RFID Security: Tradeoffs between Security and Efficiency

We propose a model and definition for anonymous (group) identification that is well suited for RFID systems. This is based on the definition of Juels and Weis of strong privacy for RFID tags, where we add requirements for completeness and soundness. We also propose a weaker and more realistic definition of privacy. For the case where tags hold independent keys, we prove a conjecture by Juels and Weis, namely in a strongly private and sound RFID system using only symmetric cryptography, a reader must access virtually all keys in the system when reading a tag. It was already known from work by Molnar, Soppera and Wagner that when keys are dependent, the reader only needs to access a logarithmic number of keys, but at a cost in terms of privacy: For that system, privacy is lost if an adversary corrupts just a single tag. We propose protocols offering a new range of tradeoffs between security and efficiency. For instance, the number of keys accessed by a reader to read a tag can be significantly smaller than the number of tags while retaining soundness and privacy, as long as we assume suitable limitations on the adversary.