Research on Key Security Technologies for Low-Cost Passive RFID
Abstract
As the underlying sensing technology of the Internet of Things (IoT), radio frequency identification (RFID) is one of the most important technologies in the field of ubiquitous computing. RFID was originally introduced as a replacement for barcode technology. Although RFID has strong advantages over other identification technologies, the associated security and privacy problems are very hard to solve and have even become the main obstacle to the widespread adoption of RFID technology.
     With the development of the IoT, RFID technology has penetrated every aspect of people's lives, and some applications even involve users' sensitive information, such as human implants and electronic passports. Therefore, the security problem of RFID technology is no longer purely a data security problem; it also involves users' right to privacy. The security and privacy problems of RFID technology will become an important obstacle to its widespread adoption.
     Tags can be classified by how they obtain energy into passive, active and semi-active tags, and by price into low-cost and high-cost tags. Standard cryptographic solutions provide good security guarantees but place high demands on circuit size, energy consumption and memory capacity. Because of their price and energy constraints, passive low-cost tags can only use lightweight cryptographic techniques, so their security and privacy problems are extremely hard to solve.
     This thesis conducts a broad and in-depth study of the security and privacy problems of low-cost passive tags, focusing on the security and privacy problems of supply chain systems based on EPC Class 1 Generation 2 (EPC C1G2) tags.
     On the basis of a survey of a large body of domestic and foreign technical literature, the thesis first studies the approaches to solving the security and privacy problems of low-cost RFID, selects lightweight solutions based on hash functions and pseudo-random number generators (PRNGs) as the research focus, and reviews the state of the art of low-complexity hash functions, PRNGs and lightweight RFID authentication protocols. It then introduces the security and privacy problems of RFID and their classification, sets the security and privacy goals, and outlines the EPC Class 1 Generation 2 standard and its security problems. From Chapter 3 onward, the thesis studies security and privacy techniques based on low-complexity hash functions and PRNGs from three aspects, circuit design, security and privacy protocol design and model construction, and proposes its own solutions.
     The thesis first proposes a lightweight universal hash function, HMISR, based on a parallel linear feedback shift register (LFSR); then, taking HMISR as the basis, constructs a lightweight pseudo-random number generator, M-PRNG, by iteration; designs an ownership transfer privacy mutual authentication protocol, πOTP, based on the universal hash function and the PRNG, and proves the security of πOTP in the standard model; and finally constructs a UC model of ownership transfer privacy and proves the UC security of πOTP.
     The innovative work of this thesis consists mainly of the following five aspects.
     (1) A low-complexity universal hash function, HM-hash, suitable for low-cost passive RFID tags is proposed. Hash functions are very important in authentication protocols, and many lightweight RFID authentication protocols also use a hash function to protect the tag's identifier during authentication. However, little research has addressed hardware implementations of hash functions for low-cost passive RFID tags: only the LFSR-based Toeplitz hash and the cyclic redundancy code (CRC) hash have been proposed. HM-hash takes a parallel LFSR as its basic circuit, computes the hash value by parallel compression, and derives the security of the hash function from the one-wayness caused by the information loss of the compression process. Rigorous theoretical proof shows that HM-hash has optimal balance, i.e. balance equal to 1, so it is a regular hash function, and that it is a strongly universal hash function family, which guarantees high security. In hardware, HM-hash takes the LFSR as its core circuit and has a simple, low-complexity structure; compared with the LFSR-based Toeplitz hash, it offers higher security and lower hardware cost (see Sections 3.3 and 3.4).
     (2) A low-complexity pseudo-random number generator, M-PRNG, suitable for low-cost passive RFID tags is proposed. To provide randomness during tag authentication, RFID authentication protocols usually place a PRNG in the tag. In EPC C1G2 tags, pseudo-random numbers are also used to support anti-collision identification. Most existing research on PRNGs for RFID tags combines an LFSR with a true random number source, but such generators suffer from high power consumption and low efficiency. Another PRNG designed for EPC C1G2, LAMED, is based on simple logic operations such as XOR and has poor security. Taking HM-hash as the basis, this thesis proposes M-PRNG, a PRNG based on iterating a one-way function. The main representatives of this kind of generator are the BMY and GKL generators. The BMY generator has a simple structure and high efficiency, and its seed length is linear in the input length of the one-way function; its drawback is a strict requirement on the one-way function, which must be a one-way permutation. The GKL generator relaxes this requirement by introducing randomness into the iteration process, needing only a regular one-way function, but it requires both the one-way function and the universal hash function to be length-preserving, so in essence it is still a one-way permutation. This thesis combines the advantages of the BMY and GKL generators, extends the randomized iteration of the GKL generator, and, taking a regular one-way function and a universal hash function as the basis, proposes M-PRNG, a PRNG suitable for LFSR-based tags. The basic structure of M-PRNG is similar to the BMY generator, with seed length linear in the input of the one-way function, but it drops the one-way permutation requirement of the BMY structure, uses a regular one-way function instead, and is therefore more efficient. In hardware, the one-way function, universal hash function and core predicate function of M-PRNG are all designed around the LFSR, so its hardware cost is lower than that of other low-complexity PRNGs such as Grain and LAMED. It is proved that the sequence produced by M-PRNG is indistinguishable from a truly random sequence, which establishes the security of M-PRNG theoretically; statistical analysis of the generated pseudo-random sequences shows that they pass the NIST tests and fully satisfy the EPC C1G2 requirements on pseudo-random numbers (see Section 4.3).
     (3) A standard model and a universally composable (UC) model of ownership transfer privacy are established. The design of security and privacy protocols must be based on a specific model, including adversary capabilities, security and privacy goals and system settings, and the security and privacy properties of a protocol must also be verified with a specific model. Most current standard security and privacy models take forward privacy as the highest level of privacy, and there is little research on standard models of ownership transfer privacy. This thesis extends the most commonly used Vaudenay model by adding forward untraceability and establishes an ownership transfer security and privacy model. According to the security and privacy requirements of RFID-based supply chain systems, three requirements, security, privacy and correctness, are defined (see Section 5.2), and the security and privacy of the protocol πOTP are verified under this model (see Section 5.5). The UC model is a special way of verifying security protocols: when a protocol proved UC-secure is used as a component of a complex system, the security of that system does not need to be proved again. RFID is generally a component of a complex network, so to guarantee the security of systems that contain RFID as a component, the thesis verifies the UC security of πOTP. On the basis of the forward privacy UC model, the thesis redesigns the ownership transfer privacy ideal functionality FOTP and establishes, for the first time, an ownership transfer UC model (see Section 5.6.2). A simulator that translates the real protocol into the ideal process is constructed, and the UC security of πOTP is verified by successive approximation, guaranteeing the security of the system when the RFID system is a component of the IoT.
     (4) An ownership transfer privacy mutual authentication protocol, πOTP, is proposed. Ownership transfer privacy is a privacy problem specific to the supply chain domain and requires the protocol to provide both forward untraceability and backward untraceability. Most current research on ownership transfer privacy protocols relies on a trusted third party or a separate ownership transfer environment and cannot achieve true ownership transfer privacy. Since ownership transfer privacy includes forward privacy, this thesis improves the OSK forward privacy protocol so that it resists DoS attacks while providing forward untraceability and mutual authentication, and designs and implements the ownership transfer privacy mutual authentication protocol πOTP. To achieve anonymity, the πOTP protocol keeps a private key that is updated by the PRNG at every response, guaranteeing the location privacy and untraceability of the tag. To achieve mutual authentication, correctness and privacy, the πOTP protocol keeps a public key, generated by the secure universal hash function, held in both the tag and the back-end database and updated after every successful authentication. πOTP uses the universal hash function and the PRNG as its cryptographic techniques, relying on the collision resistance of the universal hash function and the indistinguishability of pseudo-random numbers from truly random numbers to guarantee its security and privacy properties, and is a lightweight authentication protocol suitable for low-cost passive RFID tags (see Section 5.4).
As a sensing technology of the IoT (Internet of Things), Radio Frequency Identification (RFID) technology is one of the most promising technologies in the field of ubiquitous computing. RFID technology was introduced as a replacement for barcode technology. Although it offers many advantages over other identification systems, the associated security and privacy problems are not easy to address and have even become an impediment to the pervasive adoption of the technology.
     With the progress of the IoT, RFID has infiltrated every aspect of people's lives, with some applications even involving users' sensitive information, such as human implantation, electronic passports, etc. Therefore, the security problem of RFID technology is no longer a simple problem of data security; it also involves the problem of user privacy. The security and privacy problems of RFID technology will become an important obstacle to the popularization of the technology.
     Tags can be divided into passive, active and semi-active according to the way they acquire energy, and can also be divided into low cost and high cost according to the price. Standard cryptographic solutions have good properties in terms of security, but their requirements on circuit size, energy consumption and memory capacity are also high. Passive low cost tags can only use lightweight cryptographic techniques due to price and energy constraints, and their security and privacy issues are extremely difficult to solve.
     An extensive and deep study of the security and privacy problems of passive low cost tags is conducted in this thesis, focusing mainly on solving the security and privacy issues of supply chain systems based on EPC Class 1 Generation 2 (EPC C1G2) RFID tags.
     Based on a study of the methods of solving RFID security and privacy issues, conducted after consulting a large amount of related domestic and foreign literature, we decided to take lightweight solutions based on hash functions and pseudo random number generators as the research objective, and give a comprehensive review of the state of the art of low complexity hash functions, pseudo random number generators and lightweight RFID authentication protocols. Then a survey of the security and privacy problems of RFID, of the EPC Class 1 Generation 2 standard and of its security problems is given. Starting from Chapter 3, the thesis conducts a deep study of security and privacy technology based on low complexity hash functions and pseudo random number generators from the aspects of circuit design, protocol design and the construction of security models, and also puts forward some improved solutions.
     Firstly, a lightweight universal hash function HMISR based on a parallel LFSR (Linear Feedback Shift Register) is proposed. Then, taking HMISR as the main component, a lightweight pseudo random number generator M-PRNG is constructed using the randomized iterate technique. Later, the thesis proposes an ownership transfer mutual authentication protocol πOTP based on the universal hash function and the pseudo random number generator and proves the security of πOTP under the standard model. Finally, an ownership transfer UC model is constructed and the UC security of πOTP is proved under that model.
     The innovations of this thesis are summarized as follows:
     (1) A universal hash function with low complexity suitable for low cost passive RFID tags is proposed. The hash function is an important component of authentication protocols and is used in many lightweight RFID authentication protocols to protect the tag identifier. But there is little research on hardware implementations of hash functions suitable for low cost passive RFID tags. To the best of my knowledge, only two LFSR-based hash functions, the Toeplitz hash and the CRC hash, have been proposed. Taking a parallel LFSR as the basic component, HM-hash provides the security of a hash function using the one-wayness brought by the information loss in the compression process. As shown by strict theoretical proof, HM-hash is a regular hash function with balance equal to 1. It is also an almost universal hash function family, which ensures its high security. Hardware implementation shows that the structure of HM-hash is simple and better than the Toeplitz hash in the aspects of security and hardware complexity (see Sections 3.3 and 3.4).
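The LFSR-based Toeplitz hash that item (1) of both abstracts compares HM-hash against, as an added Python illustration (this is not code from the thesis and not HM-hash itself). The digest is kept to 8 bits so that every key can be enumerated and the two properties the paragraph talks about, the universal collision bound and balance 1 (regularity), can be checked exactly rather than sampled. The polynomial, digest width and sample messages are choices made for this example.

```python
"""Added illustration: an LFSR-based Toeplitz universal hash (Krawczyk-style construction).
Not the thesis's HM-hash; a toy with an 8-bit digest so that every key can be enumerated."""
from collections import Counter
from itertools import product

M_BITS = 8
POLY = 0x11D  # x^8 + x^4 + x^3 + x^2 + 1, primitive over GF(2); chosen for this example


def lfsr_step(state, poly=POLY, m=M_BITS):
    """One Galois-LFSR clock: multiply the state, read as a polynomial, by x modulo poly."""
    state <<= 1
    if state & (1 << m):
        state ^= poly
    return state


def lfsr_states(key, n):
    """The successive states key, x*key, x^2*key, ...: the columns of the Toeplitz matrix."""
    states, s = [], key
    for _ in range(n):
        states.append(s)
        s = lfsr_step(s)
    return states


def toeplitz_hash(key, msg_bits):
    """h_key(M) = XOR of the i-th LFSR state over all message bits M_i = 1.
    The key is the LFSR's initial state; the feedback polynomial is fixed and public here."""
    digest = 0
    for bit, column in zip(msg_bits, lfsr_states(key, len(msg_bits))):
        if bit:
            digest ^= column
    return digest


def colliding_keys(m1, m2, m=M_BITS):
    """How many of the 2^m keys make m1 and m2 collide (exhaustive, so the count is exact)."""
    return sum(1 for key in range(1 << m)
               if toeplitz_hash(key, m1) == toeplitz_hash(key, m2))


def preimage_counts(key, n):
    """Number of n-bit messages mapping to each digest under one fixed key."""
    return Counter(toeplitz_hash(key, bits) for bits in product((0, 1), repeat=n))


def is_regular(key, n, m=M_BITS):
    """Balance 1 ('regular' hash): all 2^m digests occur, each with the same number of preimages."""
    counts = preimage_counts(key, n)
    return len(counts) == (1 << m) and len(set(counts.values())) == 1


# The feedback polynomial itself, read as a 9-bit message (coefficient of x^i at position i).
POLY_AS_MESSAGE = tuple((POLY >> i) & 1 for i in range(M_BITS + 1))
```

For two distinct messages of at most 8 bits, `colliding_keys` reports exactly one colliding key, the all-zero LFSR state, so the collision probability over a random key is 2^-8, the universal bound. `is_regular(0x53, 10)` confirms that a non-zero key maps the 1024 ten-bit messages onto all 256 digests with exactly 4 preimages each. The caveat a designer needs: because the feedback polynomial is fixed and public in this toy, a 9-bit message whose bits spell out the polynomial hashes to 0 under every key, so `colliding_keys(POLY_AS_MESSAGE, (0,)*9)` is 256. Messages longer than the digest are therefore only safe if the polynomial is part of the secret key, which is how Krawczyk's construction is defined.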
     (2) A pseudo random number generator M-PRNG with low complexity suitable for low cost passive RFID tags is proposed. Pseudo random number generators are usually used in RFID authentication protocols to provide randomness in the process of tag authentication. Moreover, pseudo random numbers are also used in the EPC C1G2 standard for tag anti-collision. Present research on PRNGs suitable for RFID tags is mainly a combination of an LFSR and true random numbers, but the disadvantage of this kind of PRNG is high power consumption and low efficiency. A hardware implementation, LAMED, specifically tailored for EPC C1G2 applications has been proposed, but the security of LAMED is poor, with only simple logic XOR as the main operation. In this thesis, taking the universal hash function HM-hash as the basic component, a pseudo random number generator based on one-way function iteration is proposed. The main representatives of this kind of generator are the BMY and GKL generators. BMY is a generator with a simple structure and high efficiency, and its seed length is linear in the input of the one-way function; its disadvantage is that the one-way function must be a one-way permutation. The GKL generator is constructed from regular one-way functions using the Randomized Iterate technique, which introduces randomness into the iteration process, but the one-way function used in the GKL generator must be length preserving, which is a one-way permutation in essence. In this thesis, a PRNG suitable for RFID tags, namely M-PRNG, is proposed. Using an optimized Randomized Iterate technique, M-PRNG has the advantages of both the BMY and GKL generators. The security of M-PRNG requires only that the underlying function is a regular one-way function, with the randomization introduced by universal hash functions in the process of iteration. Compared with the BMY generator, M-PRNG has the same linear seed length but a looser requirement on the one-way function. In the aspect of hardware complexity, taking the LFSR as the main structure of the one-way function and the universal hash functions, M-PRNG has even lower hardware complexity than other PRNGs such as Grain and LAMED. The security of M-PRNG is proved theoretically through the proof of indistinguishability between the sequence generated by M-PRNG and a true random sequence. The sequence generated by M-PRNG has passed all items of the NIST test and is completely compatible with the EPC C1G2 standard (see Section 4.3).
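Item (2) of both abstracts makes two separate claims about M-PRNG: a proof of indistinguishability from a truly random sequence, and a pass of the NIST statistical tests. The added Python example below (not code from the thesis) shows why the proof matters and the statistical pass alone does not: the raw output of a bare 8-bit LFSR, the kind of building block the paragraph says LFSR-plus-logic generators rely on, passes the NIST SP 800-22 monobit and runs tests, yet the Berlekamp-Massey algorithm recovers its recurrence from 2L = 16 output bits and then reproduces the entire remaining stream. The polynomial, seed and sample length are choices made for this example.

```python
"""Added illustration: statistical tests pass on a bare LFSR stream, yet the stream is fully
predictable. Not code from the thesis; parameters are choices made for this example."""
import math

M_BITS = 8
POLY = 0x11D  # x^8 + x^4 + x^3 + x^2 + 1, primitive, so the LFSR has period 2^8 - 1 = 255


def lfsr_stream(state, n, poly=POLY, m=M_BITS):
    """n output bits of a Galois LFSR (the low bit of each successive non-zero state)."""
    out = []
    for _ in range(n):
        out.append(state & 1)
        state <<= 1
        if state & (1 << m):
            state ^= poly
    return out


def monobit_p_value(bits):
    """NIST SP 800-22 frequency (monobit) test; a p-value below 0.01 counts as a failure."""
    s = sum(1 if b else -1 for b in bits)
    return math.erfc(abs(s) / math.sqrt(2 * len(bits)))


def runs_p_value(bits):
    """NIST SP 800-22 runs test (number of maximal runs of identical bits)."""
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):  # prerequisite frequency check failed
        return 0.0
    v = 1 + sum(1 for k in range(n - 1) if bits[k] != bits[k + 1])
    return math.erfc(abs(v - 2 * n * pi * (1 - pi)) / (2 * math.sqrt(2 * n) * pi * (1 - pi)))


def berlekamp_massey(bits):
    """Shortest LFSR generating `bits`: returns (L, c) with c[0] = 1 such that for every
    n >= L, bits[n] = XOR_{i=1..L} c[i] * bits[n - i]."""
    n = len(bits)
    c, b = [0] * n, [0] * n
    c[0] = b[0] = 1
    L, m = 0, -1
    for i in range(n):
        d = bits[i]
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d:                      # discrepancy: adjust the connection polynomial
            t = c[:]
            shift = i - m
            for j in range(n - shift):
                c[j + shift] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L, c[:L + 1]


def predict_next(known_bits, L, c, count):
    """Extend an observed prefix (at least L bits) using the recovered recurrence."""
    seq = list(known_bits)
    for _ in range(count):
        nxt = 0
        for i in range(1, L + 1):
            nxt ^= c[i] & seq[-i]
        seq.append(nxt)
    return seq[len(known_bits):]


def passes_statistics_but_predictable(seed=0x01, sample=1020):
    """Returns (monobit_p, runs_p, linear_complexity, prediction_matches) for the LFSR stream."""
    bits = lfsr_stream(seed, sample)
    L, c = berlekamp_massey(bits[:64])          # 2L = 16 bits would already be enough
    predicted = predict_next(bits[:2 * L], L, c, sample - 2 * L)
    return monobit_p_value(bits), runs_p_value(bits), L, predicted == bits[2 * L:]
```

Both p-values come out well above the 0.01 threshold, the recovered linear complexity is 8, and the 1004 bits after the first 16 are reproduced exactly. The design lesson matches the paragraph: a tag PRNG needs a non-linear, one-way step between the LFSR state and the output (which is what iterating a one-way function provides), and statistical test results are a sanity check on the implementation, not a security argument.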
     (3) A standard model and a Universally Composable (UC) framework of ownership transfer privacy are constructed. The design of security and privacy protocols should be based on a specific model that includes the adversary's capabilities, the security and privacy objectives and the system settings. The security and privacy properties of the protocol should also be verified under that model. At present, the standard models of privacy and security mainly take forward privacy as the highest privacy requirement and seldom concern themselves with the ownership transfer privacy problem. In this thesis, by expanding the most commonly used Vaudenay model to include forward untraceability, an ownership transfer privacy model is constructed. According to the security and privacy requirements in supply chain systems, the model defines the properties of security, privacy and correctness (see Section 5.2). The security of the protocol πOTP is verified under the model (see Section 5.5). The UC framework specifies a particular approach to security proofs and guarantees the security of a complex system composed of UC-secure protocols. Considering that RFID is usually part of a complex network, the thesis verifies the UC security of the protocol πOTP in order to ensure the security of systems that take RFID as a constituent part. For the first time, the ownership transfer ideal functionality FOTP is designed and the ownership transfer UC framework is constructed in this thesis, on the basis of the forward privacy UC framework (see Section 5.6.2). After the design of the simulator that transfers the real world protocol to the ideal process, the UC security of the protocol πOTP is proved by the successive approximation method. The UC security of the protocol πOTP ensures the system security of an IoT composed of RFID systems.
     (4) An ownership transfer privacy mutual authentication protocol πOTP is proposed. Ownership transfer privacy, including forward untraceability and backward untraceability, is a privacy problem specific to the supply chain. The main shortcoming of current research on ownership transfer privacy is that the protocols mostly need the help of a trusted third party or a separate ownership transfer environment and cannot realize true ownership transfer privacy. In this thesis, an ownership transfer privacy protocol with mutual authentication, namely πOTP, is proposed by improving the OSK forward privacy protocol so that it resists the DoS attack and has forward untraceability and mutual authentication. In order to achieve anonymity and ensure location privacy and untraceability, there is one private key in the πOTP protocol that is updated in each response by the pseudo random number generator. In order to realize mutual authentication, usability and privacy, there is one public key in the πOTP protocol, maintained both in the tag and in the back end database, that is updated by the universal hash function after each successful authentication. Taking the universal hash function and the PRNG as its cryptographic elements, πOTP is a lightweight authentication protocol suitable for low cost passive RFID tags. The security of πOTP is provided by the collision resistance of the universal hash function and the indistinguishability of pseudo random numbers from true random numbers (see Section 5.4).
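Item (4) of both abstracts builds on the OSK forward privacy protocol and names the two things it has to fix: DoS (desynchronisation) resistance and backward untraceability. The added Python example below is an OSK-style hash chain written for this page (it is not the thesis's πOTP and not the authors' code) with a bounded back-end search, so both limitations can be observed directly. The functions G and H are SHA-256 with domain separation, and the seeds, window size and tag identifiers are constructed for the example.

```python
"""Added illustration: OSK-style hash-chain identification with a bounded search window.
Not code from the thesis and not πOTP; seeds and parameters are constructed for the example."""
import hashlib


def G(secret: bytes) -> bytes:
    """Chain-advance function: the tag replaces its secret by G(secret) after every query."""
    return hashlib.sha256(b"chain|" + secret).digest()


def H(secret: bytes) -> bytes:
    """Output function: what the tag transmits (truncated to 8 bytes for readability)."""
    return hashlib.sha256(b"output|" + secret).digest()[:8]


class Tag:
    def __init__(self, seed: bytes):
        self.secret = seed

    def respond(self) -> bytes:
        out = H(self.secret)
        self.secret = G(self.secret)   # old secret is erased: this is what gives forward privacy
        return out


class BackEnd:
    def __init__(self, seeds: dict, window: int):
        self.expected = dict(seeds)    # tag id -> the next secret the back end expects
        self.window = window           # how far ahead of the expected secret it will search

    def identify(self, response: bytes):
        """Return (tag_id, depth) if the response lies within the window, else None."""
        for tag_id, secret in self.expected.items():
            cur = secret
            for depth in range(self.window):
                if H(cur) == response:
                    self.expected[tag_id] = G(cur)   # resynchronise to the tag's new secret
                    return tag_id, depth
                cur = G(cur)
        return None


def future_responses(secret: bytes, count: int) -> list:
    """Every later response is computable from the current secret alone."""
    outs = []
    for _ in range(count):
        outs.append(H(secret))
        secret = G(secret)
    return outs


def desync_demo(window: int = 4):
    """Identify tag A, then after 3 and after 4 responses the back end never saw."""
    tag = Tag(b"seed-A")
    db = BackEnd({"A": b"seed-A", "B": b"seed-B"}, window)
    first = db.identify(tag.respond())
    for _ in range(3):
        tag.respond()                  # three queries whose answers never reach the back end
    after_three = db.identify(tag.respond())
    for _ in range(4):
        tag.respond()                  # four more: now beyond the window
    after_four = db.identify(tag.respond())
    return first, after_three, after_four
```

`desync_demo()` returns `("A", 0)`, then `("A", 3)` because three unseen responses still fall inside a window of 4, then `None`: four unseen responses push the tag past the window and the legitimate back end can no longer identify it, which is the desynchronisation behaviour the paragraph refers to. Raising the window trades that off against search cost, since every identification costs O(tags x window) hash evaluations. `future_responses` shows the second limitation: whoever holds the tag's current secret, including the previous owner after a transfer, can precompute every later response, so a plain hash chain gives forward but not backward untraceability, which is why the paragraph's protocol introduces a separately updated key.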
    [113]T.W. Williams and W. Daehn, Aliasing errors in multiple input signature analysis registers[C], Proc. European Test Conf.,1988. p.338:345.
    [114]Min, Y.; Malaiya, Y.K.; Jin, B.; analysis of detection capability of parallel signature analyzers[J], IEEE Transactions on Computers,1991,40(9):p.1075: 1081.
    [115]O. Goldreich, S. Goldwasser, and S. Micali. How to construct random functions[J]. Journal of the ACM,1986.33(4):p.792-807.
    [116]M. Naor. Bit Commitment Using Pseudorandomness[J]. Journal of Cryptology, 1991.4(2):151-158.
    [117]M. Bellare and B. Yee, Forward-security in private-key cryptography, Cryptology ePrint Archive, Report 2001/035,2001, in http://eprint.iacr.org/.
    [118]L. Blum and M. Blum, A comparison of two pseudo random number generators[C],in Proc. Crypto,1982, p.61-78.
    [119]Iftach Haitner, Omer Reingold, and Salil Vadhan, Efficiency improvements in constructing pseudorandom generators from one-way functions[C], Proceedings of the 42nd Annual ACM Symposium on Theory of Computing (STOC),2010, p. 437:446.
    [120]A. Desai, A. Hevia, and Y. L. Yin. A Practice-Oriented Treatment of Pseudorandom Number Generators[C]. In EUROCRYPT' 02, pages 368:383. Springer,2002.
    [121]J. H_astad, R. Impagliazzo, L. A. Levin, and M. Luby. A pseudorandom generator from any one-way function[J]. SIAM Journal of Computing,1999.29(4): p.1364:1396.
    [122]R. Impagliazzo, L. Levin, and M. Luby. Pseudo-random Generation from one-way functions (Extended Abstracts)[C]. In STOC'89, p.12-24. ACM,1989.
    [123]J. H_astad. Pseudo-Random Generators under Uniform Assumptions[C]. In STOC'90, p.395-404. ACM,1990.
    [124]I. Haitner, D. Harnik, and O. Reingold. On the Power of the Randomized Iterate[C]. In CRYPTO'06. p.22:40. Springer,2006.
    [125]T. Holenstein. Pseudorandom generators from one-way functions:A simple construction for any hardness[C]. In Theory of Cryptography, Third Theory of Cryptography Conference, TCC2006,2006.
    [126]O. Goldreich, R. Impagliazzo, L. Levin, R. Venkatesan, and D. Zuckerman. Security preserving amplification of hardness[C]. In 31st IEEE Symposium on Foundations of Computer Science,1990. p.318-326.
    [127]A. Herzberg and M. Luby. Pubic randomness in cryptography[C]. In CRYPTO'92, LNCS, volume 740, p.421-432. Springer,1992.
    [128]Alexandra Boldyreva, Virendra Kumar. A New Pseudorandom Generator from Collision-Resistant Hash Functions[C]. The Cryptographers'Track at the RSA Conference 2012, San Francisco, CA, USA, February 27-March 2,2012. Proceedings
    [129]O. Goldreich and L. Levin. A Hard-Core Predicate for all One-Way Functions[C]. In STOC'89, p.25:32. ACM.
    [130]L. A. Levin, One-way functions and pseudorandom generators[J], Combinatorica, 1987.7:p.357-363.
    [131]James M. Hughes:Pseudo-random Number Generation Using Binary Recurrent Neural Networks[C], A Technical Report submitted to Kalamazoo College 2007.
    [132]Abdi, H.. A neural network primer. Journal of Biological Systems,1994, 2:247:281.
    [133]J.Walker, ENT Test suite, http://www.fourmilab.ch/random/, Oct.,1998.
    [134]A statistical test suite for random and pseudorandom number generators for sryptographic applications. Apr.2010, http://csrc.nist.gov/publications/nistpubs/800-22-revla/sp800-22revla.zip
    [135]A. Juels, Minimalist cryptography for low-cost RFID tags[C],The Fourth International Conference on Security in Communication Networks-SCN 2004, LNCS 3352, Springer-Verlag, p.149-164,2004.
    [136]G. Avoine. Adversarial model for radio frequency identification,2005. Cryptology ePrint Archive, Report 2005/049. Referenced 2005 at http://eprint.iacr.org.
    [137]J. Hermans, A. Pashalidis, F. Vercauteren, and B. Preneel, A new RFID privacy model[C], in Proceedings of the 16th European Symposium on Research in Computer Security, vol.6879 of Lecture Notes in Computer Science, p.568:587, Springer, Leuven, Belgium,2011.
    [138]S. Vaudenay. On Privacy Models for RFID[J]. In K. Kurosawa, editor, ASIACRYPT 2007, volume 4833 of LNCS, p.68:87. Springer,2007.
    [139]通用可组合的匿名HASH认证模型[J],中国科学(E辑:信息科学),2007年第37卷第2期:272-284.
