptosystemwithcomponentalgorithmsperformingkeygeneration,encryption,anddecryptionre-spectively.WealsomakeuseofadigitalsignaturesystemDS=(SKG;Sig;Ver)whoseconstituentalgorithmsarekeygeneration,signing,andvericationre-spectively.Formoreformalanddetaileddenitions,seeappendixA.Forasecurityparameterk1appropriateforlong-termsecurity,bankBgen-eratesadigitalsigningkeypair(PKB;SKB) SKG(1k1).Likewisethelawen-forcementagencyLgeneratesacryptosystemkeypair(PKL;SKL) KG(1k1).ThepublickeysPKBandPKLarepublishedforavailabilitytoallparticipat-ingentities.Alsopublishedisacollision-intractablehashfunctionh:f0;1g!f0;1g2k2foranappropriatesecurityparameterk2.Inwhatfollows,weletkde-notebitstringconcatenationonplaintexts,andlet2Rdenoteuniformrandomselectionfromaset.Banknotecreation:Foreverybanknoteitobeprinted,Bselectsauniquese-rialnumberSiandcomputesi Sig(SKB;[Sikdeni]).Here,deniistheban-knotedenomination,incorporatedintothedigitalsignaturetopreventattacksinvolvingforgerythroughalterationofabanknotedenomination.Adenomina-tionspeciermightalternativelybeincludedinSi.Additionally,BgeneratesanaccesskeyDi2f0;1gk2forthenote.ThekeyDiiscomputedash(i).Thesignature-uniquenessofthedigitalsignatureschemecombinedwiththecollisionintractabilityofhtogetherensuresthatDiisuniquetoeachbanknote.5BprintsSiandionthebanknoteinamannertofacilitateautomatedopticaldeciphermentbymerchantmachines,e.g.,2-Dbarcodes.Theserialnum-berSimightalsobeprintedinhuman-readableform.Additionally,Bcomputes5ItisimportantthatDibecomputedfromi,ratherthanSi.OtherwiseanattackerabletoguessserialnumberssuccessfullywouldbeabletodetermineDivalueswith-outevenmakingopticalcontactwithtargetbanknotes.Forexample,itmightbethatbatchesoffreshlyprintedbanknotescarryconsecutiveserialnumbers.Inthiscase,anattackermakingawithdrawalatabankwouldbeabletoguesstheserialnumbersofotherpatronsmakingwithdrawalsatroughlythesametime.IftheDivaluesofthesebanknotesarederivedfromserialnumbers,theattackercantracktheotherpatronsviaRFIDcontact. theciphertextCiasanencryptionofiandSi.Inparticular,BinsertsarandomlyselectedencryptionfactorriintomemorycelliandtheciphertextCi=Enc(PKL;[ikSi];ri)intomemorycell\ri.ItisusefultonotethatBneednotstoreaccesskeysorotherspecialinformationforindividualbanknotesinorderforourschemetowork.Thebankmaysimplyrecordserialnumbersanddenominationsaccordingtoitsnormalpolicy.Figure1providesaschematiclayoutofthedataincorporatedintoabanknoteinourscheme.Forvisualclarity,weomitsubscriptsinthisgure.Figure1.BanknotedataBanknotevericationandanonymization:Onreceivingabanknotejforpaymentand/oranonymization,theMerchantMrstveriesthecorrectnessoftheexistingcontentswiththefollowingsteps:1.MopticallyreadsSj;j;andDj.2.McomputesDj=h(j).3.MreadsCjfrom\rj,andperformsakeyedreadofjunderkeyDj,yield-ingthevaluerj.Ifthekeyedreadfails,thebanknoteissubmittedtolawenforcement.4.MchecksCj=Enc(PKL;[jkSj];rj).Ifnot,theinvalidciphertextisreportedtolawenforcement.Afterverifyingthecontentsofthebanknote,MreplacestheciphertextCjasfollows.5Mselectsr0j2RRandperformsakeyedwriteofr0jtojunderkeyDj.Ifthekeyedwritefails,thebanknoteissubmittedtolawenforcement.6McomputesC0j=Enc(PKL;[jkSj];r0j).MperformsakeyedwriteofC0jto\rjunderkeyDj.Mreportsanyfailureinthissteptolawenforcement.ForaremarkonreducingthecomputationalcostsforM,seeappendixB. Banknotetracing:ToobtaintheciphertextCfromatargetbanknote,Lneedsimplyreadthecontentsofthememorycell\rfromtheassociatedRFIDtag.FromtheciphertextC,Lcomputestheplaintext[kS]=Dec(SKL;C).ThenLcheckswhetherisavalidsignatureonS,i.e.,whetherVer(PKB;;[Skden])=`1'.(Thesecurityparameter1k1isrequiredherefortechnicalreasonsdiscussedinappendixA.)ProvidedthatCwascorrect,thenthiswillindeedbethecase,andLwillobtaintheserialnumberS.4.1AlgorithmandparameterchoicesAnespeciallyattractivechoiceofencryptionschemeCSforoursystemistheElGamalcryptosystem[17],thanksprimarilytoitsamenabilitytoencodingoverellipticcurves.Whencomputedoverappropriatelyparameterizedellipticcurves,ElGamalciphertextscanoergoodsecurityatquitecompactsizes{ontheorderof40bytes.ThisisausefulfeaturegiventhelimitedstorageavailableonRFIDtags.LetGdenoteanappropriateelliptic-curve-basedgroupwithprimeorderqandpublishedgeneratorP.WeassumethroughoutthatallcryptographicoperationstakeplaceoverG.ForbasicElGamalencryption,werequireagroupGoverwhichtheDecisionDie-Hellmanproblemispresumedtobehard;fortheFujisaki-Okamotoscheme,discussedbelow,therequirementonGcanberelaxedtotheComputationalDie-Hellmanassumption.LetSKL=x2RZqbeaprivatedecryptionkeyheldbylaw-enforcement.ThevaluePKL=Y=xPisthecorresponding,publishedpublicencryptionkey.Amessagem2f0;1gwforsuitablysmallwisencryptedunderPKLasfollows:Enc(PKL;m;r)=(;)=(m+rY;rP),wherer2RZq.Byitself,thisformofElGamalisnotsecureagainstadaptivechosen-ciphertextattacks.ProvidedthatCSisaone-wayencryptionscheme,thenitispossibletoemployatechniqueduetoFujisaki-Okamato[16]towardthisend.Leth1;h2:f0;1g!f0;1gwbetwocryptographichashfunctions.ForpublickeyPK,theFujisaki-OkamotosystemconvertsabasicencryptionschemeEnconplaintextm2f0;1gwintoahybridencryptionschemeEncasfollows:Enc(PK;m;)=(Enc(PK;;h1(km));h2()m);where2Rf0;1gwisarandomencryptionfactor.Thesecurityofthisschemedependsontherandomoracleassumptiononh1andh2.Althoughoursystemcaninprincipleaccommodateessentiallyanytypeofdigitalsignature,itisimportantforpracticalpurposesthatthesignaturebeshort.AparticularlyattractiveschemeisthatofBoneh,Shachem,andLynn[7],whichyieldssignaturesofroughly20bytesinlength.ThesecurityiscomparabletothatoftoECDSA,forwhichsignaturesareabouttwiceaslong.ThisschememakesuseoftheWeilpairingonaspeciallychosenelliptic-curve-basedgroup;asignatureconsistsofasinglepointontheellipticcurve.AnotherpossiblechoiceofdigitalsignatureschemeisQUARTZ[23],whichyieldssignaturesamere128bitsinlength.Thisscheme,however,isbasedonasomewhatlesswellunderstoodhardnessassumption,andhasaratherlongerpublickey.Yetanotherscheme thatyieldsevenshorterdigitalsignaturesisbasedontheMcEliececryptosystem[15].Thepublickeyforthislast,however,mustbeover1Mbinlengthtoachievegoodsecurity,andtheschemeissomewhatslow.Note:Chosen-ciphertextsecuritymayinfactberegardedasunnecessaryinoursystem,dependingontheextenttowhichlaw-enforcementinformationislikelytobedivulged.Inpractice,achosen-ciphertextattackwouldseemtobehardtomountagainstL,asitwouldrequireaccesstoprivatedetailsoflaw-enforcementtracingactivities.Ifplaintextsareindeednotlikelytobeavailabletoanattacker,thebasicEl-Gamalcryptosystemwouldbedeemedsucient.ProvidedthattheDecisionDie-Hellmanproblem[6]ishardoverG,ElGamalpossessesthepropertyofsemanticsecurity[30],whichisadequateforthesepurposes.Sampleparameters:EuropeanCentralBankplanspresentlycallforatotalavail-abilityof14.5billionbanknotes[1].Letussupposethatamaximumofonetrillion(slightlylessthan240)banknotesaretobeprintedoverthelifetimeofourscheme.ThusaserialnumberSimightbeencodedasa40-bitvalue.FortheBonehetal.signaturescheme,wemightuseaGDH(GapDie-Hellman)groupoverE=F3lyieldingasignaturesizeof154bits(withdiscrete-logsecurityequivalenttothatofasubgroupof151bits)[7].Thus,aplaintext[ikSi]inourschemewouldbe194bitsinlength.WemightthereforeletGbeanelliptic-curve-basedgroupof195-bitorder.ByemployingtheFujisaki-OkamotovariantonEl-Gamalwithn=195,wethenachieveaciphertextlengthof585bits.Theencryptionfactorrforaciphertextwouldbe195bitsinlength.Thusthetotalmemoryrequirementforourschemewouldbe780bits{welllessthanthe992-bitmemorycapacityof,e.g.,theAtmelTK5552RFIDtag.Asnotedabove,inthecasethatsemanticsecurityisdeemedsucientfortheunderlyingcryptosystemCS,thetotalmemoryrequirementcanbereducedto585bits.UseoftheQUARTZdigitalsignatureschemeortheMcEliecevariantwouldfurtherreducememoryrequirements.Otheroptimizationsarepossible.5SecurityAnalysisTherequirementsofstrongtracingandforgeryresistance{indeed,moregener-ally,requirements2-6{arestraightforwardenoughfromacryptographicpointofviewsothatwedonotformallydenethem.Forexample,requirement4isful-lledbytheresistanceoftheunderlyingsignatureschemetoforgery.Incontrast,therequirementofconsumerprivacy(requirement1)issomewhattrickiertocap-ture.ThecruxoftheproblemisthatthekeyDiforeverybanknoteisknowntotheCentralBankB.Additionally,asetofthesekeysmaybecomeknowntoamerchantM,astheyarereadinthecourseofhandlingabanknote.Inpractice,banknote-handlingmachinescouldberenderedtamper-resistantsoastominimizedisclosureofthesekeys.This,however,isnotafoolproofapproach, particularlyasanunscrupulousmerchantcancreatehisownbanknote-handlingmachine.6Thus,thestrongestdenitionofconsumerprivacyregardsanadversarywithknowledgeofabroadrangeofDivalues.GoodprivacyguaranteesmaystillbeattainableinthiscasebyobservingthatanattackinvolvingreadingofabanknoteusingkeyDimusttakeplaceonthe\ry,i.e.,duringRFIDcontactwiththebanknote.Inotherwords,eveniftheadversaryknowsthekeysDiforallbanknotes,shemustguesswhichkeyDicorrespondstoagiven,targetbanknoteandthentransmitthatkeytothebanknotetolearntheencryptionfactorri.PassiveRFIDtagsgenerallytransmitatamaximumrateofaround100Kbps,asexplainedinsection2.Thusanadversarycanexpecttobeabletomakeonlyasmallnumberofon-lineguessesinmostcases{probablyjustseveraldozenwithafairlyhigh-powerreaderoperatedagainstapasserby.WeshouldnoteadditionallythatiftheFujisaki-Okamotoconstructionisemployedforencryption,thenevenknowledgeoftheencryptionfactorriforaciphertextCidoesnotimmediatelyyieldthecorrespondingserialnumberSi.Theserialnumbercanbedeterminedfromthepair(Ci;ri),butrequiresapotentiallyexpensivebrute-forceattack.Thisattackmaytakeplaceo-line,however,andiswithinthecapabilitiesofadeterminedattacker.Thus,thispartialconcealmentofSidoesnotprovidesucientsecurityperse.Ourdenitionofprivacyaimstocapturethecapabilitiesofaverystrongadversary.WeconsidertheguessingsuccessofanadversarywithknowledgeofallkeyvaluesDi.Additionally,asBitselfmightpotentiallyconstitutetheadversary,weassumethatthisadversarymaychoosethedigitalsigningkeysandserialnumbersofbanknotesinthesystem.Anotherpowerweassumeonthepartoftheadversaryisthatofmountingachosen-ciphertextattackontheunderlyingcryptosystem.7TheadversarymayreadtheciphertextCifromabanknote,whereupontheaimoftheadversaryistoguessthecorrespondingkeyDi.ThekeyDiinourschemewouldyieldtheencryptionfactorfortheassociatedciphertext,andthustheserialnumber.Alternatively,theadversarymighttrytoguessiorSidirectly,butgivenourstrongassumptionsaboutthepoweroftheadversary,thisimpliestheabilitytoguessDi.WecharacterizethesuccessofanadversaryAintermsofthefollowingexperiment.Weomitthevaluedenhereforclarity.LetHdenoteafamilyofhashfunctionsandf;k2 Hdenoteselectionofahashfunctionfromthisfamilyundera(possiblyrandomized)selectionalgorithmfandsecurityparameterk2.6Topreventforgeryofsuchmachines,itispossibletocreatetamper-resistantmodulesthatderiveare-encryptionfactorr0jfromanembedded,merchant-specickeyM.Forexample,forbanknotej,themachinemightcomputer0j=h0(M;Sj),whereh0isasuitablecryptographichashfunction.Thiswouldenablelawenforcementauthoritiestodetectunauthorizedbanknote-handlingmachines.7Asexplainedabove,byremovingtheassumptionthatanadversarycanmountanadaptivechosen-ciphertextattack,wecanreducethesizeoftheciphertextinoursystemfromjustover800toabout600bitsinpractice. ExperimentS-guess(A;G;CS;DS;H;f);[k1;k2]1.Thekeypair(PKL;SKL) KG(1k1)andhashfunctionhf;k2 Harese-lected.2.Areceivesasinputthepair(PKL;h).3.AoutputsapublicsigningkeyPKB.4.Aoutputsasequencef(Si;i)gn=1.5.IfVer(PKB;Si;i)=`0'foranyi,orSi=Sjforanyi6=j,thentheoutputoftheexperimentis`0'.6.Fori2RZnandr2RR,AisgiveninputC=Enc(PKL;[ikSi];r).7.Aoutputsaguess~DatDi=h(i).If~D=Di,theoutputoftheexperimentis`1'.Otherwise,itis`0'.Additionallyinthisexperiment,Ahasaccesstoencryptionanddecryptionor-aclesforPKLatanytimeduringsteps2-5onanyciphertext,andsubsequentlyonanyciphertextotherthanC.Notethatanadversarythatsimplychooses~D2RfDign=1cansucceedtriv-iallywithprobability1=n.Thus,foranyadversaryA,letusdenetheadvantageoftheadversaryforxedcryptographicprimitivechoicestoS-guessasAdvS-guess(A;k1;k2)=pr[S-guess(A;G;CS;DS;H;f);[k1;k2]=`1']1=n:Claim1:SupposethatCSisapublic-keycryptosystemwithadaptivechosen-ciphertextsecurityandDSadigital-signatureschemewithresistancetoadap-tivechosen-messageattackandsignatureuniqueness.Further,supposethatthehashfunctionfamilyHunderfiscollision-resistant.8ThenthequantitymaxA[AdvS-guess(A;k1;k2)]isnegligiblewhentakenoveralladversarieswithrunningtimepolynomialink1andk2.Proof:[sketch]Giventheuniquenessofallelementsinthesetofserialnum-bersfSign,andthesignatureuniquenessofDS,thesetfign=1comprisesuniqueelements.Itfollowsfromthecollisionresistanceofh,then,thatallele-mentsofthekeysetfDign=1areuniquewithoverwhelmingprobability.Undertheadaptive-chosen-ciphertextsecurityofCS,theadversarycandeterminetheserialnumberScorrespondingtociphertextCwithonlynegligibleadvantage.Hence,theadversarycansuccessfullyguessDiwithonlynegligibleadvantage.utOurdenitionandproofarestraightforwardlyextensibletothescenarioinwhichAispermittedmultipleguessesatDi,insteadofjustone.AnothertypeofadversaryworthconsideringisacasualonethatdoesnothaveknowledgeofanykeysDi.ItisclearthatsuchanadversarycandetermineSiwithoverallprobabilityonlynegligibleink2,evenifpermittedapolynomialnumberofRFIDtagqueries.8Inpracticeuseofaxed,standardhashfunctionlikeSHA-1wouldbeacceptable.Ifdesired,thishashfunctioncanadditionallybekeyedwitharandomvalueboundtoeachindividualbanknote,eectivelyakindofsalt. 5.1Furtherwork:OtherattacksWehavecharacterizedtherangeofpossiblecryptographicattacksagainstcon-sumerprivacyinoursystem.Anotherpotentialproblemforconsumerprivacy,asmentionedabove,isthefactthatRFIDtagsmaybetraythepresenceofEuronotesonabearer.Wedonothaveacomprehensivesolutiontothisproblem.OnepossibleapproachisforRFIDtagstositnormallyinapartially\sleep"state,inwhichtheydonot\wake"fortransmissionunlesstheyreceiveeitherDiorauniversallaw-enforcementkey.Wehavealreadynotedtheshortcomingsofemployingauniversallaw-enforcementkey,butthismightstillbeausefulsupplementaryprivacy-protectingmeasure.AnalternativeistoembedRFIDtagsinbanknotesofdierentdenominations-ortoprovidecheapspoongtagsbybanksandshopsorwalletmanufacturers.Anotherrangeofattackstoconsiderarepossibleevasionsbyconsumers,thatis,violationsofthesystemrequirementofstrongtracing.Merchantsarecapableofdetectinginvalidciphertextsinbanknotes.Itiseasilypossibleforthebearerofabanknote,however,toinsertafakeciphertextintothebanknoteforusewhilesubjecttopossiblelaw-enforcementmonitoring,e.g.,beforetravellingthroughpublicplaces.Thebearercanthenreintroduceavalidciphertextpriortospendingordepositingthebanknote.Indeed,thefakeciphertextusedinthisattackmightbe\lifted"fromapasserby.Onepossibilityformitigatingthisriskistoomitifromtheopticalinformationonthebanknote,andtoconstructciphertextssothattheycanbedecryptedusingri.Inthiscase,anattackerwhoseparatesthevalidsignatureifromabanknoteandstoresitexternallyrunssomeriskoflosingthesignatureandtherebyinvalidatingthebanknoteifsheisnotcareful.Bankpolicymightrequirepresentationofsomeproofofidentityinorderforinvalidatedbanknotestobeexchangedforvalidones.Thepossibilityofintroducingfakeciphertextsintobanknotesresultsfromthewritecapabilitiesinourproposedsystem.Averysimilarattack,however,wouldbeeasytomounteveninasystemwithRFIDtagsbearingstaticinformation.AnattackermightwithlittledicultycreateRFdeviceswiththepurposeoftransmittingfakeserialnumberinformation{informationthatmay,again,beobtainedfrompassersby.AnevenmorebasicattackispossibleinanysystememployingRFIDtags:Anattackercansimplyshieldthetagsfromdiscovery.IsolationofbanknotesinaFaradaycagewouldconstituteasimpleandeectiveattackofthiskind.Westress,therefore,thatanyformofbanknotetracingusingRFIDtagshasshortcomingsexploitablebyaknowledgeableattacker,andthatfurtherworkisrequiredtoaddresssuchproblems.6ConclusionWehaveproposedabanknotesystemdesignthatappealstothecapabilitiesofthecurrentgenerationofRFIDtagstoachievestrongerconsumerprivacy.Itmustbestressedthatthesystemdoesnotprovidecomprehensiveprivacyprotection.Re-encryptionofconsumerbanknotesbymerchants,afterall,may notoccurconvenientlywithashighaleveloffrequencyasdesiredbysomeconsumers.Ourproposaldoes,however,goconsiderablyfartherthanexistingonestowardaddressingafundamentalprivacyissue.OurobservationsmayalsoprovidesomeusefulinsightintohowfutureRFID-tagarchitecturescanoerenhancedfunctionalityatthehardwarelevelinsup-portofbothsecurityandprivacy.WewouldlikeRFIDtagsinoursystemtooutputread-protectedinformationrapidlyonpresentationofacorrectkeyDi.Ontheotherhand,animportantfeatureinprotectingconsumerprivacyinoursystemistheinabilityofanattackertomountarapidon-lineattackinvolvingguessingofDi.Inasense,RFIDtagsnaturallylimittherateofon-lineattacksduetotheirslowprocessingandtransmissioncapabilities.Ideally,however,thisratelimitingmightbeimproved.Forexample,anRFIDtagmightbedesignedtoswitchtoalowdataratemodewhiletransmittingallpubliclyavailableinforma-tiononpresentationofaninvalidkeyDi,therebydelayingsubsequentguessingbyanattacker.ItisourbeliefthatthisfeaturecouldbeincorporatedintoRFIDtagsatlittlecost.Ourdenitionofforgeryresistancestatesthatanattackershouldbeabletoforgeabanknoteataminimumonlyonmakingopticalcontact.Thisisthebestthatcanbeachievedbasedondataprotectionalone.Furtherprotectionagainstforgerymustrelyonphysicalprotectionmechanisms.Thereareahostofanti-forgerydevicesalreadyincorporatedintoEuroandotherbanknotes[2].Bycombiningdatasecurityandphysicalsecuritytechniques,however,stillbetterforgeryresistanceispossible.Anumberofresearchershaveinvestigatedtheuseofdistinctivecharacteristicsofphysicalmediaas\ngerprints"topreventdeviceorobjectcloning,e.g.,[12,22].Itisourbeliefthatthepatternsofspecialbersorotherinclusionsinbanknotesmaybeusedsimilarly.Byincorporatingsucha\ngerprint"readingintothedigitalsignatureassociatedwithagivenbanknote,abindingmaybeachievedbetweenthephysicalembodimentofthenoteandthedigitaldata.Thisbindingmightbecheckedbymerchantscanningmachinestocreateatrulyformidableobstacletobanknoteforgery.ThisrepresentsjustoneofthemanypossiblewaysinwhichRFIDtagsmightoeracloserintegrationofthephysicalanddigitalworlds.AcknowledgmentsTheauthorsextendtheirthankstoBurtKaliskiandMarkusJakobssonfortheirhelpfulcomments.References1.EuropeanCentralBankEuroFAQ,2002.Eurocirculationdiscussedathttp://www.euro.ecb.int/en/section1/frequently/printing.html.2.EuropeanCentralBankEuroFAQ,2002.Eurosecurityfeaturesdiscussedathttp://www.euro.ecb.int/en/section/recog.html. 3.RegistryofMotorVehiclesreforms:ProgressreportIII,2002.Availableathttp://www.state.ma.us/rmv/rmvnews/progrpt3.htm.4.M.Bellare,A.Desai,D.Pointcheval,andP.Rogaway.Relationsamongnotionsofsecurityforpublic-keyencryptionschemes.InCRYPTO'98,pages26{45.Springer-Verlag,1998.LNCSno.1462.5.M.BellareandP.Rogaway.Randomoraclesarepractical:Aparadigmfordesign-ingecientprotocols.In1stACMConferenceonComputerandCommunicationsSecurity,pages62{73.ACM,1993.6.D.Boneh.TheDecisionDie-Hellmanproblem.InANTS'98,pages48{63.Springer-Verlag,1998.LNCSno.1423.7.D.Boneh,H.Shacham,andB.Lynn.ShortsignaturesfromtheWeilpairing.InASIACRYPT'01,pages514{532,2001.LNCSno.2139.8.S.Brands.Untraceableo-linecashinwalletswithobservers(extendedabstract).InCRYPTO'93,pages302{318.Springer-Verlag,1993.LNCSno.773.9.E.Brickell,P.Gemmell,andD.Kravitz.Trustee-basedtracingextensionstoanonymouscashandthemakingofanonymouschange.InSODA'95,pages157{166,1995.10.D.Chaum.Untraceableelectronicmail,returnaddresses,anddigitalpseudonyms.CommunicationsoftheACM,24(2):84{88,1981.11.D.Chaum,A.Fiat,andM.Naor.Untraceableelectroniccash.InCRYPTO'88,pages319{327.Springer-Verlag,1988.LNCSno.403.12.D.Clarke,B.Gassend,M.vanDijk,andS.Devadas.Securehardwareprocessorsusingsiliconphysicalone-wayfunctions.InR.Sandu,editor,ACMCCS'02,2002.Toappear.13.AtmelCorporation.AtmelTK5552datasheet,2001.Availableathttp://www.atmel.com/atmel/products/prod227.htm.14.Epsoncorporation.Epsoncheque-imagingscanner:TM-H6000IIwithTransScan,2002.Specicationsavailableathttp://pos.epson.com/pointofsale/stationprinters/tmh6000iiTransScan.15.M.Finiasz,N.Sendrier,andN.Courtois.HowtoachieveaMcEliece-baseddigitalsignaturescheme.InAsiacrypt'01,pages157{174.Springer-Verlag,2001.LNCSno.2248.16.E.FujisakiandT.Okamoto.Secureintegrationofasymmetricandsymmetricen-cryptionschemes.InCRYPTO'99,pages537{554.Springer-Verlag,1999.LNCSno.1666.17.T.ElGamal.Apublickeycryptosystemandasignatureschemebasedondiscretelogarithms.IEEETransactionsonInformationTheory,31:469{472,1985.18.S.GoldwasserandS.Micali.Probabilisticencryption.J.Comp.Sys.Sci,28(1):270{299,1984.19.S.Goldwasser,S.Micali,andR.Rivest.Adigitalsignatureschemesecureagainstadaptivechosen-messageattacks.SIAMJournalonComputing,17(2):281{308,1988.20.M.Jakobsson.Privacyvs.Authenticity.PhDthesis,UniversityofCaliforniaatSanDiego,1997.21.S.JareckiandA.Odlyzko.Anecientmicropaymentsystembasedonprobabilis-ticpolling.InR.Hirschfeld,editor,FinancialCryptography'97,pages173{191.Springer-Verlag,1997.LNCSno.1318.22.R.Pappu,B.Recht,J.Taylor,andN.Gerschenfeld.Physicalone-wayfunctions.Science,2002.Toappear. 23.J.Patarin,N.Courtois,andL.Goubin.QUARTZ,128-bitlongdigitalsignatures.InCT-RSA2001,pages282{297.Springer-Verlag,2001.LNCSno.2020.24.R.Rivest.Electroniclotteryticketsasmicropayments.InR.Hirschfeld,editor,FinancialCryptography'97,pages307{314.Springer-Verlag,1997.LNCSno.1318.25.S.Sarma.Towardstheve-centtag.TechnicalReportMIT-AUTOID-WH-006,MITAutoIDCenter,2001.Availablefromhttp://www.autoidcenter.org/.26.S.Sarma.Radio-frequencyidenticationsystems.InB.Kaliski,editor,CHES'02.Springer-Verlag,2002.Toappear.27.A.Shamir.Howtoshareasecret.CommunicationsoftheAssociationforCom-putingMachinery,22(11):612{613,November1979.28.F.StajanoandR.Anderson.Theresurrectingduckling:Securityissuesforad-hocwirelessnetworks.In7thInternationalWorkshoponSecurityProtocols,pages172{194.Springer-Verlag,1999.LNCSno.1796.29.K.Takaragi,M.Usami,R.Imura,R.Itsuki,andT.Satoh.Anultrasmallindi-vidualrecognitionsecuritychip.IEEEMicro,21(6):43{49,2001.30.Y.TsiounisandM.Yung.OnthesecurityofElGamal-basedencryption.InPKC'98,pages117{134.Springer-Verlag,1998.LNCSno.1431.31.C.P.Wallace.Thecolorofmoney.TimeEurope,158(11).10September2001.Availableathttp://www.time.com/time/europe/biz/magazine/0,9868,173522,00.html.32.J.Yoshida.EurobanknotestoembedRFIDchipsby2005.EETimes.19December2001.Availableathttp://www.eetimes.com/story/OEG20011219S0016.ADenitionsArandomizedpublic-keycryptosystemcomprisesatripleofalgorithms,CS=(KG;Enc;Dec),denotingkeygeneration,encryption,anddecryptionrespectively.ThesystemparametersincludedescriptionsofMandC,namelythemessageandciphertextspacesforthealgorithm,aswellasadecryptionofthesetRofencryptionfactors(fordiscretelogsystems,typicallythesetofintegersZq,whereqistheorderofthegroup).Weassumesystemparameterspublishedinadvancebyatrustedparty.Thekeygenerationalgorithm(PKenc;SKenc) KG(1k)israndomized;ittakesasinputasecurityparameterkandoutputsapublic/privatekeypair(PKenc;SKenc).(AsweassumethegroupGisxedinadvance,thesecurityparameterkheremayberegardedashavingapredeterminedupperbound.)TheencryptionalgorithmC Enc(PK;m;r)isadeterministicalgorithmthattakesasinputapublickeyPK,amessagem2f0;1g,andanencryptionfactorr2R.ThealgorithmEncoutputsaciphertextC2C.Finally,thedecryptionalgorithmm Dec(SK;C)takesasinputaprivatekeyandciphertextandoutputsthecorrespondingplaintext.Asexplainedabove,weassumethatCShasadaptivechosen-ciphertextsecurity.(Themostpracticalcryptosystemswithchosen-ciphertextsecurityachievetheirsecurityundertherandom-oraclemodel[5].)Adigitalsignatureschemeisatripleofpolynomial-timealgorithms,DS=(SKG;Sig;Ver),denotingkeygeneration,signing,andvericationrespectively.WealsoassumeadescriptionPKsig;kofthesetofpossiblepublickeysPKsigfor agivensecurityparameterk;weassumeanecientlycomputablemembershiptestthereon.Thekeygenerationalgorithm(PKsig;SKsig) SKG(1k)takesasunaryinputasecurityparameterkandoutputsarandomlyselectedpublic/privatekeypair(PKsig;SKsig)suchthatPKsig2PKsig;k.Thesigningalgorithm Sig(SKsig;m)takesasinputtheprivatesigningkey~SKsigandamessagem2f0;1gandoutputsadigitalsignature.ThesecurityparameterkisassumedtobeknownhereortobederivablefromPKsig.Thevericationalgorithmf0;1g Ver(PKsig;;m)takesasinputthepublickeyandapurporteddigitalsignature/messagepair.Itoutputs`1'ifthesignatureisvalidformandalsoPKsig2PKsig;k;otherwise,itoutputs`0'.Thesecurityparameterisinputheretoenablevericationofthevalidityofthepublicsigningkey{atechnicalrequirementtoachieveprivacyaccordingtoourdenitionabove.Weassumeinoursecurityanalysisthatthedigitalsignatureschemeemployedinoursystemisfullyresistanttochosen-messageattacks.Thispropertymaybeusedtodefendagainstforgeryofbanknotesbearingpreviouslyunseenserialnumbers.9Asmentionedabove,topreventtracingattacksbyBwedorequireanun-orthodoxpropertyonthedigitalsignaturealgorithmDSthatwecallsignatureuniqueness.Inparticular,itshouldbeinfeasibletogeneratekeys,amessagepair(m1;m2),andasignaturesuchthatthesignatureisvalidforbothmes-sages.Moreformally:Denition1.LetDSbeadigitalsignatureschemeandAbeanadversar-ialalgorithmwithrunningtimepolynomialinsecurityparameterk.Wedeneadoublesignaturetobeatuplef(PKsig;SKsig);(m1;m2);gwiththeprop-ertythatVer(PKsig;;m1)=1andVer(PKsig;;m2)=1.Inotherwords,thesignatureisvalidfortwodistinctmessagesunderpublickeyPKsig.LetAdvDS(A;1k)betheprobabilityunderDSthattheoutputA(1k)foragivenadversaryAisavaliddoublesignature.WesaythatDShasthepropertyofsignatureuniquenessifmaxA[AdvDS(A;1k)]isnegligible,i.e.,lessthan1=kcforanypositiveintegercforsucientlylargek.Thepropertyofsignatureuniquenessisanunusualonetoconsiderinadigitalsignaturescheme,asitassumesthattheadversarymaybethesigner,ratherthanaforger.10Observethatevenif,asisusuallythecase,adigitalsignaturealgorithmrstinvolvesapplicationofacollision-intractablehashfunctionhto9Infact,onemightarguethatoursystemmightemployadigitalsignatureschemethatisresistantonlytoknown,i.e.,passivemessageattacks.Thisisbecausetheprocessofprintingbanknotesandassigningserialnumberspresumablydoesnotadmitinputfromanattacker.Nonetheless,giventheminimaloverheadrequiredforadigitalsignatureschemethatisfullyresistanttochosen-messageattacks,itmakessensetoemploysuchascheme.10Theattackmightinvolvenon-repudiationofanunorthodoxkindinwhichthesignerrepudiatesasignatureononemessagebyevidencinganothermessagewiththesamesignature.Asthiswouldinculpatethesigner,itisunclearwhetherthispropertyshouldnormallybeofconcerninadigitalsignaturescheme. atargetmessage,thepropertyofsignatureuniquenessdoesnotimmediatelyfollow.Thisisbecauseanadversarymaystillbeabletogenerateakeypairandassociatedsignaturethatarevalidforbothh(m1)andh(m2).Thankfully,mostsignatureschemesnaturallypossessthepropertyofsignature-uniquenessundertheassumptionofcollision-resistanceontheunderlyinghashfunction.Forexample,theBoneh,Shachem,andLynn[7]scheme,whichtsintoourproposedsystemquitenaturally,mayreadilybeseentopossesssignatureuniqueness.Thisistruegiventhecollision-resistanceontheunderlyinghashfunctionformappingtoelliptic-curvepointsinthesignaturescheme,andprovidedthatthetrivialpublickey(l;q;P;P)(usingthenotationof[7])isexplicitlyexcluded,whichweassumehere.FortheRFIDtagassociatedwiththebanknotebearingserialnumberi,welet\ridenotethecontentsofthememorycellintendedtocontaintheciphertextCandletidenotethememorycellintendedtocontaintheencryptionfactorfortheciphertext.Thecell\riisreadablewithoutanyspecialprivileges,butwrite-protected.Thememorycelli,ontheotherhand,hasbothreadandwriteprotection.RemarkonComputationalCostsforMThecheckbyMinstep4ofthebanknotevericationandanonymizationproto-coliscomputationallyexpensive.Itmaybedeemedsucient,though,forMtoperformthischeckonaprobabilisticbasis,soastoreduceon-linecomputationalcosts.Theideaofprobabilisticauditingofthiskindhasalreadybeenproposedinasimilarsetting,namelyforelectroniccash[21,24].Toensuremerchantcompliance,Mshouldthenberequiredtoperformthecheckifthebanknotedatasatisfysomepredicate.ItisimportantthatthispredicatenotbecomputablebytheholderCofabanknote,asCmightthenavoidpresentingtoMabanknotesubjecttoverication.Ontheotherhand,thebehaviorofthemerchantandthusthepredicateoutputmustbeauditablebylawenforcementauthorities.OnepossibleapproachisforeachmerchantMtoholdasecretkeyMassignedbyL.Mwouldthenberequiredtochecktheciphertextonabanknoteifh00(M;Si)=Zp,whereZisthemaximumvalueintherangeofasuitablecryptographichashfunctionh00andp2[0;1]isaminimumauditingprobabilityselectedbyL.Inthiscase,ifitbecomesknowninthecourseofacriminalinvestigationthatMdidnotcheckabanknotewithserialnumberSi,LcandeterminewhetherornotMbehavedcorrectly.Probabilisticauditingisoflimitedbenetifthenewencryptionoperationmustbeperformedon-linebyMineveryinstance.WenotethatifbasicElGamalisused,ratherthantheFujisaki-Okamotovariantdescribedbelow,how-ever,thenthecomputationallyintensivestep6canbelargelyperformedoine.Inparticular,theencryptionfactorr0andthevaluesr0jYandr0jPmaybepre-computed.Inthiscase,theonlinecomputationalrequirementofstep6isonlyonemodularmultiplication(oraddition,overanellipticcurve).ThisarticlewasprocessedusingtheLATEXmacropackagewithLLNCSstyle