Desynchronization-Resistant Anonymous Authentication Protocol for RFID Systems Utilizing Physically Unclonable Functions

Abstract

Radio frequency identification (RFID) systems are an indispensable part of many critical Internet of Things (IoT) applications, including supply chain management and access control. Ensuring strong security in these systems is critical to safeguarding sensitive information and protecting user privacy. In recent years, in order to meet the diversified security needs of RFID systems, authentication and key protocols based on physical unclonable functions (PUFs) have received wide attention. Nevertheless, existing protocols typically require RFID tags to pre-store an excessive number of secret credentials and impose considerable computational and communication overheads, which prove challenging for resource-constrained RFID tag. Additionally, certain lightweight protocols fall short of achieving their intended security and functional objectives, exhibiting insufficient anonymity and untraceability, and vulnerability to desynchronization attacks. To address these critical challenges, this paper first proposes a lightweight anonymous authentication and key agreement protocol designed for an ideal PUF environment. The proposed protocol integrates the arbiter PUF with cryptographic hash functions, providing robust resistance to potential attacks while minimizing system overhead. Subsequently, an enhanced protocol specifically tailored for noisy PUF scenarios is presented. This protocol employs a fuzzy extractor to reliably derive stable keys from noisy PUF responses, thereby mitigating the instability caused by inherent noise. Through comprehensive security analysis and formal verification, as well as performance evaluations compared with existing state-of-the-art protocols, both protocols are demonstrated to overcome the limitations of prior protocols and provide efficient and practically feasible solutions well suited for resource-constrained RFID environments.