Efficient Mobile RFID Authentication Protocol for Smart Logistics Targets Tracking

Target tracking is one of the problems in supply chain management. The use of radio frequency identification (RFID) in target tracking helps improve the monitoring accuracy and status visibility of the tracked target. In a mobile RFID system, the three entities have to authenticate each other's identity in order to guarantee the security of data transmission. Existing mobile RFID authentication protocols cannot achieve both high security and low complexity at the same time. To address this problem, a new efficient mobile RFID authentication protocol is proposed in this paper, which implements secure authentication among different communication entities by different operation modes. For example, the protocol adopts a hash function between reader and cloud server, and the exchange-cross bitwise operation between tag and cloud server, to achieve low computing cost at the tag end while improving the security of mobile communication data. At the cloud server end, the protocol adopts an index data table as the storage mode, which further improves the cloud server's efficiency in retrieving the authentication data of tags and readers, and reduces the risk of sensitive data disclosure. According to the security analysis, this protocol can resist impersonation attacks, replay attacks, tracking attacks and other attacks launched by attackers. Its security is further proved by BAN logic, the ProVerif tool and the random oracle model. In addition, the simple operation at the tag end lowers the tag cost to a large extent.


I. INTRODUCTION
Traditional target tracking in logistics management systems mainly tracks the location of the cargo, not the status of the goods. Traditional target tracking is therefore not applicable to cold chain and pharmaceutical logistics processes. In recent years, a target tracking system based on an RFID sensor network has been proposed, which achieves position and property tracking of mobile targets using RFID and sensor technologies. It enables legal users to completely and visually master the cargo status, thereby delivering cargo in accurate amounts and appropriate conditions at a specific site [1]. In the target tracking system based on an RFID sensor network, sensors are responsible for collecting information around the target and writing it into the RFID tag. Then the RFID reader inside the driver's smart phone sends the private data collected by the sensors to the cloud server. RFID, which features non-contact recognition, satisfactory applicability in various environments, and large data capacity [2], [3], improves the visibility of object status in the tracking system, and greatly enhances the performance of the target tracking system [4]. The market scale of using RFID in smart logistics systems in China expanded from 68 billion in 2018 to 100 billion in 2020.
The associate editor coordinating the review of this manuscript and approving it for publication was Giorgio Montisci.
With the increase of use, the data transmitted in RFID systems has been expanding day by day, which highlights the urgent demands on data security and privacy protection [5], [6]. Impersonated tags or the interception of tag information may lead to cargo data disclosure, threatening user data security and endangering economic benefits [7]. To improve data transmission security, the identities of all related communication entities in an RFID system must be authenticated to achieve mutual trust among them [8]. Most identity authentication protocols are based on the assumption that the communication channel between reader and server is private and secure. Therefore, mutual authentication is only achieved between the two entities of reader and tag, as in the EPC gen2 protocol [9]. However, in the target tracking system, data between the RFID reader and the cloud server is transmitted over a wireless network, so the channel is not secure. In this case, a protocol that can achieve mutual authentication among the three communication entities, namely tag, reader, and cloud server, is required.
The authentication protocol for a mobile RFID system is a protocol to achieve mutual authentication among the three entities in the system. It is a security measure to prevent a fake entity from passing the RFID target detection, which is significantly important for protecting RFID system security and data privacy. According to their computing costs, authentication protocols can be divided into three types: heavy-weight protocols, light-weight protocols, and ultra-light-weight protocols [10]. The heavy-weight protocol has been eliminated from RFID systems because of its complicated encryption operations. The light-weight protocol is designed to execute operations at the tag end such as the one-way hash function, Physical Unclonable Function, and pseudo-random number generation. The ultra-light-weight protocol is designed to run simple bitwise operations at the tag end, such as "and", "xor", "bit-replacing", and "shift".
As for the light-weight authentication protocol based on a Physical Unclonable Function in [11], although the key generated by the Physical Unclonable Function cannot be copied, replaying a message intercepted during the communication process can result in inconsistent information between the tag and the key in the cloud server database, making the protocol unable to resist a desynchronization attack initiated by the attacker. Information in the light-weight authentication protocol in [12] is mostly transmitted in plain text, including the generated random numbers and the random numbers used for encryption. Attackers can acquire the private information of the encrypted tags in the authentication message by the method of exhaustion, which is a loophole for brute force attacks. For the light-weight mobile authentication protocol based on bitwise operations in [13], although the bitwise operations reduce computing cost and communication cost, the random numbers used for computing the authentication information are transmitted in plain text, so attackers can acquire the key information of the tag and the reader-writer, and the protocol cannot resist impersonation attacks. For the light-weight authentication protocol based on a hash function in [14], using the hash function to compute the authentication information improves the security of the RFID system, but the complicated hash operation on the tags also increases the computing cost.
It has been found in [15], [16], [17], [18] that the SASI protocol [19] frequently uses "or" and "and" operations when generating secret information, so that its computing results are highly correlated and it cannot resist tracking attacks, denial of service (DoS) attacks, and algebraic attacks. It has been pointed out in [20], [21] that the Gossamer protocol [22] cannot resist the DoS attack, and due to its complicated computing and significant power dissipation, it is not suitable for low-cost tags. In [23], by improving the SASI protocol [19] and making up the security loophole in the Gossamer protocol [22], a new ultra-light-weight RFID authentication scheme is put forward, in which the reader and the background database are not mutually authenticated and can easily be subjected to impersonation attacks on the reader and tag. In [24], a new ultra-light-weight mobile authentication protocol is proposed, which encrypts the transmitted information based on a bit rearrangement operation to reduce the protocol computation cost. However, the tag information in the tag identification phase is transmitted in clear text, which is easy for attackers to intercept in order to launch tracking attacks, so the protocol security cannot be guaranteed. A new ultra-light-weight authentication protocol is proposed in [25] based on a word synthetic operation, which encrypts information by word synthesis. It greatly reduces computational complexity and protocol cost. However, the reader of this protocol doesn't authenticate the tag, so two-way authentication among all communication entities isn't achieved. Reference [26] describes a new ultra-light-weight authentication protocol based on bit replacement, which encrypts the transmitted information by bit replacement. But it cannot guarantee the timeliness of information transmission, and cannot resist replay attacks.
Moreover, the server bears too much operation loads when verifying reader and tag, so that it could cost a long authentication time if it needs to verify a large number of tags.
To address the above problems, an efficient ultra-light-weight mobile authentication protocol is proposed in this paper, which implements secure authentication among different communication entities by different operation modes, and adopts an index data table to store ciphertext at the cloud server end for authentication purposes. It helps improve the security of the protocol and reduces the tag complexity, and is suitable for use in low-cost RFID systems. This scheme consumes only a little computing and storage resources, satisfies the demands on tag anonymity and two-way entity authentication, and resists impersonation attacks, replay attacks, tracking attacks, and brute force attacks by means of timestamps and random numbers.

II. DETAILED DESCRIPTION ABOUT THE PROTOCOL
A new ultra-light-weight mobile RFID two-way authentication protocol is proposed in this paper. Similar to other mobile RFID authentication protocols, the protocol in this paper is also designed based on the assumption that the tag, reader, and cloud server communicate via wireless transmission, bearing the risks of being attacked. Both the cloud server and the reader have certain computing capability and large storage space, but the tag is weak in the two aspects [27].

A. INSTRUCTIONS TO SYMBOLS
This section gives the specific meanings of all symbols used in the protocol, as shown in Table 1.
In the protocol proposed in this paper, the exchange-cross bitwise operation is adopted at the tag end. Multiple protocols that have been proposed adopt a left-shift operation: suppose the data length is L; when the Hamming distance of the data approaches 0 or L, the attacker needs only to move the data by less than L/2 to acquire the plain text data. This means a great probability of attack success. The first-exchange-then-cross operation tackles this shortcoming. It was first proposed in [28].
Eac(X, Y) is defined as follows: X and Y are two binary sequences with the same number of bits, and the number of bits is even. Put the latter L/2 bits of the binary sequence X at the front of the newly composed sequence Z, and put the first L/2 bits of the binary sequence Y at the back of the sequence Z. This is how the new sequence Z is formed. Then traverse the sequence Z and exchange the bit at each odd position with the bit at the adjacent even position of Z to obtain the result of the exchange-cross operation. For example, if X = 10110010, Y = 01100101, and L = 8, then according to the above definition, Z = 00100110 and Eac(X, Y) = 00011001. For details, please refer to Fig. 1.
The exchange-cross operation is implemented based on per-bit operation, which can meet the requirement of reduced computation while ensuring privacy and information security. Compared with the hash function or mode-square operation used at the tag side in other literatures, the exchange-cross operation is less computationally intensive and can largely reduce the computational overhead of tags.
To crack the exchange-cross operation, the attacker has to be able to crack the values of the two numbers involved in the exchange-cross operation. Here, the number of encrypted parameter bits is taken as L = 128 bits for the cracking analysis. According to the protocol in the text, the tag's information, the key and other information are sent in ciphertext, that is, it is impossible for the attacker to get the detailed values of this encrypted information. Provided that the attacker does not obtain the specific values of the encryption parameters, the attacker can only crack according to the known exchange-cross rules, and the probability of obtaining the correct X and Y is as follows. For the first 64 bits of X, the probability of correctly breaking each bit is 1/2, so the probability of getting X correct is 1/2^64, and similarly, the probability of getting the last 64 bits of Y correct is also 1/2^64. In summary, the probability that an attacker correctly breaks all the bits of the swap-and-cross operation is 1/2^128. If the number of encrypted parameters exceeds 128 bits in the application process, the probability that an attacker can correctly crack it will be smaller than 1/2^64, so the swap-and-cross operation has strong resistance to information cracking and can provide the security required for encryption.
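The Eac definition and the bit-guessing argument above, as an added example that is not code from the paper: `eac` follows the stated definition on bit strings, and the hypothetical helpers `eac_kept_halves` and `influencing_bits` show which input bits the output actually carries.

```python
def swap_pairs(z: str) -> str:
    """Exchange the bit at each odd position with its adjacent even-position bit."""
    return "".join(z[i + 1] + z[i] for i in range(0, len(z), 2))


def eac(x: str, y: str) -> str:
    """Exchange-cross operation Eac(X, Y) on two bit strings of the same even length."""
    if len(x) != len(y) or len(x) % 2 or set(x + y) - {"0", "1"}:
        raise ValueError("X and Y must be bit strings of the same even length")
    half = len(x) // 2
    z = x[half:] + y[:half]      # latter L/2 bits of X in front, first L/2 bits of Y behind
    return swap_pairs(z)


def eac_kept_halves(out: str) -> tuple:
    """Undo the pair swap and split Z: returns (latter half of X, first half of Y)."""
    z = swap_pairs(out)          # swapping adjacent pairs twice restores Z
    half = len(out) // 2
    return z[:half], z[half:]


def influencing_bits(x: str, y: str) -> tuple:
    """Flip every input bit in turn and list the positions (0 = leftmost)
    whose flip changes Eac(X, Y)."""
    base = eac(x, y)

    def flip(s: str, i: int) -> str:
        return s[:i] + ("1" if s[i] == "0" else "0") + s[i + 1:]

    in_x = [i for i in range(len(x)) if eac(flip(x, i), y) != base]
    in_y = [i for i in range(len(y)) if eac(x, flip(y, i)) != base]
    return in_x, in_y


if __name__ == "__main__":
    X, Y = "10110010", "01100101"        # the worked example from the text
    print(eac(X, Y))                     # result of the exchange-cross operation
    print(eac_kept_halves(eac(X, Y)))    # the two halves that survive in the output
    print(influencing_bits(X, Y))        # input positions the output depends on
```

Only the last L/2 bits of X and the first L/2 bits of Y influence the result, and those bits are a fixed rearrangement of the output; the guessing probabilities in the paragraph above concern the halves that Eac discards.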

B. PROTOCOL DESCRIPTION
This section gives the detailed description of the proposed protocol. It is composed of three stages: the initial stage, the authentication stage, and the update stage. In the initial stage, the administrator assigns initial values to legal mobile readers and tags; in the authentication stage, mutual authentication is achieved among all three entities of tag, mobile reader and cloud server; and in the update stage, the main task is to update the pseudonym identifiers and keys for tags, mobile readers and the cloud server.
The administrator assigns a pseudonym identifier (STID) to each legal tag, and the cloud server generates the relevant privacy key key_t for it, then calculates the messages C = Rot(key_t ⊕ STID, key_t) and O = key_t ⊕ STID. C will be used as an index, while O is stored in the index data table as the index content. Through the secure channel, <STID, key_t> is stored in the tag. Let STID_old = key_t^old = C_old = O_old = 0 in the server data table. The initialization process is shown in Fig. 2, with the double arrow representing the secure channel.
Since the untrusted cloud server may disclose the stored privacy data, the data in the index data table is stored in the form of ciphertext instead of being stored directly as STID, key_t. In order to resist desynchronization attacks, the index value and content of the previous round are also stored. The index data table at the cloud server end helps improve the efficiency of data retrieval, and storing the information in the form of ciphertext avoids the risk of sensitive data disclosure by the cloud server. Table 2 shows the detailed information in the index data table, in which C is used as the index value while the ciphertext O is the index content. In this table, the index value C is selected by the exhaustive search algorithm, while the index content O is effectively and quickly located by the index value C, preventing the cloud server from conducting two exhaustive searches for STID. In this process, the search time increases linearly with the number of RFID tags, which has a certain impact on the scalability of the RFID system. After the end of each session, key_t and STID need to be updated, which improves the security and ensures accuracy.

2) READER
The administrator assigns a reader pseudonym identifier (STID) to each legal mobile reader, and the cloud server generates a relevant privacy key key_r. Similar to the tag storage mode, the reader information is also stored in an index data table. h(SRID) and Rot(key_r, SRID) are stored in the index data table as index value and index content respectively. <SRID, key_r> is stored in the reader through the secure channel. In the server memory, let h(SRID_old) = Rot(key_r^old, SRID_old) = 0.

D. AUTHENTICATION STAGE
The mutual identity authentication process and the communication among tag, reader, and cloud server are introduced in detail in this section. The communication is initiated by the reader. The detailed authentication process is shown in Fig. 3.
First, the reader generates a random number a. Message A is computed from the STID stored in the reader memory and the generated random number a. Then the inquiry message Query and A are sent to the tag.
After the tag receives the message A, the Hamming weight of the STID stored in the tag is calculated, and a* is restored from the received message A. Then the messages B = Rot(STID, a* ⊕ t), C = Eac(key_t ⊕ STID, key_t) and M = a* ⊕ C are calculated from the STID and key_t stored in memory and the restored a*. Finally, Messages B and M are sent to the reader.
After receiving Message B, since the Hamming weight of a ⊕ t is known, STID* can be obtained from Message B. The reader then looks for STID_new = STID* in memory. If there is no STID_new = STID*, it goes on to search for STID_old = STID*. If neither exists, it stops the authentication. If the required data is found, the reader's authentication of the tag succeeds.
will be calculated by SRID and key_r in the memory, the current time T_R, and random number a. Finally, Messages M and N of the tag, Messages D, E, and F calculated by the reader, and the timestamp T_R of the reader are sent to the server.

4) CLOUDSERVER → READER : G, H, I, T_s
Once the server receives the messages M, N, D, E, F, and T_R, it first checks whether T_R satisfies the condition t ≤ T_R ≤ 2t. If it does, the server authenticates the reader. The first step is to restore a* = D ⊕ h(T_R). Since the Hamming weight of a* ⊕ T_R is known, h(SRID*) can be obtained from Message E. The server then looks for h(SRID_new) = h(SRID*) in the cloud server database; if such data exists, the Rot(SRID, key_r) that the index corresponds to can be obtained. It then checks whether the calculated F* = h(Rot(SRID, key_r) ⊕ a) is consistent with the received Message F. If the two are consistent, the cloud server's authentication of the reader passes; otherwise the authentication fails and the authentication process ends. If there is no h(SRID_new) = h(SRID*), the server searches for h(SRID_old) = h(SRID*) in the database. If the data exists, it checks whether the F* calculated from the index content and Message F are the same. If they are the same, the cloud server's authentication of the reader passes and the process enters the next step of tag authentication; otherwise the authentication fails and ends.
When the server authenticates the tag, it calculates C* from the received Message M and the restored a*, C* = a* ⊕ M, and looks for C_new = C* in the server database. If there is such data, the server's authentication of the tag passes; otherwise, it searches for C_old = C* in the database. If this data exists, the cloud server's authentication of the tag passes; otherwise the tag authentication fails and the authentication process ends.
Once the cloud server's authentication of the tag and the reader passes, it generates a random number b, calculates Messages G, H, and I, and then sends Messages G, H, I and the timestamp T_s to the reader.

5) READER → TAG : I, J, T_s
After the reader receives the messages G and H, it restores b* from the received Message G, b* = G ⊕ h(a ⊕ h(STID)), then calculates H* from the key_r stored in memory, the generated random number b and the restored b*, H* = h((a* ∥ b*) ⊕ Rot(SRID, key_r)), and compares the calculated H* with the received H to see whether the two are the same. If the two are equal, the reader's authentication of the server passes. The reader then calculates J = Rot(b* ⊕ a, b* ⊕ STID), and sends Messages I, J and T_s to the tag. Otherwise the server authentication fails and the authentication process ends.

6) TAG
When the tag receives the messages I and J, it restores b* from the received Message I, b* = I ⊕ Eac(Rot(key_t ⊕ STID), key_t ⊕ STID), calculates J* from the stored STID and the restored a* and b*, J* = Rot(b* ⊕ a*, b* ⊕ STID), then compares the calculated J* with Message J to see whether the two are equal. If they are the same, the tag has successfully authenticated the server and the reader, and the authentication process completes. If they are not the same, either the reader or the server, or both, fail the authentication, and the authentication process ends.

E. UPDATE STAGE
The detailed update process is shown in the Fig. 4.
⊕ key_t^new, key_t^new), then send the left half of the message X to the reader for update consistency verification.
2) READER → CLOUDSERVER : X_L, Y_L
After the reader receives the message X_L, it will calculate X_L of the tag, the left half of the Message L calculated by the reader are sent to the cloud server.
, then it will compare whether the calculated messages X*_L, Y*_L are consistent with the received messages X_L, Y_L. If the two are consistent, the cloud server will update the h(SRID_new, Rot(SRID_new, key_r^new)), h(SRID_old), After receiving the message Y*_R, the received Y*_R and the Y_R calculated by the reader are compared, and if they are equal, the server is proved to be consistent with its updated content; then the reader updates the SRID, STID_new, STID_old, key_r in memory, otherwise it does not update.

5) TAG
After the tag receives the message X*_R, it compares the received X*_R with the X_R calculated by the tag. If the two are equal, proving that the server is in agreement with its updated content, the tag updates the STID and key_t in memory; otherwise it does not update.

III. NON-FORMAL SECURITY ANALYSIS
A. TAG ANONYMITY
The anonymity of the tag is the basis for the RFID system to prevent identity tracking. In the protocol proposed in this paper, the secret data of the tag are STID and key_t. In the process of mutual authentication, both are encrypted before being transmitted. If an attacker wants to get STID, it must get the random number a generated by the reader, but the random number a is transmitted together with STID in encrypted form, so the attacker cannot acquire STID. If the attacker wants to get key_t, it needs to get the random number a generated by the reader and the STID, or get the random number b generated by the server and the STID. This is obviously impossible. Therefore, tag anonymity can be achieved in the protocol.

B. IMPERSONATION ATTACK
The attacker may initiate an impersonation attack in three ways: the attacker impersonates the tag, the reader, or the server. In the first case of an impersonated tag, the information sent by the tag every time contains the random number generated by the reader, therefore the sent Messages B and M are time-bound and cannot be used to impersonate the tag by replay. Another impersonation method is to forge information. But the forged Messages B and M contain no correct STID and key_t, so the reader can identify the fake tag by simple calculation after receiving the fake information. This is how the protocol resists impersonation of the tag. In the second case of an impersonated reader, if the attacker impersonates the reader by intercepting and retransmitting a message, since the message contains the timestamp T_R, it cannot pass even the first verification step of the server, so the attacker cannot impersonate the reader by replaying messages. And if the attacker impersonates the reader by making fake information, due to the lack of the correct SRID and key_r, the fake information sent to the server can be easily detected. Therefore, it is impossible to impersonate the reader with fake information, and the protocol of this paper can resist the impersonated-reader attack. In the third case of an impersonated server, the fake server must restore a* from Message D, and find the correct privacy information in the database to calculate Messages G, H, and I. But the attacker can neither restore the information nor acquire the database information, therefore the protocol of this paper can resist attacks from a fake server. In a word, the protocol proposed in this paper can resist impersonation attacks.

C. REPLAY ATTACK
In a replay attack, the attacker replays intercepted information and sends it to one party of the communication, attempting to pass the verification and acquire privacy information. In this protocol, both the reader and the server generate a new random number in each authentication period. The authentication information of each round is computed with the new random number of the current round. Even if the attacker intercepts data successfully, it cannot pass the authentication of the reader and server by replay in the next round of authentication. Therefore, it can be deemed that the protocol in this paper can resist the replay attack.

D. DESYNCHRONIZED ATTACK
There are three types of desynchronization attacks: 1. the server updates, but the tag doesn't update; 2. the tag updates, but the server doesn't update; 3. desynchronization occurs in the tag sending channel, and the tag continuously starts two sessions within a short period of time. In the first case, an attacker intercepts the message X*_R sent by the server at the updating stage, so the tag doesn't update because it receives no message. Since the server updates key_t, the keys at both sides are different. However, the server stores C and O of the previous round of authentication, so even if the tag uses the updated key_t, it can pass the authentication, resisting the desynchronization attack. In the second case, the attacker cannot obtain the privacy information of the tag and the random number generated by the server, and cannot forge messages to make the tag update while the server does not update. In the third case, the parameters transmitted in the message {B, M} are generated using random numbers and time series, which are different in each session. Suppose the attacker intercepts {B1, M1, t1} and {B2, M2, T2} in two consecutive sessions; since B1 and B2 are generated using different time series, B1 ⊕ M1 ≠ B2 ⊕ M2, so the tag cannot be traced, which satisfies the unlinkability requirement under desynchronization attack. In a word, this protocol can resist desynchronization attacks.
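The first desynchronization case above, together with the C_new / C_old lookup from the authentication stage, as an added example that is not the paper's implementation. All class and function names are hypothetical. Assumptions: the index is C = Eac(key_t ⊕ STID, key_t) as in the authentication stage, fresh random STID and key_t values stand in for the update-stage messages whose formulas are not reproduced on this page, and an empty old slot is stored as None rather than 0.

```python
import secrets

BITS = 128                                   # parameter length used in the paper's analysis


def eac(x: int, y: int, bits: int = BITS) -> int:
    """Exchange-cross on integers: low half of x, then high half of y, then pair swap."""
    half = bits // 2
    z = ((x & ((1 << half) - 1)) << half) | (y >> half)
    hi = int("10" * half, 2)                 # mask selecting the first bit of every pair
    return ((z & hi) >> 1) | ((z & (hi >> 1)) << 1)


class Tag:
    def __init__(self, stid: int, key_t: int):
        self.stid, self.key_t = stid, key_t

    def respond(self, a: int) -> int:
        """M = a XOR C with C = Eac(key_t XOR STID, key_t)."""
        return a ^ eac(self.key_t ^ self.stid, self.key_t)


class IndexTable:
    """Server-side index data table: current and previous (C, O) pair per tag."""

    def __init__(self):
        self.rows = []

    def enroll(self, stid: int, key_t: int) -> None:
        # The paper initialises the old slot to 0. None is used here (assumption)
        # so that an empty slot can never equal a computed C*.
        self.rows.append({"C_new": eac(key_t ^ stid, key_t), "O_new": key_t ^ stid,
                          "C_old": None, "O_old": None})

    def authenticate(self, m: int, a_star: int):
        """Return (row, 'new' or 'old') for C* = a* XOR M, or None if nothing matches."""
        c_star = a_star ^ m
        for slot in ("new", "old"):          # C_new first, then fall back to C_old
            for row in self.rows:
                if row["C_" + slot] == c_star:
                    return row, slot
        return None

    def update(self, row: dict, matched: str):
        """Install fresh credentials, keeping the pair the tag last proved it holds."""
        if matched == "new":                 # tag was in sync: current becomes previous
            row["C_old"], row["O_old"] = row["C_new"], row["O_new"]
        stid, key_t = secrets.randbits(BITS), secrets.randbits(BITS)
        row["C_new"], row["O_new"] = eac(key_t ^ stid, key_t), key_t ^ stid
        return stid, key_t                   # stand-in for the update-stage messages


def run_round(server: IndexTable, tag: Tag, deliver_update: bool = True):
    a = secrets.randbits(BITS)               # reader's random number for this session
    m = tag.respond(a)
    hit = server.authenticate(m, a)
    if hit is None:
        return None, (a, m)
    row, matched = hit
    stid, key_t = server.update(row, matched)
    if deliver_update:                       # False models a blocked X*_R message
        tag.stid, tag.key_t = stid, key_t
    return matched, (a, m)


def desync_demo() -> list:
    server = IndexTable()
    stid, key_t = secrets.randbits(BITS), secrets.randbits(BITS)   # constructed values
    server.enroll(stid, key_t)
    tag = Tag(stid, key_t)
    r1, (_, m1) = run_round(server, tag, deliver_update=False)  # server updates, tag does not
    r2, _ = run_round(server, tag)           # stale tag is still found through C_old
    r3, _ = run_round(server, tag)           # tag and server are back in sync
    replay = server.authenticate(m1, secrets.randbits(BITS))    # old M, fresh session nonce
    return [r1, r2, r3, replay]


if __name__ == "__main__":
    print(desync_demo())
```

The round after the blocked update is matched through the previous-round index, and a recorded M presented under a different random number matches neither slot.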

E. UNTRACEABILITY
Attackers obtain tag IDs by intercepting status information in order to track tag traces and violate user privacy. To achieve traceability, the attacker must monitor successive sessions for a long time, thus finding relevance among the tag information and acquiring the tag STID to track. In this protocol, Messages B and M are correlated with a, STID and key_t. These three elements vary in each round of authentication, so the three elements in two rounds of sessions are unrelated. In this case, it is impossible for the attacker to carry out a tracking attack. In this protocol, the pseudonym identifier of the tag is different from the tag identifier. The tag identity identifier is unique and unchanged, but the pseudonym identifier of the tag is updated after each round of authentication, so the tag can hardly be tracked or located. So the protocol can be considered untraceable.

F. BRUTE FORCE ATTACK
To acquire privacy information, the attacker sometimes directly uses the method of exhaustion to work out the relevant privacy information. In this protocol, the privacy information is encrypted with random numbers before being transmitted among the three entities. Each piece of exchanged information is calculated from two or more unknown numbers, so the attacker cannot acquire any useful privacy information by brute force from the intercepted information. For example, the calculation of Message F = h(Rot(SRID, key_r) ⊕ a) uses three unknown numbers, so the privacy information it contains cannot be exhausted by brute force. Therefore, it can be deemed that the protocol can resist brute force attacks.

H. PHYSICAL ATTACK AND CLONE ATTACK
In a physical attack, an attacker who has physical access to a tag can retrieve certain useful information stored in the tag. The attacker may then attempt to trace all previous communications of the flagged user. The information stored by tags in this protocol is updated during each round of authentication, and new random numbers are used to generate messages in each round of authentication, so all previous communications of tags cannot be tracked. Therefore, it can be considered that the protocol can resist physical attacks. Cloning attacks generally occur in RFID systems where a group of tags use the same key for identity authentication. In the scheme proposed in this paper, each tag has its own {ID, key}. Suppose that the ID of a tag is leaked; since each tag has different secret parameters, the attacker cannot use the leaked tag information to clone other tags. Therefore, the RFID authentication protocol in this paper can resist clone attacks.
In order to facilitate further analysis, we compared the security of this protocol with some proposed protocols, and the results are shown in Table 3, in which "√" means the corresponding property is satisfied, while "×" means the corresponding property is not satisfied.

IV. FORMAL SECURITY ANALYSIS
A. BAN LOGIC
The BAN logic analysis method [29] is adopted to perform formal analysis and verification of the protocol proposed in this paper. BAN logic is a modal logic based on belief. During the reasoning process of BAN logic, the beliefs of the entities participating in the protocol change and develop with the information exchanges. When analyzing a protocol by BAN logic, the protocol messages are first converted into formulas of BAN logic, namely the "idealization step" for the protocol. The second step is to make rational assumptions according to the specific situation. Finally, reasoning is performed according to the reasoning rules of the logic to judge whether the protocol can achieve the anticipated objective. As a formal analysis method, BAN logic has been widely used for authentication protocols, and it is visual, simple, and efficient [30].
P ◁ X: P has seen X; that is, P has received a message containing X, and P can read and repeat X.
P |∼ X: P has said X; that is, P has sent a message containing X at some point in time. This assertion has two meanings: on the one hand, the message X was sent by P; on the other hand, P can confirm the meaning of the message X, that is, it can recognize the message and interpret it correctly.
P |⇒ X: P has control, or jurisdiction, over X.
#(X): X is fresh, meaning that it has not been transmitted before the protocol is executed.
P ↔^K Q: P and Q can communicate using a shared key K, and K is a good key. This assertion implies the exclusivity of the key, that is, only P, Q or a trusted third party knows K.
→^K P: K is the public key of P.
P ⇔^X Q: X is a shared secret between P and Q, and X is unknown to any subject other than P and Q and the subjects they believe in.
{X}_k: the result of encrypting X with key k.
⟨X⟩_Y: the combination of X and Y. In practice, it represents a simple concatenation of X and Y.

2) REASONING RULES OF BAN LOGIC
There are 21 inference rules in BAN logic, and this paper only lists a few inference rules used in the proof process of this protocol.
This rule is a message implication rule, representing that P believes that Q has sent message X if P believes that k is a shared key between P and Q and P receives a message {X}_k, that is, X encrypted with k.
This rule is a temporary value check rule, indicating that P believes X if P believes that X is fresh and P believes that Q has sent X before.
These two are freshness rules, representing that if P believes that X is fresh, then P believes that the overall information containing X is also fresh.
This rule is a jurisdictional rule and represents that P believes X when P believes that Q has the right to control X and P believes that Q also believes X .
This rule is the session key rule, where X is a necessary element for computing the key k. If P believes the freshness of k and P believes that Q believes X, then it is possible to determine that P believes that the key between P and Q is k.
This rule is a message meaning rule. It means that Y is a shared secret of P and Q. When P receives a message X encrypted with Y , P can determine that Q must have sent X .
This rule is a receive message rule, which represents that when a subject P receives a formula and that subject knows the associated key, then that subject has received a component of that formula.

3) PROTOCOL ABSTRACTION DESCRIPTION
This subsection describes the authentication process between the entities of the proposed protocol using formal expressions, where T stands for tag, R stands for reader, and S stands for server.

6) SPECIFIC PROCESS TO PROVE THE PROTOCOL
The next part shows all details of the formal proof of the protocol.

It can be obtained from the protocol abstraction process (1) that:
According to assumption P3, STID is the unique key between reader and server. There is no other entity knowing the STID except the reader and the tag. Combining with rule R8, it can be obtained:
It can be obtained by equation (2) combined with assumption P3 and rule R1:
Message A = Rot(a, STID) indicates that A is a whole containing random number a. Combining assumption P4 and rule R4, it can be obtained:
It can be obtained by formulas (3) and (4) combined with rule R2:
It can be obtained by formula (5), assumption P6 and rule R5:
Till now, the proof for goal G1 is over.

Similarly, it can be obtained by protocol abstraction process (5) that:
According to assumption P2, key t is the unique key between tag and server. Combining with rule R8, it can be obtained that:
Equation (9) combined with assumption P2 and rule R1 gives:
Message I is a whole containing random number b. According to assumption P5 and rule R4, it can be obtained that:
It can be obtained according to equations (10) and (11) and rule:
It can be obtained by formula (12), assumption P14 and rule R5:
Till now, the proof for goal G2 is over. Similarly, G3 to G11 can also be proved.

It can be obtained according to assumption P5 and rule R4:
It can be obtained by combining formula (14) with assumption P5 and rule R6:
Till now, the proof for goal G12 is over. Similarly, G13 to G15 can also be proved.

In a word, all security objectives of the protocol can be formally proved, which indicates that the protocol proposed in this paper satisfies the logic security requirement.
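The chain of rules used above for goal G1 (message implication, freshness, temporary value check, jurisdiction) can be replayed mechanically. The following Python sketch is an added example, not code from the paper: it implements those four rules in their standard BAN form under the usual names, and the message A, the principals S and T, and the four assumptions are constructed stand-ins for the paper's idealized message and assumptions.

```python
# Formulas are nested tuples; principals, keys and atomic messages are strings.
def mk(name):
    return lambda *args: (name, *args)
believes, sees, said, controls, fresh, enc = map(
    mk, "believes sees said controls fresh enc".split())
def key(k, p, q): return ("key", k, frozenset((p, q)))
def tag(x): return x[0] if isinstance(x, tuple) else None

def contains(whole, part):
    """True if `part` occurs anywhere inside message `whole`."""
    return whole == part or (isinstance(whole, tuple)
                             and any(contains(w, part) for w in whole[1:]))

def step(facts):
    """Apply every rule once; return {new_fact: rule_name}."""
    bel, out = [(f[1], f[2]) for f in facts if tag(f) == "believes"], {}
    for f in facts:  # message-meaning: P sees {X}_K and believes K is shared with Q
        if tag(f) == "sees" and tag(f[2]) == "enc":
            p, (_, x, k) = f[1], f[2]
            for holder, b in bel:
                if holder == p and tag(b) == "key" and b[1] == k and p in b[2]:
                    (q,) = b[2] - {p}
                    out[believes(p, said(q, x))] = "message-meaning"
    for p, b in bel:
        for holder, c in bel:
            if tag(b) != "said" or holder != p or tag(c) != "fresh":
                continue
            q, x = b[1], b[2]
            if c[1] == x:             # X fresh and Q said X => Q believes X
                out[believes(p, believes(q, x))] = "nonce-verification"
            elif contains(x, c[1]):   # a fresh part makes the whole message fresh
                out[believes(p, fresh(x))] = "freshness"
    for p, b in bel:                  # Q controls X and Q believes X => X
        if tag(b) == "controls" and (p, believes(b[1], b[2])) in bel:
            out[believes(p, b[2])] = "jurisdiction"
    return {f: r for f, r in out.items() if f not in facts}

def derive(facts):
    """Forward-chain to a fixpoint; return (facts, rule names in firing order)."""
    facts, trace = set(facts), []
    while True:
        new = step(facts)
        if not new:
            return facts, trace
        facts |= set(new)
        trace += sorted(new.values())

# Constructed stand-ins for the paper's idealized message and assumptions.
A = ("rot", "a", "STID")                      # A = Rot(a, STID), contains nonce a
ASSUMPTIONS = {
    sees("S", enc(A, "STID")),                # S receives A, protected by STID
    believes("S", key("STID", "S", "T")),     # STID is shared between S and T
    believes("S", fresh("a")),                # the random number a is fresh
    believes("S", controls("T", A)),          # T has jurisdiction over A
}
GOAL = believes("S", A)

if __name__ == "__main__":
    facts, trace = derive(ASSUMPTIONS)
    print(trace, GOAL in facts)
```

Dropping the freshness assumption stops the derivation after the message-meaning step, which is the formal counterpart of a replayed message: the server can attribute A to the tag but cannot conclude that the tag currently believes it.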

B. PROVERIF
In this section, ProVerif is used for security analysis. ProVerif modeling is performed according to the authentication processes of the tag, the reader and the cloud server, and a simulation of the identity verification protocol model is then built. The overall process is as follows:
(1) Define the public channel pch and the secure channel sch for identity authentication, and define the variables used in the protocol. They are global variables, but the [private] qualifier keeps the attacker from obtaining them directly. Next, define the string join operation, XOR operation, modular operation, hash function and other functions and equations. A series of related queries is written to validate the security requirements. The detailed function definitions are shown in Fig. 5 and Fig. 6.
(2) The specific process of the tag is shown in Fig. 7.
(3) The specific process of the reader is shown in Fig. 8.
(4) The specific process of the cloud server is shown in Fig. 9.
(5) The ProVerif verification results are shown in Fig. 10 and Fig. 11. It can be concluded that STID, SRID, T_key and R_key can resist attacks from attackers, and that the proposed protocol passes the ProVerif verification.

C. RANDOM ORACLE MODEL
In this section, the security of our proposed protocol is formally evaluated by the random oracle model proposed in [34] and [35]. A random oracle is a mathematical function that responds to each query with a response selected uniformly at random from its output domain. For the same input, the oracle will give the same output every time.
Reveal 1: A collision-resistant one-way hash function is treated as a random oracle; the Reveal 1 oracle outputs the input x from its corresponding digest y = h(x). Reveal 2: The Hamming weight is treated as a random oracle; the Reveal 2 oracle outputs n when given W(n).
Proposition 1: Assuming that the one-way hash function and Hamming weight behaviors are almost similar to random oracle, it is proved that the proposed scheme is secure and hard for attackers to launch attacks of extracting reader identity, key and generating random parameters.
Proof: The goal is to construct an attacker for the proposed protocol. The attacker shall be able to extract the reader's ID, key, and secret random number using Reveal oracle 1 and Reveal oracle 2 described in Algorithm 1. The success probability of experiment EXP1 = 1] | is the probability of experiment results equaling 1. The advantage function of this experiment is Adv1(t1, Q_r1, Q_r2) = max(success1), where the maximum is taken over all attackers that run within polynomial execution time t1 and make Q_r1 queries to Reveal 1 and Q_r2 queries to Reveal 2. If and only if Adv1(t1, Q_r1, Q_r2) ≤ ε (ε is a sufficiently small value greater than 0), the protocol of this study is certified to be secure and it is hard for attacker A to illegally acquire private data.
Assuming that A can solve the described Hamming weight and invert the one-way hash function, the above condition does not hold and the attacker can obtain the key and identity ID of the tag and win. However, given the properties of the hash function and the method of calculating the Hamming weight, it is impossible to derive the input x of the hash function and to obtain the 128-bit key from the Hamming weight within limited polynomial time. Therefore, Adv1(t1, Q_r1, Q_r2) ≤ ε (ε ≥ 0), proving that the protocol proposed in this paper is secure when facing any attacker who tries to extract secret parameters.

Algorithm 1 (fragment):
13: Accept key r as the secret key of the Reader
14: Accept a as the secret parameter of the Reader
15: Accept SRID as the identity ID of the Reader

Algorithm 2 (fragment):
9: Accept key t as the secret key of the Tag
10: Accept STID as the identity ID of the Tag
11: Return 1 (success)
12: else
13: Return 0 (failure)
14: end if
Proposition 2: Assuming that the one-way hash function and Hamming weight behavior are random oracle, then it is proved that the proposed scheme is secure and hard for attacker to extract tag identity and key.
Proof: The proof of Proposition 2 is similar to that of Proposition 1. It is assumed that the attacker can use Reveal oracle 1 and Reveal oracle 2, which are described in Algorithm 2, to extract the identity and key of the tag. As in the previous experiment, the success probability of EXP2 is the probability that the experimental result equals 1. The advantage function of this experiment is Adv2(t2, Q_r1, Q_r2) = max(success2), where the maximum is taken over all attackers that run within polynomial execution time t2 and make Q_r1 queries to Reveal 1 and Q_r2 queries to Reveal 2. The protocol of this paper is deemed secure, and it is hard for attacker A to illegally acquire private data, if and only if Adv2(t2, Q_r1, Q_r2) ≤ ε (ε is a sufficiently small value greater than 0).
Assuming that A can solve the described Hamming weight and invert the one-way hash function, the above advantage function inequality does not hold and the attacker can obtain the key and identity ID of the tag and win. However, given the properties of the hash function and the method of calculating the Hamming weight, it is impossible to obtain the 128-bit key from the hash function input and the Hamming weight within limited polynomial time. Therefore, Adv2(t2, Q_r1, Q_r2) ≤ ε (ε ≥ 0), proving that the protocol proposed in this paper is secure when facing any attacker who tries to extract secret parameters.
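The argument of Propositions 1 and 2 can be made concrete with a small experiment. The following Python sketch is an added example, not code from the paper: a lazily sampled random oracle stands in for h, and a toy game measures how often an attacker who is given y = h(key) and W(key) finds the key within q oracle queries, next to the bound q / C(bits, W). The 12-bit toy key size, the seeds and all function names are assumptions chosen so the game runs quickly; residual_bits evaluates the same count for the 128-bit keys the paper assumes.

```python
import itertools, math, random

class RandomOracle:
    """Lazily sampled oracle: uniform answer for a new input, same answer on repeats."""
    def __init__(self, rng, out_bits=128):
        self.rng, self.out_bits, self.table = rng, out_bits, {}

    def query(self, x):
        if x not in self.table:
            self.table[x] = self.rng.getrandbits(self.out_bits)
        return self.table[x]

def hamming_weight(n):
    return bin(n).count("1")

def residual_bits(bits, weight):
    """log2 of the number of `bits`-bit keys that share Hamming weight `weight`."""
    return math.log2(math.comb(bits, weight))

def advantage_bound(bits, weight, q):
    """Best success probability with q oracle queries when W(key) is known."""
    return min(1.0, q / math.comb(bits, weight))

def keys_of_weight(bits, weight):
    """Enumerate every `bits`-bit integer with exactly `weight` bits set."""
    for pos in itertools.combinations(range(bits), weight):
        yield sum(1 << p for p in pos)

def experiment(bits, weight, q, trials, seed):
    """Toy EXP game: A gets y = H(key) and W(key), makes q queries, wins on a match."""
    rng, wins = random.Random(seed), 0
    for _ in range(trials):
        oracle = RandomOracle(rng)
        key = sum(1 << p for p in rng.sample(range(bits), weight))
        y, w = oracle.query(key), hamming_weight(key)
        guesses = itertools.islice(keys_of_weight(bits, w), q)
        wins += any(oracle.query(g) == y for g in guesses)
    return wins / trials

if __name__ == "__main__":
    print("empirical:", experiment(12, 6, 231, 400, seed=1))
    print("bound    :", advantage_bound(12, 6, 231))
    for w in (0, 1, 64):
        print(f"128-bit key, W={w}: {residual_bits(128, w):.1f} bits remain")
```

For a 128-bit key the leaked weight leaves about 124 bits of uncertainty at W = 64 but only 7 bits at W = 1 and none at W = 0, so the bound ε depends on key generation producing values of balanced weight.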

V. PERFORMANCE ANALYSIS
In this section, the protocol of this paper is compared with other similar protocols in terms of performance, including communication cost, protocol computation cost and tag cost. The specific comparison results are described as follows. Table 5 shows the comparison of communication cost between the proposed protocol and other similar protocols. Protocol communication cost includes the number of interactions and the communication data length. The protocol proposed in this paper has a medium number of interactions in the authentication phase and a low total length of communication data. The protocol proposed in literature [37] only implements two-party authentication for RFID systems; by default its server and reader are integrated, so it is not applicable to mobile RFID systems, and its communication data length is therefore lower than that of the protocol in this paper. Although the protocol in literature [31] has a slightly lower communication cost than the protocol in this paper, it does not implement two-party authentication between the cloud server, reader, and tag, and there is a security vulnerability of impersonating a reader. In conclusion, the protocol proposed in this paper shows lower communication cost than other similar protocols under the premise of ensuring the security of the mobile RFID system.

B. COMPARISON OF COMPUTATION COST AMONG PROTOCOLS
In this section, the computation cost and execution time of RFID tags, RFID readers, and cloud servers are defined, and the differences between the proposed protocol and other similar protocols are shown as well. The computations of this protocol and other protocols consist of hash, XOR, random number, and modular operations, etc. Among these operations, the ''XOR'' operation, the ''and'' operation, and ''ring shift left'' are all bitwise operations, a type of lightweight computation that has little impact on the overall computation. Therefore the cost of bitwise operations can be ignored, and the focus is placed on the dominating, computation-intensive operations in the protocol. In this paper, Random represents the computation of a random number, PRNG represents the computation that creates pseudo-random numbers, Hash represents the computation of hash functions, Msg represents the computation of modular squaring, Bro represents the computation of bit substitution, Cro represents the computation of bit crossing, Rot represents the computation of ring shift left, puf represents the computation of the physical unclonable function, and eac represents the computation of the exchange and recrossing. The computation times of a single random, PRNG, Hash, msg and puf operation are 0.125, 0.083, 0.065, 0.046 and 0.226, respectively.
It can be seen from Table 6 that the protocol proposed in literature [26] shows the lowest total computation cost and the shortest execution time. However, this protocol uses a complex hash function on the tag side and so has a high computation cost on the tag side, its tag id is transmitted in clear text and not updated, so it cannot guarantee security, and its total length of communication data is the longest. Even though this protocol has the lowest computation cost and execution time, it is therefore not the best choice. The protocol proposed in literature [38] has a shorter execution time than the protocol in this paper, but its total length of communication data is longer than that of the protocol in this paper and it is not resistant to brute force attacks. In conclusion, the computation cost and execution time of the protocol proposed in this study are kept low while ensuring security and a low communication data length.

C. COMPARISON ON TAG COST
The most complex computation of an RFID authentication protocol is carried out on the server. The tag is the most constrained entity with the weakest computing power in the system, which makes its computation and storage an important concern. Table 7 shows the comparison of the computational and storage costs on the tag between the proposed protocol and other protocols. It can be seen from the table that the protocol proposed in literature [26] uses a random number operation on the tag, the one proposed in literature [31] adopts a pseudo-random number operation on the tag, the one proposed in literature [32] uses a modular square operation on the tag, and the protocols proposed in literature [35], [36], [37] apply a hash function on the tag. The cost of these operations is higher than that of the bit operation used in the protocol of this study. The simple bit operation on the tag consumes less computing cost, which meets the requirements of low-cost tags in the RFID system. Meanwhile, for the protocol proposed in this paper, only STID and are stored on the tag, consuming lower storage cost. This storage cost is higher than that required by the protocol proposed in literature [36], but the protocol of literature [36] is two-party authentication, while the protocol proposed in this paper is three-party authentication, so the protocol in this paper is more competitive than other protocols in terms of tag storage cost among the three-party RFID authentication protocols.

VI. CONCLUSION
An efficient mobile RFID authentication protocol is proposed in this paper. It can be applied in a low-cost RFID system to provide a secure environment for the storage and communication of private data in the system, and to resist various known attacks. In this protocol, the Hash Function is used at the high-performance reader end to calculate authentication information, and the exchange-cross bitwise operation is used at the performance-restricted tag end to calculate the authentication information. The Hash Function helps improve the security of the authentication information, while the exchange-cross bitwise operation guarantees low computation cost at the tag end and tag anonymity. The cloud server stores the encrypted information in the form of an index data table, which enhances the cloud server's retrieval efficiency when it authenticates the tag and the reader, and reduces the risk of sensitive information disclosure at the cloud server. By doing so, safe and efficient identity authentication among tag, reader, and server is achieved. According to the non-formal security analysis, the efficient mobile RFID authentication protocol designed in this paper offers enhanced security and can resist known attacks such as impersonation attack, replay attack, and tracked attack. In this paper, the protocol security is further proved by BAN logic formal analysis, the ProVerif tool, and the random oracle model, while the low computing cost of the protocol and the low storage cost at the tag end are also shown by the performance analysis. In a word, this is a safe, efficient, and low-cost RFID mobile authentication protocol applicable to the target tracking system.
The lightweight authentication protocol currently uses security analysis to prove the security, and the subsequent research work is to establish a security model to prove the security of the authentication protocol under the standard model. The protocol proposed in this paper does not support the integration with physical identification systems (e.g., fingerprints) for the time being, and the next research direction is to gradually adjust the protocol to achieve the integration with physical identification systems in practical applications.
CONG XU received the B.S. degree in network engineering from the Shandong University of Science and Technology, in 2020, where she is currently pursuing the M.D. degree in computer science and technology. Since 2020, she has been conducting research of information security with the Data Security Laboratory, School of Computer Science and Technology, Shandong University of Science and Technology. Her research interests include wireless and mobile communications, protocol analysis and model detection, cryptography, and information security.
WENXUE WEI received the Ph.D. degree in network engineering. He teaches the courses which include the Internet of Things technology and application, network security theory and application, data communication and computing network, and network security technology. His research projects include intelligent storage management system based on the Internet of Things, network public opinion collection and analysis systems, and 863 key projects ''Digital Mining Key Technology and Software Development.'' He has published more than 30 papers in important academic journals at home and abroad, including 11 papers included in SCI and EI and one monograph. His main research interests include information security, the Internet of Things engineering, and digital mine.
SHUANGSHUANG ZHENG received the B.S. degree in information and computing science from Taishan University, in 2020. She is currently pursuing the M.D. degree in software engineering with the Shandong University of Science and Technology. Since 2020, she has been working of image processing research with the Data Security Laboratory, School of Computer Science and Technology, Shandong University of Science and Technology. She has published a paper in the journal Laser and Optoelectronics Progress, in 2022. Her research interests include information security, image processing, and in-depth learning.