TL;DR: This protocol provides perfect security against an active, adaptive adversary corrupting t < n/3 players, which is optimal, and improves the efficiency of perfectly secure MPC protocols by a factor of Ω(n^2).
Abstract: Secure multi-party computation (MPC) allows a set of n players to securely compute an agreed function, even when up to t players are under the control of an adversary. Known perfectly secure MPC protocols require communication of at least Ω(n^3) field elements per multiplication, whereas cryptographic or unconditional security is possible with communication linear in the number of players. We present a perfectly secure MPC protocol communicating O(n) field elements per multiplication. Our protocol provides perfect security against an active, adaptive adversary corrupting t < n/3 players, which is optimal. Thus our protocol improves the security of the most efficient information-theoretically secure protocol at no extra cost, or equivalently improves the efficiency of perfectly secure MPC protocols by a factor of Ω(n^2). To achieve this, we introduce a novel technique: constructing detectable protocols with the help of so-called hyper-invertible matrices, which we believe to be of independent interest. Hyper-invertible matrices make it possible (among other things) to perform efficient correctness checks of many instances in parallel, which was until now possible only if an error probability was allowed.
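A hyper-invertible matrix is one in which every square submatrix (any set of rows together with any equally large set of columns) is invertible. The construction behind the abstract maps inputs x_1..x_n to outputs y_1..y_n by interpolating the degree < n polynomial through the points (α_i, x_i) and evaluating it at n further distinct points β_j; the property that the paper's detectable protocols build on is that any n of the 2n values (inputs and outputs together) determine the remaining n. The Python below is an added illustration, not code from the paper or its authors: it builds such a matrix over a toy prime field, checks hyper-invertibility exhaustively for a small n, and recovers the missing values from any n known ones. The modulus P, the evaluation points and all function names are choices made for this example.

```python
"""Hyper-invertible matrices over GF(P) (illustrative; not the paper's code)."""
from itertools import combinations

P = 2**31 - 1  # toy prime modulus chosen for the example


def inv(a, p=P):
    """Multiplicative inverse in GF(p) via Fermat."""
    return pow(a, p - 2, p)


def lagrange_basis(alphas, x, p=P):
    """Return [L_1(x), ..., L_n(x)] for the Lagrange basis through the points alphas."""
    out = []
    for i, ai in enumerate(alphas):
        num, den = 1, 1
        for k, ak in enumerate(alphas):
            if k != i:
                num = num * (x - ak) % p
                den = den * (ai - ak) % p
        out.append(num * inv(den, p) % p)
    return out


def hyper_invertible_matrix(alphas, betas, p=P):
    """Row j of M is [L_i(beta_j)]_i, so (M x)_j = f(beta_j) where f(alpha_i) = x_i.
    All 2n points alphas + betas must be distinct for M to be hyper-invertible."""
    return [lagrange_basis(alphas, b, p) for b in betas]


def matvec(M, x, p=P):
    return [sum(m * xi for m, xi in zip(row, x)) % p for row in M]


def det_mod(A, p=P):
    """Determinant over GF(p) by Gaussian elimination with row swaps."""
    A = [row[:] for row in A]
    n, det = len(A), 1
    for c in range(n):
        piv = next((r for r in range(c, n) if A[r][c] % p), None)
        if piv is None:
            return 0
        if piv != c:
            A[c], A[piv] = A[piv], A[c]
            det = -det
        det = det * A[c][c] % p
        ic = inv(A[c][c], p)
        for r in range(c + 1, n):
            f = A[r][c] * ic % p
            if f:
                A[r] = [(a - f * b) % p for a, b in zip(A[r], A[c])]
    return det % p


def is_hyper_invertible(M, p=P):
    """Exhaustive check: every square submatrix has non-zero determinant (small n only)."""
    n = len(M)
    for k in range(1, n + 1):
        for rows in combinations(range(n), k):
            for cols in combinations(range(n), k):
                if det_mod([[M[r][c] for c in cols] for r in rows], p) == 0:
                    return False
    return True


def solve_mod(A, b, p=P):
    """Solve A z = b over GF(p) for a square invertible A (Gauss-Jordan)."""
    n = len(A)
    aug = [row[:] + [bi] for row, bi in zip(A, b)]
    for c in range(n):
        piv = next(r for r in range(c, n) if aug[r][c] % p)
        aug[c], aug[piv] = aug[piv], aug[c]
        ic = inv(aug[c][c], p)
        aug[c] = [v * ic % p for v in aug[c]]
        for r in range(n):
            if r != c and aug[r][c]:
                f = aug[r][c]
                aug[r] = [(a - f * b_) % p for a, b_ in zip(aug[r], aug[c])]
    return [row[n] for row in aug]


def recover(M, known_x, known_y, p=P):
    """Given any n of the 2n values (x_1..x_n, y_1..y_n) with y = M x, return all of x and y.
    known_x and known_y map indices to values; together they must hold exactly n entries."""
    n = len(M)
    assert len(known_x) + len(known_y) == n
    unknown = [i for i in range(n) if i not in known_x]
    rows = sorted(known_y)
    # Each known y_j yields one linear equation in the unknown x's; the coefficient
    # matrix is a square submatrix of M, hence invertible by hyper-invertibility.
    A = [[M[j][i] for i in unknown] for j in rows]
    b = [(known_y[j] - sum(M[j][i] * known_x[i] for i in known_x)) % p for j in rows]
    sol = solve_mod(A, b, p)
    x = [known_x[i] if i in known_x else sol[unknown.index(i)] for i in range(n)]
    return x, matvec(M, x, p)
```

The exhaustive check is only feasible for tiny n (there are Σ_k C(n,k)^2 submatrices); for the sizes used in MPC the property is guaranteed by the interpolation argument rather than tested. The interesting call is recover: hand it two inputs and two outputs of a 4×4 instance and it reconstructs the rest, which is the reason a faulty input cannot hide behind the outputs that are opened for checking.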
TL;DR: A variant of Burmester-Desmedt group key agreement protocol is presented and enhanced to dynamic setting where a set of users can leave or join the group at any time during protocol execution with updated keys.
Abstract: In this paper, we present and analyze a variant of the Burmester-Desmedt group key agreement protocol (BD) and enhance it to the dynamic setting, where a set of users can leave or join the group at any time during protocol execution with updated keys. In contrast to the BD protocol, we refer to our protocol as the DB protocol. Although the DB protocol is similar to the BD protocol, there are subtle differences between them: 1) key computation in the DB protocol is different from and simpler than that in the BD protocol, with the same complexity as BD; 2) the number of rounds required in our authenticated DB protocol is one less than that in the authenticated BD protocol introduced by Katz-Yung; 3) the DB protocol is more flexible than the BD protocol in the sense that it is dynamic: the reusability of a user's precomputed data from the previous session enables the join and leave algorithms of the DB protocol to reduce most users' computation, which can be useful in real-life applications; and 4) the DB protocol can detect the presence of corrupted group members, although one cannot detect which group members are behaving improperly.
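The Burmester-Desmedt protocol that the abstract builds on is a two-round, broadcast-only group key agreement: in round one each U_i broadcasts z_i = g^{r_i}, in round two each broadcasts X_i = (z_{i+1}/z_{i-1})^{r_i}, and every member then derives the same K = g^{r_1 r_2 + r_2 r_3 + ... + r_n r_1} from its own r_i and the broadcasts. The Python below is an added reference implementation of the original BD protocol (not the DB variant, whose key computation the abstract does not spell out, and not the authors' code), over a toy Schnorr group that is far too small for real use. The product check at the end is my own illustration of noticing that some member broadcast inconsistent values without learning which one: honest X_i values multiply to g^0 = 1 because their exponents telescope.

```python
"""Burmester-Desmedt group key agreement (added example, toy parameters)."""
import secrets

# Toy Schnorr group (assumption for the example): p = 2q + 1, q prime, g of order q.
P, Q, G = 1019, 509, 4


def round1(n):
    """Each U_i picks a secret r_i and broadcasts z_i = g^{r_i}."""
    r = [secrets.randbelow(Q - 1) + 1 for _ in range(n)]
    z = [pow(G, ri, P) for ri in r]
    return r, z


def round2(r, z):
    """Each U_i broadcasts X_i = (z_{i+1} / z_{i-1})^{r_i}, indices taken mod n."""
    n = len(z)
    X = []
    for i in range(n):
        nxt, prv = z[(i + 1) % n], z[(i - 1) % n]
        X.append(pow(nxt * pow(prv, -1, P) % P, r[i], P))
    return X


def key_of(i, r, z, X):
    """U_i's key: z_{i-1}^{n r_i} * X_i^{n-1} * X_{i+1}^{n-2} * ... * X_{i+n-2}^{1}.
    The exponent collapses to r_1 r_2 + r_2 r_3 + ... + r_n r_1, the same for every i."""
    n = len(z)
    k = pow(z[(i - 1) % n], n * r[i], P)
    for j in range(n - 1):
        k = k * pow(X[(i + j) % n], n - 1 - j, P) % P
    return k


def consistency_check(X):
    """Illustrative presence check (not the paper's DB mechanism): for honest
    broadcasts the X_i multiply to g^0 = 1, so any other product proves that
    at least one member misbehaved, without identifying which."""
    prod = 1
    for x in X:
        prod = prod * x % P
    return prod == 1


def run_bd(n):
    """Run both rounds for n members and return secrets, broadcasts and derived keys."""
    r, z = round1(n)
    X = round2(r, z)
    keys = [key_of(i, r, z, X) for i in range(n)]
    return r, z, X, keys


if __name__ == "__main__":
    r, z, X, keys = run_bd(5)
    print("all members agree:", len(set(keys)) == 1, "consistent:", consistency_check(X))
```

Unauthenticated BD, as written here, offers nothing against an active attacker who replaces broadcasts; that is what the Katz-Yung compiler adds and what item 2) of the abstract counts rounds against. The product check catches a member whose X_i does not fit the others' broadcasts, but a member who picks r_i dishonestly yet computes X_i correctly passes it, which is one reason such checks reveal presence rather than identity.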
TL;DR: This analysis evaluates the composition of key exchange functionalities realized by the TLS handshake with the message transmission of the TLS record layer to emulate secure communication sessions, and is based on the adaptation of the secure channel model of Canetti and Krawczyk to the setting where peer identities are not necessarily known prior to the protocol invocation and may remain undisclosed.
Abstract: We present a security analysis of the complete TLS protocol in the Universal Composability security framework. This analysis evaluates the composition of key exchange functionalities realized by the TLS handshake with the message transmission of the TLS record layer to emulate secure communication sessions, and is based on the adaptation of the secure channel model of Canetti and Krawczyk to the setting where peer identities are not necessarily known prior to the protocol invocation and may remain undisclosed. Our analysis shows that TLS, including the Diffie-Hellman and key transport suites in the uni-directional and bi-directional models of authentication, securely emulates secure communication sessions.
TL;DR: In this paper, the authors proposed a UC commitment protocol that requires only a single party (Goliath) to be capable of generating tokens, and constructed a more efficient version that makes computational assumptions only about David (we require only the existence of a one-way function).
Abstract: Designing secure protocols in the Universal Composability (UC) framework confers many advantages. In particular, it allows the protocols to be securely used as building blocks in more complex protocols, and assists in understanding their security properties. Unfortunately, most existing models in which universally composable computation is possible (for useful functionalities) require a trusted setup stage. Recently, Katz [Eurocrypt '07] proposed an alternative to the trusted setup assumption: tamper-proof hardware. Instead of trusting a third party to correctly generate the setup information, each party can create its own hardware tokens, which it sends to the other parties. Each party is only required to trust that its own tokens are tamper-proof.
Katz designed a UC commitment protocol that requires both parties to generate hardware tokens. In addition, his protocol relies on a specific number-theoretic assumption. In this paper, we construct UC commitment protocols for "David" and "Goliath": we only require a single party (Goliath) to be capable of generating tokens. We construct a version of the protocol that is secure for computationally unbounded parties, and a more efficient version that makes computational assumptions only about David (we require only the existence of a one-way function). Our protocols are simple enough to be performed by hand on David's side.
These properties may allow such protocols to be used in situations which are inherently asymmetric in real-life, especially those involving individuals versus large organizations. Classic examples include voting protocols (voters versus "the government") and protocols involving private medical data (patients versus insurance-agencies or hospitals).
TL;DR: These results show that implementing FL-PQM requires active cooperation from all of the intermediate nodes along the path, which may be problematic in the Internet, where links operate at extremely high speeds, and intermediate nodes are owned by competing business entities with little incentive to cooperate.
Abstract: A secure failure-localization path-quality-monitoring (FL-PQM) protocol allows a sender to localize faulty links on a single path through a network to a receiver, even when intermediate nodes on the path behave adversarially. Such protocols were proposed as tools that enable Internet service providers to select high-performance paths through the Internet, or to enforce contractual obligations. We give the first formal definitions of security for FL-PQM protocols and construct: 1. A simple FL-PQM protocol that can localize a faulty link every time a packet is not correctly delivered. This protocol's communication overhead is O(1) additional messages of length O(n) per packet (where n is the security parameter). 2. A more efficient FL-PQM protocol that can localize a faulty link when a noticeable fraction of the packets sent during some time period are not correctly delivered. The number of additional messages is an arbitrarily small fraction of the total number of packets. We also prove lower bounds for such protocols: 1. Every secure FL-PQM protocol requires each intermediate node on the path to have some shared secret information (e.g. keys). 2. If secure FL-PQM protocols exist then so do one-way functions. 3. Every black-box construction of an FL-PQM protocol from a random oracle that securely localizes every packet and adds at most O(log n) messages of overhead per packet requires each intermediate node to invoke the oracle.
These results show that implementing FL-PQM requires active cooperation (i.e. maintaining keys and agreeing on, and performing, cryptographic protocols) from all of the intermediate nodes along the path. This may be problematic in the Internet, where links operate at extremely high speeds, and intermediate nodes are owned by competing business entities with little incentive to cooperate.
TL;DR: The key contribution of this work is an approach for automated formal verification of sensor network security protocols that is sound and complete within bounds, i.e. if it reports a fault scenario for a protocol, there is indeed a fault and the framework terminates for a network topology of given size; otherwise no faults in the protocol are present that can be exploited in the network topologies of that size or less using the given intrusion model.
Abstract: Finding flaws in security protocol implementations is hard. Finding flaws in the implementations of sensor network security protocols is even harder, because they are designed to protect against more system failures than traditional protocols. Formal verification techniques such as model checking, theorem proving, etc., have been very successful in the past in detecting faults in security protocol specifications; however, they generally require that a formal description of the protocol, often called a model, is developed before the verification can start. There are three factors that make model construction, and as a result formal verification, hard. First, knowledge of the specialized language used to construct the model is necessary. Second, upfront effort is required to produce an artifact that is only useful during verification, which might be considered wasteful by some, and third, manual model construction is error prone and may lead to inconsistencies between the implementation and the model. The key contribution of this work is an approach for automated formal verification of sensor network security protocols. The technical underpinnings of our approach include a technique for automatically extracting a model from the nesC implementation of a security protocol, a technique for composing this extracted model with models of intrusion and network topologies, and a technique for translating the results of the verification process into domain terms. Our approach is sound and complete within bounds, i.e. if it reports a fault scenario for a protocol, there is indeed a fault, and our framework terminates for a network topology of a given size; otherwise no faults are present in the protocol that can be exploited in network topologies of that size or less using the given intrusion model. Our approach also does not require upfront model construction, which significantly decreases the cost of verification.
TL;DR: In this paper, the authors prove lower bounds and impossibility results for secure protocols in the setting of concurrent self composition, where a single protocol is executed many times concurrently in a network.
Abstract: In the setting of concurrent self composition, a single protocol is executed many times concurrently in a network. In this paper, we prove lower bounds and impossibility results for secure protocols in this setting. First and foremost, we prove that there exist large classes of functionalities that cannot be securely computed under concurrent self composition, by any protocol. We also prove a communication complexity lower bound on protocols that securely compute a large class of functionalities in this setting. Specifically, we show that any protocol that computes a functionality from this class and remains secure for m concurrent executions, must have bandwidth of at least m bits. The above results are unconditional and hold for any type of simulation (i.e., even for non-black-box simulation). In addition, we prove a severe lower bound on protocols that are proven secure using black-box simulation. Specifically, we show that any protocol that computes the blind signature or oblivious transfer functionalities and remains secure for m concurrent executions, where security is proven via black-box simulation, must have at least m rounds of communication. Our results hold for the plain model, where no trusted setup phase is assumed. While proving our impossibility results, we also show that for many functionalities, security under concurrent self composition (where a single secure protocol is run many times) is actually equivalent to the seemingly more stringent requirement of security under concurrent general composition (where a secure protocol is run concurrently with other arbitrary protocols). This observation has significance beyond the impossibility results that are derived by it for concurrent self composition.
TL;DR: The authors study the design of adaptively secure blind signatures in the universal composability (UC) setting and present a general construction methodology for building adaptively secure UC blind signatures, whose starting point is a 2-move "equivocal lite blind signature".
Abstract: We study the design of adaptively secure blind signatures in the universal composability (UC) setting. First, we introduce a new property for blind signature schemes that is suitable for arguing security against adaptive adversaries: an equivocal blind signature is a blind signature where there exists a simulator that has the power of making signing transcripts correspond to any message-signature pair. Second, we present a general construction methodology for building adaptively secure blind signatures: the starting point is a 2-move "equivocal lite blind signature", a lightweight 2-party signature protocol that we formalize and implement both generically as well as concretely; formalizing a primitive as "lite" means that the adversary is required to show all private tapes of adversarially controlled parties; this enables us to conveniently separate zero-knowledge (ZK) related security requirements from the remaining security properties in the blind signature design methodology. Next, we focus on the suitable ZK protocols for blind signatures. We formalize two special ZK ideal functionalities, single-verifier-ZK (SVZK) and single-prover-ZK (SPZK), both special cases of multi-session ZK that may be of independent interest, and we investigate the requirements for realizing them in a commit-and-prove fashion as building blocks for adaptively secure UC blind signatures. Regarding SPZK we find the rather surprising result that realizing it only against static adversaries is sufficient to obtain adaptive security for UC blind signatures.
We instantiate all the building blocks of our design methodology both generically based on the blind signature construction of Fischlin as well as concretely based on the 2SDH assumption of Okamoto, thus demonstrating the feasibility and practicality of our approach. The latter construction yields the first practical UC blind signature that is secure against adaptive adversaries. We also present a new more general modeling of the ideal blind signature functionality.
TL;DR: This paper analyzes the security of previously proposed buyer-seller watermarking protocols and proposes a secure and anonymous protocol that simultaneously solves the piracy tracing problem, the customer's rights problem, and the unbinding problem, with security properties that ensure the design requirements are fulfilled.
Abstract: Buyer-seller watermarking protocols incorporate digital watermarking with cryptography, in order to protect digital copyrights and privacy rights for the seller and the buyer before, during, and after purchase activities in e-commerce. In this paper, we analyze the security of some previously proposed protocols, and propose a secure and anonymous buyer-seller watermarking protocol. In contrast to early work, our improvement on the protocol's security properties ensures that the design requirements are fulfilled. The proposed protocol is able to simultaneously solve the piracy tracing problem, the customer's rights problem, the unbinding problem, the anonymity problem, the conspiracy problem, and the dispute problem. In the proposed protocol, a buyer can purchase digital contents anonymously but his anonymity can be revoked as soon as he is adjudicated to be guilty by a legal institute, such as civil court.
TL;DR: This paper shows how to remove the interaction requirement in an OT protocol when parties participating in the protocol have access to slightly modified Trusted Platform Modules, and constructs a new cryptographic primitive called "generalized non-interactive oblivious transfer"(GNIOT).
Abstract: Oblivious transfer (OT) is a fundamental primitive used in many cryptographic protocols, including general secure function evaluation (SFE) protocols. However, interaction is a primary feature of any OT protocol. In this paper, we show how to remove the interaction requirement in an OT protocol when the parties participating in the protocol have access to slightly modified Trusted Platform Modules, as defined by Sarmenta et al. in proposing the notion of count-limited objects (clobs) [8]. Specifically, we construct a new cryptographic primitive called "generalized non-interactive oblivious transfer" (GNIOT). While it is possible to perform GNIOT using clobs in a straightforward manner, with multiple clobs, we show how to perform this efficiently, by using a single clob regardless of the number of values that need to be exchanged in an oblivious manner. Additionally, we provide clear definitions and a formal proof of the security of our construction. We apply this primitive to mobile agent applications and outline a new secure agent protocol called the GTX protocol, which provides the same security guarantees as existing agent protocols while removing the need for interaction, thus improving efficiency.
TL;DR: A variant of Merkle's protocol whose security can be based on the one-wayness of the underlying primitive is suggested, together with a paradigm for converting (unconditionally) secure protocols in Maurer's bounded storage model into (computationally) secure protocols in the random oracle model.
Abstract: In one of the pioneering papers on public-key cryptography, Ralph Merkle suggested a heuristic protocol for exchanging a secret key over an insecure channel by using an idealized private-key encryption scheme. Merkle's protocol is presumed to remain secure as long as the gap between the running time of the adversary and that of the honest parties is at most quadratic (rather than super-polynomial). In this work, we initiate an effort to base similar forms of public-key cryptography on well-founded assumptions.
We suggest a variant of Merkle's protocol whose security can be based on the one-wayness of the underlying primitive. Specifically, using a one-way function of exponential strength, we obtain a key agreement protocol resisting adversaries whose running time is nearly quadratic in the running time of the honest parties. This protocol gives the adversary a small (but non-negligible) advantage in guessing the key. We show that the security of the protocol can be amplified by using a one-way function with a strong form of a hard-core predicate, whose existence follows from a conjectured "dream version" of Yao's XOR lemma. On the other hand, we show that this type of hard-core predicate cannot be based on (even exponentially strong) one-wayness by using a black-box construction.
In establishing the above results, we reveal interesting connections between the problem under consideration and problems from other domains. In particular, we suggest a paradigm for converting (unconditionally) secure protocols in Maurer's bounded storage model into (computationally) secure protocols in the random oracle model, translating storage advantage into computational advantage. Our main protocol can be viewed as an instance of this paradigm. Finally, we observe that a quantum adversary can completely break the security of our protocol (as well as Merkle's heuristic protocol) by using the quadratic speedup of Grover's quantum search algorithm. This raises a speculation that there might be a closer relation between (classical) public-key cryptography and quantum computing than is commonly believed.
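Merkle's protocol in concrete form, to make the quadratic gap in the abstract tangible: Alice publishes N puzzles, each hiding an identifier and a key under a puzzle key drawn from a space of size N, so a single puzzle costs at most N trials to solve by exhaustive search; Bob solves one puzzle chosen at random and announces its identifier in the clear; Eve, who sees only the puzzles and the identifier, must solve puzzles until she hits that identifier, about N/2 of them, for roughly N^2/4 trials. The Python below is an added illustration, not the paper's construction or code: the "idealized private-key encryption" is a hash-derived mask, an oracle wrapper counts hash evaluations so the work of each party can be compared, and N, the seed and the field widths are parameters chosen for this example.

```python
"""Merkle puzzles with a work counter (added example; toy parameters)."""
import hashlib
import random

N = 64                      # number of puzzles == size of each puzzle's key space (toy)
ID_LEN, KEY_LEN, TAG_LEN = 4, 16, 4
PAYLOAD_LEN = ID_LEN + KEY_LEN + TAG_LEN


class Oracle:
    """The idealized primitive (here SHA-256), instrumented to count evaluations."""

    def __init__(self):
        self.calls = 0

    def mask(self, nonce, s):
        self.calls += 1
        return hashlib.sha256(nonce + s.to_bytes(4, "big")).digest()[:PAYLOAD_LEN]


def make_puzzles(rng, oracle, n=N):
    """Alice: n puzzles, puzzle i hides (id_i, key_i, zero tag) under puzzle key s_i < n."""
    puzzles, table = [], {}
    for i in range(n):
        ident = i.to_bytes(ID_LEN, "big")
        key = bytes(rng.getrandbits(8) for _ in range(KEY_LEN))
        nonce = bytes(rng.getrandbits(8) for _ in range(8))
        s = rng.randrange(n)
        payload = ident + key + bytes(TAG_LEN)
        ct = bytes(a ^ b for a, b in zip(payload, oracle.mask(nonce, s)))
        puzzles.append((nonce, ct))
        table[ident] = key
    rng.shuffle(puzzles)  # the position of a puzzle must not leak its identifier
    return puzzles, table


def solve(puzzle, oracle, n=N):
    """Exhaustive search over the puzzle key space; the zero tag marks the right key."""
    nonce, ct = puzzle
    for s in range(n):
        pt = bytes(a ^ b for a, b in zip(ct, oracle.mask(nonce, s)))
        if pt[ID_LEN + KEY_LEN:] == bytes(TAG_LEN):
            return pt[:ID_LEN], pt[ID_LEN:ID_LEN + KEY_LEN]
    return None


def bob(puzzles, rng, oracle):
    """Bob solves one random puzzle; he sends ident in the clear and keeps key."""
    return solve(rng.choice(puzzles), oracle)


def eve(puzzles, ident, oracle):
    """Eve solves puzzles in turn until one carries the announced identifier."""
    for pz in puzzles:
        got = solve(pz, oracle)
        if got and got[0] == ident:
            return got[1]
    return None


def run(seed=1, n=N):
    """One protocol run; returns the keys each party ends with and their oracle counts."""
    rng = random.Random(seed)  # seeded only so the example is reproducible
    o_alice, o_bob, o_eve = Oracle(), Oracle(), Oracle()
    puzzles, table = make_puzzles(rng, o_alice, n)
    ident, bob_key = bob(puzzles, rng, o_bob)
    return {
        "alice_key": table[ident], "bob_key": bob_key, "eve_key": eve(puzzles, ident, o_eve),
        "alice_work": o_alice.calls, "bob_work": o_bob.calls, "eve_work": o_eve.calls,
    }


if __name__ == "__main__":
    r = run()
    print({k: v for k, v in r.items() if k.endswith("_work")}, "N^2 =", N * N)
```

Alice spends exactly N oracle calls and Bob at most N, while Eve's count lands around N^2/4: the honest parties' cost is linear and the attacker's quadratic, which is the whole gap Merkle's idea buys. Grover's algorithm gives a quantum adversary a √N-step search over each puzzle's key space, collapsing Eve's N^2 to roughly N, which is the observation in the abstract's last paragraph.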
TL;DR: This paper adopts the Finite State Machine protocol model and studies two formal methods for protocol synthesis: an active black-box checking algorithm that has provable optimality and a passive trace minimization algorithm that is less accurate but much more efficient.
Abstract: Network-based fuzz testing has become an effective mechanism to ensure the security and reliability of communication protocol systems. However, fuzz testing is still conducted in an ad-hoc manner with considerable manual effort, mainly due to the unavailability of a protocol model. In this paper we present our on-going work on developing an automated and measurable protocol fuzz testing approach that uses a formally synthesized approximate protocol specification to guide the testing process. We adopt the Finite State Machine protocol model and study two formal methods for protocol synthesis: an active black-box checking algorithm that has provable optimality and a passive trace minimization algorithm that is less accurate but much more efficient. We also present our preliminary results of applying this method to implementations of the MSN instant messaging protocol: the MSN clients Gaim (pidgin) and aMSN. Our testing reveals some serious reliability and security flaws by automatically crashing both of them.
TL;DR: A class of protocols for which secrecy for an unbounded number of sessions is decidable is characterized, via a simple transformation which maps a protocol that is secure for a single protocol session (a decidable problem) to a protocol that is secure for an unbounded number of sessions.
Abstract: The design and verification of cryptographic protocols is a notoriously difficult task, even in abstract Dolev-Yao models. This is mainly due to several sources of unboundedness (size of messages, number of sessions, ...). In this paper, we characterize a class of protocols for which secrecy for an unbounded number of sessions is decidable. More precisely, we present a simple transformation which maps a protocol that is secure for a single protocol session (a decidable problem) to a protocol that is secure for an unbounded number of sessions.
Our result provides an effective strategy to design secure protocols: (i) design a protocol intended to be secure for one protocol session (this can be verified with existing automated tools); (ii) apply our transformation and obtain a protocol which is secure for an unbounded number of sessions. The proof of our result is closely tied to a particular constraint solving procedure by Comon-Lundh et al.
TL;DR: In this article, the UC-security against non-adaptive adversaries is equivalent to the definition of invisibility and the strong unforgeability in -hybrid model, where is the ideal ZK functionality, and the result of equivalence implies that all the known proven secure undeniable signature schemes are UC-secure if the confirmation/disavowal protocols are both UC zero-knowledge.
Abstract: How to define the security of undeniable signature schemes is a challenging task. This paper presents two security definitions of undeniable signature schemes which are more useful or natural than the existing definition. It then proves their equivalence.
We first define the UC-security, where UC means universal composability. We next show that there exists a UC-secure undeniable signature scheme which does not satisfy the standard definition of security that has been believed to be adequate so far. More precisely, it does not satisfy the invisibility defined by [10]. We then show a more adequate definition of invisibility which captures a wider class of (naturally secure) undeniable signature schemes.
We finally prove that the UC-security against non-adaptive adversaries is equivalent to this definition of invisibility and the strong unforgeability in -hybrid model, where is the ideal ZK functionality. Our result of equivalence implies that all the known proven secure undeniable signature schemes (including Chaum's scheme) are UC-secure if the confirmation/disavowal protocols are both UC zero-knowledge.
TL;DR: This paper presents necessary and sufficient conditions for the enactability of a protocol as well as a decision procedure for extracting correct roles from enactable protocols.
Abstract: Protocols specifying business interactions among autonomous parties enable reuse and promote interoperability. A protocol is specified from a global viewpoint, but enacted in a distributed manner by (agents playing) different roles. Each role describes a local representation. An ill-specified protocol may yield roles that fail to produce correct enactments of the protocol. Existing approaches lack a formal and comprehensive treatment of this problem. Building on recent work on declaratively specifying a protocol as a set of rules of causal logic, this paper formally defines the enactability of protocols. It presents necessary and sufficient conditions for the enactability of a protocol as well as a decision procedure for extracting correct roles from enactable protocols.
TL;DR: In this paper, a general computational framework, called Sequential Probabilistic Process Calculus (SPPC), is used to clarify the relationships between the simulation-based security conditions, which are carried out based on a small set of equivalence principles involving processes and distributed systems.
Abstract: Several compositional forms of simulation-based security have been proposed in the literature, including Universal Composability, Black-Box Simulatability, and variants thereof. These relations between a protocol and an ideal functionality are similar enough that they can be ordered from strongest to weakest according to the logical form of their definitions. However, determining whether two relations are in fact identical depends on some subtle features that have not been brought out in previous studies. We identify two main factors: the position of a “master process” in the distributed system and some limitations on transparent message forwarding within computational complexity bounds. Using a general computational framework, called Sequential Probabilistic Process Calculus (SPPC), we clarify the relationships between the simulation-based security conditions. Many of the proofs are carried out based on a small set of equivalence principles involving processes and distributed systems. These equivalences exhibit the essential properties needed to prove relationships between security notions and allow us to carry over our results to those computational models which satisfy these equivalences.
TL;DR: A 2-phase strategy based on the UML state machine and sequence diagram is introduced to verify properties of communication protocols with SPIN, and the results are compared with the developed UML models.
Abstract: The need for communication protocols in today's environment grows as fast as the network expands. Many new kinds of protocols, e.g. for information sharing, security, etc., are being developed day by day, which often leads to rapid, premature development. Many protocols fail to satisfy important properties like deadlock and livelock freedom, since model-driven architecture (MDA) focuses on rapid development rather than on the quality of the developed models. To address this, we introduce a 2-phase strategy based on the UML state machine and sequence diagram. The state machine is converted into PROMELA code as the protocol model, and its properties are derived from the sequence diagram as Linear Temporal Logic (LTL) formulas through automation. The PROMELA code is interpreted by the SPIN model checker, which simulates the behavior of the protocol. The automatically generated LTL properties are then supplied to SPIN for verification of the protocol properties. The results are compared between the developed UML model and the SPIN-simulated model. Our test results encourage the designer to check the expected results against the system design and to identify errors that go unnoticed during the design phase.
TL;DR: The verification of security protocols has attracted a lot of interest in the formal methods community, and as a result many verification techniques and tools, as well as good practices for protocol design, have appeared in the last two decades.
Abstract: Security protocols aim to allow two or more principals to establish a secure communication over a hostile network, such as the Internet. The design of security protocols is particularly error-prone, because it is difficult to anticipate what an intruder may achieve by interacting through a number of protocol runs, claiming to be an honest participant. Thus, the verification of security protocols has attracted a lot of interest in the formal methods community, and as a result many verification techniques and tools, as well as good practices for protocol design, have appeared in the last two decades. In this paper, we describe the state of the art in automated tools that support security protocol development. This mainly involves tools for protocol verification and, to a lesser extent, for protocol synthesis and protocol diagnosis and repair. Also, we give an overview of the most significant principles for the design of security protocols and of the major problems that still need to be addressed in order to ease the development of security protocols.
TL;DR: A certificateless authenticated group key agreement protocol is proposed based on CCEGK and EAGKA that satisfies security requirements and is suitable for dynamic membership events.
Abstract: As the need for applications such as video conferencing and interactive chatting grows, secure group communication is an important research area. Security in these applications is necessary to provide services like privacy, data integrity, and non-repudiation to group members. A naive way to achieve security in such groups is to have a secret key shared among every node. This task is achieved by means of a contributory group key agreement protocol, in which each member directly contributes to key management and generation. In 2007, Heo et al. [4] proposed a certificateless authenticated group key agreement (CAGKA) protocol. While their protocol provides efficient communication and computation complexity, it does not provide the (perfect) forward secrecy desired for a secure group key agreement protocol. In this paper, a certificateless authenticated group key agreement protocol is proposed based on CCEGK and EAGKA. The proposed protocol also satisfies the security requirements and is suitable for dynamic membership events.
TL;DR: The Generalized Universal Composability (GUC) framework is introduced to extend the UC security notion and re-establish its original intuitive security guarantees even for protocols that use global trusted setups; in particular, it guarantees that secure protocols provide the same level of deniability as the task specification they implement.
Abstract: Modeling security for protocols running in the complex network environment of the Internet can be a daunting task. Ideally, a security model for the Internet should provide the following guarantee: a protocol that "securely" implements a particular task specification will retain all the same security properties as the specification itself, even when an arbitrary set of protocols runs concurrently on the same network. This guarantee must hold even when other protocols are maliciously designed to interact badly with the analyzed protocol, and even when the analyzed protocol is composed with other protocols. The popular Universal Composability (UC) security framework aims to provide this guarantee.
Unfortunately, such strong security guarantees come with a price: they are impossible to achieve without the use of some trusted setup. Typically, this trusted setup is global in nature, and takes the form of a Public Key Infrastructure (PKI) and/or a Common Reference String (CRS). However, the current approach to modeling security in the presence of such setups falls short of providing expected security guarantees. A quintessential example of this phenomenon is the deniability concern: there exist natural protocols that meet the strongest known security notions (including UC) while failing to provide the same deniability guarantees that their task specifications imply they should provide.
We introduce the Generalized Universal Composability (GUC) framework to extend the UC security notion and enable the re-establishment of its original intuitive security guarantees even for protocols that use global trusted setups. In particular, GUC enables us to guarantee that secure protocols will provide the same level of deniability as the task specification they implement. To demonstrate the usefulness of the GUC framework, we first apply it to the analysis and construction of deniable authentication protocols. Building upon such deniable authentication protocols, we then prove a general feasibility result showing how to construct protocols satisfying our security notion for a large class of two-party and multi-party tasks (assuming the availability of some reasonable trusted setup). Finally, we highlight the practical applicability of GUC by constructing efficient protocols that securely instantiate two common cryptographic tasks: commitments and zero-knowledge proofs.
TL;DR: This paper presents a language to specify object protocols along with their protocol invariants, and a tool, INVCOP++, to check if a program satisfies a protocol invariant, and shows that statically checking protocol correctness greatly optimizes the overhead of checking program conformance, thus enabling API clients to test whether their programs use the API as intended by the API designer.
Abstract: In this paper, we consider object protocols that constrain interactions between objects in a program. Several such protocols have been proposed in the literature. For many APIs (such as JDOM, JDBC), API designers constrain how API clients interact with API objects. In practice, API clients violate such constraints, as evidenced by postings in discussion forums for these APIs. Thus, it is important that API designers specify constraints using appropriate object protocols and enforce them. The goal of an object protocol is expressed as a protocol invariant. Fundamental properties such as ownership can be expressed as protocol invariants. We present a language, PROLANG, to specify object protocols along with their protocol invariants, and a tool, INVCOP++, to check if a program satisfies a protocol invariant. INVCOP++ separates the problem of checking if a protocol satisfies its protocol invariant (called protocol correctness), from the problem of checking if a program conforms to a protocol (called program conformance). The former is solved using static analysis, and the latter using runtime analysis. Due to this separation (1) errors made in protocol design are detected at a higher level of abstraction, independent of the program's source code, and (2) performance of conformance checking is improved as protocol correctness has been verified statically. We present theoretical guarantees about the way we combine static and runtime analysis, and empirical evidence that our tool INVCOP++ finds usage errors in widely used APIs. We also show that statically checking protocol correctness greatly optimizes the overhead of checking program conformance, thus enabling API clients to test whether their programs use the API as intended by the API designer.
TL;DR: An optimistic fair exchange protocol is constructed that is applicable to any digital signature by prescribing three forms of signatures, namely presignature, post-signature and notarised signature, and its security in the universal composability framework is proved.
Abstract: Fair exchange protocols allow both or neither of two parties to obtain the other's items, and this property is essential in e-commerce. In this paper, we construct an optimistic fair exchange protocol that is applicable to any digital signature by prescribing three forms of signatures, namely presignature, post-signature and notarised signature. We set an expiration date for presignature, and thus realise the timely termination of the protocol. Next, we define an ideal functionality of fair exchange protocols in the universal composability framework. Then, we construct an optimistic fair exchange protocol based on the above protocol, and prove its security in the universal composability framework.
TL;DR: A secure cluster routing protocol based on chaotic encryption as well as a conventional symmetric encryption scheme is proposed, which has a balance between resource and security and is improved with a low cost.
Abstract: Security mechanisms for wireless sensor networks (WSN) face a great challenge due to the restriction of their small sizes and limited energy. Hence, many protocols for WSN are not designed with the consideration of security. Chaotic cryptosystems have the advantages of high security and little cost of time and space, so this paper proposes a secure cluster routing protocol based on chaotic encryption as well as a conventional symmetric encryption scheme. First, a principal-subordinate chaotic function called N-Logistic-tent is proposed. Data range is thus enlarged as compared to the basic Logistic map and the security is enhanced. In addition, the computation is easier, which does not take much resource. Then, a secure protocol is designed based on it. Most communication data are encrypted by chaotic keys except the initialization by the base station. Analysis shows that the security of the protocol is improved with a low cost, and it has a balance between resource and security.
TL;DR: It is shown that two is the minimum possible number of rounds and that any 2-round UC-secure GKE requires at least as many messages as the protocol when no session identities are provided by external mechanisms.
Abstract: The universal composability (UC) framework by Canetti [15] is a general-purpose framework for designing secure protocols. It ensures the security of UC-secure protocols under arbitrary compositions. As key exchange protocols (KEs) belong to the most used cryptographic mechanisms, some research has been done on UC-secure 2-party KEs. However, the only result regarding UC-secure group key exchange protocols (GKEs) is a generic method presented by Katz and Shin [35]. It allows one to turn any GKE protocol that fulfills certain security requirements into a UC-secure variant. This yields GKE protocols which require at least five communication rounds in practice when no session identities are provided by external mechanisms. Up to now, no effort has been taken to design dedicated UC-secure GKE protocols with a lower communication complexity.
In this paper, we propose a new UC-secure GKE which needs only two rounds. We show that two is the minimum possible number of rounds and that any 2-round UC-secure GKE requires at least as many messages as our protocol. The proof of security relies on a new assumption which is a combination of the decision bilinear Diffie-Hellman assumption and the linear Diffie-Hellman assumption.
TL;DR: This paper proposes a new anonymous channel protocol for authentication in GSM mobile communication networks that is the result of incorporating the anonymity scheme to an efficient GSM authentication protocol proposed by Chang et al.
Abstract: In this paper, we propose a new anonymous channel protocol for authentication in GSM mobile communication networks. The protocol is the result of incorporating our anonymity scheme into an efficient GSM authentication protocol proposed by Chang et al. As a result, our protocol has all the features of their scheme including anonymity. Compared with the most recent protocols in this area, such as those by Peinado and Hwang et al., we show that our scheme generally is more secure and more efficient.
TL;DR: The authors claim that their protocol reduces the false acceptance ratio and is resistant to terrorist attack, and some aspects that could question its effectiveness are discussed.
Abstract: RFID (radio frequency identification) devices are usually vulnerable to attacks related to proximity verification: distance fraud attacks, relay attacks and terrorist attacks. These attacks require simpler technical resources than tampering or cryptanalysis, and they cannot be prevented by ordinary security protocols that operate in the high layers of the protocol stack. Distance bounding protocols, which are tightly integrated into the physical layer, are the main countermeasure against them. Hancke and Kuhn's protocol was the first distance bounding protocol for RFID. Tu and Piramuthu have recently proposed another protocol which outperforms it. More precisely, the authors claim that their protocol reduces the false acceptance ratio and is resistant to terrorist attack. In this paper, however, we analyse this protocol and discuss some aspects that could question its effectiveness.
TL;DR: It is shown that for bit commitment schemes based on two-party stateless primitives, the stand-alone statistical security implies the statistical universally composable security.
Abstract: We show that for bit commitment schemes based on two-party stateless primitives, the stand-alone statistical security implies the statistical universally composable security. That is, all such schemes are secure with an unlimited adversary, an unlimited simulator and an unlimited environment machine in the universal composability framework. Especially, these protocols can be used in arbitrary statistically secure applications without lowering the security.
TL;DR: The proposed dBB84 protocol is extended to be a deterministic secure quantum communication (DSQC) protocol wherein the sender can securely transmit secret messages to the receiver via quantum channels and the receiver can read out the secret messages only after receiving an additional classical bit for each qubit from the sender.
Abstract: This paper presents a deterministic BB84 (dBB84) protocol that not only inherits the unconditional security of the original BB84 protocol but also enables the receiver to deterministically measure and decode all qubits sent by the sender. The proposed dBB84 protocol is then extended to be a deterministic secure quantum communication (DSQC) protocol wherein the sender can securely transmit secret messages to the receiver via quantum channels and the receiver can read out the secret messages only after receiving an additional classical bit for each qubit from the sender. In contrast to the existing single-photon-based secure communication protocols, which require the sender to either prepare two-qubit photon states or to establish two-way quantum channels with the receiver, the newly proposed protocol requires the sender to prepare single-qubit photon states for message transmissions and only set up one-way quantum channels to the receiver. Therefore, the proposed protocol is very suitable and feasible in practical applications.
TL;DR: This paper proposes a rapid mutual authentication protocol, called FLMAP, that overcomes all the drawbacks of previously proposed protocols and offers the most enhanced security features in RFID mutual authentication protocols with respect to user privacy.
Abstract: Numerous authentication protocols for RFID systems were proposed as attempts to prevent unauthorized tracking and monitoring, impersonation or cloning, and information leakage. Many such attempts cannot establish essential requirements that one robust authentication protocol must guarantee. In this paper, we propose a rapid mutual authentication protocol, called FLMAP, that overcomes all the drawbacks of previously proposed protocols. Our protocol has three passes and it does not use any cryptographic primitives such as hash functions and encryption algorithms; it is very fast and efficient. Significant characteristics of the protocol are forward security, tag anonymity, location privacy, resistance to disclosure attack, low complexity on the back-end server, and scalability. To the best of our knowledge, our protocol offers the most enhanced security features in RFID mutual authentication protocols with respect to user privacy. In analyzing the protocol, we show how remarkable properties such as forward security and tag anonymity are guaranteed.
TL;DR: This work uses tableau-based converter construction and proves that a converter exists only when a successful tableau can be constructed, and liveness is incorporated so that converters satisfy additional constraints on protocol communication.