RFID Authentication Scheme Based on Hyperelliptic Curve Signcryption

The implementation of efficient security mechanisms for Radio Frequency Identification (RFID) systems has always been a continuous challenge due to their limited computing resources. Previously, hash-based, symmetric-key cryptography-based and elliptic curve cryptography-based security protocols were proposed for RFID systems. However, these protocols are not suitable because some of them fail to fulfil the RFID security requirements, and some of them produce high computational overhead. Recently, researchers have focused on developing an efficient security mechanism based on Hyper Elliptic Curve Cryptography (HECC), which provides high security with a lower key size of 80 bits. In this paper, we propose an efficient RFID authentication scheme (RFID-AS) based on hyperelliptic curve Signcryption. The proposed RFID-AS provides the required security features for the RFID system as well as security from potential attacks. We validated the security of the proposed RFID-AS by using formal security analysis techniques, such as the Real-Or-Random (ROR) model and Automated Validation of Internet Security Protocols and Applications (AVISPA). Furthermore, the results reveal that the computational, communication and storage overheads of the proposed RFID-AS are much less than those of other recently proposed schemes. Compared to the most recently published work based on ECC Signcryption, our scheme is 70% efficient in terms of computational overhead, 42.7% efficient in terms of communication overhead, and 57.7% efficient in terms of storage overhead. Therefore, the proposed RFID-AS is more efficient than the recently published work in this domain. Hence, it is an attractive solution for resource-limited devices like RFID tags.


I. INTRODUCTION
The associate editor coordinating the review of this manuscript and approving it for publication was Shaohua Wan.
The rapidly evolving computing age has enabled all sorts of possibilities to automate processes and recognize items, which have now become crucial components of computing because they save time, produce minimal errors and pave the way to substantial productivity benefits. As of now, bar codes, voice recognition, optical character recognition, smart cards, magnetic stripes, chip cards, biometrics, and RFID are among the multitude of technologies that have been developed to incorporate Automatic Identification and Data Capture (AIDC). RFID has been proved to be the most popular AIDC technology in recent years [1]. According to Jia et al. [2], the use of RFID has grown exponentially with the development of IoT, as the core technology behind it. RFID is a wireless communication technology [5], [6] using radio frequency electromagnetic signals to detect and identify objects bearing tags [3]. There are three main communication components in an RFID system, namely: server, tag (transponder) and reader (interrogator), as shown in Figure 1. In an RFID system, the basic communication session begins when the reader broadcasts radio waves to interrogate the tag and the tag responds to the reader's signal. RFID tags are classified into three distinct types: active tags, semi-passive tags and passive tags, as shown in Table 1. An active tag carries an onboard power source that keeps the tag active to transfer its data over an even larger range, while a semi-passive tag has a minuscule onboard power source that only activates the tag in the presence of a nearby RFID reader. On the other hand, a passive tag has no onboard power source. It obtains the power required for activating the tag from the nearby RFID reader. In general, an RFID tag contains a unique ID number, location information, and an object description such as price, date, etc. The ID helps the server to identify the tag distinctively in the presence of many tags. When a tag-carrying object enters the RFID reader region, its data is collected wirelessly and sent to the server for storage and user application requirements.
Khattab et al. [4] have discovered that when compared to various parameters, RFID outperforms other AIDC techniques, including data density, machine readability, human readability, cost, reading speed, range, moisture effect, and distraction of sight. However, RFID systems have some limitations, including less storage capacity and low processing speed of the tag. With such inadequate computational resources, designing and implementing security schemes that provide security features has been very demanding. Furthermore, the information is being transmitted between tags and readers wirelessly and is susceptible to attacks by the eavesdropper and illegitimate reader due to insecure wireless channels.
Several authors have addressed security concerns and challenges for RFID. Guizani et al. [7] and Kannouf et al. [8] presented an overview of RFID system threats and attacks. Khattab et al. [9] carried out a detailed analysis of RFID system attacks. They categorized RFID attacks into particularly three types: physical attacks, device attacks, and channel attacks. To prevent physical attacks, it is possible to avoid tag alteration or tampering by establishing a protected zone around the device using the device's sealed tamper-resistant case. Additionally, by using spread spectrum technologies and antenna polarization, the jamming attack can be countered. Furthermore, using a strong cryptographic scheme, the device attacks and other channel attacks can be prevented. Consequently, the cryptographic scheme must fulfill an RFID system's security requirements such as authentication, confidentiality, non-repudiation, integrity, anonymity, forward security, availability, and scalability. The cryptographic schemes that are prospective candidates to protect any information system are Symmetric Key Cryptography (SKC) [10], [11], RSA based cryptography [12], [13], Elliptic Curve Cryptography (ECC) [14], [15], and Hyper Elliptic Curve Cryptography (HECC) [16], [17]. A comparison of these cryptographic systems based on various aspects has been presented in Table 2.
It can be observed from Table 2 that SKC based schemes have a big issue with key distribution, while RSA based schemes have high computational cost due to modular exponential computation. ECC-based schemes perform better than the RSA, while HECC performs better than ECC by providing the same security features with less computation cost, communication overhead, and memory requirement.
HECC-based schemes require less storage and a smaller key size, and are quicker in key generation. They produce smaller ciphertext as compared to other Public Key Cryptography (PKC) schemes. Due to these features, HECC is an attractive cryptographic scheme to offer security for systems having limited computational resources such as RFID. Zheng [18] introduced the concept of Signcryption, which combines encryption as well as authentication in a single logical step. Before the actual advent of Signcryption, the technique was to use encryption-then-signature to achieve secrecy and authentication. Zheng showed that Signcryption saves 50% of computing time and 85% of communication costs compared to the process of signature-then-encryption.

A. MOTIVATION AND CONTRIBUTION
Providing security in all fields of computing and communication has always been a priority. However, implementing efficient and appropriate RFID system security mechanisms has been a continuous challenge because of limited computing resources. An RFID system requires a security mechanism that minimizes computational, communication and storage overhead. Recently, Singh et al. [19] suggested an Elliptic Curve Signcryption based RFID authentication protocol. The security and efficacy of their proposed protocol are based on ECC. Even though ECC utilizes small 160-bit keys and smaller parameter sizes as compared to RSA, a 160-bit key size is still not well suited for resource-limited devices like RFID tags. ECC has higher computation overhead and generates excessive communication cost compared to HECC, which has an 80-bit key size [20] and generates less communication and computational cost than ECC. Hence, their proposed protocol does not fulfill performance efficiency, because their scheme generates excessive communication and computational overhead. Furthermore, there is no verification of the security of their proposed method by using any verification tools such as Scyther and AVISPA. It is crucial to design an authentication protocol that eliminates all the above limitations and fulfills the security requirements of resource-limited RFID systems. We describe our main contributions as follows.
• We designed an RFID authentication scheme (RFID-AS) based on hyperelliptic curve Signcryption.
• We have shown that our scheme provides the required security features such as: authentication, confidentiality, non-repudiation, integrity, anonymity, forward security, availability and scalability.
• We have shown that our scheme provides security against replay, man-in-the-middle (MiM), impersonation, cloning, location tracking, desynchronization, Denial of Service (DoS), and key compromise attacks.
• The results of proposed RFID-AS confirm its efficiency in terms of Computational, Communication and Storage overhead.
• We validated our proposed scheme's security by using formal security analysis techniques, such as the Real-Or-Random (ROR) model and Automated Validation of Internet Security Protocols and Applications (AVISPA).

B. STRUCTURE OF THE PAPER
The rest of the paper is organized as follows. Section 2 overviews the related work. Section 3 discusses the system model. Section 4 explains the proposed authentication scheme. Section 5 demonstrates the proof of the correctness of the proposed protocol. Section 6 provides security analysis. Section 7 shows the comparative analysis. Section 8 provides the conclusion and finally, section 9 provides the future work.

II. RELATED WORK
Due to the lower computational capability of RFID tags, protection and privacy have been the main concern for RFID systems. Over the years, several security solutions providing various security features have been suggested. However, a great deal of emphasis has been placed on the design of secure authentication schemes for RFID. Also, several ECC-based schemes have been suggested in recent years, as ECC-based solutions are comparatively better than RSA and other PKC schemes. Gódor et al. [21] suggested ECC-based RFID authentication, which provides confidentiality and authentication while providing resistance against replay attacks. They also measured the computational time of various operations in the protocol. However, several required security attributes were not enforced in this scheme, and it could not deter DoS attacks. Lee et al. [22] revealed the problems of un-traceability and anti-counterfeiting in RFID systems. They proposed a protection framework that offered several security features but failed to meet mutual authentication, scalability, and resistance to desynchronization attacks. Safkhani et al. [23] suggested an authentication scheme that provides security against tag impersonation attacks. However, their scheme is susceptible to other attacks. Safkhani et al. [24] also suggested a hash-based scheme for mutual authentication. However, their scheme is computationally inefficient, as the server needs to check all the entries in the database. Peris-Lopez et al. [25] suggested a grouping-proofs-based protocol to safeguard against tag impersonation attacks. However, this protocol suffers from a concurrency attack. Liu et al. [26] proposed ECC-based RFID authentication, which reduces RFID tag computation cost and provides mutual authentication, confidentiality, and anonymity. The protocol was capable of defending against desynchronization attacks, counterfeit attacks, and replay attacks. Liao et al. [27] suggested an RFID authentication protocol based on an elliptic curve that utilizes secure challenge-response and ID-verifier messages to be transferred. However, their protocol suffers from a key compromise attack where the key contained in the tag can be recovered by an attacker. Zhao [28] proposed an improved authentication protocol that is safer and more powerful than the Liao scheme. However, Farash [29] showed that the Zhao scheme is unsuccessful in offering forward security. Chou [30] categorized the RFID authentication schemes as ultra-lightweight, lightweight, simple, and full-fledged. Chou stated that full-fledged authentication schemes are attractive because non-full-fledged authentication schemes are susceptible to tracking and desynchronization attacks. Chou also suggested an ECC-based authentication scheme and asserted that it also offers forward anonymity and scalability in addition to location privacy and mutual authentication, while also offering security against DoS, replay, and MiM attacks. Farash [31] has shown that the Chou scheme failed to provide forward secrecy, confidentiality, and mutual authentication. Furthermore, the Chou protocol was proven to have failed to protect against tracking attacks, cloning attacks, and impersonation attacks. Farash also suggested an enhanced authentication scheme that can address impersonation, tracking attacks, and MiM attacks, and offer mutual authentication, confidentiality, and forward secrecy. However, this protocol's total computational time is even greater than that of existing RFID authentication schemes. Zhang et al. [32] suggested an ECC-based scheme, which provides session initiation anonymity. Conversely, Lu et al. [33], [35] suggested an ECC-based RFID security scheme that provides resistance against DoS, tracking, impersonation, and replay attacks. They asserted that their proposed scheme requires less communication overhead, storage costs, and processing time. Chen et al. [36] analyzed several ECC-based full-fledged RFID authentication schemes. They pointed out that some of these schemes have privacy and security drawbacks, while some schemes produce high communication costs. Chen et al. also suggested two authentication schemes and stated that their schemes are efficient and secure. Shen et al. [37] revealed that the Chen et al. protocol is susceptible to spoofing attacks and replay attacks. Alamr et al. [38] proposed an RFID authentication scheme using the ECC-based Diffie-Hellman key exchange concept to compute the secret key. This key, in turn, is utilized for the messages to be encrypted. Their protocol provides mutual authentication, confidentiality, anonymity, and privacy, and offers resistance to replay, impersonation, and MiM attacks. Qian et al. [39] suggested a lightweight RFID security protocol using ECC encryption and simple operations such as bitwise AND, XOR, etc. This scheme decreases the tag computation cost, as it does not use the operation of elliptic curve scalar multiplication. However, this scheme is restricted to providing confidentiality, authentication, and forward secrecy only. Bagheri et al. [40] proposed an anti-collision RFID protocol. However, their protocol does not guarantee that all the tags are identified. Zheng et al. [41] suggested ECC-based RFID authentication that provides privacy, forward security, scalability, anonymity, and mutual authentication. Their protocol also offers resistance against DoS attacks, internal attacks, and tracking attacks. Chiou et al. [42] proposed an authentication protocol. However, in this protocol, the tag must perform five elliptic curve scalar multiplication (ECSM) operations, which increases computational cost. Therefore, this scheme is computationally inefficient and not appropriate for RFID systems. Liu et al. [43] proposed a security scheme for mobile RFID systems and mentioned that their approach is more efficient and can withstand all known attacks.
Conversely, by observing the authentication stage of the protocol, it can be determined that the tag must execute four ECSM operations, which increases the tag computation cost. Therefore, this scheme is computationally inefficient and not appropriate for RFID systems. Fan et al. [44] proposed a lightweight RFID protection protocol for medical privacy and stated that it ensures confidentiality and secure authentication. This scheme is based on simple operations such as the XOR operation, hash computation, displacement operation, and cross operation. However, Aghili et al. [45] carried out a thorough review of the Fan et al. scheme and exposed that it is susceptible to secret information disclosures and impersonation attacks. Dinarvand et al. [46] suggested an ECC-based RFID authentication scheme that achieves authentication, non-repudiation, confidentiality, integrity, anonymity, forward security, availability, and scalability. Furthermore, their protocol is secure against tracking, de-synchronization, server spoofing, and replay attacks. Recently, Singh et al. [19] proposed an RFID authentication protocol based on Elliptic Curve Signcryption. They also demonstrated that the computation cost and communication overhead of their proposed scheme are less than those of others. The security and efficiency of the authentication protocols described in the above literature are based on an elliptic curve using a 160-bit key size, which generates excessive communication overhead as compared to the hyperelliptic curve with its lower 80-bit key size, as shown in Table 2. Even though ECC utilizes small 160-bit keys and smaller parameter sizes as compared to RSA, the 160-bit key size is still not well suited for resource-limited devices like RFID tags.

III. SYSTEM MODEL
This section describes the system architecture and threat model for the proposed scheme.

A. SYSTEM ARCHITECTURE
Primarily, an RFID system comprises three main communication components, namely a server, a tag, and a reader, as shown in Figure 2. In an RFID system, the basic communication session begins when the reader broadcasts a radio signal and the tag responds to the reader's signal. In the proposed RFID-AS, the server and reader communicate through a secure wired channel, while the tag and reader communicate through an insecure wireless channel. The server is a central database device that manages information related to the tags and reader. The reader collects the information of the tag and forwards it to the server to authenticate the tag.
VOLUME 9, 2021

B. THREAT MODEL
We considered the Dolev-Yao threat model [47] for our proposed scheme. In this model, the adversary has full control over the communication channel between tag and reader, and can thereby intercept, analyze, and modify messages (as far as he knows the session key) and can replay the messages to the tag and reader.

IV. PROPOSED SCHEME
In this section, the background information required in the designing of the proposed scheme is first explained. Next, the working of the proposed authentication scheme is described in detail.

A. BACKGROUND DETAILS
Hyperelliptic Curve Cryptography (HECC): Hyperelliptic curves (HEC) are algebraic curves with genus g > 1 [16]. HEC are also known as a generalized form of elliptic curves (EC), which have g=1. The difference between HECC and ECC is the group operation. Unlike the EC, the points on the HEC cannot form a group; rather, the HEC generates an additive Abelian group, derived from the divisor class group. A HEC of genus 2 with 80-bits field size can be constructed to attain similar security as 160-bits ECC [20]. A HEC of g=2 over and is given by the equation (1): An additional requirement for the curve is that it must be a non-singular curve. A divisor D, as shown in equation (2), is a finite formal sum of scalar multiples of points in curve E.
where m p ∈ Z, and [P] represent points on the hyperelliptic curve E.
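An added example (not from the paper) of the divisor-class-group arithmetic described above: Cantor's algorithm on a genus-2 curve in Mumford representation (u, v), with the scalar multiple k.D built from it. The prime, the curve f(x) = x^5 + 3x + 5 and the base divisor are constructed toy values; a deployment would use the roughly 80-bit field size the text refers to.

```python
# Constructed toy parameters (assumptions, not taken from the paper).
P = 10007                       # prime field F_p
F = [5, 3, 0, 0, 0, 1]          # f(x) = x^5 + 3x + 5, coefficients low -> high
BASE = ([P - 1, 1], [3])        # divisor of the point (1, 3): u = x - 1, v = 3
ZERO = ([1], [])                # identity element of the divisor class group

def trim(a):
    a = [c % P for c in a]
    while a and a[-1] == 0:
        a.pop()
    return a

def add(a, b):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return trim([x + y for x, y in zip(a, b)])

def neg(a):
    return trim([-c for c in a])

def mul(a, b):
    if not a or not b:
        return []
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return trim(out)

def divmod_poly(a, b):
    """Quotient and remainder of a / b over F_p (b must be non-zero)."""
    a, b = trim(a), trim(b)
    inv = pow(b[-1], -1, P)
    q = [0] * max(len(a) - len(b) + 1, 0)
    while len(a) >= len(b):
        k, c = len(a) - len(b), a[-1] * inv % P
        q[k] = c
        a = add(a, neg(mul([0] * k + [c], b)))   # cancels the leading term
    return trim(q), a

def xgcd(a, b):
    """Return (g, s, t) with s*a + t*b = g and g the monic gcd."""
    r0, r1, s0, s1, t0, t1 = trim(a), trim(b), [1], [], [], [1]
    while r1:
        q, r = divmod_poly(r0, r1)
        r0, r1 = r1, r
        s0, s1 = s1, add(s0, neg(mul(q, s1)))
        t0, t1 = t1, add(t0, neg(mul(q, t1)))
    c = [pow(r0[-1], -1, P)]
    return mul(r0, c), mul(s0, c), mul(t0, c)

def cantor_add(d1, d2):
    """Add two reduced divisors: composition followed by reduction."""
    (u1, v1), (u2, v2) = d1, d2
    g1, e1, e2 = xgcd(u1, u2)
    g, c1, c2 = xgcd(g1, add(v1, v2))
    s1, s2, s3 = mul(c1, e1), mul(c1, e2), c2
    u = divmod_poly(mul(u1, u2), mul(g, g))[0]
    num = add(add(mul(mul(s1, u1), v2), mul(mul(s2, u2), v1)),
              mul(s3, add(mul(v1, v2), F)))
    v = divmod_poly(divmod_poly(num, g)[0], u)[1]
    while len(u) - 1 > 2:                        # reduce until deg u <= genus
        u = divmod_poly(add(F, neg(mul(v, v))), u)[0]
        v = divmod_poly(neg(v), u)[1]
    u = mul(u, [pow(u[-1], -1, P)])              # make u monic
    return u, divmod_poly(v, u)[1]

def scalar_mul(k, d):
    """Compute k.D by double-and-add."""
    acc = ZERO
    while k:
        if k & 1:
            acc = cantor_add(acc, d)
        d, k = cantor_add(d, d), k >> 1
    return acc

def is_valid(d):
    """Mumford conditions: deg v < deg u <= 2 and u divides v^2 - f."""
    u, v = d
    rem = divmod_poly(add(mul(v, v), neg(F)), u)[1]
    return len(v) < len(u) <= 3 and rem == []

if __name__ == "__main__":
    v_s, v_t = 1234, 5678                        # constructed private scalars
    p_s, p_t = scalar_mul(v_s, BASE), scalar_mul(v_t, BASE)
    # Both sides reach the same divisor, which is what lets them derive one key.
    print(scalar_mul(v_t, p_s) == scalar_mul(v_s, p_t))
```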

B. PROPOSED AUTHENTICATION SCHEME
Our proposed RFID authentication scheme (RFID-AS) is based on HEC Signcryption and consists of three phases: Setup, Authentication, and Update. The flowchart of our proposed scheme is shown in Figure 3. It is assumed that the data transmission from reader to server and vice versa is secure due to the wired channel, whereas the data transmission from reader to tag and vice versa is insecure due to the insecure wireless channel. Table 3 shows the symbols and notations used to describe the scheme. The scheme is applicable to passive, semi-active and active tags.

1) SETUP PHASE
The server in the Setup phase, performs the following operations to select and assign initial values to system parameters.
i. Selects a hyperelliptic curve E :
ii. Selects a unique identifier T id for each tag such as T id = i.D, where i ∈ {1, q-1} is a random integer.
iii. Selects a random integer T pn ∈ R {1, q-1}, as the unique pseudonym for each tag.
iv. Selects a unique identifier X id for server such as X id = j.D, where j ∈ {1, q-1} is a random integer.
v. Selects a one-way hash function
vi. The server stores {T id , T pn } for every tag in its database.
vii. The server also stores {T id , T pn , X id } and {F q , F * q , q, x, y, D}, in the memory of each tag.

2) AUTHENTICATION PHASE
The tag and server simultaneously authenticate each other by using the concept of signcryption-unsigncryption, in which authentication and confidentiality attributes are implemented together. The tag performs the signcryption operation while the server performs the unsigncryption operation. The complete work flow of the protocol has been presented in Figure 4.
The following steps are carried out in this phase:
1) For every session, the server initializes its private key V s with a random number ∈ {1, q-1}. The server then computes its public key P s as shown in Eq. (3) and sends it to the tag:
2) After receiving {P s }, the tag performs the Signcryption operation to obtain its Signcryption parameters C, R and S as follows:
   i. For every session, the tag initializes its private key V t with a random integer ∈ {1, q-1} and computes its public key P t as:
   ii. The tag computes its secret key K as:
   iii. The tag encrypts its pseudonym to obtain the first Signcryption parameter C as:
   iv. The tag applies the hash function to the XOR of the tag identifier and tag pseudonym to obtain the second Signcryption parameter R as:
   v. After computing R, the tag can now obtain its third Signcryption parameter S as:
   vi. The tag then sends C, R, S and P t to the server.
3) The server performs the unsigncryption operation after receiving the Signcryption parameters C, R, S and the tag public key P t .
   i. Computes its secret key K as:
   ii. Decrypts C by using K to obtain the first unsigncrypted parameter T pn as:
   iii. Searches its database to find the corresponding tag identifier T id ; if it is not found, the session is terminated, otherwise the second unsigncrypted parameter R is computed as:
   iv. If the computed R equals the received R, the server authenticates the tag successfully; if they differ, authentication fails and the session is terminated.
   v. After tag authentication, the server computes the authentication message {T s } as: and sends {T s } to the tag.
4) Once the tag receives the authentication message {T s }, it computes T t as: If T s = T t , then server authentication by the tag is successful; if they differ, authentication is unsuccessful and the session is dismissed.

3) UPDATE PHASE
Upon successful mutual authentication of tag and server, both of them must update the value of T pn , so that it can be protected from desynchronization attack and unauthorized usage.
The tag updates the T pn by performing the following operation:
The server updates the T pn by performing the following operation:
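The three-message exchange and pseudonym update described above, modelled end to end as an added example (not the authors' code). The equations for K, S and the update are not reproduced on this page, so `session_key`, the XOR-pad `E`, the update rule and the modular-exponentiation stand-in for k.D are assumptions, and S is left out.

```python
import hashlib
import hmac
import secrets

# Assumed stand-in group: exponentiation modulo a Mersenne prime plays the role
# of the scalar multiple k.D on the hyperelliptic Jacobian.
Q, G = 2**127 - 1, 5

def H(*parts):
    """One-way hash H(.) over length-prefixed parts (SHA-256 is an assumption)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def E(key, label, block):
    """Toy stand-in for E_K on 32-byte blocks: an XOR pad, so E is its own inverse."""
    return xor(block, H(b"pad", label, key))

def session_key(shared, x_id):
    """Assumed derivation: the page says only that K needs V_t or V_s and X_id."""
    return H(shared.to_bytes(16, "big"), x_id)

class Tag:
    def __init__(self, t_id, t_pn, x_id):
        self.t_id, self.t_pn, self.x_id = t_id, t_pn, x_id

    def signcrypt(self, p_s):
        v_t = secrets.randbelow(Q - 2) + 1             # fresh V_t per session
        self.k = session_key(pow(p_s, v_t, Q), self.x_id)
        c = E(self.k, b"C", self.t_pn)                 # C = E_K(T_pn)
        self.r = H(xor(self.t_id, self.t_pn))          # R = H(T_id xor T_pn)
        return c, self.r, pow(G, v_t, Q)               # message 2 (without S)

    def verify_server(self, t_s):
        t_t = E(self.k, b"Ts", xor(xor(self.r, self.t_id), self.x_id))
        if not hmac.compare_digest(t_s, t_t):
            return False                               # dismiss the session
        self.t_pn = H(self.t_pn, self.k)               # assumed update rule
        return True

class Server:
    def __init__(self):
        self.x_id, self.db, self.pending = secrets.token_bytes(32), {}, None

    def enroll(self):
        """Setup phase: store {T_id, T_pn} and hand the tag its secrets."""
        t_id, t_pn = secrets.token_bytes(32), secrets.token_bytes(32)
        self.db[t_pn] = t_id
        return Tag(t_id, t_pn, self.x_id)

    def hello(self):
        self.v_s = secrets.randbelow(Q - 2) + 1        # fresh V_s per session
        return pow(G, self.v_s, Q)                     # message 1: P_s

    def unsigncrypt(self, c, r, p_t):
        self.pending = None
        k = session_key(pow(p_t, self.v_s, Q), self.x_id)
        t_pn = E(k, b"C", c)
        t_id = self.db.get(t_pn)
        if t_id is None or not hmac.compare_digest(H(xor(t_id, t_pn)), r):
            return None                                # terminate the session
        self.pending = (t_pn, H(t_pn, k))
        return E(k, b"Ts", xor(xor(r, t_id), self.x_id))   # message 3: T_s

    def update(self):
        old, new = self.pending
        self.db[new] = self.db.pop(old)
        self.pending = None

def run_session(server, tag, flip_bit=False):
    """Run one session; flip_bit models an adversary altering C in transit."""
    c, r, p_t = msg2 = tag.signcrypt(server.hello())
    if flip_bit:
        c = bytes([c[0] ^ 1]) + c[1:]
    t_s = server.unsigncrypt(c, r, p_t)
    if t_s is None:
        return "server rejected tag", msg2
    if not tag.verify_server(t_s):
        return "tag rejected server", msg2
    server.update()
    return "mutual authentication ok", msg2
```

Replaying a captured second message fails in this model for two independent reasons: the server's V s is fresh, so K differs, and the stored pseudonym has already been updated.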

V. PROOF OF CORRECTNESS
The accuracy of our proposed RFID-AS is based on the fact that the same secret key has been produced by both parties in authentication phase. According to Eq. (5), the tag computes its secret key as shown below.
According to Eq. (9), the server computed its secret key as shown below.

A. FORMAL SECURITY ANALYSIS THROUGH ROR MODEL
We have used the Real-Or-Random (ROR) model [48] for the formal security analysis of our proposed RFID-AS. According to this model, an active adversary A tries to target the communication among the participants by simulating real (actual) attacks using ''Execute, Send, Reveal and Test queries''. In the proposed RFID-AS, the participants are tag T i and reader R and the corresponding participant instances are represented as π T i and π R respectively. We assume that A interacts with π i = (π T i , π R ), where π i represents an instance of an executing participant. The queries initiated by the adversary A are described below:
Execute query: This query enables A to intercept (eavesdrop) all the messages exchanged between π T i and π R .
Send query: In this query A can send a message Msg to π i , and receive a response from π i accordingly.
Reveal query: This query enables A to extract the current session key between π T i and π R .
Test query: In this query A requests π i for the session key K and π i replies with an outcome c, where c represents a random bit.
Furthermore, H (.) is also modeled as a random oracle and is accessible to all the participants including the adversary A. We provide the proof of the existence of semantic security (secret session key security) in our proposed RFID-AS, by applying Theorem 1 as described below.
Theorem 1: Suppose an adversary A, running in a polynomial time pt, tries to obtain the current session key between π T i and π R , using the games G 1 , G 2 and G 3 . Then, A's advantage in breaking the semantic security to extract the session key K between π T i and π R in the proposed RFID-AS can be written as: where the variables q h , |hash| and Adv HECDLP A (pt), represent the number of hash queries, the range space of H (.) and the non-negligible winning advantage of breaking HECDLP respectively.
Proof: We provide the proof of Theorem 1 by considering three games G i (i = 1, 2, 3). In each game, A tries to guess the correct bit c by using the Test query. Suppose wins G i A is an event in which A guesses the random bit c correctly; then the advantage of A in winning a game is given as:
Game G1: This game is considered to be identical to the actual protocol executing under the ROR model. According to this game, the following output is obtained.
Game G2: In this game, the adversary A performs an eavesdropping attack by using the Execute query to break the secret session key security. The adversary A intercepts all the messages communicated between π T i and π R , which are: m1 = {P s }, m2 = {P t , C, R, S} and m3 = {T s }. As a next step, A needs to perform the Reveal and Test queries to check whether the derived session key, acquired from the communication between π T i and π R , is original or randomly selected. The secret session key between π T i and π R can be produced as: To derive this session key, A needs to know the secret information V t , V s and X id . It means that eavesdropping on m1, m2 and m3 alone will not increase the winning probability for A. Hence, it is hard to distinguish between G 1 and G 2 , as shown in the following equation:
Game G3: This game is modeled as an active attack which simulates the Send and Hash queries. It is clear from G2 that the eavesdropped messages m i (i = 1, 2, 3) between π T i and π R do not lead to any hash collision, because the information in these messages is protected by H (.) and HECDLP. The variables V s and V t involved in P s and P t are protected by HECDLP, and the variables T pn , T id and X id involved in R are protected by H (.). Furthermore, G 2 and G 3 are indistinguishable except that G 3 simulates the Hash and Send queries and solving the HECDLP. The advantage of solving HECDLP is Adv HECDLP A (pt) and, according to the birthday paradox, the collision probability of using the hash oracle query is $q_h^2 / (2|hash|)$. Overall, we can obtain the following outcome.
Now that all the queries have been executed by A, all that is left is to guess the correct bit c, which results in the following output.

Adv RFID−AS
Using equations 16 and 17, the following result is obtained.

1/2.Adv RFID−AS
Using equations 19 and 20, the following result is obtained.
Similarly, using equations 18 and 21, the following result is obtained.
We can obtain the following result by multiplying equation 22 by ''2''.

B. FORMAL SECURITY VERIFICATION USING AVISPA
We implemented and validated the proposed scheme using the AVISPA simulation tool [49]. AVISPA is integrated with SPAN to provide a user interface. The architecture of the AVISPA tool is shown in Figure 5. The AVISPA tool operates under two validation states, namely: SAFE and UNSAFE. The output of the simulation is a SAFE state if a cryptographic scheme provides resistance against the MiM attack. The simulation's output is an UNSAFE state if a cryptographic scheme is not able to withstand the MiM attack. The role-oriented language for writing cryptographic schemes in AVISPA is called High-Level Protocol Specification Language (HLPSL) [50]. We used software tools such as SPAN (version: SPAN-Ubuntu-10.10-light_1) and Oracle VM Virtual Box (version: 5.2.0.118431). The HLPSL source code of the proposed scheme contains four roles: role server, role tag, role session, and role environment, as shown in Tables 4, 5, 6 and 7 respectively. AVISPA uses a special identifier i for the intruder. We used two back-ends of the AVISPA tool, OFMC and ATSE, to validate our proposed scheme. The simulation result of the proposed protocol using the ATSE and OFMC back-ends of the AVISPA tool shows that the proposed protocol is safe, as shown in Figure 6a and Figure 6b respectively.

C. INFORMAL SECURITY ANALYSIS
The following assumptions are considered while performing the informal security analysis.
i. The tag identifier T id , tag pseudonym T pn , and server identifier X id , are known only to the server and the tag.
ii. For every session, fresh random values for V s and V t are selected by the server and the tag, respectively.
iii. The encryption algorithm E K is secure enough that an adversary is incapable of decrypting the ciphertext C.

1) AUTHENTICATION
In each session the tag should authenticate the server and vice versa, so as to ensure secure communication in the RFID system.
Tag authentication: Once the server obtains the Signcryption text {C, R, S} from the tag, it computes the key K for decryption of ciphertext C to acquire the tag pseudonym T pn . The server searches its database to find the tag unique identifier T id corresponding to T pn . The server computes R and compares it with the R obtained from the tag. If the two values are equal, then the server authenticates the tag successfully. Suppose an attacker pretends to be a valid tag. In that case, it must produce an accurate value of R, but the value of R depends   server know this, thus it is impossible for an unauthorized server to produce the correct message {T s }.

2) CONFIDENTIALITY
Confidentiality is the assurance that information is kept secret during transmission. In the proposed RFID-AS, the first message is the server public key {P s } sent to the tag; since it is a public parameter and known to all, it can be sent as plaintext. The second message, sent to the server, consists of the Signcryption parameters {C, R, S} and the tag public key {P t }. As {P t } is a public parameter and is known to all, it can be transmitted as plaintext. All three Signcryption parameters {C, R, S} reveal no information. The adversary is unable to decrypt the ciphertext C because it requires the private key V t of the tag and the server identifier X id to produce the secret key K . According to the property of HECDLP, an adversary cannot compute V t , given P t and D. Furthermore, the server identifier X id is only known to the legitimate tag and server. Similarly, adversary A cannot obtain any information from R and S, because R is computed from a one-way hash function whose reverse is impossible to compute, and S is obtained using R. The third message, sent to the tag, is {T s }, which is an encrypted message; an adversary cannot obtain any information from it because that requires the secret key K , which an adversary is unable to produce due to the property of HECDLP. Therefore, confidentiality attributes are successfully provided by the proposed RFID-AS.

3) NON-REPUDIATION
The values of $R$ and $S$ sent to the server by the tag depend on the tag identifier $T_{id}$ and the server identifier $X_{id}$. Similarly, the $\{T_s\}$ message sent by the server to the tag also depends on the tag identifier $T_{id}$ and the server identifier $X_{id}$. Based on Assumption 1, if $R' = R$ then the tag cannot repudiate that it sent the message to the server, and if $T_s = T_t$ then the server cannot repudiate that it sent the message to the tag.

4) INTEGRITY
An adversary cannot have two messages with an identical message digest [41]. It also means that adversary A, having the output of a hash function, can never determine the input message. Suppose an adversary alters any value in $\{C, R, S\}$; this is easily identified by the server. The $K$ value computed by the server will not be equal to the $K$ value created by the tag, which causes the server to generate $R$ incorrectly. In this situation, authentication fails and the server terminates the session. Similarly, it is easily identified if an adversary alters the $\{T_s\}$ received by the tag from the server: it will not be the same as the value computed by the tag, so the authentication fails and the tag terminates the session. In the proposed RFID-AS, data integrity during transmission is thus guaranteed.

5) ANONYMITY
In the proposed RFID-AS, the tag sends the secret information (tag identity $T_{id}$, tag pseudonym $T_{pn}$ and server identifier $X_{id}$) in the form of a signcrypted message. The security of $T_{pn}$ is maintained by encryption, and the security of $T_{id}$ and $X_{id}$ is maintained by applying a hash function to the result of the XOR operations between $T_{pn}$, $T_{id}$ and $X_{id}$. To obtain the confidential information $T_{pn}$, $T_{id}$ and $X_{id}$, the adversary needs the secret key $K$, which it cannot calculate due to HECDLP. Similarly, the secrecy of $T_{id}$ and $X_{id}$ is preserved in the message $\{T_s\}$ sent by the server to the tag by performing XOR operations between $R$, $T_{id}$ and $X_{id}$ and then encrypting the result using the key $K$. The adversary needs to decrypt this message to get the values of $T_{id}$ and $X_{id}$, which is not possible because the key $K$ is not known to it and cannot be calculated due to HECDLP. Therefore the proposed RFID-AS offers tag anonymity.

6) FORWARD SECURITY
Suppose adversary A somehow manages to learn the tag pseudonym $T_{pn}$. In that case, it is still unable to retrieve previous messages, because the messages $\{T_s\}$ and $\{C, R, S\}$ depend solely on the secret key computed by the tag and the server, which in turn depends on the random numbers $V_s$ and $V_t$ generated by the server and the tag, respectively, for each session. The proposed RFID-AS therefore offers forward security, as the adversary is unable to obtain past messages and use them later.

7) AVAILABILITY
The tag identifier $T_{id}$ and the server identifier $X_{id}$ remain the same during the entire communication between tag and server, and the adversary is unable to reach them. In addition, the tag pseudonym $T_{pn}$ that is sent to the server is updated for each session. Updating the tag pseudonym $T_{pn}$ on both the server and the tag ensures that both hold the same $T_{pn}$ at all times. The proposed RFID-AS therefore offers availability and prevents de-synchronization.

8) SCALABILITY
The server searches its database and finds the tag identifier $T_{id}$ corresponding to the tag pseudonym $T_{pn}$ obtained from the tag, so no linear search is needed for the server to learn each tag's identity [31]. The server takes $O(1)$ time to find the corresponding tag in the proposed RFID-AS, which saves an enormous computational workload as the total number of tags in the system increases. Thus, the proposed RFID-AS offers scalability.

9) SECURITY AGAINST REPLAY ATTACK
An adversary eavesdropping on the communication channel can obtain the past messages $\{P_s\}$, $\{P_t, C, R, S\}$ and $\{T_s\}$ communicated between tag and server. The adversary can then replay these messages to create an unauthorized effect. In our proposed scheme, the tag pseudonym $T_{pn}$ is a private random number, and for every new session $T_{pn}$ is updated to $T_{pn}^{new}$. Therefore, in the new session the adversary is unable to use the previously recorded messages.

i) If an adversary pretends to be a valid tag and sends the pre-recorded messages $\{P_t\}$ and $\{C, R, S\}$ to the server, then the server performs the following computation: it computes the secret key as $K = \mathrm{hash}(S \cdot V_s (P_t + R \cdot D) \oplus X_{id})$ and decrypts the ciphertext to find the tag pseudonym $T_{pn} = D_k(C)$. The server is unable to find a corresponding tag identifier $T_{id}$ because $T_{pn} \neq T_{pn}^{new}$, and it dismisses the session. The resistance of the server replay attack is shown in Figure 7a.

ii) If adversary A pretends to be a valid server and transmits the pre-recorded messages $\{P_s\}$ and $\{T_s\}$ to the tag, then the tag performs the following computations. It initializes its private key $V_t^{new}$. Evidently, $T_t^{new} \neq T_s$, because in the new session the tag used $V_t^{new}$ and the modified tag pseudonym $T_{pn}^{new}$ rather than the $V_t$ and $T_{pn}$ that were used in the former sessions. Thus, the server authentication fails and the tag terminates the session. The resistance of the tag replay attack is shown in Figure 7b.

10) SECURITY AGAINST CLONING ATTACK
According to Liao et al. [27], an RFID authentication protocol is susceptible to cloning attacks when a group of tags uses the same secret key in the authentication process. The proposed RFID-AS stores no secret key in the tag memory. Each session's new key is produced dynamically; therefore, the adversary is not able to extract the confidential data needed to clone a tag. Even if the adversary can obtain the tag identifier $T_{id}$ for a set of tags, it is not able to obtain the tag pseudonym $T_{pn}$ for the same tags, as $T_{pn}$ is not fixed and is updated in every session.

11) SECURITY AGAINST LOCATION TRACKING ATTACK
An adversary is unable to retrieve the tag identifier $T_{id}$ and the server identifier $X_{id}$ transferred between tag and server, due to the secure communication in our proposed scheme. Whenever the tag transmits $\{C, R, S\}$, the adversary is unable to retrieve $T_{id}$ and $X_{id}$, because it would have to solve the computationally difficult HECDHP to compute the secret key. Likewise, the attacker cannot decrypt the message when the server transmits $\{T_s\}$ to the tag, because of the secret key $K$ of the server and the tag. Moreover, private random numbers are used in producing the messages. The attacker therefore cannot access the location information, and security against the location tracking attack is guaranteed.

12) SECURITY AGAINST DESYNCHRONIZATION ATTACK
In the desynchronization attack, the adversary prevents certain confidential information from being updated during tag-server communication in an ongoing session. The adversary tries to intercept the messages, and it is possible that the server fails to update the tag pseudonym in its database while the tag updates its pseudonym in its memory [46]. In our proposed scheme, the server stores the previous value of the tag pseudonym $T_{pn}$ as well as the modified value $T_{pn}^{new}$ to avoid the desynchronization attack. When the server receives $\{C, R, S\}$ from the adversary, the server decrypts $C$ and decides whether the decrypted value is a previous tag pseudonym $T_{pn}$ or a modified tag pseudonym $T_{pn}^{new}$. Since the adversary has no correct values for $T_{pn}$ and $T_{pn}^{new}$, it is unable to de-synchronize the shared secret, due to the data integrity and mutual authentication provided by the proposed scheme.
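The server-side bookkeeping described under scalability and desynchronization can be modelled as follows. This is an added example, not code from the paper: it covers only the pseudonym table (constant-time lookup, and keeping both $T_{pn}$ and $T_{pn}^{new}$), and it assumes the new pseudonym is handed in by the caller, since this section does not give the update rule. The class, method and tag names are hypothetical.

```python
import secrets

def fresh_pseudonym():
    # 80-bit random value, matching the parameter size used on the page.
    return secrets.token_bytes(10)

class PseudonymStore:
    """Server-side table holding T_pn (previous) and T_pn^new (current) per tag."""

    def __init__(self):
        self._index = {}   # pseudonym -> T_id; hash map, O(1) average lookup
        self._slots = {}   # T_id -> (previous pseudonym, current pseudonym)

    def enroll(self, tag_id, pn):
        self._slots[tag_id] = (None, pn)
        self._index[pn] = tag_id

    def lookup(self, pn):
        """Resolve a decrypted pseudonym to (T_id, 'current' | 'previous'), else None."""
        tag_id = self._index.get(pn)
        if tag_id is None:
            return None
        return tag_id, ("current" if pn == self._slots[tag_id][1] else "previous")

    def rotate(self, tag_id, presented, new_pn):
        """After a verified session opened with `presented`, install `new_pn`."""
        if presented not in self._slots[tag_id]:
            raise ValueError("pseudonym does not belong to this tag")
        for old in self._slots[tag_id]:
            if old is not None and old != presented:
                del self._index[old]      # evict the value the tag no longer holds
        self._slots[tag_id] = (presented, new_pn)
        self._index[new_pn] = tag_id

def demo():
    store, seen = PseudonymStore(), []
    pn0, pn1, pn2, pn3 = (fresh_pseudonym() for _ in range(4))
    store.enroll("tag-A", pn0)            # "tag-A" is a constructed T_id
    # Session 1: both sides complete and move from pn0 to pn1.
    seen.append(store.lookup(pn0))
    store.rotate("tag-A", pn0, pn1)
    # Session 2: server moves to pn2, but {T_s} is blocked, so the tag keeps pn1.
    seen.append(store.lookup(pn1))
    store.rotate("tag-A", pn1, pn2)
    # Session 3: the tag presents pn1 again; it resolves via the previous slot.
    seen.append(store.lookup(pn1))
    store.rotate("tag-A", pn1, pn3)
    # pn0 (two generations old) and pn2 (never reached the tag) no longer resolve.
    seen.append(store.lookup(pn0))
    seen.append(store.lookup(pn2))
    return seen
```

A pseudonym one generation old still resolves by design, so within that window rejection of a replayed $\{C, R, S\}$ rests on the fresh $V_s$ in the server's key computation rather than on this lookup.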

13) SECURITY AGAINST DoS ATTACK
It has already been shown that, in updating the tag pseudonym $T_{pn}$, the proposed scheme ensures availability and also prevents the de-synchronization attack. Furthermore, the update of the tag pseudonym $T_{pn}$ between tag and server is the only synchronous update. Hence security against the DoS attack is guaranteed.

14) SECURITY AGAINST IMPERSONATION ATTACK
An adversary eavesdropping on the communication channel can try to impersonate a valid server or tag.

i) The server impersonation attack, also known as the server spoofing attack, is one in which an adversary tries to mimic the behavior of a valid server. To do so, adversary A chooses a random integer $V_a$, calculates $P_a = V_a D$ and sends $\{P_a\}$ to the valid tag. The tag then produces the message $\{P_t, C, R, S\}$ and sends it to A. However, A is unable to find $X_{id}$ and compute the secret key $K$; in turn, it is unable to generate the message $\{T_s\}$ correctly, so its value is unequal to the tag-generated $\{T_t\}$. Thus, the tag ends the session because $T_s \neq T_t$. Adversary A therefore fails to mimic the behavior of a server, and security against the server impersonation attack is guaranteed, as shown in Figure 8a.

ii) The tag impersonation attack, also known as the tag masquerade attack, is one in which an adversary tries to mimic the behavior of a valid tag. When adversary A receives $\{P_s\}$ from a valid server, it generates the messages $\{P_a\}$ and $\{C, R, S\}$ and sends them to the server. The adversary is unable to obtain the tag identifier $T_{id}$ and the server identifier $X_{id}$, because only the legitimate tag and server know them, and therefore the message $\{C, R, S\}$ sent by the adversary is incorrect. When the valid server receives this incorrect message $\{C, R, S\}$ from the adversary, it decrypts the ciphertext $C$ to compute $R'$, but since $R' \neq R$, the authentication fails and the session is terminated. Thus security against the tag impersonation attack is guaranteed, as shown in Figure 8b.

15) SECURITY AGAINST MiM ATTACK
An adversary in the MiM attack tries to modify the messages transmitted from the tag to the server and vice versa. The adversary pretends to be a legitimate party and sends the modified messages to either the tag or the server [30]. As shown in section 6.2.6, security against server and tag impersonation attacks is guaranteed, and no illegitimate tag or server can initiate and complete a session successfully. Thus, security against the MiM attack is also guaranteed.

16) SECURITY AGAINST KEY COMPROMISE ATTACK
The server and the tag randomly generate the private keys $V_s$ and $V_t$ for each session, which are used to produce the secret key $K$, and an adversary is unable to generate this secret key due to HECDLP. Hence security against the key compromise attack is guaranteed.

VII. COMPARATIVE ANALYSIS
The proposed scheme's efficiency has been evaluated by measuring the common performance parameters that include computational, communication and storage overhead. This section provides the analysis of these overheads as well as the comparison of the results with the existing schemes.

A. OVERHEAD ANALYSIS

1) COMPUTATIONAL OVERHEAD
The computational overhead of an authentication scheme depends on the time consumed by the various operations performed by the protocol during its execution. In an ECC-based RFID authentication protocol, the computational time is related to the number of elliptic curve scalar multiplication (ECSM) operations. Similarly, in an HECC-based RFID authentication protocol, the computational time is related to the number of hyperelliptic curve divisor multiplication (HECDM) operations. The time consumed by the other operations in an authentication scheme is very small compared to the execution time of ECSM or HECDM and can therefore be ignored. According to [21], the time to compute a single ECSM operation is 0.064 s on a 5 MHz tag. Thus, we can assume the time to compute a single HECDM to be 0.032 s, because the 80-bit key and parameter size is half of the key and parameter size used in 160-bit ECC [51].
In the proposed RFID authentication scheme, the tag executes one HECDM operation and the server executes two HECDM operations. Therefore, the tag execution time is 0.032 s and the server execution time is 0.064 s, and the total time consumed by the server and the tag together is 0.096 s. Tables 8 and 9 compare the computational overhead with the current schemes [19], [27], [38], [41], [46]. Table 9 also provides the percentage improvement in efficiency of the proposed scheme. A graphical representation of the comparison is also shown in Figure 9.

Table 10 presents a comparison of the communication overhead and the improvement in efficiency over the current schemes [19], [38], [41], [46]. A graphical analysis of this comparison is also shown in Figure 10.

3) STORAGE OVERHEAD
The tag is required to store the hyperelliptic curve parameters $\{F_q, F_q^*, q, x, y, D\}$, the server public key $P_s$, the tag's private key $V_t$, the tag's public key $P_t$, the server identifier $X_{id}$, the tag's unique id $T_{id}$ and the unique pseudonyms of the tag $T_{pn}$ and $T_{pn}^{new}$. Since 80-bit HECC has been used, the size of each curve parameter is 80 bits. So the storage cost of the tag can be calculated as: 80 + 80 + 80 + 80 + 80 + 80 + 80 + 80 + 80 + 80 + 80 + 80 + 80 = 1040 bits. The server is required to store the system parameters $\{F_q, F_q^*, q, x, y, D\}$, the server private key $V_s$, the server identifier $X_{id}$, the tag unique identifier $T_{id}$, and the tag unique pseudonyms $T_{pn}$ and $T_{pn}^{new}$. It is assumed that the system has $m$ tags, so the storage cost of the server can be calculated as: 80 + 80 + 80 + 80 + 80 + 80 + 80 + 80 + 80m + 80m + 80m = 640 + 240m bits. Table 11 presents a comparison of the storage overhead and the improvement in efficiency over the current schemes [19], [38], [41], [46]. A graphical analysis of the comparison for the number of tags $m = 15$ is also shown in Figure 11.

B. COMPARISON OF SECURITY FUNCTIONALITIES
In this section the security requirements shown in section 6.1 and the potential to counter various attacks shown in section 6.2 are compared with the existing schemes [19], [38], [41], [46] as shown in Table 12.

VIII. CONCLUSION
RFID technology has become very popular due to its lower expense and improved speed. However, implementing security and privacy mechanisms is a major problem for RFID tags due to their low computational capacity. Previously, researchers suggested hash-based, SKC-based, and ECC-based protocols for RFID systems. However, some of these protocols failed to achieve the complete security requirements and some have high computational overhead. In this paper, we proposed a hyperelliptic curve Signcryption based RFID authentication scheme. The security and efficiency of the proposed scheme are based on 80-bit HEC as compared to 160-bit ECC. The proposed scheme achieves the security requirements for RFID systems such as authentication, confidentiality, non-repudiation, integrity, anonymity, forward security, availability, and scalability. Additionally, the proposed scheme provides security against replay, MiM, impersonation, cloning, location tracking, desynchronization, DoS, and key compromise attacks. Furthermore, the security of the proposed scheme is validated by using the AVISPA tool. The results for the performance parameters of the proposed scheme have been compared with the most recent RFID authentication protocols in terms of computation, communication, and storage overhead. Compared to the most recent protocol, our proposed scheme improves computational overhead by 70%, communication overhead by 42.7%, and storage overhead by 57.7%. Thus the proposed scheme is more efficient and provides enhanced security as compared to the existing schemes; therefore, it is an attractive solution for resource-limited devices like RFID systems.

IX. FUTURE WORK
In the future, we are planning to conduct a practical test to measure performance.

NAUMAN KHAN (Graduate Student Member, IEEE) received the master's degree from the University of Electronic Science and Technology of China, in 2016, where his research area was software-defined networking. He is currently pursuing the Ph.D. degree in computer science with the University of Malaya, Kuala Lumpur. He worked as a Network Engineer for more than three years in local and international IT companies. He is currently a Lecturer with the University of Malakand, Pakistan, and is sponsored for the Ph.D. degree through the Higher Education Commission of Pakistan, Faculty Development Program. He is CISCO (CCNA and CCNP) and Microsoft certified. His research interests include software-defined networking, network security, and the Internet of Things.

VOLUME 9, 2021