Security and Communications Protocols for Pervasive Technologies

POLITECNICO DI TORINO
SCUOLA DI DOTTORATO
Dottorato in Ingegneria Informatica e dei Sistemi – XXII ciclo
Tesi di Dottorato
Security and Communications
Protocols for Pervasive
Technologies
Filippo Gandino, 143558
Tutore
Coordinatore del corso di dottorato
Prof. M. Rebaudengo Prof. P. Laface
2010

Contents
Summary
V
1 Introduction 1
1.1 Radio Frequency Identification . . . . . . . . . . . . . . . . . . . . . . 2
2 Security 6
2.1 Public-Key Fundamentals . . . . . . . . . . . . . . . . . . . . . . . . 7
2.1.1 Public Key Encryption . . . . . . . . . . . . . . . . . . . . . . 8
2.1.2 Digital Signature . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.1.3 Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.1.4 Relevant Attacks . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.1.5 Public Key Properties . . . . . . . . . . . . . . . . . . . . . . 10
2.2 RFID Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.3 Tampering with RFID Tags . . . . . . . . . . . . . . . . . . . . . . . 12
2.3.1 Tampering in Pervasive Information Systems . . . . . . . . . . 13
2.3.2 Tamper-evident approaches . . . . . . . . . . . . . . . . . . . 16
2.3.3 Tamper-resistant approaches . . . . . . . . . . . . . . . . . . . 21
2.3.4 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
2.3.5 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
2.4 Public-key in RFIDs . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
2.4.1 RSA-like Cryptography . . . . . . . . . . . . . . . . . . . . . . 31
2.4.2 Elliptic Curve Cryptography . . . . . . . . . . . . . . . . . . . 34
2.4.3 ElGamal Cryptography . . . . . . . . . . . . . . . . . . . . . . 37
2.4.4 NTRU Cryptography . . . . . . . . . . . . . . . . . . . . . . . 43
2.4.5 Approaches Discussion and Conclusions . . . . . . . . . . . . . 45
2.5 RFID Tags without cryptographic capability . . . . . . . . . . . . . . 47
2.5.1 An Anti-Counterfeit Mechanism for the Application Layer in
Low-Cost RFID Devices . . . . . . . . . . . . . . . . . . . . . 47
2.5.2 Traceability with Privacy Protection . . . . . . . . . . . . . . 53
2.5.3 A Security System for Chain Applications . . . . . . . . . . . 61
2.6 RFID Tags with cryptographic capability . . . . . . . . . . . . . . . . 78
II

2.6.1 EPC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
2.6.2 Proposed Tag Architecture . . . . . . . . . . . . . . . . . . . . 82
2.6.3 Experimental Results . . . . . . . . . . . . . . . . . . . . . . . 86
2.6.4 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
3 RFID Reader-to-Reader Anti-collision 88
3.1 Performance Evaluation Criteria . . . . . . . . . . . . . . . . . . . . . 90
3.1.1 Adopted Metrics . . . . . . . . . . . . . . . . . . . . . . . . . 92
3.1.2 Proposed Evaluation Criteria . . . . . . . . . . . . . . . . . . 92
3.2 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
3.2.1 ETSI EN 302 208-1 V1.2.1 . . . . . . . . . . . . . . . . . . . . 93
3.2.2 Distributed Color System (DCS) . . . . . . . . . . . . . . . . 93
3.2.3 Colorwave . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
3.2.4 Protocols with High Requirements . . . . . . . . . . . . . . . 94
3.2.5 Protocols based on Power Control . . . . . . . . . . . . . . . . 95
3.3 Probabilistic DCS (PDCS) Protocol . . . . . . . . . . . . . . . . . . . 95
3.4 Theoretical analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
3.4.1 Second Generation Collisions . . . . . . . . . . . . . . . . . . 98
3.4.2 DCS-Like Protocol Behavior . . . . . . . . . . . . . . . . . . . 106
3.5 Experimental Simulations . . . . . . . . . . . . . . . . . . . . . . . . 108
3.5.1 PDCS Behavior According to µ . . . . . . . . . . . . . . . . . 108
3.5.2 Best PDCS Configurations . . . . . . . . . . . . . . . . . . . . 111
3.5.3 Multichannel Analysis . . . . . . . . . . . . . . . . . . . . . . 113
3.5.4 Matrix Vs Random Deployment . . . . . . . . . . . . . . . . . 113
3.5.5 Mobile RFID Networks . . . . . . . . . . . . . . . . . . . . . . 113
3.5.6 Dense RFID Networks . . . . . . . . . . . . . . . . . . . . . . 114
3.6 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
4 RFID for Agri-food Traceability 118
4.1 Agri-Food Sector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
4.2 Traceability Management . . . . . . . . . . . . . . . . . . . . . . . . . 120
4.3 State-of-the-art Analysis . . . . . . . . . . . . . . . . . . . . . . . . . 124
4.3.1 Theoretical Model . . . . . . . . . . . . . . . . . . . . . . . . 124
4.3.2 Business Impact Analysis . . . . . . . . . . . . . . . . . . . . 125
4.3.3 System Proposals . . . . . . . . . . . . . . . . . . . . . . . . . 127
4.3.4 Simulation Analysis . . . . . . . . . . . . . . . . . . . . . . . . 133
4.3.5 Field Studies . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
4.3.6 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
4.4 Framework for Traceability Analysis . . . . . . . . . . . . . . . . . . 142
4.4.1 Internal Traceability System Features . . . . . . . . . . . . . . 143
4.4.2 Writing/Reading and Tagging Automation . . . . . . . . . . . 145
III

4.4.3 Established Internal Traceability Systems . . . . . . . . . . . . 148
4.5 Case Study . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
4.5.1 Fruit warehouse . . . . . . . . . . . . . . . . . . . . . . . . . . 150
4.5.2 Implementation of the RFID Traceability System . . . . . . . 158
4.5.3 RFID-Based Traceability System Performance . . . . . . . . . 162
4.5.4 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
5 Conclusion 166
Bibliography 167
IV

Summary
Pervasive technologies represent cheap and small pervasively distributed devices
which communicate wireless. Nowadays, these technologies are widely employed for
several applications, since they can provide many benefits, such as accurate area
monitoring and distributed information systems, where the information is directly
matched to the items. However, they involve great security and efficiency problems,
which are mainly due the low cost of the devices, and to the strict constraints for
the communication range, the computational capability, and the power consumption.
The pervasive distribution of the information represents a great privacy problem,
since it is difficult to monitor the access to pervasive devices, and the security
systems are limited by strict computational constraints. The information could be
easily altered or copied, and pervasive devises matched to a human being could be
used to track him/her. Also the pervasive deployment of the devices involves additional
interference problems, which can affect the communication efficiency. This
work explores benefits and constraints of Pervasive Technology, and it is focused on
Radio Frequency Identification (RFID), which represents one of the more promising
and widely employed pervasive technology, and it is replacing previous automatic
identification systems like barcodes. The goal of this research study is to identify
and analyze the main weak spots of pervasive technologies, and to provide reliable
solutions. Much effort is spent for security, but also communications problems are
considered. Furthermore, the application of RFID in a real production sector is
exploited, in order to verify benefits and drawbacks on the field.
Chapter 1 introduces to the reader the technological background, describing
RFID characteristics.
Chapter 2 analyses in deep the security issue. First, the main security threats
for RFID are described. Since state-of-the-art studies do not provide a comprehensive
analysis of data-tampering with RFID tags, this problem and the available
protections are fully described and analyzed. The majority of security solutions
for pervasive technologies are based on symmetric encryption. However, also public
key encryption often represents an effective solution, so state-of-the-art security
approaches based on public key encryption are fully analyzed, and new solutions
V

are presented. The proposed security protocols for RFID are divided in two categories:
based on tag without cryptographic capabilities, and based on tag with
cryptographic capabilities. The latter approaches are not applicable to standard
RFID tags, and require the production of more expensive tags, but they are more
efficient and provide better security features.
Chapter 3 analyses the RFID reader-to-reader collision problem, which represents
a communication problem due to the interference between RFID readers in the same
area, and affects the communication efficiency. The state-of-the-art approaches are
analyzed and a new solution is proposed.
Chapter 4 analyses the application of RFID technology to a production sector.
The benefits and the drawbacks of the technology are discussed, and an evaluation
framework is proposed.
Finally, Chapter 5 presents some conclusions.
VI

Chapter 1
Introduction
A pervasive environment is characterized by the presence of many distributed smart
devices that hold information. Pervasive Information Systems (ISs) can be used in
order to improve and automate many traditional applications. This work is focused
on Radio Frequency Identification (RFID), which is a widely employed pervasive
technology suitable for several applications.
A key service suitable to pervasive environments is the Supply Chain Management
(SCM), which covers the planning and management of all activities involved
in supply chain and the connections among Chain Members (CMs) [60]. The information
for SCM should allow the identification of the products, their sorting in
the production flow, and the monitoring of the production flow. RFID tags can
be matched to products, so automatic tools can identify a product by using the
unambiguous ID of the matched tag as an entry for a central database that contains
all the concerning data. In order to manage the communication among the
CMs, the data could be stored in a shared database. However, its implementation
requires strong technical effort and tight cooperation among all the CMs. Nevertheless,
RFID tags with a rewritable memory can directly hold the information about
the identified items, so the products can also be immediately identified without a
permanent connection to a central database.
A service close to SCM is the traceability management. The traceability is the
ability to trace back and forward the path of an object, aiming at detecting the
cause of a defect in a commodity, and at finding other eventual products subject
to the same problem. Furthermore, the traceability is useful to detect counterfeit
products, since the presence of many data about the path along the supply chain can
help to check and guarantee the authenticity of products. Several sectors, especially
whenever the products may affect the security of customers, need an efficient traceability
system. Therefore, a Competent Authority (CA) should be able to rapidly
access to traceability information, in order to immediately detect possible problems.
The information for traceability should describe an object and its history, so the
1

1 – Introduction
information for SCM can be considered a subset of the information for traceability.
Multimodality shopping allows customers to interface with a shopping assistant
tool by various input/output media. In this context a mobile RFID reader can
identify the products and communicate to the shopping assistant tool some useful
data about the product.
RFID may be also involved into after point-of-sell applications. A tool connected
to an RFID reader and to web network can read the maintenance information
about the commodity and send them to a server that manages the request, avoiding
calling the maintenance center. In a smart home environment, RFID can be also
exploited for automatic application in order to increase comfort and security.
1.1 Radio Frequency Identification
In this section a brief introduction on RFID technology is presented, highlighting
weak spots and special requirements for RFID security techniques and RFID applications.
Antenna
RF
Modulo
RFID
Reader
Middleware
Logic
Circuits
Memory
RFID
Tags
Server
DB
Data
Base
Figure 1.1.
RFID System
An RFID system [49], which is shown in Figure 1.1, typically includes an RFID
reader and some RFID tags. The reader is able to access tags by a wireless communication,
which is managed by a radio frequency interface. Furthermore, the reader
communicates the collected data to a middleware, which is the software layer that
allows the interconnection between the reader and the information system.
A tag is composed by a radio frequency interface block, a memory component
and a logic element. There are two kinds of tags: passive and active. Passive
tags have no battery, and they acquire the power supply from the electromagnetic
field of the reader, while active tags have their own power supply. Passive tags
are cheaper than active ones, but they present a shorter transmission range. The
active tag life depends on the battery duration and use, while the rewritable passive
2

1 – Introduction
tag life is typically measured in number of read/write cycles. The passive tags are
more largely employed, thanks to their low cost. Active tags present performance
similar to other pervasive technologies, and they are able to provide more advanced
security features than passive ones, since their own power can supply more hardware
modules. Therefore, security techniques designed for other wireless devices, such
as wireless sensor networks and smart phones, can be applied to these devices.
Instead, according to the strict limitations that affect passive tags, they require adhoc
security techniques. The same techniques used for passive tags could be applied
also to active ones, but they have stricter limitations than general purpose ones.
Therefore, this work is specifically focused on passive tags, and in the following, if
not differently reported, the word ’tag’ is referred to passive tags.
The most important standardization organizations for RFID are represented by
International Organization for Standardization (ISO) and EPCglobal, which define
the physical and logical requirements and interfaces for tags and readers. Furthermore,
EPC standards define the structure and content of data. Operational frequency
used in RFID systems vary according to the country. The frequency bands
are:
ˆ Low Frequency (LF) between 125 and 134 KHz;
ˆ High Frequency (HF) at 13.56 MHz (e.g. ISO 14443 and ISO 15693, both
defined for identification cards);
ˆ Ultra High Frequencies (UHF) between 866 and 868 MHz in EU, between
902 and 928 MHz in USA (e.g. EPC Class I Gen 2 [8], defined for item
management);
ˆ Microwave at 2.45 GHz in EU, between 2.4 and 2.4835 GHz and between 5.725
and 5.85 GHz in USA.
A limitation to the use of RFIDs is represented by the presence of metal or liquid that
can create noise to the electromagnetic field, disturbing or stopping the transmission.
Lowest frequencies assure a major noise tolerance, but involve a shorter transmission
range. Another factor that affects the transmission is the antenna shape and size.
Typically, LF requires larger antennas. A reader compliant with EPC Class I Gen 2
can read RFID passive tags in a range over 4 meters. On the other hand, a small
reader for Personal Digital Assistant (PDA) compliant with ISO 14443 can read
RFID passive tags only in a range shorter than 10 cm. The RFID transmissions are
characterized by two ranges:
ˆ the reading range, corresponding to the area where the electromagnetic field
of the reader induces enough voltage in the tag antenna in order to correctly
receive tag data;
3

1 – Introduction
ˆ the transmission range, corresponding to the area where the data can be received,
but the supplied voltage could be not enough for passive tags; the
reader transmission range is larger than the tag transmission range, according
to the higher power, and than the reading range.
Commonly, computational capacities are extremely limited in a tag. The major
concern of an RFID reader consists in accessing the tag memory. Memory plays an
important role in the tag architecture; it contains the unique identification number
and may have up to several kilobits of storage capacity. However, the presence of a
larger memory increases significantly the tag cost. Tags can have read-only or read
and write memory. The rewritable memories open many application opportunities,
but they are exposed to malicious writing actions. The widely used EPC Class I
Gen 2 tags typically have a 96-bit memory bank that contains a code for the identification
of the tagged object and a 64-bit bank of reserved memory that contains
passwords. On the other hand, some ISO 14443 tags is equipped with memories
larger than 8 Kbits.
The hardware or software computation of cryptographic operations requires too
computational effort for RFID tags. An RFID tag compliant with EPC Class I
standard requires between 1000 and 4000 gates, while a commercial implementation
of Advanced Encryption Standard (AES) requires between 20000 and 30000
gates [108]. Since the number of gates for security is strictly limited, usually tags
implement only simple security operations. For example, EPC Class I Gen 2 requires
the use of password and bitwise XOR operations. However, some RFID tags
with cryptographic capability have been designed, such as DEFfire from Philips [14],
which owns a crypto co-processor for DES/AES operations, compliant with ISO/IEC
14443A for HF.
Each type of application requires an RFID system with specific technological
characteristics. In the following a list of RFID applications and their specifications
are presented.
ˆ Supply chain management [18]. A basic application can match each item with
a tag. The tags can have small read-only memory with a unique code. Their
frequency is UHF, in order to have a long reading range, and they are typically
compliant with EPC standards.
ˆ Internal traceability management based on reusable containers [54]. Each tag
is matched to a container and the data about the products, written in the
tag memory, are repeatedly updated. These applications require tags with
rewritable memory in order to update the information. The frequency of the
tag is HF, normally matched to a large memory, or UHF, providing a larger
reading range.
4

1 – Introduction
ˆ RFID applications for libraries [34]. Each tag is matched to a book, and it
contains information about the book and its location. These systems are often
based on tags with rewritable memories, so the stored data can be updated
and new ones can be added. The tags are normally read by a PDA, so the
short reading range provided by HF does not represent a limitation.
The pervasive nature of RFID technology exposes tags to two kinds of possible
accesses:
ˆ physical access, when an entity gets in touch with the tag;
ˆ RF communication access, by means of the tag communication protocol, potentially
without knowledge of the owner of the tag.
The first case seems more dangerous, since adversaries have time and means to
perform strong attacks. However, the possible damages due to tampering actions are
limited, since hardly they can be performed without knowledge of the tag owner.
Instead, RF attacks can generate troubles, since adversaries could alter data on
rewritable memory tags that will be reused, generating possible mistakes.
As a conclusion, the main elements that affect RFID security techniques for tags
are:
ˆ low computational effort;
ˆ limited memory;
ˆ exposure to RF access by hidden readers.
The strict limitations related to tags do not affect the reader and the middleware,
which can implement normal security techniques.
5

Chapter 2
Security
This chapter analyses and provides solutions to some of the main security threats
for pervasive technologies. Section 2.1 deeply describes the basic concepts of public
key cryptography, which are widely employed in this chapter. Section 2.2 describes
the main security threats for RFID technologies.
RFID is a well-known pervasive technology, which provides promising opportunities
for the implementation of new services and for the improvement of traditional
ones. However, pervasive environments require strong efforts on all the aspects of
information security. Notably, RFID passive tags are exposed to attacks, since strict
limitations affect the security techniques for this technology. A critical threat for
RFID-based information systems is represented by data tampering, which corresponds
to the malicious alteration of data recorded in the tag memory. The aim
of section 2.3 is to describe the characteristics and the effects of data tampering
in RFID-based information systems, and to survey the approaches proposed by the
research community to protect against it. The most important recent studies on privacy
and security for RFID-based systems are examined, and the protection given
against tampering is evaluated. This section provides readers with an exhaustive
overview on risks and defenses against data tampering, highlighting RFID weak
spots and open issues.
Section 2.4 presents, on one side, the motivations for addressing security and
privacy in RFIDs and, on the other side, it analyzes different approaches proposed
in the literature that aim at solving these issues. Such different approaches, based on
asymmetric encryption, will be described and compared analyzing their properties
and their applicability to RFID devices, taking into account their limitations in
terms of computation performance and power consumption.
Section 2.5 presents some security approaches for RFID tags without cryptographic
capability.
RFID is particularly interesting for several kinds of physical objects, either living
6

2 – Security
beings or inanimate items. In section 2.5.1 we propose to use it to implement an anticounterfeit
mechanism in selected wine production environments. Using a Personal
Digital Assistant (PDA) with a public/private key mechanism involving both the
passive RFID internal memory and the unique RFID identifier it is possible for
the reseller and the final user to verify if the bottle is original. A sample bottle
is used to simplify the encoding operation even in a low technology environment
like a traditional cellar, also reducing the risk of losing the private key. Finally,
implementation issues are considered, in order to confirm method feasibility.
In Section 2.5.2 an agri-food traceability system based on public key cryptography
and Radio Frequency Identification (RFID) technology is proposed. In order to
guarantee safety in food, an efficient tracking and tracing system is required. RFIDs
devices allow recording all useful information for traceability directly on the commodity.
The security issues are discussed and two different methods based on public
cryptography are proposed and evaluated. The first algorithm uses a nested RSA
based structure to improve security, while the second also provides authenticity of
data. An experimental analysis demonstrates that system is well suitable on PDAs
too.
A wide adoption of pervasive computing environments, in particular exploiting
RFID technology, may increase efficiency and bring added value with new applications.
Nevertheless, pervasive environments involve threats to the information
privacy, so pervasive RFID systems must be matched to information security systems
able to satisfy the requirements of both supply chain members and customers.
Section 2.5.3 presents a secure pervasive RFID-based information system, suitable
for traceability and supply chain management, for multimodality shopping and after
the point-of-sell services. The information system is designed in order to work
with standard RFID devices. Furthermore, the proposed system, based on public
key cryptography, avoids industrial espionage, guarantees the authenticity of information,
protects the customer privacy, and detects malicious alteration of the
information.
Section 2.6 presents a new architecture of an RFID transponder with cryptographic
capabilities. Other than being compatible with the EPC Class-1 Gen-2
communication protocol, our tag implements an asymmetric ciphering module that
proved useful in authentication and anti-counterfeit schemes, particularly critical
in many application fields. Experimental results concerning area requirements and
power consumption indicate its feasibility.
2.1 Public-Key Fundamentals
Cryptographic algorithms have been used for decades in order to guarantee communication
privacy. Cryptography deals with authentication systems with the aim
7

2 – Security
of ensuring the genuineness of a message to the receiver. We will focus on cryptographic
systems based on public key cryptosystems firstly presented in [43]. Many
other applicable algorithms based on public-key cryptosystems have been proposed
in the literature like RSA [110], ElGamal’s scheme [45] and Knapsack scheme [39].
In a public key cryptosystem, given a pair of families {E K } K∈{K} and {D K } K∈{K}
of algorithms representing inverting transformations,
and
E K : {M} → {M}
D K : {M} → {M},
on a finite message space {M}, the following statements must be true:
1. for every K ∈ {K}, E K is the inverse of D K ,
2. for every K ∈ {K} and M ∈ {M}, algorithms E K and D K are easy to
compute,
3. for almost every K ∈ {K}, each algorithm equivalent to D K is computationally
infeasible to derive from E K ,
4. for every K ∈ {K}, it is feasible to compute inverse pairs E K and D K from
K.
Therefore, by making K = Ko, a pair of ciphering functions D Ko and E Ko are
fixed. The third property allows making public the key E Ko without compromising
the security of the secret key D Ko . There are two main branches of public key
cryptography depending on the utilization of the secret and public keys: public key
encryption and digital signature.
2.1.1 Public Key Encryption
The basic idea behind public key encryption is to ensure confidentiality in a communication
channel. A message is encrypted in a way that cannot be decrypted by
other person than the intended recipient. Formally, a plaintext message P ∈ {M},
is ciphered by means of the public key E Ko . The result is a ciphertext message
C ∈ {M} that can be deciphered using the secret key D Ko . Thus, the following
relations are true:
C = E Ko (P ),
P ′ = D Ko (C).
Where P ′ = P . The receiver’s public key is available to anyone who wants to
communicate with him/her.
8

2 – Security
2.1.2 Digital Signature
When digitally signing, messages are authenticated. A message is signed by means
of the sender’s private key; in that way anyone who has access to the public key is
able to verify the authenticity of the message. Hence, a plaintext message P ∈ {M},
is signed by means of the secret key D Ko . The result is a ciphertext, signed message
S ∈ {M} that can be deciphered and verified using the public key E Ko . Accordingly,
the following relations remain true:
S = D Ko (P ),
P ′ = E Ko (S).
Where, if performed correctly, P ′ = P . The sender uses his/her own private key
to sign a message, and everyone is able to verify its authenticity by exploiting the
sender’s public key.
2.1.3 Example
Consider a simplified version of the RSA algorithm where the ciphering functions
are defined as follows:
E Ko (x) = x e mod n,
D Ko (x) = x d mod n.
By selecting the parameters in the following way:
e = 17,
d = 2753,
n = 3233;
it is possible to have both a public key (17,3233) and a private key (2753,3233). For
example, suppose that a message P = 123 is encrypted with the public key. Hence,
E Ko (123) = 123 17 mod 3233 = 855.
Similarly, the corresponding decryption is performed as follows:
D Ko (855) = 855 2753 mod 3233 = 123.
According to RSA Laboratories [87], as of 2007, valid key dimensions for a long
term security should be at least 1024-bit long. They show that 663-bit keys have
been factored with an effort equivalent to 55 years on a single 2.2 GHz Opteron
CPU; however, with a cluster of 80 2.2 GHz CPUs the key was broken in about
three months.
9

2 – Security
2.1.4 Relevant Attacks
In the following a short description of some attacks on public key encryption will be
presented:
ˆ Chosen-plaintext attack: the adversary chooses a set of plaintexts and obtains
the corresponding ciphertexts, in order to deduce information to recover the
plaintext of an specific ciphertext.
ˆ Adaptive chosen-plaintext attack: the adversary can choose a plaintext based
on the previously obtained ciphertexts.
ˆ Chosen-ciphertext attack: the adversary can obtain a set of plaintexts corresponding
on the chosen set of ciphertexts.
ˆ Adaptive chosen-ciphertext attack: the adversary can choose a ciphertext
based on the previously obtained plaintexts.
Although chosen-ciphertext attacks are very dangerous for public-key cryptography,
in the RFID context they are normally not possible.
2.1.5 Public Key Properties
In the following some properties of cryptographic schemes are presented.
Homomorphism [50]
Let M denote the set of the plaintexts and respectively C the set of ciphertexts. An
encryption scheme is said to be homomorphic if for any given encryption key k the
encryption function E satisfies:
∀m 1 ,m 2 ∈ M, E(m 1 ⊙ M m 2 ) ←→ E(m 1 ) ⊙ C E(m 2 ).
With the multiplication operators a scheme is multiplicatively homomorphic, so the
multiplication of two encrypted values is equal to the encrypted multiplication of
two values.
Semantic Security [62]
This property requires that no information about the plaintext can be learned from
the ciphertext. More strictly, an encryption scheme (G,E,D) is semantically secure
if for all probabilistic polynomial time algorithms M and A, functions h, polynomials
Q there is a probabilistic polynomial time B such that for sufficiently large k,
P r(A(1 k ,c,e) = h(m) | (e,d) ← G(1 k ) ; m ← M(1 k ) ; c ← E(e,m))
10

2 – Security
≤ P r(B(1 k ) = h(m) | m ← M(1 k )) + 1
Q(k) .
Semantic security does not consider the case of the chosen ciphertext attack.
Key-privacy [24]
This property requires that, from a ciphertext encrypted by a public key selected in
a set of known keys, an eavesdropper is not able to identify the employed key.
2.2 RFID Threats
The use of RFID tags hazards the privacy. In the USA, many organizations, such
as Consumer Privacy and Civil Liberties Organizations, are requesting attention
to privacy threats [6]. In Canada, the Annual Report to Parliament 2005 of the
Privacy Commissioner underlines the importance to ensure that RFIDs do not erode
informational privacy rights [1]. In EU, in compliance with the Working Document
adopted on 2005 by the European Data Protection Working Party [11], the national
authorities, set up to protect personal information, established guidelines needed for
a safe use of RFID technology [10].
Rules about privacy change according to the country, as well. However in many
countries there is a great attention on privacy risks. There are many privacy threats
connected to RFID [77, 113, 135]:
ˆ The serial number of a tag can be associated with the customer’s identity, so
it is possible to monitor the customer or, knowing the object identified by the
serial number, to get information for profiling. Besides to know which object
a person buys, it is possible to know how often a person uses it as well.
ˆ Even without associating a tag number with a person identity, a set of tags
can track an unidentified person, violating the “location privacy” [26].
ˆ The transfer of a tag from a set to another set means that an object passes
from a person to another, so it is possible to know that there is a relation
between those persons.
ˆ By reading the tag’s memory, it could be possible to know which commodities
a person possesses.
ˆ Companies would like to keep private their information, in order to avoid
industrial espionage and unauthorized monitoring of their sales.
11

2 – Security
ˆ Privacy threats, due to recording of the tracking information on an RFID
tag, are mainly the risk of unauthorized readings of information about the
belongings of a person, and the industrial espionage. In this Chapter a solution
to these problems is proposed.
The privacy threads, arose from RFID, involve dangers such as man tracking,
personal belongings monitoring and industrial espionage. Many solutions to the
privacy problem have been analyzed, some of them are:
ˆ killing the tag [8], a command can stop the tag at the point-of-sale.
ˆ using passwords or encryption [127], which try to avoid unauthorized readings
of the tag; changing tag ID [78], the use of different IDs makes difficult the
recognizing of a tag;
ˆ blocking the anti-collision system of the reader [80], a special tag stops the
correct functioning of the reader.
2.3 Tampering with RFID Tags
RFID is a well-known pervasive technology, which provides promising opportunities
for the implementation of new services and for the improvement of traditional ones.
However, pervasive environments require strong efforts on all the aspects of information
security. Notably, RFID passive tags are exposed to attacks, since strict
limitations affect the security techniques for this technology. A critical threat for
RFID-based information systems is represented by data tampering, which corresponds
to the malicious alteration of data recorded in the tag memory.
The aim of this section is to describe the characteristics and the effects of data
tampering in RFID-based information systems, and to survey the approaches proposed
by the research community to protect against it. The most important recent
studies on privacy and security for RFID-based systems are examined, and the protection
given against tampering is evaluated. This section provides readers with
an exhaustive overview on risks and defenses against data tampering, highlighting
RFID weak spots and open issues.
Although RFIDs provide relevant opportunities, they involve also considerable
information security threats [77], such as cloning of original tags and privacy violation.
A critical threat is represented by data tampering, which consists in the
malicious changing of data recorded in the tag memory. The tampering has many
dangerous effects, such as incoherence in the information system, exposure to opponent
attacks, and mistakes in the production flow. This malicious action has been
studied in various fields, e.g. software source protection [40], and many approaches,
addressing it, have been proposed.
12

2 – Security
Nowadays, the application of RFID is rapidly growing and, according to the strict
security requirements for RFID-based systems, several research studies on RFID security
problems have been proposed (e.g. [77, 117]). According to [118] in 2007, 58
papers on security and privacy in RFID systems, and 39 papers on controlling the
information flow between tags and readers have been proposed. Both specialized
approaches [97, 106, 107, 130] and some more general ones [17, 27, 28] address the
tampering problem. Several solutions to various security issues in mobile [135] and
pervasive technologies have been provided, but problems as tampering in RFID still
represent a critical threat for data security. Although various books [16, 84] and
survey-based journal papers [57, 77, 114, 118] present the state-of-the-art in RFID
security, these studies are mainly focused on privacy protection, authentication features,
and cryptographic hardware implementations, which represent the most frequently
analyzed RFID security issues. Therefore, this section aims at filling the gap
in RFID security study, analyzing the characteristics of data tampering in RFIDbased
information systems, and surveying the state-of-the-art of RFID tampering
protection, in order to provide readers with an exhaustive overview on risks and on
proposed defenses against tampering. The characteristics of RFID technology are
described, highlighting security weak spots. This survey is specially focused on tampering
with data in tag memories, since this threat represents a critical open issue.
Furthermore, the most recent and effective general purpose security approaches for
RFID tags are analyzed, evaluating their ability to effectively protect against tampering.
2.3.1 Tampering in Pervasive Information Systems
The definition of tampering changes according to the context. It can be defined
as a malicious action that alters something (e.g. objects or data). Several fields
in Information Technology are subject to the tampering problem, so many effective
defenses have been proposed [38, 67, 95, 99, 105, 132, 133]. There are two kinds of
protections against tampering.
ˆ Tamper-evidence. The feature of a process, device, or software, to detect the
existence of tampering.
ˆ Tamper-resistance. The ability to resist to tampering.
The effects of tampering can be divided in two main groups:
ˆ damage, when tampering makes something unusable;
ˆ alteration, when the target seems correct, but according to the malicious alteration,
it is faulty and it will generate possible mistakes.
13

2 – Security
Although tamper-resistance solutions aim at preventing all tampering effects,
tamper-evidence aims at preventing only mistakes due to an alteration, reduced
to a damage. In the following the main tampering effects and tamper-protection
schemes from several fields are introduced, describing their relation with RFID.
One field in information technology, where the tampering problem has been
widely studied, is the software protection. A tamper attack could alter a program in
some ways. An adopted solution is adding tamper-evident features, by inserting into
the program tamper-proofing code, which can detect if the program was tampered
with, stopping the program when tampering effects are detected [40]. This kind of
attack could be very dangerous for pervasive devices, since they are often deployed
into hostile areas. However, low cost RFID tags are very simple devices and most
of them do not present a microprocessor, so software tampering does not represent
a relevant threat.
A considerable tampering subject is the hardware tampering. Tampering actions
may aim at damaging the device or at altering the system accessing to the code
in order to reprogram it with a malicious one able to execute insider attacks. The
tamper-resistant hardware may avoid unauthorized access to the running code and
it may resist to malicious actions such as physical penetration, and temperature manipulation.
Various applications employ tamper-resistant hardware, among which
several approaches for authentication and integrity checking in mobile systems [132].
However, the use of tamper-resistant hardware requires high costs, which are often
too expensive for pervasive environments. In wireless sensor networks a tampered
node with a malicious running program is a critical threat. Hardware tampering
attacks to RFID tags have not been reported, and it is not yet directly handled by
RFID security approaches for low cost RFID tags. The main motivation is that tags
are often vulnerable to simpler and faster RF attacks, which can be applied also
without physical access.
In wireless communications, tamper attacks could modify in-transit packets, so
received data are altered and differ from the transmitted ones. This malicious action
is recognized as really dangerous especially in mobile fields, such as Vehicular [67],
and Mobile [99] Ad-Hoc Networks.
The greatest threat for RFID Information System is represented by data tampering.
The most well-known data tampering attacks control data, and the main
defense against it is the control flow monitoring for reaching tamper-evidence. However,
tampering with other kinds of data such as user identity data, configuration
data, user input data, and decision-making data, is also dangerous [38]. Some solutions
were proposed, such as a tamper-evident compiler and micro-architecture
collaboration framework to detect memory tampering [133]. A further threat is the
tampering with application data, involving mistakes in the production flow, denial
of service, incoherence in the information system, and exposure to opponent attacks.
This kind of attack is especially dangerous for RFID systems, since one of the main
14

2 – Security
RFID applications is the automatic identification for database real-time updating.
The main data tampering actions are:
ˆ data impairing, some bits of digital information are changed, in order to damage
it making data unreadable or to alterate its value;
ˆ wrong data insertion, data are altered replacing them with new data with erroneous
values; this action requires the ability to compose new data consistent
with the original data encoding;
ˆ data copying, original data are altered deleting and replacing them with other
data copied from a different location; this action does not require an encoding
process.
In a RFID-based system, data tampering is very dangerous, since it could generate
serious mistakes, e.g. in a company with AIDC the production flow could
be stopped, and in pharmaceutical industry [105], drugs with wrong data may be
delivered to a wrong destination, causing troubles for patients.
Data tampering can be performed on RFID tags with a rewritable memory, by
means of a RF communication. According to the pervasive deployment of tags,
an attack can be performed moving the adversary RFID reader for few seconds
inside the reading range of the tag, or viceversa waiting until the tag is moved in
the reading range of the hidden adversary RFID reader. For tags with a read-only
memory, tampering attacks cannot be performed by means of a RF communication,
so the physical access to the tag is required in order to perform the more costly
hardware tampering.
An evaluation of threats on RFID systems compliant with EPC standards has
been presented in [55]. This study, partially based on an evaluation framework
proposed by ETSI [12], determines the likelihood of a threat, which represents the
probability that an attack is performed, according to the motivation, which is evaluated
according to the provided benefits, and the required difficulty for attackers.
Finally the evaluation method ranks the risk of a threat as “critical”, “major” or
“possible”, according to the computed likelihood and the impact, which represents
the relevance of the attack effects. This study has been extended in [56], where the
threats contained in the STRIDE model [71], which is used to define threat types
for the design of secure software systems, are evaluated according to the proposed
method. However, only a limited part of the study is focused on tampering, and
the analysis deals only with systems compliant with EPC standards, which are designed
for item management. The motivation for tampering with RFID data has
been ranked medium, since adversaries do not reach clear benefits. The difficulty
has been ranked high, since adversaries have to bypass 32-bit passwords, according
to EPC Class I Gen 2 [8]. The impact has been ranked low, since the tampering
15

2 – Security
effects are evaluated temporary. The resulting likelihood and risk have been evaluated
low. However, according to our analysis, when the motivation is to damage a
competitor it can be ranked high. Moreover, tampering actions can be performed
for economic purposes, e.g. changing the price of a good in a shop. Many RFID
tags are not protected by passwords, and often eavesdropping the passwords could
be simple, as detailed in Section 2.3.3, so the difficulty is medium. When the effect
is an alteration the impact could be medium or high. The likelihood in our analysis
is considered medium and the risk is evaluated medium/high.
2.3.2 Tamper-evident approaches
In this section the approaches that aim at detecting tampering are detailed. These
schemes aim at reducing the alteration effects of tampering to a damage. According
to the evaluation method presented in [55], the result is the reduction of the impact
and of the risk from medium/high to low. Even if data tampering can be performed
not only on the data stored in the tag memory, it represents the weak spot of
RFID systems, so this section is focused on tampering with data on tags. Other
attacks conducted beyond the RFID reader, such as tampering with database or
messages between the RFID reader and servers, can be managed by well-known
security techniques (e.g. Tamper-Evident Database [95] and Message Authentication
Code (MAC) [25]). The described approaches are shown in Figure 2.1.
Tamper-Evident
Approaches
Anti-Tampering
Approaches
General Purpose
Security
Approaches
Fragile
Watermarking
Write Activity
Record
Authentication
Privacy
Symmetric
Cryptography
Public Key
Cryptography
Figure 2.1.
Tamper-evident approaches
16

2 – Security
Fragile watermarking for RFID data tamper detection
The watermarking consists in embedding information into original data. It is defined
fragile when a minimal change of the original data generates incoherence between
the data and the embedded information.
A tamper detection system based on fragile watermarking was proposed in [107].
This system aims at detecting tampering on RFID tag with a writable memory
compliant with EPC96 standard, as shown in Fig 2.2. The tag memory is composed
by the following fields:
ˆ the Header that defines the EPC version,
ˆ the EPC Manager that identifies the manufacturer,
ˆ the Object Class that identifies the kind of object,
ˆ the Serial Number that is used by the manufacturer to unambiguously identify
the tagged item.
Since the format of the first three data fields is set by the standard but the serial
number is directly managed by the companies, the authors propose to embed the
watermark into the serial number. The fragile watermark is reached by performing
3 one-way functions respectively on the EPC Manager, the Object Class, and the
original Serial Number. The check of the watermark requires the knowledge of its
location inside the EPC, and the adopted one-way functions, so these data shall be
shared by the partners that aim to guarantee the authenticity of the information by
adopting the described approach. This system allows detecting tampering on the
EPC Manager, the Object Class, and the original Serial Number. When tampering
actions are detected, the system detects the tampered area with a discrimination of
one among the three data, and the watermark.
Header EPC Manager Object Class Serial Number
8-bit 28-bit 24-bit 36-bit
Figure 2.2.
Standard EPC96: Tag Memory Organization
In [106], an implementation of the system described in [107] is proposed. The
watermark requires 8 bits out of the 32 bits of the Serial Number, and it is generated
as a hash number by the EPC Manager, and the Object Class, through a pseudo
random number generator. The function is not applied on the Serial Number, since
tampering actions on it are not considered dangerous by the authors. One additional
bit from the Serial Number is required as parity bit of the watermark.
17

2 – Security
The authors conclude that the short length of the watermark could affect the
robustness of the tamper detection system, but this problem could be avoided by
adding an additional memory area for the watermark.
A drawback of this implementation is that the watermarking is based on a secret
function. Therefore, when an opponent obtains the function a huge modification of
the system is required.
This system can be applied only to RFID tags that hold data compliant with
EPC96. However, it could be easily extended to other standards. The RFID tags
do not require special features. The communication protocols between the reader
and tags have no special requirements. When the reader receives a writing request,
it shall be able to generate the watermark and to embed it into the original data.
The middleware is in charge of managing the checking protocol. The time required
by the tamper check corresponds to the reading of 96 bits, and to the computation
of the watermarking function.
The robustness of the system is based on the secrecy of the adopted function,
and of the location of the watermark. However, this information shall be shared by
all the entities involved in the trade of the tagged products, so the application of
this system requires strong trust among participants. The system does not involve
participants with limited permissions, e.g. the only tamper checking ability, so the
method is vulnerable to insider attack, since a malicious participant can sabotage
the whole system. Furthermore, external companies or customers that want to buy
the products cannot directly use the system in order to detect tampering.
According to the implementation proposed in [106], data impairing performed
by an opponent that does not know the secret function and the location of the
watermark is undetected only if performed on the bits of the original Serial Number.
When the opponent knows the location of the watermark, it can impair all the bits
of the original Serial Number. This action, else if limited to the Serial Number,
can seriously damage some services, such as traceability management. As data
impairing, also wrong data insertion can be performed only on the bits of the original
Serial Number. However, the knowledge of the Serial Number format adopted by a
company makes easier to find the location of the watermark. This malicious action
can more effectively damage services, since its consequences are deterministic. The
data copying can be performed on the whole tag memory also without knowledge
on the functions and on the location of the watermark, since by copying both the
original data and the watermark no incoherence is generated. This action triggers
critical troubles, since all the data can be altered, and when performed on RFID
tags for item management, it can generate various mistakes.
This scheme can be used both to detect tampering with tag memories that do not
present any other protections (e.g. password), and as additional protection. The
application of the system, according to the restriction to EPC compliant tags, is
almost limited to item management systems. The extension to other tag types and
18

2 – Security
RFID systems is also possible. The strength of this scheme is that it is compliant
with RFID tag limitations, because no additional computation effort is charged
on tags, and no additional memory is required. However, the provided protection
against tampering is limited. The introduction of watermarking can defend against
random tampering attacks performed to the purpose of impair generic tags, but it
is weak against an adversary with proper means.
Write activity record for RFID data tamper detection
Yamamoto et al. have proposed a method for tamper detection based on write
activity record [130]. In this approach the RFID tag has a special memory area
that RFID readers can only read, and that the tag itself can read and write. When
a writing operation is performed on the tag memory by a reader, the tag writes a
record that describes the operation in the special memory area. A writing operation
is described by the offset of the written memory area, and by the length of the written
data. The first information in the special memory area represents the pointer to the
area for the next insertion, and the number of recorded writing operations.
The tamper detection method requires the check of the records in the special
memory area, in order to check if some data have been overwritten on previous
data. If there is no overlap, then the memory has not been tampered. Otherwise if
some memory areas have been overwritten, then data could be tampered.
The authors have proposed and tested an implementation that requires 2 bytes
for each record of the special memory area. Therefore, the special memory area
shall be very large, in order to hold more than one record for each memory bank.
Furthermore, the protocol should be able to manage effectively a number of writing
operations greater than the number of records in the special memory area, in order
to avoid that several writing operations on the same bank could hide tampering on
other banks.
The tamper detection can be performed without special permissions, so every
company or customer can check if tags have been tampered.
This system can be applied to RFID tags, regardless of their data organization
and format. The RFID tags require an additional special memory area, and a special
writing protocol. The middleware shall manage the checking protocol; while, the
communication protocol and the RFID reader do not present special requirements.
The time required by the tamper check corresponds mainly to the reading of memory
slots of 2 bytes for each performed writing. This overhead corresponds to a drawback
in many critical and real-time applications.
This approach allows detecting all the tampering actions, but it detects as possible
tampering also each rewriting operation. Therefore, it is not suitable for an
Information System that uses the same memory area more than once, e.g. internal
traceability systems based on reusable containers [53]. Furthermore, applications
19

2 – Security
that allow operators to correct writing operations of wrong data, by writing the
correct information on the same memory bank, will generate several false tamper
detections, according to the error rate of human operators. The suitability of the
system requires that the number of false detections should be very small. Another
drawback of the system is that only tampering with written memory banks can be
detected, but wrong data insertion and data copying on unused banks cannot be
detected.
This approach requires the design of new tags, currently not available, which
would be compliant with existing standards. The main drawbacks of this approach
are the large memory requirement, the long transmission time for tamper checking,
and the limited applicability. However for some applications where a high cost per
tag is acceptable, it can provide a good security against data tampering attacks
performed by RF channel.
Public key cryptography for authentication
Various protocols for authentication employ cryptography and RFID tags without
cryptographic capability. In these approaches the cryptographic operations are not
performed by the tag, which only contains the encrypted data. Typically, a critical
code is encrypted using a secret key and a public key cryptosystem in order to
get a signature. The public key is given to all the entities that have to check the
authenticity of the product matched with the tag. The authenticity checking requires
the decryption of the signature, and the comparison with the original code.
Authentication protocols can provide tamper-evidence, but they require tags
with a large memory and long data transmissions. Furthermore, it is not possible to
distinguish if a tag is not original or it has been tampered, and the tamper-evidence is
not extended to other information contained by the tag. Therefore, authentication
schemes based on public key cryptography for RFID tags without cryptographic
capability are not effective tamper-evident approaches. The damaging effects due
to false positives generates a medium/high impact according to the importance of
the authentication, so tags with additional tamper-resistant features are required in
order to reach a high difficulty for attackers and to reduce the risk from medium/high
to low.
Cryptography for privacy protection
Many applications uses secret or private information, employing RFID tags without
cryptographic capability that contain secret or private information. A possible
solution to avoid unauthorized readings of the recorded data is represented by the
encryption.
In a symmetric cryptosystem, all the participants own the key, so they can
20

2 – Security
perform both encryption and decryption. However, this system requires a strong
trust among the participants, since the robustness of the system is based on the
secrecy of the key.
Another interesting protocol is Insubvertible Encryption [17], which aims at protecting
privacy, and employs a public-key cryptosystem based on ElGamal encryption
[45] for privacy protection. In this scheme the data written in the tag memory
are encrypted and can be re-encrypted by an authorized user without knowledge on
the keys previously used. The scope of the re-encryption is to change the context of
the tag in order to avoid tracking. This scheme is tamper-evident, since the entity
that performs the re-encryption can identify if the ciphertext has been tampered.
In cryptosystems that manage also the authenticity, as described in Section 2.3.2,
the tamper detection can be performed only by the authenticity check, but this
operation cannot normally distinguish between a not authentic tag and a tampered
one. Instead, in cryptosystems that encrypt information only for privacy, data
impairing is detected by decryption, so only authorized entities can check it. Wrong
data insertion is possible only for opponents with the secret key. The data copying
of the whole memory can be performed avoiding detection only when the protocol
does not encrypt a reference information, that unambiguously identifies the item or
the tag. However, only systems where tags are not suspected to be not authentic
are effectively tamper-evident.
2.3.3 Tamper-resistant approaches
In this section one approach specifically designed for tamper-resistant RFID tag is
detailed. Furthermore, some security tamper-resistant general purpose approaches
are described. A classification of tamper-resistant approaches is shown in Figure 2.3.
According to the evaluation method presented in [55], these schemes aim at increasing
the difficulty for adversaries to tamper with data in tag memories.
Steganography for RFID tag data recovery
The steganography is the ability to hide information. In [97] an approach based
on steganography that aims at recovering tampered data on RFID tag memories
compliant with EPC96 is presented.
According to the approaches described in Sec. 2.3.2, the approach proposed in
[97] is based on the statement that opponents could get benefits only by tampering
with the EPC Manager and Object Class, and that the Serial Number is the best
area to embed security bits.
Authors propose to select a group of products of the same consignment that
are characterized by the same EPC Manager and Object Class, to split in groups
of bits the secret pattern generated from the EPC Manager and the Object Class
21

2 – Security
Tamper-Resistant
Approaches
Anti-Tampering
Approaches
General Purpose
Security
Approaches
Steganography
Unwritable
Memory
Password
Challenge-Response
Protocols
Read Only
Memory
Lockable
Memory
Hard
Cryptography
Figure 2.3.
Tamper-resistant approaches
of the tags, and to embed each group of bits in the Serial Number of a tag. The
secret pattern is computed using error correction codes, and its length is equal to the
sum of the lengths of the EPC Manager, the Object Class, and some bits required
by the formula. Error correction codes help to recover data, when also the Serial
Number has been tampered. Authors propose an implementation where the length
of the pattern is 66 bits. Therefore, these 66 bits are devised in groups, and each
group is embedded in a tag memory. Then for each group it calculates the parity
bit, which is embedded in the Serial Number of the subsequent tag. The tamper
detection and recover procedure consists in checking the parity bit, and performing
the error correction coding. The parity bit aims at detecting tamper with the Serial
Number, and the secret pattern is used to generate the original EPC Manager and
Object Class. Also when few bits of the secret pattern have been tampered, the
error correction coding can calculate the right original data.
This system can be applied only to RFID tags that hold data compliant with
EPC96. The RFID tags do not require special features. The protocols of communication
between the reader and tags are compliant with standards. Writing operation
shall be managed according to the group division of the tags, in order to embed correctly
the security bits. The middleware is in charge of the checking protocol. The
time required by the tamper checking and recovery, which may be performed on a
whole group of tags, corresponds to the reading of 96 bits for each tag, and to the
computation of the error correction coding.
The system can be applied only to indivisible set of products, since the lack of
some tags makes the recovery system unusable, and the tamper detection possible
22

2 – Security
only when both a tag and the subsequent one are available. The robustness of the
system is based on the secrecy of the location of the secret information and on
the error correction coding. However, this information shall be shared by all the
entities that are involved in the trade of the tagged products; so the application of
this system requires strong trust among participants. The system does not involve
participants with limited permissions, so a malicious participant can sabotage the
whole system. Furthermore, external companies and customers that want to buy
the products cannot directly use the system in order to detect tampering.
As for tamper detection approaches described in Sec. 2.3.2, data impairing performed
by an opponent that does not know the secret function and the location of
the secret pattern is undetectable only if performed on the bits of the original Serial
Number. When the opponent knows the location of the secret pattern, he/she can
impair all the bits of the original Serial Number. When the data impairing alters
too many bits of the secret pattern, the recovery cannot be performed. As data impairing,
also wrong data insertion can be performed avoiding detection only when
performed on the bits of the original Serial Number. However, opponents that know
the meaning of data in the Serial Number can easily find the secret pattern. Since
the system shall be applied to groups of products of the same set, the data copying
of the whole tag memory can be easily detected. However, the copy of all the data
of a group of tags, on a different group cannot be detected by this approach.
This scheme can be used to recover tampered data on tag memories that have no
other protections (e.g. access password), or as additional protection. The application
of the system, according to the restriction to EPC compliant tags, is generally
limited to item management systems. The application restriction to indivisible
groups of items and the low protection level strictly limits the applicability of this
scheme.
Unwritable Memory
RFID tags with unwritable memory are tamper-resistant. They can be divided in
two groups according to the memory characteristics:
ˆ read-only memory, as the memories that hold only the ID;
ˆ permanently lockable memory, such as in the EPC Class I Gen 2 Standard [8],
where after being locked with a password the memory becomes unlockable.
A great benefit of systems that employ these kinds of tags is the strong tamperresistance.
Although these RFID tags cannot be used for applications which require
the ability to record information on the tags (e.g. internal tracking with reusable
containers [54,121]), when they are applicable (e.g. supply chain management [96])
they represent the strongest solution. Also for authentication systems, unwritable
23

2 – Security
memory are an effective solution, especially when the tag memory contains a signature.
Tags with a permanently lockable memory are more versatile than tags with
a read only memory, and if the locking is correctly managed, they provide the same
tamper-resistant level.
Passwords
A basic protocol that authenticates readers can employ passwords. In this case a
reader needs the correct password in order to access to the tag memory. However, an
eavesdropper can listen the password and use it for unauthorized accesses to the tag.
The optional use of 32-bit passwords is required by EPC Class I Gen 2 [8]. When
a password is used to write into memory area, the tag sends a random number to
the reader, which performs a bitwise XOR operation between the password and the
random number, and then it sends the result to the tag. An adversary that can only
eavesdrop reader to tag communication, but not the other direction, is not able to
find the password. However, an adversary that can eavesdrop both the directions of
the communication can easily find it.
The strength of passwords is that they are easy to implement, and they are
also managed by low cost tags. However, the simple use of password increases
the difficulty for adversaries to tamper with RFID data, since this action requires
eavesdropping, but does not stop it. Furthermore, the use of password cannot be
applied to systems where generic users have the writing privilege.
Challenge-Response Protocols
In a challenge-response authentication protocol an entity presents a question, and
a second entity properly answers. When the answer is incorrect the second entity
is considered not valid. The authentication can be unilateral or mutual. Several
methods that implement challenge-response authentication can be applied to RFID
technology.
Advanced protocols employ cryptography [94]. An example that employs symmetric
key encryption, unilateral authentication, and random number, can be based
on ISO/ IEC 9798-2 [73]. Both the tag and the reader own the secret key. The tag
sends a random number to the reader, which encrypts it using the secret key and
which sends back the ciphertext. The described protocol requires tags with enough
computation capacity to perform symmetric-key encryption and to generate random
or suitable pseudo-random numbers. The robustness of the protocol is related to the
difficulty to predict the pseudo-random number and to the length and the security
of the employed keys. An example of RFID tags with cryptographic capability is
DEFfire from Philips [14], which can perform AES/DES operations.
The only ways to tamper with data on a tag that employs a challenge-response
24

2 – Security
authentication protocol based on symmetric key encryption are breaking the encryption
scheme, finding the secret keys or predicting/altering the pseudo-random
number generation. When the employed cryptosystem is strong enough, challengeresponse
protocols represent a strong solution. Moreover, they can be employed for
applications that require rewritable memories, provided that only authorized users
have to write on the tags. However, the main drawback is the additional cryptographic
modulo required by tags, which increases the cost per tag, and can reduce
the reading range, according to the higher power supply required by the tag.
2.3.4 Discussion
During the last years, many approaches have been proposed for security problems
aiming at protecting from tampering, and in particular various tamper-evident and
tamper-resistant approaches have been proposed for RFID tags. These approaches
are characterized by different properties, requirements, and applications. Furthermore,
each approach has specific benefits and drawbacks.
Table 2.1. Requirements Comparison of Anti-Tampering Approaches respect to
EPC Class I Gen 2 Standard
Approach
Requirements
tags
readers/ communication
middleware
Watermarking [106] standard (EPC96) watermark standard
generation
Write activity [130] special memory area standard standard
special writing protocol
Authentication [28] standard (large user standard/ standard
memory)
encryption
Privacy protection
standard (large user standard/ standard
[27]
memory)
encryption
Steganography [97] standard (EPC96) standard standard
Permanently lockable
standard (lockable) standard standard
memory [8]
Password [8] standard (password) standard standard
Challenge-Response
Authentication [14]
encryption
standard/
encryption
Challenge-
Response
In order to analyze the feasibility of anti-tampering approaches, their requirements
have to be considered. Table 2.1 shows the main characteristics of RFID
25

2 – Security
tags, readers and communications protocols that are required by anti-tampering
approaches. The compared authentication and privacy protection approaches are
based on messages encrypted with public key cryptography and embedded in the
tag memory. The requirements for the readers and the middleware are the easiest
to satisfy, adding additional software modules to the middleware, or implementing
their functionalities directly on the reader, also when these modules require relevant
computational effort. Requirements that modify the communication standards often
involve longer communication sessions and generate incompatibility with standard
devices. However, the only approach that has special requirements for communication
is the Challenge-Response Authentication, which is naturally limited to
authorized tags and readers. Each approach presents some requirements for RFID
tags, which are the most difficult to satisfy. The Challenge-Response Authentication
and the Write activity scheme present requirements not addressed by the standards,
which involve high cost tags with additional hardware modules. Authentication and
privacy protection approaches require large user memories, increasing the cost. The
tag requirements of the other schemes can be accomplished without excessive effort.
Table 2.2.
Protection Comparison of Anti-Tampering Approaches
Approach
Tampering Threats
data impairing wrong data insertion data copying
Watermarking [106] tamper-evident 1 tamper-evident 1 possible
Write activity [130] tamper-evident 2 tamper-evident 2 tamper-evident 2
Authentication [28] possible possible possible
Privacy protection tamper-evident tamper-evident possible
[27]
Steganography [97] tamper-evident 1 tamper-evident 1 possible
light resistance light resistance light resistance
Permanently lockable
tamper-resistant tamper-resistant tamper-resistant
memory [8]
Password [8] tamper-resistant tamper-resistant tamper-resistant
Challenge- tamper-resistant tamper-resistant tamper-resistant
Response Authentication
[14]
1 According to the analyzed implementation tampering with the original Serial
Number cannot be detected.
2 Tampering with blank memory banks cannot be detected.
Table 2.2 compares the protection against data-tampering threats of both approaches
designed for tampering, and general security approaches. One implementation
for each approach is used as reference in the table. A tamper threat is defined
26

2 – Security
as “possible” when the requirements of the approach are satisfied and it can still
be performed. The definition “light resistance” is used when tampering can be performed,
and the data recovery could be possible. Observing Table 2.2, we can find
that only one method is tamper-evident against data copying, but only for tampering
with written memory banks, so the protection from this attack represents a relevant
open issue for RFID tamper-evident research studies. Examining the general purpose
security techniques, we can find that although tag authentication protocols do
not provide any effective protection against tampering, privacy protection systems
present effective tamper-evident features.
Table 2.3. Robustness Comparison of Anti-Tampering Approaches
Approach Robustness Factors RFID Drawbacks
length of the watermark area in the EPC code
Watermarking [106] function secrecy difficult updating
watermark location secrecy
participant trust insider vulnerable
Write activity [130] no rewritings tampering and rewriting
unnoticeable
special memory length memory area
Privacy protection
length of the keys memory area and trans-
[27]
mission time
key secrecy
length of the code area in the EPC code
Steganography [97] error correction coding multiple tags
watermark location secrecy
participant trust insider vulnerable
Permanently lockable
hardware
memory [8]
password secrecy eavesdropper vulnerable
Password [8] password length memory area
password number memory area
Challenge-Response length of the keys tag computation
Authentication [14]
key secrecy
A critical characteristic for the evaluation of an approach is represented by its
robustness, since a protocol that protects against all tamper threats but can be
easily broken is not acceptable. Table 2.3 shows the main factors that affect the
robustness of a method, and the related drawbacks due to RFID technology, such
as additional memory area, which increases the cost, and additional computation,
27

2 – Security
which increases the time and consumption. The most robust tamper-evident approach
is represented by the Write activity scheme. However, it requires a large
memory to store the writing activities. The tamper-evidence provided by the privacy
protection approach is quite high, but it does not address data copying, and
it requires a large memory. The robustness of the Watermarking scheme is lower,
mainly because it is based on several factors, such as the length of the watermark and
the trust among participants, which are not easy to fully satisfy. The most robust
tamper-evident approach is the Permanently lockable memory, since it is protected
against RF attacks. Also the Challenge-Response Authentication is robust, but it
requires relevant tag computation capability. The Password approach is exposed
to brute force attacks, which are addressed by long passwords, and to eavesdropping
attacks, which represents the weak spot of this approach. The Steganography
approach does not provide high robustness, since tampering with the watermark
location prevents data recovery.
Table 2.4. Tamper Checking Comparison of Tamper-evident Approaches
Approach Detection Ability Owner Checking Time
Watermarking [106] participants 96-bit reading
watermarking function
Write activity [130] public reading of 2 bytes for performed
writing
Privacy protection [27] authority whole ciphertext reading
decryption
Table 2.4 shows the characteristics of tamper checking. The number of entities
that can check the tamper presence affects the usefulness of the system, since a
restricted number of possible users lead to difficulties to detect tampering. Also the
number and the kind of operations is important, since they affect the performance
of the system. However, as shown in Table 2.4, the RFID-specific tamper-evident
approaches do not require too long operations, so they are quite fast; instead, the
general privacy protection approach, which involves cryptography, requires more
computation time.
Table 2.5 shows the tamper-evident approaches sorted according to their robustness,
and the restrictions to their applicability. According to the decrease of the
robustness, the schemes can be more widely applied. The Write activity scheme can
be used only for applications that do not require more than one writing operation
per memory bank (e.g. supply chain management). Privacy protection can be used
for every type of application, but it requires that all the participants own the keys.
28

2 – Security
The Watermarking scheme can be used for applications that employ tags compliant
with EPC96 standard, which is normally used for item management.
For applications that do not require rewriting the Write activity approach is
the best solution. However, it requires expensive tags. For applications that require
rewriting, and only authorized users have to access tags, a good tamper-evident solution
is represented by the Privacy protection approach. However, also this approach
requires quite expensive tags. For the other applications where data are compliant
with EPC96, or when the tag cost is a critical parameter, the Watermarking approach
can represent a good solution. However, the provided tamper-evidence is
limited.
Table 2.5. Applicability Comparison of Tamper-evident Approaches
# Approach Applicability Restrictions
1 Write activity [130] No corrections or updates
2 Privacy protection [27] Participants with keys
3 Watermarking [106] EPC96 data format
Although tamper-evident approaches reduce the alteration effects of tampering
to damage, according to Section 2.3.1, tamper-resistant approaches can provide
better protection against both alteration and damage. Table 2.6 shows the tamperresistant
approaches sorted according to their robustness, and the restrictions to
their applicability. As for tamper-evident schemes, according to the decrease of the
robustness, they can be more widely applied. The Permanently lockable memory
approach can be used only for applications that do not require rewriting, similarly
to the Write activity approach. The Challenge-Response Authentication and the
Password schemes can be used for every type of application, but they require that
the participants with writing privilege own the keys or passwords. The Steganography
approach can be used for applications that employ tags compliant with EPC96
standard, as the Watermarking approach.
For applications that do not require rewriting the Permanently lockable memory
approach is the best solution. Moreover, it can be implemented with low cost
tags. Therefore, for these application the Permanently lockable memory approach is
better than the Write activity scheme. For applications that require rewriting, and
where only authorized users have to write tags, the Challenge-Response Authentication
can be a good solution. However, this approach requires very expensive tags.
When low cost tags are required, the same kind of applications managed with the
Challenge-Response Authentication can employ the Password approach, but they
provide less security, being exposed to eavesdropping. In order to reach a higher
security the Password approach can be used together with Privacy protection. For
29

2 – Security
the other applications where data are compliant with EPC96, or when the tag cost
is a critical parameter, the Steganography scheme can represent a solution, but only
if inseparable set of tags are used. This approach provides low tamper-resistance,
but it provides also limited tamper-evidence.
Table 2.6. Applicability Comparison of Tamper-resistant Approaches
# Approach Applicability Restrictions
1 Permanently lockable memory [8] No corrections or updates
2 Challenge-Response Authentication [14] Participants with keys
3 Password [8] Participants with password
4 Steganography [97] EPC96 format, Inseparble tags
The main open issues for tamper-resistant solutions are represented by the lack
of cheap and robust schemes applicable to tags with rewritable memory. Tamperevident
approaches lack of robust schemes based on low cost tags, and the lack
of schemes usable for a generic application. Especially data copying requires to
be carefully managed by future tamper-evident approaches. Watermarking-based
schemes seem a quite effective low cost solution, but it should be extended to tags
with different memory organizations.
2.3.5 Conclusion
Tampering is one of the most dangerous threats for RFID systems, especially datatampering,
which cannot easily be addressed with standard methods. In this section
the characteristics and the effects of tampering have been described. The peculiarities
of tampering with RFIDs and in general with pervasive technologies have been
detailed. Tamper-evident and tamper-resistant approaches for RFID have been surveyed
and classified. Furthermore, other general purpose RFID security techniques
have been described, analyzing their protection against tampering attacks.
The comparison of the described approaches highlighted their benefits and drawbacks.
Among the various approaches the main protection is given by the tamperresistant
general purpose ones, but these methods involve either strict limitations
to RFID applications, or RFID tag computational capacity. The RFID-specific
tamper-evident approaches do not require relevant computational capacity, but either
their robustness is limited or their applicability is narrow. The main open issue
is represented by the lack of tamper-evident approaches that are able to effectively
manage data copying.
30

2 – Security
2.4 Public-key in RFIDs
Symmetric encryption and challenge-response techniques have been successfully implemented
in RFID systems, and satisfactory results in terms of security have been
obtained for specific applications. Asymmetric encryption provides advantages that
symmetric encryption does not; e.g., since it does not require key distribution, benefits
such as off-line authentication might be obtained. Nevertheless, asymmetric
encryption is less diffused in RFIDs mainly because its hardware requirements are
larger than in other security schemes.
Different asymmetric encryption approaches have been studied and proposed.
Each proposal differs from others in the kind of encryption algorithm adopted. Relevant
approaches are based on the Rivest, Shamir and Adleman (RSA) algorithm [29],
Elliptic Curves Cryptography (ECC) [22], ElGamal scheme [45] or NTRU scheme [5].
RSA-like encryption engines are based on the complexity of computing logarithms
in finite fields. Good and proven security is obtained by using it; however,
its key length is the main drawback that affects its smooth implementation in RFID
systems. An encryption core based on this kind of algorithm requires key lengths of,
at least, several hundreds of bits which combined with the kind of operations that
must be performed provides an unhealthy environment for RFID deployment. Finally,
RSA-like algorithms require a huge quantity of memory in the RFID transponder.
ECC-based algorithms are based on the same mathematical principles as RSA
except by the fact that operations are carried out within an elliptic curve in the
finite field. As a result, key lengths are reduced in a significant way maintaining
many of the security advantages of RSA.
ElGamal scheme is based on the intractability of the discrete logarithm problem
and the Diffie-Hellman problem. Since two modular exponential operations are
required, the efficiency is lower than in RSA, and the size of the keys is larger. However
this approach retains several interesting properties, such as semantic security
and homomorphism.
NTRU is an encryption algorithm based on the complexity of finding a very short
vector in a high dimension lattice which has been proposed recently. This approach
allows reducing execution time because keys may be managed in short chunks, thus
taking advantage of general purpose processors.
2.4.1 RSA-like Cryptography
RSA cryptosystem was invented by Rivest, Shamir and Adleman [110] and is the
best known of the integer factorization family of cryptosystems where its strength
lies in the mathematical complexity of factoring large integers. In this scheme, large
enough integers are selected in order to make brute-force factorization infeasible.
31

2 – Security
RSA is, probably, the most widely used public key cryptosystem. Since multiplication
of integers modulo n is a relatively cumbersome procedure to implement, and
since an exponentiation operation requires repeated multiplication, the RSA system
cannot achieve the speed of private systems. This is, of course, true for other public
keys cryptosystems as well. RSA encryption and signature verification can be
speeded up significantly by selecting a small exponent (typical values are either 3 or
2 16 + 1).
Mathematical Description
Based on the integer factorization problem, RSA cryptosystems are created from
two large prime numbers p and q. In RSA, the product n = pq generates the group
G = Z ∗ n, which is a multiplicative group of units in the integers module n. The
order of G is φ(n) = (p − 1)(q − 1), where φ denotes the Euler Phi function. Since
no efficient algorithms are known for taking b-th roots in Z ∗ n without the knowledge
of p and q, hence, breaking the RSA cryptosystem is believed to be equivalent to
factoring n.
Keys Generation
steps:
Public and Private generation is performed in the following
1. Select two large prime numbers p and q.
2. Compute n = pq.
3. Compute φ(n) = (p − 1)(q − 1).
4. Find two numbers a and b that satisfy ab ≡ 1 (mod (φ(n))).
5. The public key is the pair (n,b) and the secret key is (p,q,a).
Encryption In an RSA cryptosystem, message x is translated into a ciphertext
c(x), i.e. encrypted, as follows:
c(x) = x b mod n
Decryption On the other hand, decryption in a RSA cryptosystem is performed
in the following way:
p(y) = y a mod n
32

2 – Security
High-level Approach
Some approaches utilize RSA-like encryption for dealing with security in RFID
transponders. Most of them are part of a broader protocol with a specific aim
that takes advantage of RSA encryption in an indirect way, avoiding encryption
requirements within the RFID tag.
A common use of encryption in RFID systems is to reduce counterfeit. In [28],
authors come up with a solution for providing a level of security against counterfeit
tags based on RSA-like encryption. The basic idea behind their approach is to
use a key-couple K P and K S , the public and secret key respectively, to encode the
identifier of the tag I T . In particular, they encrypt I T with K S that gives as a result
C T , a ciphered version of the identifier. C T is then memorized in the tag’s memory
allowing final users to verify the authenticity of the tag by decrypting it with K P
and comparing the result with I T ; after the memorization, the writing action for the
involved area of memory is disabled.
This approach is a simple authentication protocol that bypasses the need of
encryption capabilities inside RFID transponders.
The cloning action is possible, but it clearly requires the production of new
tags. The forgery action needs to break the RSA cryptosystem system. A spying
action can only get the identifier. The ciphertext is unchangeable, so the system
is tamper resistant. The system does not provide protection against tracking or
personal belongings spying.
Hardware Approach
An authentication protocol for RFIDs that has been implemented in hardware and
adopts RSA-like cryptography is introduced in [29]. In that approach, authors
present an RFID tag with encryption capabilities. The tag encrypts the identifier
of the tag I T , providing a ciphertext C T . C T can be decrypted and compared to I T .
According to authors choosing the public key K P or the secret key K S for encryption
depends on the kind of application that is intended. For instance, if encryption is
performed with K S then decryption must be performed with K P , and thus the
application should be an authentication or anti-counterfeit protocol. Authors claim
that, when using a technology of 90 nm and 1.9 MHz as operational frequency,
they reach about 1600 µW of power consumption and an encryption average time
of 540 ms for a 1024-bit key. Even though timing and power results are not fully
satisfactory, this approach provides a good starting point for on-line encryption in
RFID transponders.
33

2 – Security
2.4.2 Elliptic Curve Cryptography
Elliptic Curve Cryptography (ECC) is a term used to mean a multitude of different
cryptographic key exchange and agreement protocols. The building block of all
these protocols is the scalar point multiplication which also represents the computationally
most expensive operation. The construction of elliptic curve groups may be
performed by exploiting different types of finite fields, being the most common one
the Galois Field with prime characteristics or binary extension fields, e.g., GF(p)
and GF(2 k ). Low power implementations of ECC in hardware may be achieved
by means of efficient arithmetic that can lead to feasible approaches for public-key
cryptography within the RFID domain.
Several elliptic curve cryptographic schemes are related to schemes based on
the discrete logarithm problem. In order to show theoretical constructs of ECC and
provide a possible implementation architecture, the particular approach of Menezes-
Vanstone [119] is considered throughout this section. For the description of other
schemes quoted in this section, we will refer the readers to the original papers.
Mathematical Description
ECC relies on a group structure induced on an elliptic curve. The set of points on
an elliptic curve (with one special point added, known as the point at infinity O)
together with point addition as a binary operation has the structure of an abelian
group, i.e., a group where the point addition is commutative. A finite field of
characteristic 2 is considered, i.e., GF(2 n ). A non-supersingular elliptic curve E
over GF(2 n ) is defined as the set of solutions (x,y) ∈ GF(2 n )× GF(2 n ) of the generic
equation
y 2 + xy = x 3 + ax 2 + b,
where a,b ∈ GF(2 n ), b /= 0, together with O.
Keys Generation
Public and private keys are generated as follows:
1. Choose a specific elliptic curve, for instance: E : y 2 ≡ x 3 + α · x + b mod p.
2. Choose a primitive element α = (x α ,y α ) ∈ E.
3. Pick a random integer a ∈ {2,3, . . . ,#E − 1}.
4. Compute a · α = β = (x β ,y β ).
5. The public key is then (E,p,α,β), and the private key is (a).
34

2 – Security
Encryption
The encryption algorithm executes the following steps:
1. Pick a random k ∈ {2,3, . . . ,#E − 1}.
2. Compute k · β = (c 1 ,c 2 ).
3. Encrypt e E,p,α,β (x,k) = (Y 0 ,Y 1 ,Y 2 ) where Y 0 = k · α, Y 1 = (c 1 · x 1 ) mod p, and
Y 2 = (c 2 · x 2 ) mod p.
Decryption
In order to decrypt, the following steps must be performed:
1. Compute a · Y 0 = (c 1 ,c 2 ).
2. Decrypt as follows: d a (Y 0 ,Y 1 ,Y 2 ) = (Y 1 · c −1
1 mod p, Y 2 · c −1
2 mod p) = (x 1 ,x 2 ).
High-level Approach
Work proposed in literature related to this kind of encryption rely on the different
mathematical operations within the elliptic curve to introduce the required levels of
difficulties for public-key algorithms. Several approaches utilize this encryption for
off-line authentication of RFID tags.
One of them is presented in [124], where authors construct an elaborated algorithm
to be used for authentication based on ECC. Their approach exploits, other
than the ECC-based public key algorithm, a Physical Unclonable Function (PUF)
that is embedded within the transponder.
A PUF, as defined by the authors, is a function that has the property of being
easy to evaluate but hard to characterize. That is, the amount of knowledge that an
attacker can obtain from studying the responses to randomly distributed challenges
(i.e., queries) to the PUF is negligible. In addition, PUFs should be unique, i.e.
responses measured on different PUFs should be, with high probability, far apart.
Besides, the PUF should be inseparably linked to the chip, meaning that any attempt
to remove the PUF from the chip leads to the destruction of the chip and the PUF.
As a valid implementation for the PUF, authors propose the silicon PUF (SPUF)
[58]. SPUFs have advantages compared to other PUF techniques because they can
be constructed in silicon base materials, and thus common CMOS manufacturing
processes can be exploited. SPUFs are circuits designed to be sensitive to time
delays which vary across integrated circuits due to process variations in transistors
and wires. Therefore, even a person who has the detailed information of the SPUF
circuit cannot physically clone it because circuit delays depend on process variations
that are, even, beyond the manufacturer’s control.
The main elements in the off-line identification approach are:
1. A reader and a transponder with identification I D and a PUF.
35

2 – Security
2. A standard identification scheme composed by K g which is a generation key
algorithm; P , an interactive protocol used by the prover (the transponder);
and V , which is an interactive protocol used by the verifier (the reader).
3. A secure signature mechanism (which is typically ECC-based) constituted by
SK g , a generation key algorithm; S e which is the signature algorithm; and V f
which is the verification algorithm.
The overall identification scheme is generated in two stages, namely enrollment and
authentication.
In the enrollment stage, SK g is conceived as master key generation algorithm
MK g in order to generate a secret key msk and a public key mpk, used to sign and
verify respectively. K g is used as a UK g which is an algorithm that creates a public
key pair (pk,sk) for each tag. A certificate, that functions as a signature, is then
stored in the transponder based on pk and the signature mechanism, i.e. msk. In
the authentication stage, the tag sends the certificate to the reader. If it is valid,
the reader and the tag start the standard identification protocol. If the tag finishes
the protocol the reader validates the tag correctly.
This anti-counterfeiting algorithm protects effectively against cloning and forgery
actions.
Hardware Approaches
In the following, several approaches implemented in hardware are presented.
Gaubatz et al. In [59], authors offer an ECC hardware implementation addressed
to highly constrained devices that may be utilized in RFIDs. Their core operates at
a frequency of 500 KHz. Their architecture occupies a chip area equivalent to 18720
gates using a 0.13 µm CMOS technology. They state that consumption is under
400 µW in signing and encrypting messages. Furthermore, authors claim that, with
their scheme, a message of less than 200 bits is encrypted in approximately 817 ms.
Batina et al. Batina et al. [23] improved the implementation proposed by Gaubatz
et al. in [59]. Their processor included a modular arithmetic logic unit capable of
computing additions and multiplications using the same cells without having a fulllength
array of multiplexers. Results are better compared to other implementations.
The total amount of gates required is around 12000 in a 0.13 µm CMOS technology;
consumption is less than 30 µW and message encryption is performed in 115 ms
operating at 500 KHz.
36

2 – Security
Wolkerstorfer Wolkerstorfer developed an integrated chip that can provide good
performance for signing messages [128]. The chip has an equivalent area of 23000
gates implemented in 0.35 µm CMOS technology. It reaches the operating frequency
of 68.5 MHz.
Kumar - Paar The hardware implementation presented in [86] is a valid approach
of an ECC processor. It is able to operate at 13.56 MHz, which is a standard
frequency in RFIDs. The area of the chip is about 12000 gates according to the
authors. They state that operating at that frequency, with a technology of 0.35 µm,
their processor has a timing performance of about 18 ms.
2.4.3 ElGamal Cryptography
In [45] ElGamal presented the ElGamal encryption system and the ElGamal signature
scheme. The ElGamal encryption is based on the intractability of the discrete
logarithm problem and the Diffie-Hellman problem.
The generalized version of this encryption scheme can work in any finite cyclic
group G, but the group determines the security and efficiency of the scheme. Two
right groups are:
ˆ the multiplicative group Z ∗ p of integers modulo p;
ˆ the group of points on an elliptic curve over finite field.
The efficiency of ElGamal encryption is lower than RSA, since it requires two
modular exponential operations, and since the resulting ciphertext size of an encryption
is twice as the plaintext one.
ElGamal scheme employs randomization. This is a reason of the large size utilized,
but it is a protection against statistical and chosen-plaintext attacks.
Mathematical Description
In this section the generalized version of ElGamal will be described. The problem
to solve in order to break ElGamal encryption is the Diffie-Hellman problem, which
is strictly related to the widely studied discrete logarithm problem, so the security
of ElGamal encryption is often considered based on the second one.
The generalized discrete logarithm problem is: given a finite cyclic group G of
order n, a generator α of G, and an element β ∈ G, find the integer x, 0 ≤ x ≤ n−1,
such α x = β.
The generalized Diffie-Hellman problem is: given a finite cyclic group G, a generator
α of G, and group elements α a and α b , find α ab .
37

2 – Security
The group G satisfies the computational Diffie-Hellman assumption if no efficient
algorithm can compute α ab . A stronger assumption, useful for the demonstration of
security properties, is the decisional Diffie-Hellman assumption [33], that is based
on the decisional Diffie-Hellman problem.
The generalized decisional Diffie-Hellman problem is: given a finite cyclic group
G, a generator α of G, and group elements α a and α b , distinguish α ab from α z .
The group G satisfies the decisional Diffie-Hellman assumption if no efficient
algorithm can distinguish α ab from α z .
Keys Generation
steps:
Public and Private generation is performed in the following
1. Select an appropriate cyclic group G of order n, with generator α.
2. Choose a random integer a, 1 ≤ a ≤ n − 1.
3. Compute the group element α a .
4. The public key is (α,α a ), together with a description of how multiply elements
in G.
5. The private key is a.
Encryption In ElGamal encryption, message m is translated into a ciphertext c,
i.e. encrypted, as follows:
1. Represent m as an element of the group G.
2. Select a random integer k, 1 ≤ k ≤ n − 1.
3. Calculate γ = α k and δ = m · (α a ) k .
4. The ciphertext is c =(γ,δ).
Decryption
Decryption in ElGamal encryption is performed in the following way:
1. Calculate m = γ −a · δ.
38

2 – Security
Properties
Some properties of ElGamal are:
ˆ Semantic security: Tsiounis and Yung [122] demonstrated that the semantic
security of the ElGamal encryption and the decision Diffie-Hellman assumption
are equivalent, so if the decision Diffie-Hellman problem is hard over G,
ElGamal encryption possesses the property of semantic security.
ˆ Homomorphism: ElGamal is a homomorphism cryptosystem, since the encryption
of a message is
ε(m) = (α k ,m · (α a ) k ),
then,
ε(m 1 ) · ε(m 2 ) = (α k 1
,m 1 · (α a ) k 1
)(α k 2
,m 2 · (α a ) k 2
)
= (α k 1+k 2
,(m 1 · m 2 )(α a ) k 1+k 2
) = ε(m 1 · m 2 mod n).
ˆ Key-privacy: Bellare et al. [24] proved that the ElGamal scheme provides
anonymity under chosen-plaintext attack.
About the key length, In 1996 Menezes et al. [94] recommended 1024-bit or larger
moduli for long-term security.
High-level Protocols and Approaches
Works proposed in literature related to this kind of encryption relies on the different
mathematical operations within the ElGamal approach.
Re-encryption In 2001, European Central Bank proposed to embed RFID tags
in Euro banknotes; RFID tags in banknotes can be used like a money flow tracking
mechanism and an anti-counterfeiting systems. In [79], authors consider the special
problem of consumer privacy protection for RFID-powered banknotes, but their
approach is potentially applicable to a generic RFID-based authentication system.
Their broader protocol can employ: a generic public-key cryptosystem, that may
be based on ElGamal cryptosystem [45], thanks to its readiness to encoding over
elliptic curves; and a digital signature of any type, that may be based on elliptic
curves, thanks to its relative good security with compact size. In this particular
case, a public key P K L and a secret key SK L are generated by an appropriate law
entity or agency. That pair is used to manage the privacy protection. An RFID
tag, within this system, possesses a unique identification S i which is the same as the
serial number assigned to the banknote. A Central Bank generates a signing key pair
P K B and SK B , which are used to guarantee the authenticity of the information.
The Central Bank generates the signature Σ i on S i by using SK B , then the bank
39

2 – Security
encrypts Σ i and S i by means of P K L and a randomly value called the encryption
factor r i , and thus obtaining a ciphertext C Si . Now the bank generates an access
key D i by using the public hash function h. Finally the bank writes S i and Σ i on
the banknote, it inserts C Si in a cell of the tag memory that is protected from the
writing by the access key D i , and it inserts r i in a cell that is protected from both
writing and reading by D i . Everyone can read and write the information in the
memory by using the data written on the banknote and h.
Every merchant with an optic access to a banknote can verify its authenticity
by: encrypting Σ i and S i by P K L and r i , and then checking the resulting C Si ;
decrypting the signature Σ i by using P K B and checking the resulting S i .
By using this system, the agency in charge of inspecting banknotes transactions
can decrypt C Si , which is readable without an optic access to the banknote, because
it has SK L , and compute back the original serial number C Si .
In order to avoid privacy risks, authors proposed a re-encryption mechanism to
be performed periodically; hence, by using again P K L , selected users re-encrypt Σ i
and S i by P K L and a new r i, ′ creating a new C Si ′ . Therefore after every re-encryption
the tag will emit different data, which cannot be linked to the previous ones.
Authors presents a numerical sample that uses the signature scheme of Boneh,
Shacham and Lynn [42] and the Fujisaki-Okamoto [51] variant on ElGamal. With
a serial number size of 40 bits, the relative signature size is 154 bits, the plaintext
size is 194; considering an elliptic-curve-based group of 195-bit order, the ciphertext
size is 585 bits, so the required memory is 780 bits.
The described scheme is based on mixnets [37]; the main difference is that in
mixnet the entities performing re-encryption do not know the plaintext, instead
in [37] plaintext, which is the serial number, is known.
The described scheme allows the money tracking, and it provides a partial defense
against counterfeiting and privacy violation.
The cloning action is possible on every banknote in the optic and radio contact.
The forgery action needs to break the signature system. A problem is that, also if
it is secure, there is no possibility to change the key couple, so forgers have many
years to break it. The signature is written on banknotes so, after the secret key has
been unveiled, it is unchangeable and there is no more proof of the authenticity of
the information on all the printed banknotes.
The only information to hide is the serial number; all the information in the tag
memory, if maliciously changed, can invalid the money tracking system. The spying
and tapering actions are possible only by using an optic reading, or by breaking the
cryptosystem. Moreover, if the secret key has been unveiled, the couple of keys can
be easily changed.
In order to avoid people tracking, the ciphertext emitted by the tag is changed
by the re-encryption. However it is possible to suppose that the re-encryption is executed
only when there is a banknote transfer between a customer and an authorized
40

2 – Security
entity, so the banknotes emit the same numbers for the whole time they are hold by
the same person. Furthermore a person can bring a set of banknotes, so he/she is
identifiable by a set of ciphertexts with periodical input and output of elements.
The exchange of money between persons does not involve the re-encryption, so
it could be easy detecting relation between private persons. The presence of the tag
could show the presence and the approximate quantity of money. This information
can be very useful for merchants and thieves. Authors suggest that some additional
RFID privacy systems can reduce the exposition to these threats.
Universal re-encryption In [63], a modified version of the re-encryption approach
exploited in mixnet [37] is presented. The main difference from re-encryption
is that universal re-encryption does not need the knowledge of the public key under
which a ciphertext was computed. The properties of universal re-encryption are
demonstrated exploiting ElGamal cryptosystem [45], due to its security properties
and its homomorphism. The required storage and computation resources are twice
as standard ElGamal ones.
The authors propose also a possible application of universal re-encryption to
generic RFID tags. Like for the scheme described in the re-encryption section, some
entities perform re-encryption of the public information of tags in order to avoid
people tracking. Differently than the previous scheme, here various kind of entities
with their couple of keys, which do not have information about the other entities
and about the key previously used on a tag, can re-encrypt the output of the tag by
using their own public key.
The universal re-encryption offers the opportunity to extend the RFID re-encryption
protection privacy system to all RFID tags, but authors do not go in deep about
practical implementation problems.
Saito et al. [112] examine the special problem of the malicious modification of
the information in the tag memory; they found two dangerous attacks and they
propose two protection schemes. Both the attacks exploit an encryption with special
parameters, that avoid a correct privacy re-encryption, in order to make the tag
traceable.
The first proposed scheme is “the re-encryption protocol with check”. In this
protocol, when a reader writes a ciphertext on a tag, the tag must check if the ciphertext
is correctly re-encryptable, and so it can avoid malicious ciphertext. The
second proposed scheme is the “re-encryption protocol using a one-time pad”. In
this protocol the tag re-encrypts the ciphertext by using a one-time pad, which is
written and updated by an authorized reader and is stored in the tag memory. The
re-encryption computational work is devised between the generation and the application
of the one-time pad. Authorized readers need a key, stored in a database, in
order to update the one-time pad, and so to determine the next emitted ciphertexts.
41

2 – Security
The first protocol protects only against two specific attacks, instead the second
brings a higher protection, by allowing only authorized access, but it limits
strictly the universality of the updating operation, that is the core of the universal
re-encryption. Both the protocols require tags with computation capacity and
storage memory, but they are not quantified. In absence of an efficient physical
implementation, these protocols look too expensive for low cost RFID tags.
The universal re-encryption owns some good properties, but it presents also some
gaps that must be still managed. The scheme does not provide protection against
cloning, forgery and tampering actions. It provides protection only against spying
and tracking actions, but a malicious re-encryption can make the tracking possible.
Insubvertible Encryption The scope of the insubvertible encryption [17] is to
solve the security problems of the universal re-encryption, which is based on ElGamal
encryption.
Like explained before in this section, with universal re-encryption a malicious reencryption
can make the RFID tag traceable. The insubvertible encryption consists
of a certificate attached to an ElGamal encryption. A valid encryption requires the
use of the correct certificate. The ciphertext can be randomized by everyone, but the
entity that performs the re-encryption can identify if the ciphertext is safe. A cypher
text can not became back untraceable, but the re-encryption entity can delete the
ciphertext and write a new untraceable ciphertext that is without meaning.
The privacy protection of the presented cryptographic primitive is based on three
properties:
ˆ This scheme inherits semantic security from ElGamal.
ˆ The certificate is an extension of the signature proposed by Camenisch an
Lysyanskaya [35], which depends on LRSW assumption [92], so the certificates
are unforgeable.
ˆ The scheme provides key privacy.
The described scheme is a good evolution of universal re-encryption, in fact some
security problems are solved.
The cloning action is possible, in order to avoid it additional protection systems
are required. The forgery action needs to break the certificate system.
The spying is not possible, since to get the encrypted information needs to break
the cryptosystem, which is based on ElGamal. The scheme is tamper-evident, but
not tamper-resistant; at the first re-encryption the tampering will be detected, but
the previous data are lost. However the tamper-evidence is limited, since the insertion
of safe data, e.g. copied from another tag, is not detectable.
42

2 – Security
The re-encryption, which can be performed by everyone, can potentially limit the
tracking to short path, but it requires the presence of several re-encryption entities.
Perhaps the evaluation of mobile re-encryption tools could be interesting.
The extension of the system to many kind of commodities, and the spying resistance,
protect people against the malicious identification of their personal belongings.
2.4.4 NTRU Cryptography
NTRU is a cryptosystem that is, apparently, highly efficient and appropriate for
embedded applications such as smart cards or RFID tags. While it has not been
profoundly tested in order to establish its resistance to cryptographic attacks, there
is theoretical evidence of its efficiency that claims that its provided level of security
is comparable to RSA scheme’s [69] [70].
Mathematical Description
NTRU is based on arithmetic in a polynomial ring
R = Z(x)/((x N − 1),q)
defined by the parameters set (N,p,q) that presents the following properties:
ˆ All elements of the ring are polynomials of degree at most N - 1, where N is
prime.
ˆ Polynomial coefficients are reduced either mod p or mod q, where p and q are
relatively prime integers or polynomials.
ˆ p is considerably smaller than q, which lies between N/2 and N.
ˆ All polynomials are univariable over the variable x.
The main operation inside the ring is the multiplication which is commonly
represented with the asterisk ⊛. It can be best described as the discrete convolution
product of two vectors, where the coefficients of the polynomials form vectors as
follows.
a(x) = a 0 + a 1 x + a 2 x 2 + · · · + a N−1 x N−1 = (a 0 ,a 1 , . . . ,a N−1 )
b(x) = (b 0 ,b 1 ,b 2 , . . . ,b N−1 )
c(x) = (c 0 ,c 1 ,c 2 , . . . ,c N−1 )
43

2 – Security
Then the coefficients c k of c(x) = a(x) ⊛ b(x) mod q,p are each computed as
c k =
∑
i+j=k mod N
a i b j .
The modulus of reduction of each coefficient c k of the resulting polynomial is
either q for Key Generation and Encryption, or p for Decryption.
Keys Generation
should be executed:
In order to generate the private key f(x) the following steps
1. Choose a random polynomial F (x) from the ring R. F (x) should have binary
or ternary coefficients.
2. Construct f(x) = 1 + pF (x)
On the other hand, the public key h(x) should be derived from f(x) in the following
way:
1. Choose a random polynomial g(x) from the ring R.
2. Calculate the inverse f −1 (x) mod q.
3. Calculate h(x) = g(x) ⊛ f −1 mod q.
Encryption
In a NTRU cryptosystem, encryption is performed as follows:
1. Encode plaintext message into a polynomial m(x) with coefficients from either
0,1 (binary) or -1,0,1 (ternary).
2. Choose a random polynomial φ(x) from ring R.
3. Compute ciphertext polynomial c(x) = pφ(x) ⊛ h(x) + m(x) mod q.
Decryption
following way:
In opposition to the encryption, the decryption is performed in the
1. Use the private key f(x) to compute the message polynomial m ′ (x) = c(x) ⊛
f(x) mod q.
2. Map the coefficients of the message polynomial to plaintext bits.
44

2 – Security
Hardware Approach
A good hardware implementation of NTRU cryptosystem is found in [59]. Authors
employed a small number of gates that may be suitable for RFID constrained
schemes. Their approach is contained in just 3000 gates with a consumption of
about 20 µW. The operating frequency is 500 KHz, which is enough for most of
RFID applications. According to the authors, operations such as encryption or verification
are performed in about 58 ms, while decryption is calculated to be executed
in about 117 ms and messages are signed in 234 ms.
2.4.5 Approaches Discussion and Conclusions
Most of the algorithms covered so far have been implemented in hardware for RFIDs
or other constrained devices. In this section, these solutions are summarized and
compared according to their performance and feasibility.
Tables 2.7 and 2.8 summarize all hardware approaches reviewed in this section.
While it is not easy to have concrete conclusions by analyzing these hardware approaches,
they provide a good understanding of state-of-the-art solutions to public
key problems in RFIDs.
Table 2.7.
ECC hardware approaches
ECC
Gaubatz Batina Wolkerstorfer Kumar-Paar
et al. [59] et al. [23] [128] [86]
Gates 18720 12000 23000 12000
CMOS Tech. 0.13 µm 0.13 µm 0.35 µm 0.35 µm
Frequency 500 kHz 500 kHz 68.5 MHz 13.5 MHz
Power(Avg.) ∼394 µW ∼30 µW not available not available
Time Performance ∼817 ms 115 ms not available ∼18 ms
As stated before, asymmetric encryption may provide the advantages to RFID
security that symmetric encryption lacks. However, as in classical asymmetric approaches,
those advantages have costs which are commonly related to higher computational
requirements. This seems evident by observing, for instance, the expected
dimension or the power consumption of the presented approaches.
45

2 – Security
Table 2.8.
RSA and NTRU hardware approaches
RSA
NTRU
Bernardi et al. [29] Gaubatz et al. [59]
Gates not available 3000
CMOS Tech. 90 nm not available
Frequency 1.9 MHz 500 kHz
Power(Avg.) ∼1600 µW ∼20 µW
Time Performance ∼540 ms ∼234 ms
Nevertheless, according to the estimates of the algorithms and hardware approaches
shown, it is feasible to conceive public key encryption as a real possibility
in RFID systems because they have acceptable limitations and are sufficiently fast.
In Tables 2.9 and 2.10 a comparison of high level protocols is shown.
Table 2.9. High-level Protocols (1)
Anti-counterfeiting encryption [28] Re-encryption [79]
Cloning Possible Possible
Forgery Not Possible Not Possible
Spying Possible Only with optic reading
Tampering Tamper-resistant Only with optic reading
Tracking Possible Limited
Set tracking Possible Possible
Set relation Possible Possible
Belongings monitoring Possible Only money presence
Anti-counterfeiting with Off-line Encryption [28] and Universal re-encryption [63]
seem to be weak protocols, because they have no protection against many threats.
They are specific protocols that try to solve only some problems and that need to
work together with other schemes. From the privacy point of view the best analyzed
scheme is the Insubvertible Encryption [17], that provides protection against all the
privacy threats.
46

2 – Security
Table 2.10. High-level Protocols (2)
Universal re-encryption [63] Insubvertible encryption [17]
Cloning Possible Possible
Forgery Possible Not Possible
Spying Not Possible Not Possible
Tampering Possible Partly tamper-evident
Tracking Possible through tampering Short paths
Set tracking Possible through tampering Short paths
Set relation Possible through tampering Not possible
Belongings monitoring Not Possible Not Possible
Public key cryptography represents a great opportunity of security improvement,
both through hardware implementations and high-level protocols. In this section
relevant novelties about the application of public key cryptography to RFID context
were described; the strength and weakness points of the described approaches were
highlighted.
2.5 RFID Tags without cryptographic capability
This section presents security approaches based on RFID tags without cryptographic
capability.
2.5.1 An Anti-Counterfeit Mechanism for the Application
Layer in Low-Cost RFID Devices
An always increasing number of RFID tags and readers are available in commerce
nowadays. RFID trends indicate that this technology will become ubiquitous in
the near future allowing a large number of applications to seize its advantages. At
the present time, automatic payment and access control applications are exploiting
RFID benefits. Another extended area of application for RFID tags is the supervision
of stock and inventories in shops and warehouses. This technology has also
shown to be useful in goods tracing and tracking, and therefore, it is suitable for
supply chain management. As a matter of fact, RFID technology seems appropriate
for complying with EC regulation No. 178/2002, which establishes the policy for
food supply chain standardization in Europe, in particular for the traceability requirements
[4]. Recently, in the United States, the Food and Drug Administration
(FDA) called for the pharmaceutical industry to apply RFID tags to pallets and
47

2 – Security
cases, with the aim of combating counterfeit pharmaceuticals [2]
Broadly, RFID tag recognition is made by simply reading its unique identification
number. RFID tags response to reader interrogations without alerting its
bearer, thus causing potential privacy risks. On the other hand, counterfeit hazards
take place when RFID-tagged items validation lacks of a proper authentication
mechanism. In general, a large number of security threats may arise within an RFID
system [57, 77].
Customer privacy issues have overshadowed authentication concerns in RFID
research. However, proper tag authentication is an essential keystone for guaranteeing
genuine identification. Loosely speaking, RFID authentication diminishes the
problem of readers harvesting information from counterfeit tags. Some proposals
that addressed this topic [44,48], require the tag to have cryptographic capabilities.
This section analyses and proposes an authentication algorithm that has no need
of complex computational resources in the RFID tag, i.e. it can be implemented with
low-cost tags. The proposed algorithm requires the tag to have user memory, which
is a requirement that can be followed using existing technology. Our algorithm,
based on a public/private key scheme, can be used to check original bottles in a
high-priced wine production environment. The basic idea is to use the private key
to encode the RFID unique identifier in the RFID memory, in order to allow the
final user to verify the bottle by means of the public key. The anti-counterfeit
mechanism may be constructed exploiting such an authentication procedure, thus,
a worthy application can be developed.
Adopted Approach
Our tag authentication algorithm, an anti-counterfeit approach is described in the
following. It targets basic tags with memory, which enhances its chances of being
applicable at the present time. It is supported exclusively on the application
layer of the RFID communication model, hence it avoids modifying the tag architecture.
It exploits one-way asymmetric authentication theory based on public key
cryptographic, and, as a result, database access is not mandatory.
General Architecture The system under consideration is a typical high quality
agricultural product, like a high quality wine with a limited production, which may
be counterfeited by a fraudulent organization. The technological system available
for the wine producer is normally based on a low cost computer system. We can
assume that one or few Personal Digital Assistant (PDA) equipments are available
at the producer side. The RFID technology is adopted for a twofold goal: its
memory can be exploited to store a cipher code, but also it may allow increasing
the information given to the customers. The general architecture is described in
Fig. 2.4. The system can be described considering the two separated entities: the
48

2 – Security
Figure 2.4.
General anti-counterfeit architecture
49

2 – Security
producer and the user. The producer (in our application we consider a farm winery
with a limited high quality grape and wine production) during the bottling phase
put an authentication code according to the cryptographic algorithm described in
the following subsection. The whole security is hold within the device that computes
the encrypted code. There is a potential risk that a PDA containing the secret key
is temporarily stolen. An additional layer of protection is then required. The secret
key is maintained reserved in a golden sample bottle. The authentication phase can
be divided in two steps, as shown in Fig. 2.4:
ˆ in the first, the system manager reads the secret key from the golden sample
bottle; this key can be used to produce the code for a limited and defined
number of bottles according to the kind of wine;
ˆ then, each bottle is encoded by means of the same PDA. The bottling phase
requires that the encoding step does not introduce a negligible time overhead.
Whenever the set of bottles is processed, the secret primary key, temporarily
stored into the PDA internal memory, is automatically deleted.
The user, that may be a wine cellar or a wine library or a restaurant, needs
to check if the considered bottle is an original or a counterfeited one. The system
requires a low cost interface in order to be widely distributed to all the possible
consumers that sell the product. So, the computing system could be a simple PDA
reader that applies the cryptographic algorithm described below. The check procedure
has to guarantee a fast authentication step.
Figure 2.5.
Signature generation and authentication algorithms
50

2 – Security
Cryptographic Algorithm
The adopted cryptographic algorithm is introduced in Fig. 2.5. The algorithm is
divided in a generation and in an authentication part. Both sections are meant to be
executed by an RFID reader, on the producer and on the user side. The generation
branch considers the signature construction and subsequent saving into the tag. The
authentication section examines the algorithm that has to be performed by the user
in order to verify tag’s authenticity.
Tag signature generation is done by means of ciphering the unique identification
number ID of the tag. First, ID is read from the tag. Subsequently, using the ciphering
function related to the secret key D K0 , the identification number is ciphered
into a ciphered identification number CID which is saved into the tag’s free user
memory. Memory occupied by CID is locked.
Any user in possession of the public function EKo, is able to perform tag authentication.
Initially, ID and CID are read from the tag’s memory. Afterwards, the
deciphering public function is applied to CID to compute PID. By comparing PID
and ID, it is possible to authenticate the tag.
Secret and public keys are generated by means of the RSA algorithm [110] as
follows. Two large prime numbers n and p are chosen. The number of elements
q in GF(q) is computed by multiplying n and p. A random value E, relatively
prime to (n − 1)(p − 1), is picked. Subsequently, the number D is calculated D =
[k(n−1)(p−1)+1]/E, with k chosen in order to make D an integer number. Private
algorithm is defined as
and the public algorithm as
D K0 (P ) = P D mod q = C, (2.1)
E K0 (C) = C E mod q = P. (2.2)
The security level of our system depends on the size of q. If q is a number
slightly less than 2 b , all quantities involved in the system may be represented as b
bit numbers. Exponentiation operations, used for ciphering or deciphering, takes at
most 2 b multiplications, while logarithmic operations, used for attacking attempts,
require 2 b /2. Therefore, the number of operations required to discover the secret
key grows exponentially with b.
While enlarging q improves system security, it also places constraints within computational
time. The time required to calculate ciphering and deciphering functions
is augmented mainly because the size of the numeric values involved in the computation.
A reasonable value for q should be on the order of 2 1 024, i.e. b equals to
1024. Considering that regular bit length for numerical values is, at most, 64 bits
51

2 – Security
in a computing system, appropriate algorithms should be used to manage 1024 bits
or bigger values.
Case Study
Our algorithm has been implemented as an anti-counterfeit mechanism in a prototypical
application developed in cooperation with a wine farm, in order to evaluate
its feasibility and performance.
With our application an explicit anti-counterfeit solution was required to offer to
the final consumer as a proof of originality. The final product (i.e. a valuable bottle
of wine, with an estimated price higher than 50 US Dollars) is high-priced enough
to eventually allow extra costs due to the technological overhead introduced by the
whole RFID system (i.e. tag, reader, and cryptographic system). The product
shape permits a suitable disposition of the RFID inlay behind the regular bottle
label, without any particular problem caused by the interference due to the materials
(glass and wine).
The computing resources are divided into hardware and software resources.
As far as the hardware resources are considered, we used the following ones:
ˆ RFID tag: the LRI512 passive tag from STMicroelectronics has been adopted.
This tag is fully compliant with ISO15693 standard, its nominal carrier frequency
is 13.56 MHz with a user memory EEPROM with 512 bits. The baud
rate from tag to the reader is 6.62 Kbit/s or 26.48 Kbit/s.
ˆ RFID reader: Socket Reader Card 6E from Socket Communications, Inc. compliant
with ISO15693 standard with a nominal carrier frequency, 13.56 MHz,
and 10% or 100% amplitude shift keying (ASK) modulation. The baud rate
from reader to tag is 1.65 Kbit/s or 26.48 Kbit/s.
ˆ Computing system: PDA with a 624 MHz Intel PXA270 processor.
Software resources comprise:
ˆ RFID reader interface library: Windows CE dynamic link library (DLL) provided
by Socket Communications, Inc.
ˆ Development environment: Visual Studio .NET 2005 from Microsoft Corp.
Encryption/decryption keys’ length was chosen of 512 bit. Therefore, the whole
free user memory available in the tag is used to store the authentication code, thus
resigning other kind of wine information.
While generating a public/private key pair may require a large amount of time,
our decryption algorithm is completed in 130 ms. Within our case study, tag authentication
is completely carried out in 460 ms, including decryption procedure and
52

2 – Security
tag memory reading. This ensures that the time overhead is negligible in the user
side when authentication takes place.
On the other hand, from the producer point of view, encryption needs on the
order of 3500 ms to be concluded. We employ 3800 ms to entirely generate and write
the signature into the tag. Although we believe that algorithm optimization may
help reducing encryption time, we did not attempt to improve it since it was not part
of this section’s objectives. However, we consider that valuable wine production rates
are extremely low, so it is reasonable to think that time expenses introduced by the
current encryption algorithm in the signature generation procedure are insignificant
for the overall production chain.
Conclusions
RFID is a widely adopted identification technology. Our proposal is to use RFIDs to
implement an anti-counterfeit mechanism in selected wine production environments.
Our algorithm requires the tag to have user memory, which is a consideration that
can be followed using existing technology. The proposed algorithm, based on a
public/private key system, can be used to check original bottles. The basic idea is
to use the private key to encode the RFID unique identifier in the RFID memory,
in order to allow the final user to verify the bottle by means of the public key.
Our implementation is in testing phase in a typical wine farm with a low technology
environment in Piedmont (Italy). Even if the proposed algorithm does not
completely solve the problem – in an extreme case it is always possible to change
the wine in the bottle -, it is simple and cheap. It is particularly suited for little
cellars who want to allow final user to verify authenticity of the product. From this
point of view, it is useful also to improve confidence in casual buyers.
2.5.2 Traceability with Privacy Protection
Agri-food companies often apply simple systems, based on paper documents. Some
systems exploit barcode to identify commodities: by using the identification number
in the barcode, it is possible to find, in the company database, the information about
the food. Today new opportunities for the food traceability come from the Radio
Frequency Identification (RFID) technology.
RFID is widely adopted as a contactless identification technology. A typical
RFID system is made up of: a reader, which creates an electromagnetic field, and
some passive tags without an own voltage supply. They can be read only if they
are in the interrogation zone of a reader which supplies the power required through
a coupling unit. Today, the size of the RFID tag memory allows recording directly
on every commodity all useful information for the competent authorities to trace it.
53

2 – Security
This section proposes a system which allows competent authorities to manage
alimentary traceability, preventing new privacy problems. In this system food business
operators shall record on the RFID tag information on their treatments, in
compliance with one precise outline. The present size of the tag memory allows
using the whole memory for traceability, or leaving a part for other independent
aims, such as anti-counterfeit or marketing. Stored data will be protected using
the public-key cryptography: every operator will record its treatments and only the
competent authorities, using private-keys, will be able to decrypt the information. In
this way, by means of the resulting ubiquitous data system, authorities could immediately
access information on alimentary commodities under examination. The use
of encryption allows protecting the memory area of the traceability system, without
blocking the memory; it is, moreover, possible to use additional privacy protection
systems, in order to ensure the privacy of the whole tag. To improve the security
level we propose two different algorithms suitable for different situations:
ˆ Nested Cryptography Algorithm (NCA), that uses encapsulated ciphertexts
in order to enhance the security optimizing memory occupation;
ˆ Authenticating Cryptography Algorithm (ACA), that proves the authenticity
of information.
General Architecture
At the present time, in order to find the operators that treated a commodity, the
authorities have to follow a trail of breadcrumbs. They find the first operator and
then they have to trace back, step by step, in order to detect any other.
In order to make easier authorities’ work, we propose to create a ubiquitous
tracking database, by labeling the alimentary commodities with an RFID tag. Every
operator of the chain controls a part of the tag memory (memory slot) and it has
to record its own data and its treatments information on it. In this way all the
traceability information are immediately available to the competent authorities.
The tag memory is divided, at logic level, in a sufficient number of areas, to
allow a sufficient number of operators to write. On the other hand, the size of a
memory slot, that corresponds to the Maximum Allowed Information Size (MAIS)
of each operator, must be large enough to store all its data. An accurate template
is needed to streamline the use of the memory space. In way of employing a smaller
memory area than using strings of characters, information must be translated in
numerical codes. The use of codes to implement the traceability is under study also
by EAN [7]. Codes have to identify operators, their geographic zone, their sector,
the kind of commodity and the executed treatment types. The competent authority
will fill in a reference table for any kind of code:
54

2 – Security
ˆ identification codes (IDC) reference tables; a group of three tables that identifies
the operator:
– geographic code (GC) reference table; the first part of the code identifies
the country, the second the region, and the last the municipality; the
authorities, by using this code, can immediately identify the origin of a
commodity;
– sector code (SC) reference table; the sector code defines the kind of operator,
e.g. “farmer” or “distributor”;
– operator identification (OID) reference table; this code identifies the single
operator;
ˆ commodity code (CC) reference table; this code identifies the kind of commodity;
it is useful when a food is made by different elements;
ˆ treatment code (TC) reference tables; in every sector a table holds the list of
the relevant operations, and their codes.
An operator must also write the IDC of its supplier, in order to enhance system
reliability against frauds.
In the agri-food chain the commodity follows different steps. Initially the producer
stores its data into the first memory slot. Step by step each operator adds its
data. The following situation may modify the initial product:
ˆ Simple treatment; the operator adds its data at the bottom of previous information.
ˆ Merge of commodities; if the number of available memory slots is enough,
the operator copies the information of all the old tags in the new one. If
information regarding the commodities would overfill the memory, it writes
only a summary, including: a header (the summary special area identifier
flag) and the identification codes of suppliers that matched to commodity
codes. Then the operator adds its data at the bottom of previous information.
ˆ Partition of a commodity; the operator adds its data at the bottom of previous
information, and it tags all the new commodities.
Operators must put in database the data contained in all tags, in order to be
able to prove, in case of an authorities’ inspection, their propriety.
55

2 – Security
Privacy Protection System
We elaborated two cryptographic algorithms, adapted to different contexts. Both
the algorithms are based on RSA algorithm. The two algorithms are presented
in sections 2.5.2 and 3.4. Periodically the competent authorities establish a set of
Authority Public Keys (APuKs) and Authority Private Keys (APrKs) with different
lengths, and distribute public key set to all operators. For the common part of the
algorithms, every operator encrypts a plaintext, by using one of the authority public
keys, and it writes the resulting ciphertext in the appropriate memory area. The
authorities can decrypt the ciphertext by using the private keys coupled to the
public keys used by the operator. By changing private and public keys periodically,
authorities can increase security; in fact, an unauthorized entity which finds some
private keys could use them for a short period of time while authorities can decrypt
old and new ciphertexts.
Figure 2.6.
NCA
56

2 – Security
Nested Cryptographic Algorithm (NCA)
This system uses pairs of APuK and APrK of different length. To understand the
benefit of using different key lengths, it is important to remember that enhancing
the length of the keys increases security and ciphertext size. Each operator uses
a particular APuK depending on its position in the chronological sequence of the
production chain (increasing numbers, e.g., 1 for the farmer, and so on). The MAIS
is the same for all operators. The tag memory is, at logical level, divided in slots
with this size. The description of this algorithm is shown in the Fig. 2.6.
The first operator has the shortest key, the length of its key is equal to the MAIS.
Its information is encrypted by the first APuK, and the relative ciphertext is written
in the first memory slot.
The length of any operator APuK is equal to the MAIS multiplied by the number
of the operator position in the chain. All operators, subsequent to the first one,
compose their plaintext adding their information to the bottom of the previous
ciphertext. After the encryption, operators write the new ciphertext in the first
part of the memory tag, occupying a number of memory slots equal to the operator
position. The last operator, theoretically the retailer, uses always the last and
longest key. Its ciphertext occupies all the memory slots.
At each chain ring the security grows. In the first part of the chain there is
not a high security, the privacy of customers is not in danger, but the protection of
information on the first businesses is low. Instead, out of the production chain, the
security is to the maximum level.
Authorities decrypt, one by one, all the ciphertexts by using the correct private
key.
Figure 2.7.
ACA
57

2 – Security
Authenticating Cryptographic Algorithm (ACA)
In this system, there is only one APuK and one APrK. The memory slot size and,
consequently the MAIS, is the same for all operators. The scope of this system is to
ensure also the authenticity of the message. Periodically every operator establishes
its own Operator Private Key (OPrK) and Operator Public Key (OPuK), and sends
the OPuK to the authority. The pair of keys of the operator is used to prove the
authenticity of the message. The description of this algorithm is shown in the
Fig. 2.7.
The first step for operators is to translate their data by their OPrK. Since the
OPrK is secret, only the authentic operator can write the cipherdata which can be
decrypted by using its OPuK.
Every operator subsequent to the first erases the memory slot that contains the
IDC of the previous operator.
Each operator encrypts its cipherdata and writes the resulting ciphertext in the
first free memory slot, which contained the previous operator IDC.
The last step of every operator is to encrypt its IDC by using the APuK, and to
write the resulting text in the first subsequent free memory slot.
Authorities decrypt the last used memory slot by using the APrK. In this slot
there is the IDC of the last operator. The previous slot is decrypted by using the
APrK and then by using the OPuK that is related to the IDC. Since all operators
write the IDC of its supplier, authorities know what OPuK is correct to decrypt the
previous memory slot.
This system protects from frauds by proving the message originality. The security
level depends on the memory slot size.
Table 2.11. Memory Slot
Name Code Bytes
Geographic code - nation GC1 1
Geographic code - region GC2 1
Geographic code - city GC3 2
Sector code SC 2
Operator identification OID 2
Commodity code CC 2
Number of treatments NoT 1
Treatment code – first one 1st TC 7
Treatment code – nth one Nth TC 7
Supplier IDC SIDC 8
58

2 – Security
Figure 2.8.
PDA Encryption/Decryption Time
Figure 2.9.
PC Encryption/Decryption Time
Experimental Results
We experimentally evaluated the proposed technique implementing a prototype. Initially
we filled out part of the code reference tables, sufficient to test the system. The
simulation allowed knowing the performance time of the system and the differences
among the cryptography algorithms.
To put into operation the system, the authorities need an RFID reader for mobile
devices and a PDA with the reading software. The agri-food operators need an RFID
reader to write on the tag. A small reader for mobile devices and a PDA with the
writing software is enough as well. To increase the efficiency it is possible to use
PCs with appropriate readers, instead. We used the following resources:
ˆ RFID tag: SRIX4K from STMicroelectronics, passive tag, compliant with
ISO14443, frequency 13,56 MHz, EEPROM with 4 kbits.
ˆ RFID reader: ACG Dual ISO CF Card Reader Module from ACG, compliant
with ISO14443, frequency 13,56 MHz.
59

2 – Security
ˆ Computing system: PDA with a 624 MHz Intel PXA270 processor.
In the simulation we use the whole memory, of 4096 bits, for the traceability
system.
Table 2.11 shows the composition of the data in a memory slot. The first 10 bytes
identify the commodity and the operator, the subsequent byte shows the number of
treatments. Then each GoO of 7 bytes describes a treatment and its time.
In the NCA we set the MAIS to 512 bit, so a slot can hold at most 6 treatment
codes. There are 8 keys, from 512 bit to 4096.
In the ACA we set the MAIS to 1024 bit. The security level depends on the
length of the keys, so the MAIS is a compromise between the security and the
number of memory slot. We implemented the software by using a not optimized
implementation of RSA algorithm, so the processing time cannot show the real
performance of the system, but it can show the differences when using different key
lengths. The authorities’ check of a memory slot, encrypted using a 512 bits key,
in the NCA is completed in 3800 ms, in the ACA in 3930 ms, 3500 of which are
spent by the decryption algorithm. Operators in the NCA employ 500 ms to entirely
generate and write their ciphertext, in the ACA 3930, the encryption needs on the
order of 130 ms to be concluded. Anyway, by using a PC, with a Pentium 4 at
3,20 GHz processor, the decryption needs 62 ms and the encryption 1 ms; with a
4096 bit key the decryption needs 4125 ms, the encryption 31 ms. The difference
between encryption and decryption comes from the use of a very optimized public
key. Figures 2.8 and 2.9 show the encryption/decryption time. Although, this time
table results from the simplicity of the used algorithm implementation; we did not
attempt to improve it since its characteristics are not part of this section objectives.
Conclusion
Today, an efficient management of the traceability is necessary; RFID technology
offers the possibility to implement a rapid and effective ubiquitous system. Unfortunately,
recording operators and commodity data on a RFID tag involves, in
addition to standard RFIDs privacy problems, the risk of unauthorized readings of
information about the belongings of a person, and industrial espionage. However,
privacy can be protected by using an opportune cryptosystem: algorithms presented
in this section produce a satisfactory reply to these privacy problems.
Even considering the possible optimization of the cryptography algorithm implementation,
the decryption time requires the use of a PC, while the encryption can
be made simply by a PDA. The ACA implies one encryption and one decryption for
any operation, so, unless using short keys, it requires a PC.
In the NCA it is not possible to lock an area until the subsequent operators have
written on the tag, while the ACA requires larger tag memory to ensure a high level
of security, but it allows locking a memory slot, after recording on it.
60

2 – Security
In order to increase the protection from fraud, also in the NCA it is possible to
use the authenticating system, but it involves the management of a great number
of keys and it extends the operation time.
Our traceability system, with a suitable RSA implementation, can satisfy efficiency
and privacy demands. Future work involves the practical implementation of
the proposed algorithms in a wine bottling chain. We think it could address the
safety of alimentary commodities, improving actual standards.
2.5.3 A Security System for Chain Applications
Ubiquitous computing environments offer new opportunities for several services [75].
One of the main technologies for ubiquitous environments is represented by Radio
Frequency Identification (RFID), which is widely adopted as a contactless identification
technology. In particular, environments based on RFID technology are
employed in very different areas, such as health care [15], robot localization [65] and
navigation [104], but their most promising applications are within Supply Chain
Management (SCM) [116], traceability [53], shopping [100], and smart home [131].
Various applications employ RFID technology as base for their Information Systems
(ISs), since RFID technology allows to improve services with the introduction
of automatic identification. Although ubiquitous environments offer many benefits,
they involve also security threats to information. On the one hand, the intense use
of RFID tags can endanger the information privacy, on the other hand, RFIDs can
be used to spread false information for malicious actions. Modern society requires
more attention to privacy threats, and in many countries laws about privacy protection
limit the use of RFIDs [1]. Furthermore, all the brands require firmly to reserve
the key information about their production flow. Nowadays in the global market,
also the authenticity of the information is a critical problem for business. Therefore,
strong information security systems are required, in order to reach all the potential
benefits of RFID-based environments avoiding dangers and damages.
This section presents an IS based on RFID technology, which exploits the opportunities
of ubiquitous environments, and is suitable for SCM, traceability management,
and other services. Furthermore, the proposed IS is protected by a new information
security system based on the Nested Supply Chain Cryptographic Algorithm
(NSCCA), which employs public-key cryptography, addresses the most dangerous
privacy threats, proofs the authenticity of the information, and detects malicious
alteration of the information. NSCCA is an evolution of the Nested Cryptographic
Algorithm (NCA) [27], a security algorithm based on RSA [110], that protects the
privacy and is suitable for traceability management. Both the algorithms employ
nested ciphertexts, in order to reach a high security with small memory areas. The
novelties of NSCCA with respect to NCA are:
61

2 – Security
ˆ the authenticity proof;
ˆ the suitability for several services;
ˆ the management of large supply chains avoiding too long cryptographic keys;
ˆ the tamper detection property extended to authorized Chain Members (CMs),
where the CMs are the companies involved in the supply chain.
The feasibility of the IS has been evaluated, and the performance of its implementation
based on standard passive RFID tags with a rewritable memory has been
analyzed. The experimental analysis shows that the IS does not require any special
device, so its application is cheap and easy. Furthermore, no modification to the tag
architecture or to communication protocols is required.
Related Work
Although there are many research studies that try to address the RFID tracking
problem, this threat requires a quantity of RFID readers that nowadays is unfeasible.
A deep analysis on anti-tracking schemes has been presented in [19].
The proposed system is able to address all the described threats, apart from the
tracking one, along the whole path of a product.
Several other studies address some security threats. Many approaches for pervasive
technologies are focused on authentication. In [76, 120], two schemes for the
authentication of smart cards, which can perform keyed hash functions, have been
proposed. Some approaches, starting from [101], propose tag authentication schemes
where the RFID tags change their identification after each reading. In [20], the authors
proposed an authentication scheme based on keyed hash function. This scheme
is designed to address the counterfeiting and the tracking threats. Moreover, the
identification of the tag is just a link to a database, so this system protects against
personal belongings monitoring and industrial espionage. The tag has a read-only
memory, so the system protects also against sabotage. Also the YA-TRAP protocol
[123], which is a tag authentication scheme based on Message Authentication
Code, addresses all the described threats. However, these schemes require a central
server that stores all the information matched to any involved tag and manages the
updating of the security material. This requirement strongly limits the applicability,
since they can protect against personal belongings monitoring and industrial
espionage only if the access to the central server is limited to authorized users.
Furthermore, they require tags with the ability to compute keyed hash functions.
62

2 – Security
General architecture
The EPC standard [8] provides only the unique identification of the item, its type,
and its manufacturer. Instead, in the proposed IS, the data required by the listed
applications are stored directly on the tag, so authorized users can directly access
to them. Furthermore, the system employs an algorithm based on public key
cryptography, which ensures the authenticity of the information, the privacy of the
customers, the protection against industrial espionage, and the rapid detection of
malicious alterations of the information.
The proposed pervasive IS is based on rewritable RFID tags. The activities
managed by the system, and the operations required for these activities are:
ˆ traceability management, each CM writes on the tag the useful data about
the product and the treatments executed on it, these data are reserved for the
CA;
ˆ SCM, each CM writes on the tag the useful data about the product, these
data are reserved for the authorized CMs and the CA;
ˆ multimodality shopping, the retailer writes the useful data about the product,
these data are public;
ˆ after the point-of-sell applications, the IS can be used for many applications:
– maintenance, the retailer writes the useful data about the product and
its history, these data are reserved only to the authorized CMs managing
the maintenance;
– smart home, the retailer writes the useful data about the product, these
data are reserved to the customer.
In our approach, the tag memory is divided at the application layer in Memory
Slots (MSs); each MS is used by one CM in order to record its information, whereas
the final retailer uses two MSs. The first CM uses the first MS, each following CM
uses one more MS. The final retailer writes in its first MS the data for the traceability
and, instead of data for SCM, he/she writes the data for the maintenance. The final
MS is used for multimodality shopping and after the point-of-sell applications; the
retailer writes in this area the data that are used by customer during the shopping
and by smart home applications.
The data are represented by records that correspond to label/value couples,
where the label stores a code representing the kind of information, and the value
corresponds to the information itself. This method of representation, when it is applied
to a steady system, requires more memory than a method based on structures,
63

2 – Security
where each record corresponds to a specific meaning. Nevertheless, it involves more
flexibility, so it allows each company to choose which data should be recorded for
each activity. The label identifies the kind of information, and so the correct reference
table. Each label is followed by a value with a specific length. The managed
data are:
ˆ identification, formatted according to EPC96 [8], identifying the company
(EPC Manager), the kind of product (Object Class), and the single item (Serial
Number);
ˆ company identification (CID), compliant to EPC Manager, identifying the
company that wrote the previous MS;
ˆ treatments, which identify the executed treatments according to the reference
tables; the value represents the number of subsequent related characteristics;
ˆ characteristics, which describe the product or detail the treatments according
to the reference tables.
Figure 2.10.
Example of data structure
An example of possible implementation, shown in Fig. 2.10, is based on a data
structure composed of 2-byte labels, and values of 1 byte for the treatments, 2 bytes
for the characteristics, 3 bytes for the CIDs, and 12 bytes for the identifications. In
this example the first bit of the label identifies the kind of value: “0” for identification
and characteristics, “1” for treatments. The second and the third bits of the label
identify the relevance of the record: “00” as maximum, and “11“ as minimum
relevance. Since the identification is always required, its relevance bits are set to
”00”. The other 13 bits of the label describe the information according to the
reference tables.
64

2 – Security
Each MS has a fixed size that must be set according to a trade-off between the
possible number of CMs in a generic supply chain and the amount of data for each
CM.
According to the described IS, each CM, getting a product from its supplier,
adds its data to the product tag and then gives the product to the following CM.
Three different situations are possible:
ˆ simple treatment; when a company gets, stores, gives to another company, and
eventually treats a product, it adds its data in the first free MS;
ˆ merging of products; when a company uses more than one product, if the
number of free memory slots is enough, the company adds all the data from
the tags of the merged products, otherwise it gets only the main important
data and puts them in a summary slot;
ˆ partition of one product; when a company uses one product to manufacture
more than one commodity, it copies the previous data in the empty memory
of the tags of the new commodities and it adds its data in the subsequent first
free MS.
The most critical situation is the merge of products, since it could require several
MSs. When the number of free MSs is not enough, a company has to write a
summary, but this operation is not trivial since the company could not have the
permission to read all the previous data in the tag memories. The lack of information
about the previous CMs affects predominantly the traceability management,
which requires accurate information about the whole history of a product, so a wellstructured
summary is essential. The summary shall include at least the data with
maximum priority of the products directly merged. However, the company must include
the maximum quantity of data according to their importance. Useful data can
be selected in a decreasing relevant order, considering the relevance of the record,
the proximity of the record writer along the supply chain, and the importance of
the product matched to the record for the manufacturing of the new item.
Cryptographic system
The proposed IS requires that CMs record in the tag memory the data that are
useful for traceability and SCM. According to Section 1 the information useful for
SCM is a subset of the traceability management information, so a part is required
only by the CA, and another one is required both by the CA and by some CMs.
Therefore, the security system allows CA to read all the data, instead authorized
CMs are allowed to read only the information for SCM. The security system is
controlled by the same CA that controls the traceability.
65

2 – Security
Table 2.12. NSCCA Keys
Key Quantity Length Owner Holders
1
APuK 1 MS CA Public
2
1
APrK 1 MS CA CA
2
1
OPuK 1 MS N th CM Authorized CMs
2
1
OPrK 1 MS N th CM N th CM
2
i th OPuK MaxNMS i× MS N th CM Authorized CMs, CA
i th OPrK MaxNMS i× MS N th CM N th CM
1
CPuK 1 MS Customer Public
2
1
CPrK 1 MS Customer Customer
2
Differently form NCA, which involves only a set of nested cryptographic keys
generated by CA for traceability management, the proposed public key cryptosystem
manages different privileges of information access by using three different sets
of keys, which are shown in Table 2.12. The first set is managed by the CA which establishes
the Authority Public Key (APuK) and the Authority Private Key (APrK);
the length of this couple of keys is equal to 1 MS; the APuK is public and it is used
2
by all the CMs in order to encrypt the information reserved to the CA; the APrK
is secret, so only the CA can decrypt the traceability information. The second set
of keys is established by the CMs: each CM establishes its own set of Operator
Public Keys (OPuKs) and Operator Private Keys (OPrKs), which is composed by
couples of keys of different lengths; the first couple has a length equal to 1 MS area,
2
the length of the following couple of keys, which are used for nested MSs, is equal
to the length of 1 MS multiplied by the position of any CM in the supply chain,
so the first couple has a length equal to 1 MS, the second a length of 2 MSs, and
so on. However, the couples of keys with the greatest length could be so long to
affect the efficiency of RSA encryption and decryption, since the time performance
of RSA depends on the length of the employed keys. Therefore, in order to avoid a
significant performance penalty the maximum number of nested MSs (MaxNMS)
must be set to a proper number that is a factor of the total number of MSs minus
1 (used as second MS of the retailer and not included in the sets of nested MSs).
Therefore, the memory is divided in sets, where each set is composed by MaxNMS.
The length of the couples of keys (kl) is:
kl = MS · (CMpos mod (MaxNMS)) ; (2.3)
where CMpos is the position of any CM in the supply chain. Each CM uses a OPrK
of a specific length in order to encrypt the whole information. The OPrKs, which are
used for SCM information encryption, are secret, and known only by the company
66

2 – Security
that generated them, instead the OPuKs are distributed to the CA and to the
CMs that are authorized to read the data for SCM. Therefore, only the authorized
CMs and the CA can read the information for SCM; furthermore, they can also
check the authenticity of the information, since only the original company owns the
OPrK used for the encryption, so, only an authentic ciphertext can be decrypted
by using the correct OPuK. The last set of keys is managed by the customers.
Each customer establishes his/her own couple of Customer Public Key (CPuK) and
Customer Private Key (CPrK), which are used to avoid unauthorized accesses to
the information for after the-point-of-sell applications. The length of CPuK and
CPrK is equal to 1 MS area. The CPrK is secret, instead the CPuK is given to
2
retail shops during the shopping, in order to perform the encryption.
In order to ensure the authenticity of the information against forgery in the
plaintext for SCM the company inserts a tag signature (TS). The TS is composed
by address-block couples, where the former element represents the address of a block
of bits in the tag ID, and the latter is the value of the bits. The TS is characterized
by the number of couples, the length of the address, and the length of the block.
Fig. 2.11 shows an example of TS, where the length of the address is 6 bits, the
length of the block is 2 bits (at most for tag ID of 2 6 · 2 = 2 7 bits) and the number
of couples is 4. In the example, the address of the first couple, represented on 6
bits, is 2, the values, represented on 2 bits, is 0. The other couples, according to
hexadecimal representation, are 34 H -1, 19 H -2, 38 H -3.
Figure 2.11. Example of Tag Signature. The elements of the TS are
represented in italic-bold style
NSCCA Algorithm
In the following the NSCCA algorithm is described step by step (Fig. 2.12). In the
remain of the section we will refer to ciphertexts encrypted by using APuK as CT A ,
and to ciphertexts encrypted by using OPuK as CT O .
The first CM encrypts a plaintext that contains the traceability information
reserved to CA by using the APuK; the length of the plaintext is at most as 1 2
MS. Then the first CM encrypts a new plaintext that is composed by 1 st CT A , by
the SCM information for the authorized CMs, and TS. The length of the OPrK
67

2 – Security
Figure 2.12.
Nested Supply Chain Cryptographic Algorithm
68

2 – Security
which is used by the first company of the chain for the new encryption is equal
to 1 MS, so the length of the plaintext can be at most equal to 1 MS, and the
length of the information for SCM is 1 MS. The resulting ciphertext is written by
2
the first CM in the first MS. Even if all the data are on the tag memory, they
can be decrypted only by one specific OPuK, so both CA and CMs need to know
which CM has encrypted them. Then, the first CM encrypts its CID by using the
APuK and writes the resulting ciphertext (CID A) in the first half of the second
MS. Then the CID should be encrypted by using the OPuK of the second CM with
length equal to 1 MS, and written in the second half of the second MS (CID O).
2
However, this operation can be performed either by the first CM before delivering
of the commodity, or by the second CM after receiving the commodity, according
to the SCM.
The MSs and the CMs are grouped in nested MS sets, which include a number
of consecutive MSs equal to the MaxNMS. The behavior of a CM depends on its
position in its nested MS set.
Each CM between the first and the last one can decrypt the information written
in the second half of the last used memory slot by using its OPrK with length equal
to 1 MS, since the encryption was performed by the supplier by using the OPuK of
2
that CM. The decrypted information represents the CID of the supplier and it allows
the identification of the correct OPuK. This CID will be inserted in the plaintext
for Authorities, in order to allow CA finding the correct key and decrypting the
previous ciphertext, or in the plaintext for SCM, when also subsequent CMs are
authorized to know who is the previous CM and to decrypt its ciphertext. Each CM
composes a plaintext that contains the information for traceability and it encrypts
it by using the APuK. After using the APuK, each CM encrypts a new plaintext
that is composed by:
ˆ the ciphertext written in the tag memory by the previous CM ((n − 1) th CT O ),
when the CM is not the first of its nested MS set;
ˆ the ciphertext resulting from the encryption of the traceability information
and the CID related to the previous MS(n th CT A );
ˆ the SCM information;
ˆ the TS.
The length of the OPrK used to perform the second encryption is calculated
according to (2.3). After the encryption, if the N th CM is the first in its nested MS
set, it erases the CID MS and it writes the ciphertext in the first free MS, else it
erases also the last nested MS set, and it writes in the first free MSs, by using a
number of MSs equal to n mod (MaxNMS). Then the n th CM encrypts its CID by
69

2 – Security
using the APuK, it writes the resulting ciphertext in the first half of the (n + 1) th
MS, it encrypts its CID by using the OPuK of the subsequent CM with length equal
to half MS, and it writes the resulting ciphertext in the second half of the (n + 1) th
MS.
As the previous CMs, the last CM, which is the final retail store, can decrypt
the information on the tag memory in the same way. It composes a plaintext that
contains the information for traceability and it encrypts it by using the APuK.
However, the retailer composes a plaintext by using information for maintenance
activities that are managed by some CMs. Therefore, the last CM encrypts, by
using the longest key in order to fill its nested MS set, a plaintext that is composed
as the previous ones, except from the maintenance information.
After the encryption, the retailer writes its ciphertext and the CID for CAs as
previous CMs. Finally, it writes, without encryption, in the second half of the last
MS the information for multimodality shopping and after the point-of-sell applications.
At the point-of-sell the customer can give to the retailer its CPuK, so the
retailer will encrypt the information in the last half MS by using the CPuK. Alternatively,
if the customer does not own a couple of keys, the retailer can erase that
information or leave it without encryption, according to customer needs.
At least the identification record must be written in the area that is not encrypted
by the APuk, in order to allow the identification of the product and the generation
of a potential summary by the supplied companies. When a company does not
require to hide information to the other CMs, the use of the APuK can be avoided.
This approach is especially suitable for summary, since enlarges the area readable
by CMs.
Example of Application
In order to explain the behavior of the system, an example of application of the IS
to a complex business as a tire company is here described.
A tire is composed by the following materials: various types of polymer compounds,
metallic and textile yarns, and beads. Each tire can be composed by more
than one compound and yarn. Since the production of a tire corresponds to the joining
of several products, where each product is used for many tires, this operation
corresponds both to a merging and to a partition. Let’s consider that 6 products
are merged and that the tags of 2 of them contain two filled MSs, and that the
others contain one filled MS. Moreover, let’s consider that the tire company has
the privilege to access to the data for SCM of all the suppliers except one. If the
tags contain 10 MSs, then all the MS filled by the suppliers can be copied in the
first 8 MSs of the new plaintext, else a summary is composed. The tire company
can access to the data for SCM of 7 MSs, so the summary will include the main
important data from these MSs, and only the EPC code that identifies the other
70

2 – Security
supplier. The summary is encrypted with APuK and with OPrK, according to the
traceability and/or SCM scope.
The data that the company will add to the tag are the identification of the
tire, the CIDs required to decrypt the previous MSs, and the additional data on
the tire and on the treatments (e.g. the identification of the machines used for
the treatments). The data that are used only for traceability, which compose the
P B A , are encrypted with APuK. The P T O of the tire company is composed by the
information on the suppliers (the original MSs or the summary), the CT A , and the
TS. P T O is encrypted with the OPrK with the correct length.
The resulting ciphertext CT C is written on the first MSs of the new tags. In the
first half of the subsequent MS, the company writes its CID encrypted with APuK,
and in the subsequent its CID encrypted with OPrK.
IS Evaluation
In order to evaluate the feasibility of the approach, in this section the characteristics
of the IS and its implementation will be discussed.
Time The time required to read and write on RFID tags and to elaborate the
information depends mainly on the length of the keys and on the employed devices.
The time spent for reading and writing on RFID tags is proportional to the
number of transmitted bits. An RFID reader ACG Dual ISO CF Card Reader
Module, compliant with ISO14443, at 13.56 MHz, requires 21 ms to read a 32-bit
block from an SRIX4K STMicroelectronics tag, and it requires 37 ms to write a 32-
bit block. Therefore, the reading and the writing of 1,024 bits require respectively
about 0.67 s and 1.18 s.
The computational capacity affects strongly the time performance, especially
when the cryptographic operations are executed on mobile devices. Some tests on
the ratio between the time performance of RSA encryption (by public-key) and
decryption (by private-key) executed on a PDA or on a PC were performed by using
a PC with an Intel Core 2 Quad at 2.67 GHz and 3.2 GB of RAM, and a PDA with
a 624 MHz Marvell PXA310 processor and 128 MB of RAM. The decryption ratio
is about 10 times. A device with low computational capacity could be too slow for
cryptographic operations, especially for decryption with a large key.
The time performance is strongly affected by the key length employed for the
encryption. Fig. 2.13 shows the time performance reached by a PC and by a PDA.
The decryption operations require longer time, since the computational effort is
asymmetric, where private-key operations require the major effort in public key
cryptography. The performance of the PDA for decryption varies from about 258
ms with a 512-bit ciphertext, to over 2500 ms for 4096 bits. A PC for decryption
requires from about 16 ms with a 512-bit ciphertext, to about 300 ms for 4096 bits.
71

2 – Security
Therefore, the decryption with long keys can be executed, but it requires both an
efficient implementation and a device with great computational capacity.
NCA is faster than NSCCA, since it requires the same type of operations, but
the number of encryption and decryption operations is minor. However, the additional
operations are performed with the APuK and the APrK that have the shortest
length, so the additional time is almost negligible. Moreover, in NSCCA the maximum
length for a key is limited to MaxNMS. This feature improves drastically
the time performance, but it could be extended to NCA.
YA-TRAP requires: the transmission from the reader to the tag of at most
160 bits; the computation by the tag of a keyed hash function on 160 bits; the
transmission from the tag to the reader of at most 160 bits; the transmission from
the reader to the central server of at most 160 bits; the computation by the tag of
O(n) keyed hash function on 160 bits, where n is total number of tags in the system;
the transmission from the reader to the tag of the whole information matched to
the tag. YA-TRAP is quite efficient for small applications, but the central server
represents a strict bottleneck for applications with many tags and readers that can
access simultaneously to the central server.
Security Pervasive environments based on RFID tags involve several information
security threats. The NSCCA is based on RSA encryption, so the security is related
to the length of the employed keys. The constant improvements in computational
capacity reduce the time required by factorization. A point is the factorization of
a 663-bit RSA key recently completed [9], which took the equivalent of 55 years on
a single 2.2 GHz Opteron CPU. Therefore, the factorization of keys with a length
close to 700 bits is possible, but it requires a strong effort.
The analysis of the system security is based on the malicious actions described
in [113].
In order to prove the authenticity of the information on the tag, CMs encrypt
it by using their OPrKs and write the TS. The two main threats for authenticity
are cloning and forgery. The NSCCA protects against forgery by using the OPrKs,
since both the CMs in the same chain of the company that wrote the forged tag and
the authorities hold the OPuK that can decrypt the ciphertext and so that allows
detecting the false tag. A malicious opponent can forge authentic new tags only by
stealing the OPrK or by factorizing it. The length of the OPrK is related to the
position of the owner in the nested MS set inside the supply chain, so it is more
difficult factorizing the key of CMs in the last positions of the sets and of the retailer,
which uses always the longest OPrK. However, the authenticity check requires the
OPuK, but customers and CMs without the correct key could use an on-line web
service of the authorities that checks the authenticity of the information.
An opponent could try to clone an RFID tag by copying the information in
72

2 – Security
Figure 2.13.
Time required for Cryptographic Operations by a PC and by a PDA
the tag memory into the memory of new tags, but the TS in the memory avoids
this malicious action, since the probability that the TS of a tag corresponds also to
another tag with random ID is
probability = 1
2 L·b (2.4)
where b is the number of blocks in the TS, and L is the length of the block.
Table 2.13 shows the possible configurations of a TS, where the length of the tag
ID could be up to 128 bits. Although typically the length of an ID is 64 or 96,
the configurations based on a longer ID, where the block length is shorter than or
equal to the length of the ID, are applicable, but b must be recomputed. With a
64-bit ID, by using TS with 4-bit address and L equal to 4 bits, with a 3-byte TS
(b = 3) the probability of identical TS is 2.44·10 −4 , and with a 6-byte TS (b = 6) the
probability is 5.96·10 −8 . Therefore, finding random tags with the IDs corresponding
to a specific TS is not feasible, so the cloning action requires the knowledge of the
OPuK, in order to read the TS, and it requires the ability to write new tags with
73

2 – Security
Table 2.13. TS characteristics
Address length Number of Block length Address-block
(bits) Blocks (NB) (bits) couple length (bits)
7 128 1 8
6 64 2 8
5 32 4 9
4 16 8 12
3 8 16 19
2 4 32 34
1 2 64 65
0 1 128 128
a desired ID. However, the presence of a stock of commodities with cloned tags can
be easily detected, thanks to the presence of the same TS on different tags.
Differently from NSCCA, NCA does not provide the authenticity of the information
on the tag. YA-TRAP provides authenticity, but the authenticity check can
be performed only by the users that are authorized to access to the server.
The privacy of customers is protected by the OPrKs, the APuK, and by the
CPuK. A privacy threat is the finding on the tag memories of information about
personal belongings. On the one hand, after the point-of-sell the information for
SCM and traceability is encrypted by using also the longest OPrK, so only who
knows the correct OPuK can read that information. Furthermore, the OPuK allows
only the access to maintenance information or to the SCM information of one CM,
instead opponents need other OPuKs and the APrK in order to read more data.
However, OPuK security is also based on the reliability of the CMs that hold it,
so its circulation should be tightly limited. On the other hand, the information for
smart home is encrypted by the CPuK, which has a length equal to 1 MS, so it
2
is subject to a minor protection. However, the information for smart home may
hold only some specific data, e.g. the expiration date, in order to avoid risks for
information important for privacy. Furthermore, customers can delete a part or the
whole information for smart home, according to their privacy requirements.
NCA provides the same protection to customer privacy as NSCCA, but it allows
only the application to traceability management. In YA-TRAP the adversaries
cannot reach data related to the tag, since all the information are stored on the
central server. However, this scheme does not involve users with different privileges,
so the same tag can not be employed by different applications, such as traceability,
SCM, and multimodality shopping. Furthermore, the scheme is not suitable for after
the point-of-sell applications, since they would require that customers can access to
the central server.
74

2 – Security
Industrial espionage is addressed by encrypting the information by using the
OPrKs of the CMs and the APuK. The length of the shortest key is related to
the chain position of the last CM that has written on the tag. An opponent, in
order to read the last information for SCM, needs to find the correct OPuK, or to
factorize it. In order to read other information, the opponent needs the subsequent
correct OPuK. Also NCA and YA-TRAP can protect against industrial espionage
as NSCCA.
Another threat is the tampering. NSCCA is not tamper-resistant, but it is
tamper-evident. Only an opponent that owns the OPrK and the OPuK of the CM
could correctly modify the information on the tag. After the-point-of-sell, if the
writing block command on the employed RFID tags is active, the memory can be
blocked, in order to avoid tampering. Furthermore, also inside the supply chain, the
closed nested MS sets can be blocked, so only the last set, if it is incomplete, can
be tampered.
NCA provides the same protection against tampering as NSCCA. YA-TRAP is
tamper resistant, since the data are stored in the server. However, YA-TRAP is
exposed to denial-of-service, since it involves time stamps, which can be modified
performing several malicious readings.
Differently from NSCCA and NCA, that do not provide protection against tracking,
YA-TRAP has been designed to protect against it.
The main improvement of NSCCA over NCA and YA-TRAP is that it protects
against the same or more security threats than them (except for tracking), but
it is the only scheme suitable for several applications and it can manage different
privilege levels.
Memory dimension The tag memory is one of the main elements of the proposed
system. The parameters of the memory division are the size of the MS and the
number of MSs in each tag memory.
The number of MSs should be greater than or equal to the greatest number of
CMs that can be involved in the supply chain of a product. Although the number
of CMs is related to the production sector, it can vary significantly within the same
sector. Furthermore, the merging of products requires several MSs, so it is difficult
that the number of MSs can be so great to store all the data of any product. When
the number of MSs is not enough the CM has to record a summary, as described
in Section 2.5.3, and to store the other data in the company database, but this
operation affects the efficiency of the traceability application, so it should be avoided
by setting proper memory dimension parameters.
The size of the MS affects:
ˆ the security of the system, since it is based on the length of the keys, which is
related to the size of the MS;
75

2 – Security
ˆ the time required for encryption and decryption, since it depends on the length
of the keys;
ˆ the quantity of data that each CM can record.
On the one hand the benefits, from recording on the tag memory the information
about all the CMs involved in the supply chain of the product, and from the
encryption and decryption time saving, are based on the smallness of the MSs. On
the other hand, the security of the IS and the quantity of information recordable by
each CM are based on the largeness of the MSs. Therefore, the described elements
must be carefully evaluated.
We assume that the typical number of CMs in a simple supply chain is normally
lower than 10; instead the most complex chain can involve several companies, and
for particular commodities, that are the result of the merging of different products,
the chain could require several MSs. Therefore, a suitable number of MSs per tag
memory should be at least great enough for the basic chains, and the merging excess
information may be stored in the database of the CM.
SRIX4K is an example of RFID tag from STMicroelectronics, which has a 64-bit
Unique Identifier and a 4096-bit EEPROM, but only 3872 bits can be written by
users. However, with a 4-Kbit area the size of the shortest keys is not enough also
with few MSs. Therefore, the RFID tags with larger memories are required, in order
to reach a good security level. In Table 2.14 the configurations of the passive tag
D5-TAGb with a 16-Kbit EEPROM is shown. Furthermore, nowadays there are
other RFID tags with larger memory, e.g. mic3®-TAG with 32 Kbit.
The length of the keys used with a 16-Kbit area allows reaching a good security
level also with more than 8 CMs, but the cryptographic operations performed with
the longest possible keys require too elapsed time, so the maximum number of
nested MSs should be properly set to a value that avoids too long keys. A possible
configuration is shown in Table 2.15. According to the time performance reported
in Section 2.5.3, the reading and decryption of the 512 bits by the customer for after
point-of-sell application data require less than 0.5 second, and the encryption and
writing of the 3072 bits by the retailer require less than 6 seconds.
According to the label/value implementation described in Section 2.5.3, an identification
requires 14 bytes, and the other records require 5 bytes or less. By employing
the PKSC 1.5 [81] method for encrypting data using the RSA, 11 bytes
are required by the encryption information. Considering a TS of 6 bytes, according
to the configuration shown in Table 2.15, each CM can write 53 bytes reserved for
CA and 47 bytes reserved for authorized CMs. For example the CM could write
in the area for CMs its identification, the previous CID, and 11 treatments or 8
characteristics, and in the area for authorities 3 identifications, 1 characteristic, or
11 characteristics and 1 treatment.
76

2 – Security
Table 2.14. 16-Kbit memory configurations
Number Number MS size Largest key Shortest key
of MSs of CMs (bits) (bits) (bits)
2 1 8192 8192 4096
3 2 5461 10922 2730
4 3 4096 12288 2048
5 4 3276 13104 1638
6 5 2730 13650 1365
7 6 2340 14040 1170
8 7 2048 14336 1024
9 8 1820 14560 910
10 9 1638 14742 819
11 10 1489 14890 744
12 11 1365 15015 682
13 12 1260 15120 630
14 13 1170 15210 585
15 14 1092 15288 546
16 15 1024 15360 512
17 16 963 15408 481
18 17 910 15470 455
Table 2.15. 16-Kbit memory configuration example
Memory size 16 Kbit MSs 16 CMs 15
MS size 1024 bits MaxNMS 3 Nested sets 5
Longest key 3072 Shortest key 512
NSCCA requires the same memory area of NCA, except for the memory employed
for after the point-of-sell applications, which are not managed. The memory required
by YA-TRAP is quite small, but it requires RFID tags and communication protocols
out from the RFID standards.
Conclusion
Pervasive computing environments offer great benefits to various sectors. Nevertheless,
they possibly involve dangerous threats for the information security. Some
very relevant applications could be strongly improved by pervasive environments,
but they require firmly information security.
77

2 – Security
The analysis has shown that the proposed pervasive IS based on RFID technology
is suitable for SCM, traceability management, multimodality shopping, maintenance,
and smart home applications. Furthermore, all the described applications
get benefits from pervasive environments. At the same time the algorithm here
proposed (NSCCA) avoids industrial espionage, it protects the customer privacy, it
guarantees the authenticity of information, and it can easily detect sabotage actions
that aim to alter the information. The analysis of the tag memory characteristics
demonstrated that standard RFID passive tags allow implementing the proposed IS
with proper features of time requirements, security and quantity of recordable data.
Therefore, the implementation of the IS does not require new devices, and so it can
be cheaply and easily applied in commercial sector.
Compared with previous schemes NSCCA has greater memory requirements, but
it can be widely applied, and it is compatible with RFID standards. The future work
will involve the integration of the proposed IS with tracking protection systems, for
security reasons. On the one hand, the optimization of the cryptographic software
implementation seems an effective solution that does not require alterations of the IS.
On the other hand, the introduction of new protocols that join symmetric encryption
to public key cryptography could bring more efficient results, but it involves the
challenge of key management.
Figure 2.14.
Reader-transponder scheme
2.6 RFID Tags with cryptographic capability
A common RFID reader-transponder scheme is presented in Figure 2.14. The reader
transmits information to the transponders, or tags, by modulating an RF signal.
Then, transponders recover information and operating power from the RF signals.
After processing information, a tag responds to the reader by backscattering, i.e.
modulating the reflection coefficient of its antenna while the reader is transmitting
a continuous wave RF signal.
Current RFID implementations and protocols vary deeply since a worldwide
78

2 – Security
standardization is still under development. EPC Global specified a ultra-high frequency
(UHF) RFID air interface when introduced its EPC Class-1 Generation-2
(C1G2) UHF RFID protocol [8]. While being a robust specification suitable for
many UHF RFID applications, the EPC C1G2 protocol also presents several novelties
on its anti-collision and tag selection mechanisms.
Even though significant attention has been placed on RFID security and privacy
issues 8, few standardization entities have really addressed them. Customer
privacy issues have overshadowed authentication concerns in RFID research. However,
proper tag authentication is an essential keystone for guaranteeing genuine
identification. In general, RFID authentication diminishes the problem of readers
harvesting information from counterfeit tags.
RFID’s authentication and privacy procedures are based on undemanding symmetric
encryption mechanisms where cryptography keys are exchanged through an
unsafe communication channel. Symmetric encryption schemes use the same key to
encrypt and decrypt a message. On the other hand, asymmetric encryption, which
is also known as public-key cryptography, utilizes different keys for decrypting and
encrypting a message. Public-key cryptography has been widely used for authenticating
a message; electronic signatures are a clear application of it. When using
asymmetric encryption schemes, rather than symmetric ones, a system’s security
level raises, but so does its complexity.
This section introduces a transponder architecture that follows the specifications
of the EPC C1G2 protocol. Our design comprises an asymmetric cryptographic
module that is able to encrypt information transmitted to the interrogator.
In this design, we focus on digital components, neglecting the radiofrequency
transceiver and other analog elements. Our tag is constituted by different functional
modules that are able to perform the following operations: receiving interrogator
queries, processing internal information, managing tag status, handling inner memory,
encrypting data and generating tag responses.
By including an internal encryption element, we empower the tag to perform
authentication tasks. As described in Section 2.5.1, encrypted information recorded
in the memory of a tag may lead to satisfactory authentication and anti-counterfeit
mechanisms. In this section, we evaluate the possibility of rearranging the encryption
procedure from a high-level system, such as an external computer, to a low-level
device, such as the RFID tag. Results about the trade-off of this reorganization in
terms of cryptographic capabilities, required area and power consumption are presented.
2.6.1 EPC
This section provides details abourt EPC C1G2 Standard.
79

2 – Security
Physical Layer and Tag Components
An EPC C1G2 compliant tag is able to establish a reader-to-tag communication if
it implements precise directives regarding the physical layer of the protocol. Within
this layer, modulation and data encoding directions are found. The physical layer
also sets up what should be the composition of the tag, that is, its hardware requirements.
The EPC C1G2 presents mandatory and optional hardware characteristics. Some
of them are related directly with the physical layer, while others are associated with
higher layers and procedures. Important hardware requirements have to do with the
memory and the anti-collision systems.
According to the EPC C1G2, tag memory must be divided in four banks as
follows:
ˆ Reserved memory. Passwords for accessing some tag functionalities, such as
memory locking or tag disabling, must be stored here.
ˆ EPC memory. A code that is used to identify the object to which the tag
is attached must be placed in this bank. Some control data is also allocated
here.
ˆ Tag Identifier (TID) memory. This is the portion of the memory where the
tag identifier should be stored.
ˆ User memory. User-specific data storage is allowed in this part. This is an
optional bank.
In addition, a tag should contain a set of registers that are useful when the anticollision
procedure is in execution. These registers are commonly called inventory
flags. A tag uses them to keep a record of its own status when a reader is executing
an inventory round, i.e. it is trying to catalog a group of tags based on their inventory
flags status.
Communication Layer
The communication layer, according to EPC C1G2, allows a reader to manage tag
populations. A great number of tags may be controlled by supervising tag’s data
collisions. EPC C1G2 protocol implements anti-collision mechanisms within this
layer by using a two-part scheme. First of all, a command, or instruction, must be
provided by the EPC C1G2 compliant reader and tag to allow broad tag selections.
Second, a set of commands have to be used by the reader in order to choose singularly
a tag.
80

2 – Security
A selection command tells a tag or group of tags to set or unset their inventory
flags according to a comparison mask. In this way, a reader is able to split in smaller
sets a larger group of tags in order to access them easily.
As indicated by the EPC C1G2 protocol, a reader can tell a tag to compare
any 256-bit portion of the memory with the aim of regulating its inventory flags.
Nevertheless, usually a reader evaluates just the portion of the memory where the
tag’s identification code is mapped. Generally, after selecting a group of tags, a
reader proceeds with the inventory stage.
A reader builds up an inventory of tags by using several commands. Within this
stage, anti-collision mechanisms become crucial because different tags may response
at the same time generating data disagreements.
Typically, a reader executes inventory commands pointing towards a previously
selected set of tags. That is, after sending a selection command, a reader issues
an instruction indicating that those tags with specific inventory flags status must
initiate an inventory round.
When starting a new inventory round, an inventory-flags-matching tag generates
an internal random Queue Position Number (QPN) which is the core of the anticollision
scheme. The protocol states that when a tag’s QPN is equal to zero, the
tag must answer to the reader by sending a temporary random 16-bit address. From
that moment on, and until the next inventory round starts, the reader may turn to
the tag by means of its temporary address.
EPC C1G2 protocol provides a large set of reader instructions to manage inventory
rounds and to handle QPNs behavior. As noted before, tags’ anti-collision
system relies on the associated probability of random number generation.
Application Layer
The EPC C1G2 protocol offers several accessing commands that become functional
only after a tag has been differentiated. These commands are part of the application
layer protocol. Accessing a transponder generally consists of writing, reading or
locking its internal memory.
Writing or reading a tag’s memory does not require reader validation. However,
if a memory portion is locked, a reader might not be able to read or write it. A
reader that wants to lock a portion of the memory, such as the TID memory portion
or the user memory bank, should validate itself by issuing an access password.
Other than sending writing or reading instructions, a reader is able to terminate
indefinitely tag’s operation by issuing another password-protected command.
81

2 – Security
Figure 2.15.
Transponder architecture
Figure 2.16.
Encryption module
2.6.2 Proposed Tag Architecture
As RFID technology becomes ubiquitous, new sets of functionalities are being added
to tags and readers, and, thus, new threats and risks are emerging as well. Counterfeiting
is one of the most important issues that RFID users may encounter. A
well-designed tag may reduce counterfeiting and may help to give an additional value
to the object to which the tag is attached.
The tag architecture that is introduced in this section may be useful to efficiently
address counterfeiting and authentication issues because of its public-key
cryptographic module. Authenticated and counterfeit-free tags may provide confidence
to RFID users, allowing that technology to enhance its scope and to reach a
Figure 2.17.
Crypto writing and reading operations
82

2 – Security
Figure 2.18.
Tag authentication algorithm
higher degree of expansion.
The tag architecture that we introduce is compliant with the EPC C1G2 protocol
and comprises a public-key encryption module. The architecture of the novel
RFID tag is presented in Figure 2.15. It is divided in the following macro-modules
according to its functionality.
ˆ Decoder/Encoder (DECENC). This module is in charge of decoding queries arriving
from the interrogator and encoding the responses that the tag backscatters.
This module deals directly with physical data encoding, PIE when decoding
and FM0 or MMS when encoding. In addition, this module also decodes
interrogator instructions.
ˆ Main Control Unit (MCU). It is the control unit of the whole tag. It keeps a
record of the state of the tag and deals directly with interrogator commands.
ˆ Output Control Unit (OCU). After MCU decides whether to answer or not
to an interrogator command, the OCU takes control and formats the output
response.
ˆ Memory (MEM). It is the memory of the tag. It includes the memory banks.
ˆ Encryption Module (CRY). It is the public-key encryption module. It becomes
active only when the interrogator issues a read command related to encrypted
data.
Most of these modules are intended to pursue a specific EPC C1G2 function;
indeed, the tag was designed based on the instruction set required by the EPC
83

2 – Security
C1G2 protocol. However, CRY has been added in order to enhance transponder’s
capabilities without altering the compatibility with EPC C1G2 protocol.
Cryptographic Architecture
CRY is a public-key encryption module suitable for authentication applications.
Tags implementing this module are able to authenticate themselves as electronic
signatures do. Thus, our architecture helps to reduce counterfeiting.
The CRY module is a simplified low-efficient version of the RSA algorithm that
shares the same bus with OCU and MEM.
CRY performs the encryption with the secret key shown in Figure 2.16. As
explained in Section 2.5.1, the secret key algorithm, D K0 , is a power operation. It
is composed by a secret pair D,q that defines the exponent and the modulus used
in the encryption. Thus, a plaintext P is encrypted into a ciphertext C that can be
decrypted by anyone who possesses the public function E K0 .
In our design, each one of the elements in the secret pair D,q is a 1024-bit value
fixed and wired internally in CRY. A 1024-bit secret key assures a high level of
protection for the ciphertext which resultant length is 1024 bits as well. Secret keys
are not automatically generated by CRY, they should be previously generated with
proper tools.
In order to avoid overloading the memory, information that is meant to be encrypted
is actually stored inside the tag in its plain form, i.e. without encryption.
Thus, when a user wants to access encrypted information, CRY encrypts it and
delivers the associated ciphertext.
CRY behavior and usefulness are easily understood by analyzing its writing and
reading mechanisms. Our implementation uses the User Memory exclusively for
cryptographic operations. Consequently, information that is intended to be read in
plain form cannot be stored in the user memory.
A generic crypto writing operation is presented in the left segment of Figure 2.17.
When a user wants to write an authenticating signature into the tag, he/she writes
16-bit plaintext blocks into the user memory. Afterward, he/she may lock the user
memory bank, avoiding further writing-accesses to the signature. A user may efficiently
authenticate a tag by writing signature data that combines the tag identifier
number and pertinent information of the object to which the tag is attached.
In Figure 2.17, we present the crypto reading operation. Our design does not
allow reading the user memory if it is not done with a cryptographic scope. When
a user requests encrypted information, the tag maps a single 16-bit plaintext word
into a 1024-bit ciphertext by means of CRY.
With our cryptographic tag, a producer who wants to offer an authentication
system, may pursue a crypto writing operation using the tag identifier as plaintext.
Thus, a user may verify tag authenticity by following the algorithm in Figure 2.18.
84

2 – Security
Any user in possession of the public function E K0 , is able to perform tag authentication.
Initially, the tag identifier (T ID) and the ciphered tag identifier (CID) are
read from the tag’s memory. Afterwards, the deciphering public function is applied
to CID to compute the plain decrypted identifier (P ID). By comparing P ID and
ID, it is possible to authenticate the tag.
Figure 2.19.
Tag recognition and authentication example
An Application Example
EPC C1G2 instruction set includes a large number of commands or instructions.
Practical usefulness of the protocol can be perceived by means of an application
example. In the following, we present an example of a reader that wants to verify
the authenticity of a set of tags.
We suppose that within the reader interrogation field there are four different
tags. We also hypothesize that the tags have been prepared for the authentication
procedure described in the previous section. In order to present the example, we
illustrate reader queries, tags responses and tags status.
Figure 2.19 presents the first phase of our example. The reader manages the tag
population in order to single out a tag. First, the reader sends a Select command to
execute a broad selection; tags matching the selection criterion set their inventory
flags. For this particular case, the selection mask is compared with the first part
of the EPC code; as expected, just three out of the four tags are selected. After,
the reader issues a Query command to start a new inventory round; selected tags
compute their QPN. Subsequently, the reader broadcasts QueryRep commands until
a tag responds with its temporal address.
85

2 – Security
Once a tag has been singled out, the reader is able to verify its authenticity.
Every access or cryptography command sent by the reader must specify the temporal
address of the tag previously selected, which in this case is the second one. As seen in
Figure 2.19, the reader first read the tag identifier and then queries for the encrypted
identifier, requesting one 16-bit word at a time. Verification and authentication take
place when the user executes the algorithm already explained in Figure 2.18.
In this simplified example, the tag identifier is 32-bit long. In any case, even if
it is common to find much longer identifiers, the authentication procedure is always
the same.
1800
1600
1400
Dynamic Power
Static Power
Total Power
1200
Power (µW)
1000
800
600
400
200
0
128 256 512 1024
Secret Key Length (bit)
Figure 2.20.
Power consumption for different key lengths
2.6.3 Experimental Results
Based on the proposed architecture, our design was described using the VHDL language.
Afterwards, a gate-level description of the tag was obtained by synthesizing
using a 90-nm HMOS industrial library. Circuit verification was done at both levels
– RTL and netlist – of the design flow.
When varying key length, circuit’s characteristics also fluctuate as shown in Figure
2.20 and Figure 2.21. Area requirements and power consumption are constrained
by the encryption module and the length of its key.
In order to estimate time requirements, we evaluated the time spent by CRY to
compute the encryption of a single memory word, while varying the secret key and
the memory word. The resulting time required by CRY is close to 539.5 ms on the
average.
86

2 – Security
Figure 2.21.
Area requirements for different key lengths
2.6.4 Conclusion
In this section, we presented a novel RFID tag architecture. The design was synthesized,
simulated and verified. The tag was conceived according to the EPC Class-1
Generation-2 protocol for UHF RFID transponders, however it is able to work for
other frequencies as well without substantial changes.
We added an encryption module to the tag design in order to improve tag capabilities
for privacy protection and authentication. A suitable method for tag
authentication was described; it showed itself useful for authenticating also the object
that is attached to the tag. A large number of applications, such as small wine
producers or large clothing manufacturers, may take advantage of this implementation.
Future work involves the practical implementation of the proposed tag in a
wine bottling chain to power it with an authentication mechanism.
87

Chapter 3
RFID Reader-to-Reader
Anti-collision
The wide adoption of Radio Frequency Identification (RFID) for applications that
require a large number of tags and readers makes critical the reader-to-reader collision
problem. Various anticollision protocols have been proposed, but the majority
requires considerable additional resources and costs. The best protocol without
noteworthy additional requirements is DCS, which is based on time division.
This Chapter presents the Probabilistic DCS (PDCS) reader-to-reader anticollision
protocol which employs probabilistic collision resolution. Differently by previous
time division protocols, PDCS allows multichannel transmissions, according
to international RFID regulations. A theoretical analysis is provided in order to
clearly identify the behavior of the new parameter representing the probability. An
improved evaluation method is presented, in order to evaluate more accurately the
fairness of the protocols.
The proposed protocol keeps the features of DCS, achieving more efficiency.
Theoretical analysis demonstrates that the number of reader-to-reader collisions
after a slot changing is decreased by over 30%. The simulation analysis validates the
theoretical results, and shows that PDCS reaches better performance than previously
presented reader-to-reader anticollision protocols.
Radio Frequency Identification (RFID) is a well-known identification technology
which is applied to several sectors, such as Supply Chain Management (SCM) [96],
traceability [53], and emergency management [93]. The majority of RFID systems
are composed by some RFID readers and many passive transponders, called tags.
Passive tags get their power supply from the electromagnetic field of the reader.
A reader can read and write the tag memories in its interrogation range, which is
limited by the power requirements of the tag. However, the low power messages
of the tags are affected by the stronger transmissions at the same frequency of the
close readers. A reader affects the communications of other readers in its interference
88

3 – RFID Reader-to-Reader Anti-collision
Interrogation Ranges
Interference Ranges
Reader 1 Reader 2
Figure 3.1.
Reader to Reader Collision
range. If two readers, within the reciprocal interference range, try simultaneously to
communicate with different tags, the two transmissions may collide (reader-to-reader
collision). Figure 3.1 shows an example of two tightly coupled readers.
Usually, RFID systems for auto-identification employ ultra high frequency (UHF).
In free space, the interrogation range of a reader that transmits at 33 dBm with tags
that require 14 dB is approximately 7 meters. According to the European regulation
for UHF RFID, ETSI EN 302 208-1 V1.2.1 [13], the threshold level over that signals
may degrade RFID transmissions shall be −35 dBm or less depending on the RFID
application. Therefore, the corresponding interference range is approximately 70
meters. The ratio between interrogation range and interference range is 10 times, as
stated also in [30]. According to the reader deployment analysis presented in [47],
the best placement model to cover a whole area is hexagonal. Figure 3.2 shows an
example of the interference range of a reader and its hexagonal deployed neighbors.
The high number of readers in the interference range can produce several collisions,
impairing the network performance. The reader-to-reader collision must be carefully
addressed, otherwise the RFID network could be ineffective.
Listen Before Talk (LBT) is the optional reader-to-reader anticollision protocol
proposed by the European standard [13], and it is based on Carrier Sense Multiple
Access (CSMA). Although various other anticollision protocols have been proposed,
the majority are not consistent with the readers actually produced, and require
additional resources and costs. Waldrop et al. presented DCS and Colorwave [126]
[125], based on time division. The transmissions are composed by rounds divided in
timeslots called colors. DCS does not have noteworthy additional requirements and
with a correct configuration it can provide good performance. Colorwave does not
89

3 – RFID Reader-to-Reader Anti-collision
need a specific configuration, but it requires to manage an additional transmission
among RFID readers. These protocols present an acceptable time efficiency and
provide a high probability that readers do not collide two times consecutively. Other
protocols, Pulse [30, 31], HiQ [68], and NFRA [47], try to reach better performance
using an additional control channel. However, these protocols require additional
resources and are more expensive. Gandino et al. [52] proposed to introduce a
new parameter in collision resolution of time division RFID anticollision protocols,
representing the probability to change timeslot after a collision.
This Section presents the Probabilistic DCS (PDCS) reader-to-reader anticollision
protocol which employs the probability P . In DCS after every collision a reader
randomly changes timeslot. Since this change can produce new collisions, in PDCS
after a collision readers change timeslot with probability P , so the number of readers
that change timeslot and the resulting new collisions are reduced. Moreover, PDCS
is a multichannel protocol, according to the majority of the international RFID regulations
(e.g. [13]). The existing evaluation critera are analyzed and an improved
evaluation method is presented, in order to find more accurately the fairness of the
protocols.
This Section presents a new theoretical analysis on the proposed protocol, and
it studies the effects of P . The behavior of PDCS has been simulated and compared
with DCS and Colorwave in order to compare their time performance and
to validate the results of the theoretical analysis. Experimental results show that
the number of Reader-to-Reader collisions after a slot changing decreases by over
30%, and demonstrate that PDCS presents limited additional constraints and better
time performance than previously proposed protocols with equivalent requirements.
Thanks to the smaller number of readers that change timeslot, PDCS results suitable
also to RFID reader networks with mobile nodes.
3.1 Performance Evaluation Criteria
According to the main state-of-the-art approaches recently proposed in the literature,
there is not accordance on the most effective criteria for performance evaluation
of a general RFID reader-to-reader anticollision protocol. In this section the main
evaluation approaches are described, and a novel proposal is presented.
The parameters that are used to evaluate RFID reader-to-reader anticollision
protocols are:
ˆ Waiting Time (WT), which corresponds to the time interval between the request
and the transmission; it involves:
– Average Reader Waiting Time (ARWT), which corresponds to the average
WT for all the transmissions of a specific reader;
90

3 – RFID Reader-to-Reader Anti-collision
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
Figure 3.2.
Reader-to-Reader Collision
– Total Average Waiting Time (TAWT), which corresponds to the average
WT for all the transmissions in the RFID network;
– Average Average Waiting Time (AAWT), which corresponds to the average
ARWT of all the readers in the RFID network;
– Variance of Average Waiting Time (VAWT), which corresponds to the
variance of ARWT of all the readers in the RFID network;
– Reader Waiting Time Variance (RWTV), which corresponds to the variance
of WT for all the transmissions of a specific reader;
– Total Waiting Time Variance (TWTV), which corresponds to the variance
of WT for all the transmissions in the RFID network;
– Average Waiting Time Variance (AWTV), which corresponds to the average
RWTV of all the readers in the RFID network;
– Maximum Waiting Time (MWT), which corresponds to the longest WT
among all the transmissions in the RFID network;.
91

3 – RFID Reader-to-Reader Anti-collision
ˆ Attempted Transmissions (AT), which corresponds to the total number of
attempted transmissions in the RFID network;
ˆ Number of Transmissions (NT), which corresponds to the total number of
successfully performed transmissions in the RFID network.
3.1.1 Adopted Metrics
In [46], Engels and Sarma state that the goals of reader-to-reader anti-collision
protocols are to minimize the time span required to let all readers communicate at
least once (MWT ), and to schedule all readers to communicate as often as possible
(NT ).
In [125], the authors consider the requirements of real-time applications as inventory
detection, so they propose the goal of scheduling readers to communicate
as often as possible (NT ). The total successful transmissions performed by a set
of readers according to different configurations is used to evaluate different configuration
of Colorwave and to compare Colorwave and DCS. In [126], the successful
transmission percentage ( NT ) is used to evaluate different configurations of DCS.
AT
Birari and Iyer [30] [31] use two parameters for the evaluation of anti-collision
protocols: the throughput, which corresponds to the total number of successful
transmissions performed by all the readers per unit of time ( NT ); and the efficiency,
time
which corresponds to the successful transmission percentage ( NT ). AT
In [68] the goal of anti-collision protocols is to maximize the number of readers
simultaneously communicating ( NT ). time
Gandino et al. [52] state that the goal of reader-to-reader protocols is to provide
short (TAWT ) and steady (TWTV ) waiting times.
3.1.2 Proposed Evaluation Criteria
Methods based only on NT evaluate positively protocols where AT is close to NT ,
AT
also when NT is low. Therefore, this kind of evaluation seems not effective, since it
does not consider the throughput.
The throughput is represented by NT , but this metric does not consider the
time distribution of the transmissions and the different contribution of each reader
to NT. Therefore, NT is not suitable for applications that require constant quality
of service for the whole RFID network.
T AW T and T W T V are effective indexes of the throughput and of the performance
stability. However, these parameters do not consider the differences among
the performance of the single readers. Moreover, a reader with optimal performance
can strongly increase T AW T , hiding several readers with very low performance,
because each transmission has the same weight. Therefore, we state that these
92

3 – RFID Reader-to-Reader Anti-collision
problems can be solved analyzing AAW T and V AW T , which give the same weight
to each reader, instead of to each transmission. More in detail, a protocol should
mainly minimize:
ˆ AAWT, in order to schedule readers to communicate as soon as possible,
ˆ VAWT, in order to minimize the quantity of readers with minor efficiency,
ˆ TWTV, in order to provide steady performance,
ˆ MWT, in order to avoid large gaps between two transmissions of the same
reader.
3.2 Related Work
Several approaches try to address the reader-to-reader collision problem [64, 115].
This section describes the main relevant anti-collision protocols and their requirements.
3.2.1 ETSI EN 302 208-1 V1.2.1
This standard [13] involves the optional use of a Carrier Sense Multiple Access
(CSMA) protocol named ”Listen Before Talk” (LBT). In this protocol readers check
if the channel is unoccupied before transmitting. However, collisions are possible
when the gap between the start of two transmissions is small. The limited duty
cycle provides all the RFID readers the opportunity to transmit.
This protocol requires readers that are able to check if the channel is occupied.
This can be considered the base ability which is now owned by all the readers that
implement a reader-to-reader anti-collision protocols.
3.2.2 Distributed Color System (DCS)
In DCS [126] [125] each communication round is composed by time slots. Each RFID
reader can communicate only during its time slot. When a transmission collides,
each involved reader stops the communication and randomly chooses a new timeslot
that it reserves, sending a specific signal named kick. When the reserved slot is used
by some neighbors, they choose a new slot and try at using it without reservation.
The communications are divided in rounds. Each round is composed by µ timeslots.
Each timeslot is composed by a kick phase and a transmission phase. The
identification of a timeslot is called color. A color is assigned to a reader, and it
works only during the corresponding time slot.
93

3 – RFID Reader-to-Reader Anti-collision
During the kick phase, each working reader that had collided at the previous
transmission sends a kick. Each working reader that receives a kick changes immediately
color.
During the transmission phase, each working reader that has to read tags executes
a transmission. If the transmission collides then the involved readers stop it
and randomly choose at a new color. At the subsequent round the colliding readers
will send a kick, in order to reserve the timeslot.
In the described protocol when more than one reader transmits a kick during
the same slot, all the transmitting readers also receive the kick, and so they choose
a new color.
The kick does not transport any additional information, but it is used only to
communicate to neighbor readers that the channel is busy, so the readers do not need
additional hardware in order to implement DCS. The only additional requirements
with respect to LBT is represented by the synchronization.
3.2.3 Colorwave
Colorwave [126] [125] is a protocol based on DCS. This protocol introduces a variable
quantity of timeslots that compose a round (µ), differently from DCS where the
number of timeslots is fixed. The value is dynamically changed in order to increase
the efficiency of the RFID network. When the number of collisions is high, the
number of used colors for round rises, while when it is small the number of colors
decreases. This protocol requires a special kick transmission, which states the change
to a new quantity of colors. The kick phase is divided in two subphases, where
normal kicks are sent during the first one, and color kicks during the second one.
In order to manage changes in the number of colors for round, Colorwave introduces
two couples of thresholds, one for the increases and the other for the decreases.
Each reader counts its percentage of successful transmissions. When the percentage
exceeds the second threshold of a couple the reader changes µ and communicated
the change to its neighbors during the second kick subphases; if a reader has exceeded
the first threshold of a couple and it receives color quantity kick compliant
with the exceeded threshold, then it changes µ and communicates the change to its
neighbors.
The variable number of colors for round allows Colorwave to find autonomously a
good configuration. However, in addition to the requirements of DCS, this protocol
requires also to manage the color number kicks.
3.2.4 Protocols with High Requirements
Various protocols characterized by larger requirements have been proposed. Typically
these protocols require an advanced communication system parallel to the
94

3 – RFID Reader-to-Reader Anti-collision
standard RFID network. Therefore, they cannot be implemented with readers actually
produced, and require additional costs.
The main protocol in this group is HiQ [68], which is based on reinforcement
learning, and which involves a hierarchical structure composed by three levels. The
RFID readers, which represent the lowest level, require channel resources to the
higher level. The elements of the second level require resources to the highest level,
and distribute them to the readers. This system requires a communication system
for the resources management.
A recent protocol which overcomes HiQ performance is NFRA [47]. This protocol
requires a central server, which communicate with the RFID readers through an
additional channel at 433 MHz. This communication system requires that each
reader owns an additional radio reception device for that frequency.
3.2.5 Protocols based on Power Control
An alternative system to avoid collisions is the Power Control [36] [83]. The power
can be decreased in order to reduce the interference range. These protocols try to
optimize the ratio between interference range and interrogation range. However,
the reduction of the interrogation range affects the performance of the RFID network.
According to ETSI EN 302 208-1 V1.2.1 [13], threshold level of the noise
for transmitting without interferences shall be -35 dBm e.r.p. or less. Approximately,
if a tag need -14 dBm in order to be in the interrogation range of the reader,
the ratio between the interference range and the interrogation range is close to 20
times. Therefore, in order to avoid reader-to-reader collisions reducing the power,
the interrogation area cannot be accurately covered.
3.3 Probabilistic DCS (PDCS) Protocol
In DCS, after sensing a collision, all the involved readers choose a new color and
reserve it. However, when a large part of the timeslots are just used, a change of
color probably generates a second change without timeslot reservation, so a probable
collision between two readers occurs. Furthermore, the kicked reader would not
transmit during the reserved round, and during the subsequent collision round, so it
would wait two rounds before transmitting. After a collision between two readers,
all the involved nodes will change their color, so both the readers will reserve a
new color. When the majority of the colors are used, both the new timeslots could
be engaged, so two readers would change their color. Therefore, this double color
change could generate two second generation collisions.
In [52], the authors state that the introduction of a new parameter P , which
represents the probability of readers to change color after a collision, can increase
95

3 – RFID Reader-to-Reader Anti-collision
the performance, decreasing the number of collisions generated by the change of
color due to a previous collision. According to [52], this section describes a new
protocol named Probabilistic DCS (PDCS) which is based on the introduction of P
in DCS. Differently by the probabilistic version of DCS presented in [52], PDCS is
a multichannel protocol, which can manage an arbitrary number or frequency channels,
according to the various regulations about RFID. Therefore, after a collision
in PDCS, readers choose both a new color, which represent the time slot, and a new
channel. Therefore, the total number of slots available each round is equal to the
number of colors multiplied for the number of channels.
The variables of the protocol are the following:
ˆ color i , the index of the time slot that the i th reader can use for transmissions;
ˆ channel i , the index of the frequency channel that the i th reader can use for
transmissions;
ˆ prev channel i , the index of the previous channel that the i th reader used for
transmissions;
ˆ µ, the number of time slots in a round;
ˆ µc, the number of channels in a round;
ˆ kickflag i , the boolean flag that is true when the i th reader requires a kick;
ˆ transflag i , the boolean flag that is true when the i th reader requires a transmission;
As in DCS, in PDCS the transmissions are organized in rounds divided in timeslots.
Each slot is composed by the following phases and subroutines:
ˆ Timeslot initialization, where the readers update the value of their variables;
– New timeslot:
∀i : color i = (color i + 1) mod (µ);
if (the i th reader has to read tags)
then transflag i = true;
ˆ Kick phase, where the readers send the kicks in order to manage the slot
reservation, and choses a new color if receives a kick.
– Kick sending:
if (kickflag i = true AND color i = 0)
then the i th reader sends the kick;
kickflag i = false;
96

3 – RFID Reader-to-Reader Anti-collision
– Kick resolution:
if (the i th reader receives a kick
on channel i AND color i = 0)
then prev channel i = channel i ;
while (color i = 0
AND channel i = prev channel i )
color i = random(µ);
channel i = random(µc);
ˆ Transmission phase, where the readers try to communicate with the tags, and
eventually choses a new color if collides.
– Transmission:
if (transflag i = true AND color i = 0)
then the i th reader transmits
transflag i = false;
– Collision resolution:
if (a transmission of the i th
collides AND random(1) < P )
then color i = random(µ);
channel i = random(µc);
kickflag i = true;
transflag i = true;
reader
3.4 Theoretical analysis
PDCS is characterized by the probability P . When P is equal to 1, PDCS corresponds
to DCS, so DCS can be considered a particular case of PDCS with P = 1.
The most relevant parameter for the evaluation of the time performance of an
anti-collision protocol for RFID networks is WT. The difference between PDCS and
DCS is the collision resolution, so its effects on WT must be carefully analyzed.
The first step of this theoretical analysis is focused on the behavior of PDCS
after one collision between two readers. A reader involved in a collision changes its
color with probability P , so after a collision between two readers three cases are
possible:
1. no reader changes its color, so at the subsequent round the involved readers
will receive a kick and they will change the color without reservation;
97

3 – RFID Reader-to-Reader Anti-collision
2. one reader changes its color, so at the subsequent round one reader will transmit
with the previous color, and the second reader will reserve a new color,
maybe requiring another reader to change;
3. both the readers change color, this case corresponds to the DCS collision resolution.
Case 1 is worse than DCS, since the involved readers will lose a second round.
Case 2 is better than DCS, since one reader probably will not produce second generation
collisions. Case 3 corresponds to DCS. According to the value of P, each
case has a characteristic probability, so a proper value of P maximizes the number
of occurrences of Case 2. Figure 3.3 shows the probability of each case, according
to P . Roughly analyzing the effects of P on the performance of the RFID reader
network, it is possible to consider that Case 1 is negative, Case 2 is positive, and
that Case 3 is intermediate. Starting from P = 1, a short decrease of P corresponds
to:
ˆ a slight rise of Case 1 (negative case);
ˆ a considerable grow of Case 2 (positive case);
ˆ a sharp fall of Case 3 (intermediate case).
Therefore, since Case 1 improves the performance of the protocol, and Case 2
decreases them, the values of P shown by the right part of the graph in Figure 3.3
should bring positive results.
Although WT is the best metric for RFID network evaluation, the effects of the
different cases on the time performance of the protocol can be more clearly analyzed
observing the number of second generation collisions (γ), which represents the
average number of readers involved by second generation collisions produced by the
first generation collisions (φ), which represents the number of colliding readers
in a round.
3.4.1 Second Generation Collisions
The collisions affect the time performance of RFID networks, since the involved
readers have to wait before transmitting. In DCS/PDCS, each collision generates
possible new collisions. This behavior can produce a relevant number of collisions
at each round, so it must be carefully analyzed. This section carefully analyzes
the effects of a collision between two readers. In order to calculate γ, it can be
partitioned in three γ i related to each case described in the previous section, so we
have:
98

3 – RFID Reader-to-Reader Anti-collision
Figure 3.3.
Color Change After a Collision Between Two Readers
Each γ i is determined by the following formula:
γ = γ 1 + γ 2 + γ 3 . (3.1)
γ i = γP i ∗ γc i . (3.2)
Where γP i represents the probability of Case i, as reported in Fig. 3.3, and where
γc i represents the number of second generation collision due to Case i. The formulas
to calculate each γ i are presented in the following, where γc i is determined by µ and
by the number of engaged color (ɛ),
The probability of Case 1 is:
γP 1 = (1 − P ) 2 . (3.3)
This case involves a given double kick. After the kick each reader changes color
without presentation, so the number of produced second generation collisions is
related with the state of the new colors. If:
ˆ both the colors are free, then no second generation collision is produced; the
related contribution to γc 1 is null;
ˆ one color is free and one color is engaged, then one second generation collision
between two readers is produced; the related contribution to γc 1 is:
99

3 – RFID Reader-to-Reader Anti-collision
γc 1a = 2 ·
ɛ
µ − 1 · 1 − ɛ · 2; (3.4)
µ − 1
ˆ both the colors are engaged, then two second generation collisions between
two couples of readers are produced; the related contribution to γc 1 is:
γc 1b =
ɛ
µ − 1 · ɛ − 1 · 4; (3.5)
µ − 1
ˆ the same free color is selected, then one second generation collision between
two readers is produced; the related contribution to γc 1 is:
γc 1c = 1 − ɛ
µ − 1 · 1 · 2; (3.6)
µ − 1
ˆ the same engaged color is selected, then one second generation collision between
three readers is produced; the related contribution to γc 1 is:
Therefore, we have that:
The probability of Case 2 is:
γc 1d =
ɛ
µ − 1 · 1 · 3; (3.7)
µ − 1
γ 1 = (1 − P ) 2 ∗ (γc 1a + γc 1b + γc 1c + γc 1d ). (3.8)
γP 2 = 2 · P · (1 − P ). (3.9)
In this case the reader that does not change the color does not produce second
generation collisions, but it can collide with the second reader, since it could choose
again the same color. The second reader changes color, so the number of produced
second generation collisions is related with the state of the new color. If:
ˆ the color is free, then no second generation collision is produced; the related
contribution to γc 2 is null;
ˆ the color is engaged, then one reader changes color without reservation, so a
collision between 2 readers has probability equal to the percentage of engaged
colors; the related contribution to γc 2 is:
γc 2a = ɛ µ ·
100
ɛ · 2; (3.10)
µ − 1

3 – RFID Reader-to-Reader Anti-collision
ˆ the color is the same of the previous collision, then there is a double kick
between the two readers of the first collision; the related contribution to γc 2
is:
Therefore, we have that:
The probability of Case 3 is:
γc 2b = 1 ɛ
· (2 · · 1−ɛ · 2 + ɛ · ɛ−1 · 4+
µ µ−1 µ−1 µ−1 µ−1
1−ɛ · 1 · 2 + ɛ · 1 · 3). (3.11)
µ−1 µ−1 µ−1 µ−1
γ 2 = 2 · P · (1 − P ) · (γc 2a + γc 2b ). (3.12)
γP 3 = P 2 . (3.13)
In this case both the readers change color. Also in this case the number of
produced second generation collisions is related with the state of the new colors. If:
Figure 3.4. (a) γc 1 (b) γc 2 (c) γc 3 with µ = 20
ˆ both the colors are free, then no second generation collision is produced; the
related contribution to γc 3 is null;
ˆ one color is free and one color is engaged, then one reader changes color without
reservation, so a collision between 2 readers has probability equal to the
percentage of engaged colors; the related contribution to γc 3 is:
γc 3a = 2 · ɛ
µ · 1 − ɛ
µ · ɛ · 2; (3.14)
µ − 1
ˆ both the colors are engaged, then two readers change color without reservation,
so they could produce:
101

3 – RFID Reader-to-Reader Anti-collision
– one collision between two readers,
γc 3b1 = 2 · ɛ−1 ɛ−1 · (1 − ) · 2+
µ−1 µ−1
(1 − ɛ−1 ) · 1 · 2, (3.15)
µ−1 µ−1
– two collisions between two couples of readers,
γc 3b2 = ɛ−2
µ−1 · ɛ−2
– one collision between three readers,
1 · ɛ−1
µ−1
µ−1 · 4+
µ−1 · 4, (3.16)
– or no collision;
γc 3b3 = ɛ − 1
µ − 1 · 1 · 3, (3.17)
µ − 1
the related contribution to γc 3 is:
γc 3 b = ɛ µ · ɛ − 1
µ · (γc 3b1 + γc 3b2 + γc 3b3 ); (3.18)
ˆ the same free color is selected, then there is a double kick between the two
readers of the first collision; the related contribution to γc 3 is:
γc 3c = (1 − ɛ ) · 1
µ µ·
ɛ
(2 · · (1 − ɛ ) · 2+
µ−1 µ−1
ɛ · ɛ−1 · 4+
µ−1 µ−1
(3.19)
(1 − ɛ ) · 1 · 2+
µ−1 µ−1
ɛ · 1 · 3); µ−1 µ−1
ˆ the same engaged color is selected, then three readers change color without
reservation, so they could produce:
– one collision between two readers,
γc 3d1 = 3 · ɛ−1 ɛ−1 · (1 − )·
µ−1 µ−1
(1 − ɛ ) · 2+
µ−1
(1 − ɛ−1 ) · (1 − ɛ )·
(3.20)
µ−1 µ−1
2 · 2, µ−1
102

3 – RFID Reader-to-Reader Anti-collision
– two collisions between two couples of readers,
γc 3d2 = 3 · ɛ−1
µ−1 · ɛ−2
µ−1
3 · ɛ−1
µ−1
ɛ−1 · (1 − ) · 4+
µ−1
· (1 −
ɛ−1
µ−1 · 1
– three collisions between three couples of readers,
– one collision between three readers,
µ−1 · 4, (3.21)
γc 3d3 = ɛ − 1
µ − 1 · ɛ − 2
µ − 1 · ɛ − 3 · 6, (3.22)
µ − 1
γc 3d4 =
( ) ( 2
1 − ɛ−1 1
·
µ−1 µ−1)
· 3+
3 · ɛ−1 ɛ−1 · (1 − ) · 1
µ−1 µ−1
µ−1 · 3, (3.23)
– one collision between three readers and one collision between two readers,
– one collision between four readers,
– or no collision.
the related contribution to γc 3 is:
Therefore, we have that:
γc 3d5 = ɛ − 1
µ − 1 · ɛ − 2
µ − 1 · 2 · 5, (3.24)
µ − 1
γc 3d6 = ɛ − 1 ( ) 2 1
µ − 1 · · 4, (3.25)
µ − 1
γc 3d = ɛ µ · 1
µ ·
6∑
γc 3di . (3.26)
i=1
γ 3 = P 2 · (γc 3a + γc 3b + γc 3c + γc 3d ). (3.27)
Figure 3.4 shows the values of γc 1 , γc 2 , and γc 3 , and of their components, with
µ equal to 20 and according to different values of ɛ. The component that mainly
affects the value of γc 1 is γc 1b , which represents the number of second generation
collisions due to the choice of two engaged new colors. γc 1 rises constantly, according
to the grow of ɛ. The component that mainly affects the value of γc 2 is γc 2a ,
which represents the number of second generation collisions due to a kick on an
103

3 – RFID Reader-to-Reader Anti-collision
engaged color, and to the subsequent change to a new engaged color. The component
that mainly affects the value of γc 3 is γc 3b , which represents the number of second
generation collisions due to two kicks on a engaged colors, and to the subsequent
change to two new colors.
Figure 3.5 compares the three γc i values according to max = 20 and to ɛ between
0 and 19. As it was supposed at the beginning of this analysis, γc 1 , which corresponds
to Case 1, produces the largest number of second generation collisions; γc 2 ,
which corresponds to Case 2, produces the smallest number of second generation
collisions; γc 3 , which corresponds to Case 3, produces a medium number of second
generation collisions.
Figure 3.5. γ i with max = 20
Figure 3.6 shows γ according to various values of P , with max = 20, and ɛ
between 0 and 19. The graph roughly highlights the effects of P on γ. With P
equal to 0 and 1, γ is respectively equal to γc 1 and to γc 3 . Since γc 1 is always
larger than γc 3 , the value of γ reached by P ′ < 0.50 is larger than γ reached by
P ′′ = 1−P ′ , so the minimization of γ requires P >= 0.50. When ɛ is between 0 and
3 the smallest γ is reached by P = 1, when ɛ is between 4 and 12 the smallest γ is
reached by P = 0.75, and when ɛ is between 15 and 19 the smallest γ is reached by
P = 0.50. Therefore, in order to minimize γ, at the rise of ɛ from 0 to µ − 1 should
correspond the decrease of P from 1 to 0.50.
104

3 – RFID Reader-to-Reader Anti-collision
When a collision among some readers produces new collisions among a larger
number of readers, the number of collisions increases, but the engaged colors decrease.
The decrease of engaged colors produces a decline in γ, until the number
of colliding readers is stable. Since γ is the average number of second generation
collision produced by the collision of two readers, when γ is greater than 2, the
number of collision rises, when γ is less than 2, the number of collision decreases,
and when γ is about 2 the number of collision is stable.
Figure 3.6.
γ with max = 20, according to various P values.
In order to find the optimal values of P that minimize γ, we can set the first
derivative of Function (3.1) to 0 and solve for P . So we have:
2γc 1 − γc 2
P =
. (3.28)
2γc 1 − 2γc 2 + 2γc 3
Figure 3.7 shows the values on P that minimize γ with µ equal to 20 and ɛ
between 0 and 19.
Figure 3.8 shows the comparison among the γ values reached by PDCS and
DCS. The comparison is performed for values of ɛ between µ and µ − 1, since an
2
efficient protocol should work with a value of ɛ quite next to µ. Setting P to a
value complaint with the value of ɛ, respect with DCS, PDCS reaches over 30% of
reduction of the second generation collisions.
105

3 – RFID Reader-to-Reader Anti-collision
Figure 3.7. Values of P that minimize γ with µ = 20.
3.4.2 DCS-Like Protocol Behavior
In order to compare PDCS to DCS, it is required to analyze the behavior of DCS.
At this purpose we can evaluate φ and γ. When
ˆ γ
φ > 1, ɛ decreases according to the larger number of colliding slots, so also γ φ
decreases;
ˆ γ
φ
= 1, the network is steady;
ˆ γ
φ < 1, ɛ increases, so also γ φ increases;
Therefore the network should approach a steady condition, where γ φ ∼ = 1. More
in deep, the behavior of the protocols changes according to three classes of configuration:
1. µ ≪ number of neighbors, in this class the number of colors is too low, so
the network is characterized by several collisions, the network approaches to
high γ and φ, and their values are greater when µ is lower; the provided WT
should be not good, since the readers have often to wait for many rounds;
106

3 – RFID Reader-to-Reader Anti-collision
2. µ ≫ number of neighbors, this class is characterized by some starting random
collisions, and γ ≫ 1, so the network approaches a steady condition, where
φ
there are no collision; however, WT converges to µ − 1, because each reader
must wait one round less a slot between two transmissions;
3. µ ∼ = number of neighbors, in this class there are the best configurations, since
it contains the configuration with the lowest µ so that the network approaches
a steady condition where there are no collision; apparently the best configuration
should be µ = number of neighbors + 1, but according to the previous
analysis, if γ > 1 then φ increases, so the effects of the starting random collisions
and the collisions due to a change of slot generated by a neighbor with
φ
a different neighborhood together with the high ɛ can make the network approaches
a steady condition with collisions; therefore the best configuration
shall require a larger µ.
The main effect of P < 1 is the reduction of γ for good configurations. This
result decreases also the value of γ , so when the network is in the third class, where
φ
µ ∼ = number of neighbors, it shall approach to a steady condition where there are
no collision with a lower µ.
Figure 3.8.
Percentage Difference of γ between PDCS with various P and DCS.
107

3 – RFID Reader-to-Reader Anti-collision
3.5 Experimental Simulations
Simulations of DCS, of Colorwave, and PDCS were performed on several kinds of
RFID networks. The characteristics of the simulated networks are:
ˆ total number of readers: 250;
ˆ number of neighbors for readers: average (AN) and variance (NV);
ˆ method of reader deployment: random deployment.
Each protocol configuration was simulated 50 times for 2 · 10 5 timeslots. The
simulator has been written in java language, and the simulations have been run on
a DELL WorkStation Precision T7500, under Linux.
3.5.1 PDCS Behavior According to µ
The value of µ must be carefully selected, in order to reach good performance. When
µ is too low, the percentage of colliding transmissions is high, so WT is high and
it is not steady. When µ is too high, WT is always similar to µ − 1 timeslots.
According to the theoretical analysis the best value of µ is the lowest so that WT is
steady. Furthermore, the theoretical analysis states that the introduction of P < 1
decreases the best µ improving WT.
Fig. 3.9 shows the AAWT provided by DCS and PDCS according to several µ
and P , on a network with AN = 9.94, NV = 9.41, and random deployment. This
graph is a good indicator of the time performance of the network. Fig. 3.10 shows
the TWTV in the same conditions, which is an indicator of the steadiness of the
network, VAWT, which is an indicator of the fairness of the network, and MWT.
The graphs support the results of the theoretical analysis presented in Section 3.4.2:
1. µ ≪ number of neighbors (µ ≪ 10), the provided WT is not good, since
the readers collide many times; DCS provides better performance, and PDCS
provides the best AAWT with P as close as possible to 1;
2. µ ≫ number of neighbors (µ ≫ 10), the network is steady, since there are
no collision; however, WT converges to µ − 1 timeslots, because each reader
must wait one round less a slot between two transmissions; DCS and PDCS
provide the same performance, independently by P ;
3. µ ∼ = number of neighbors (µ ∼ = 10), in this class there are the best configurations,
where the network approaches a steady condition without collisions
at the lowest µ; the best configurations require µ > 10; for DCS and PDCS
with a high probability (P ≥ 0.9), the best AAWT is provided with µ = 13;
108

3 – RFID Reader-to-Reader Anti-collision
Figure 3.9. AAWT provided by DCS and PDCS with AN = 9.94, NV =
9.41, and random deployment
Figure 3.10. TVWT (a), VAWT (b), and MWT provided by DCS and PDCS with
AN = 9.94, NV = 9.41, and random deployment
for PDCS with a low probability (P < 0.9), the best AAWT is provided with
µ = 12; both these cases provide AAWT similar to µ − 1 timeslots, so PDCS
with a low probability reaches the best time performance; the best AAWT is
provided by PDCS with P = 0.72 and µ = 12, where AAWT= 5.08 s, and it
is 21.87% better than AAWT provided by DCS with the same µ, and 8.69%
better than the best DCS configuration; the provided TWTV approaching
109

3 – RFID Reader-to-Reader Anti-collision
the best configuration rapidly falls, according to the lower number of colliding
transmissions; Tab. 3.1 shows the performance provided by PDCS and DCS
with µ = 12, and Tab. 3.2 shows the difference between PDCS and DCS in
percentage; all the indicators show that a low P provides good performance.
Table 3.1. Performance of DCS and PDC with µ = 12, AN = 9.94, NV =
9.41, and random deployment
PDCS
DCS
P 0.5 0.6 0.7 0.9 1.0
ST/s 44.31 44.46 44.85 41.11 37.13
MWT 105.41 99.42 88.29 85.52 102.28
TAWT 5.09 5.10 5.10 5.16 6.28
TWTV 1.68 0.78 1.15 6.72 10.92
VAWT 0.03 0.03 0.00 0.79 1.93
AAWT 2.37 2.36 2.36 2.65 2.99
Table 3.2. Percentage difference of the performance provided by PDCS
with respect to standard DCS, with µ = 12, AN = 9.94, NV = 9.41, and
random deployment
P = 0.5 P = 0.6 P = 0.7 P = 0.9
ST/s +19.34% +19.75% +20.79% +10.73%
MWT +3.06% -2.79% -13.68% -16.38%
TAWT -18.98% -18.75% -18.82% -17.82%
TWTV +243.27% -66.33% +135.67% +371.97%
VAWT -98.35% -98.70% -99.85% -59.27%
AAWT -20.78% -20.97% -20.99% -11.44%
Observing Fig. 3.9, Fig. 3.10, Table 3.1, and Table 3.2, we can state that:
ˆ PDCS with a low P and a proper µ is more efficient than DCS, since it provides
shorter AAWT;
ˆ with a too low µ the order of efficiency is inverted;
ˆ with a too high µ all the protocols provide the same efficiency;
110

3 – RFID Reader-to-Reader Anti-collision
ˆ with a high µ, when all the configurations reach a steady network, all the
protocols provide the same fairness, since VAWT is 0;
ˆ when µ ∼ = number of neighbors, PDCS with low P is the fairest, since more
readers are reaching a steady behavior;
ˆ with a too low µ, DCS is the most fairest;
ˆ the introduction of P reduces γ, decreasing the WT, but it increases the possibility
of a single reader that collides several consecutive times, according to
Case 1 described in Section 3.4, so the best MWT is normally provided by
PDCS with a high P , since it decreases WT, with a low occurrence of Case 1.
3.5.2 Best PDCS Configurations
In order to find the best PDCS configuration, it is possible to observe which value
of P provides the best AAWT. Fig. 3.11 shows the performance provided by DCS
and PDCS in a network with AN = 9.94, NV = 9.41, and random deployment.
The best results are provided from P = 0.5 to P = 0.78. In this interval AAWT
fluctuates between 5.08 and 5.19.
Figure 3.11. AAWT provided by DCS and PDCS with AN = 9.94, NV =
9.41, and random deployment
111

3 – RFID Reader-to-Reader Anti-collision
Also Colorwave has been simulated with the same network deployment. The
used thresholds are respectively 50%, 45%, 45%, and 30%. Colorwave provides a
very good TAWT, since it allows the readers with few neighbors to transmits very
fast, but readers with several neighbors can not reach a steady state, since their
neighbor can have different µ i . The TAWT provided with the previous network is
5.00 s, which is better than DCS and PDCS, but the AAWT is 24.46 s, which is the
worst.
Since several values of P provide good results with a proper µ, also their performance
with a worse µ must be analyzed. When µ is too high, P does not affect the
performance, and PDCS provides always the same result. However, when µ is too
low P affects strongly the performance. Fig. 3.12 shows PDCS with 0.5 ≤ P ≤ 0.7,
5 ≤ µ ≤ 7, and with the previous network. Although the values of P are similar,
AAWT does not fluctuate, and the higher P provides always lower AAWT.
Figure 3.12. AAWT provided by DCS and PDCS with AN = 9.94, NV =
9.41, and random deployment
Therefore, P = 0.7 is an optimal configuration, since it provides good AAWT
with a proper µ, and AAWT better than lower P with a low µ.
112

3 – RFID Reader-to-Reader Anti-collision
3.5.3 Multichannel Analysis
In order to analyze the performance of PDCS in a multichannel network, it has been
simulated with 10 channels, according to ETSI standard [13], on a network with
AN = 15.00, NV = 15.58, and random deployment. PDCS with P = 0.7 provides
the best AAWT when µ = 2, and AAWT is equal to 0.46 s. With P = 1, which is
the equivalent of DCS, the best result is also reached when µ = 2, and AAWT is
equal to 0.52 s. Also LBT, which is the protocol proposed by ETSI standard, has
been simulated with the same network. LBT provides an AAWT equal to 0.59 s.
3.5.4 Matrix Vs Random Deployment
In order to reach a selected number of neighbors, several random deployments have
been considered, with the same number of readers but on areas with different sizes.
However, in order to check how different deployments with similar AN affect the
performance, also a network with matrix deployment has been simulated. The
performance of PDC and DCS on a network with random deployment, AN = 9.94,
and NV = 9.41, and on a network with matrix deployment, AN = 9.94, and
NV = 3.90 are be analyzed. Fig. 3.13 shows the provided AAWT. All the protocols
provide better performance on the matrix deployment. However, matrix graphs are
very similar to random ones, shifted on both the axes. The best AAWT is provided
by PDCS with P = 0.5 and µ = 11, where AAWT= 4.68 s, and it is 22.92%
better than AAWT provided with the same µ, and 8.17% better than the best DCS
configuration.
3.5.5 Mobile RFID Networks
Real RFID applications can require networks composed by mobile readers mixed to
static readers. The presence of mobile readers affects the performance of anticollision
protocols, because when a reader changes location it finds new neighbors with new
colors, and it represents the introduction of a new reader, maybe with a busy color,
in a steady neighborhood.
Fig. 3.14 shows the AAWT provided by PDCS and DCS in a network with
AN = 9.94, NV = 9.41, random deployment, and 20% of mobile readers. Similarly
to static network, the best results, at µ = 15 instead of µ = 12, are provided by
PDCS with 50 ≤ P ≤ 70. For 12 ≤ µ ≤ 14, the best threshold are provided with
P = 70, which is the best configuration.
113

3 – RFID Reader-to-Reader Anti-collision
Figure 3.13. AAWT provided by DCS and PDCS with AN = 9.94, NV = 9.41,
random deployment and AN = 9.94, NV = 3.90, and matrix deployment
3.5.6 Dense RFID Networks
The results of the simulation of PDCS with dense RFID networks are similar to the
results for networks with less neighbors, but the gap between PDCS and DCS time
performance is larger. The simulations have been performed for all the P values
between 0.5 and 1, with a step of 0.1. In order to show the behavior of PDCS,
this section presents the result of the simulations for a network with AN = 29.92,
NV = 70.19, and random deployment.
Figure 3.15 shows the AAWT provided by PDC with different values of P and
DCS, according to various µ. The lowest AAWT is provided by PDCS with P = 0.6,
which reaches the best performance with µ, 3 units lower than DCS. For all the
values of µ close to the best configuration, PDCS provides the best AAWT. With
26 ≤ µ ≤ 33, the lowest AAWT is provided with P = 0.7. With 34 ≤ µ ≤ 37 the
best AAWT is provided with P = 0.6. From µ = 34, AAWT provided by all the
protocols starts to converge to µ − 1, at first the protocol with low P and then the
protocols with high P . From µ = 41, all the protocols provide the same AAWT. The
best AAWT is provided by PDCS with P = 0.6, which reaches the best performance
with µ, 3 units lower than DCS. The best AAWT, with P = 0.6 and µ = 37 reaches
18.75% time reduction with respect to the AAWT of DCS with the same µ, and
114

3 – RFID Reader-to-Reader Anti-collision
Figure 3.14. AAWT provided by DCS and PDCS with starting AN = 9.94,
NV = 9.41, random deployment, and 20% of mobile readers
9.69% with respect to the best AAWT provided by DCS with µ = 40.
Figure 3.16 shows the throughput provided by PDC with different values of P
and DCS, according to various µ. The behavior is specular to the graph of AAWT.
The best throughput is provided by PDCS with P = 0.6, which reaches it with
µ = 37, 3 units lower than the best result of DCS. The best throughput provided by
PDCS is 20.45% larger than the throughput of DCS with the same µ, and 10.38%
larger than the best throughput provided by DCS with µ = 40.
According to the topological analysis presented in [47], the best deployment
method to fully cover an area minimizing the number of RFID readers is an hexagonal
matrix. An hexagonal matrix deployment has been designed considering a ratio
between the interference range and the interrogation range equal to 10. The PDCS
configuration with P = 0.7 and DCS have been simulated with the network with
711 readers, AN = 97.20, NV = 535.05 and hexagonal matrix deployment. The
best AAWT has been provided by PDCS with µ = 125 and it is equal to 124.60 s.
The best AAWT provided by DCS, with µ = 136, is 135.29 s.
115

3 – RFID Reader-to-Reader Anti-collision
Figure 3.15. Effects of P on AAWT with AN = 29.92, NV = 70.19,
and random deployment
3.6 Conclusion
The paper proposes PDCS, a new reader-to-reader anticollision protocol. The proposed
protocol is multichannel, according to the international regulation for UHF
RFID. Thanks to the parameter p, representing the probability of changing color after
a collision, the number of collision is lower, and PDCS reaches a steady network
with a lower µ. A theoretical analysis demonstrates that the correct configuration
of p can provide over 30% of reduction of second generation collision (γ).
Several evaluation methods have been analyzed, and an evaluation approach
based on the Waiting Time (WT) has been adopted. The Average Average Waiting
Time (AAWT) has been chosen as the main parameter representing the network
efficiency. The simulation analysis shows that PDCS can reach a time reduction
just under 10%, with respect to the best DCS configuration. PDCS results also
fairer than DCS, since all readers have more opportunities to transmit.
The time performance provided by PDCS is better than Colorwave, DCS, and
LBT. A theoretical analysis justifies the improvement, and experimental simulations
validate the theoretical analysis.
116

3 – RFID Reader-to-Reader Anti-collision
Figure 3.16. Effects of P on the Throughput with AN = 29.92, NV =
70.19, and random deployment
117

Chapter 4
RFID for Agri-food Traceability
Traceability is considered today a crucial factor for the Agri-food sector. An effective
traceability system brings many benefits, such as increasing the security of
customers, and so their confidence, and controlling the effects of commodity withdrawal.
Furthermore, in many countries traceability is a mandatory requirement
for the agri-food sector. In EU, The European Parliament And The Council establishes
that “1. The traceability of food, feed, ... shall be established at all stages of
production, processing and distribution. 2. Food and feed business operators shall
be able to identify any person from whom they have been supplied with a food, ...
To this end, such operators shall have in place systems and procedures which allow
for this information to be made available to the competent authorities on demand.
3. Food and feed business operators shall have in place systems and procedures
to identify the other businesses to which their products have been supplied. This
information shall be made available to the competent authorities on demand. 4.
Food or feed which is placed on the market or is likely to be placed on the market in
the Community shall be adequately labeled or identified to facilitate its traceability,
through relevant documentation or information in accordance with the relevant
requirements of more specific provisions.” [4]
The Traceability in the agri-food sector is often managed by systems that employ
labels or barcodes for the commodity identification. However, the new requirements
of accuracy and efficiency have promoted the research of more efficient and effective
solutions for traceability management. One of the most promising alternatives to
traditional solutions is represented by the Radio Frequency Identification (RFID)
technology. RFID systems, constituted by passive low cost transponders, are currently
being used in a variety of applications and environments as detailed in this
book. Many research projects have been developed to evaluate if RFID technology
can be properly exploited for agri-food traceability activities.
The ISO 9001:2000 [3] standard defines traceability as the ”ability to trace the
history, application or location of that which is under consideration”. The activities
118

4 – RFID for Agri-food Traceability
involved by Traceability Management (TM) are also strongly linked to Supply Chain
Management (SCM). For The Council of Supply Chain Management Professionals
”SCM encompasses the planning and management of all activities involved in sourcing
and procurement, conversion, and all Logistics Management activities. Importantly,
it also includes coordination and collaboration with channel partners, which
can be suppliers, intermediaries, third-party service providers, and customers. In
essence, SCM integrates supply and demand management within and across companies”
[60]. On the one hand, TM aims at detect and record the path and the history
of items; on the other hand, SCM aims at improving the production chain, so SCM
can manage the traceability of products, but it is only an optional intermediate
step to reach business improvements. Furthermore there are issues that characterize
agri-food sector, and that affect both TM and SCM: (a) the management of perishable
products requires special solutions like controlled storages in refrigerating
rooms; (b) The Out-of-Shelves problem [41] is a threat for all kind of brands and
in particular for perishable products [85], producing direct losses to retailers and
manufacturers, such as lost sale, brand switch, and store switch. Therefore many
research projects provide data about SCM and Automatic Identification and Data
Capture (AIDC) that concern activities comprised by TM.
New traceability systems based on RFID technology are starting to be effectively
employed, but small and medium companies, which represent a large part of the agrifood
enterprises, are wayward to invest in technologies that are not conventional.
Hence, it is evident the importance of studies that present the knowledge about
features and properties of the RFID technology application.
4.1 Agri-Food Sector
The typical production chain in the agri-food sector is composed by the following
entities:
1. Producer: an entity that produces the agri-food raw materials, and sells them
to a manufacturing enterprise, e.g., a farm that cultivates grain or a cattleman
that breeds beefs.
2. Manufacturer: an enterprise that treats and transforms the agri-food raw materials;
the most elaborated products require the use of several agri-food raw
products and a complex manufacturing, e.g., a company that produces biscuits
needs many ingredients, such as sugar, flour, and butter, from different suppliers,
and adopts many processes from cooking and leavening to packaging;
also the products that are sold to customer apparently without manufacturing
need several treatments, e.g., fruits need to be cleaned, divided by caliber,
stored in refrigerating rooms, and packed.
119

4 – RFID for Agri-food Traceability
Figure 4.1.
The agri-food chain
3. Distributor: an enterprise that moves alimentary commodities; some large
enterprises have their own distribution centers; mainly distributors get commodities
from manufacturing enterprises and they give the commodities to
retailers; normally, in a distribution center commodities are not treated, but
they are only stored under determined conditions and then shipped to their
destination.
4. Retailer: an enterprise that sells alimentary commodities directly to customers;
this category includes many kind of enterprises, from little alimentary shops
to large hypermarkets, that sell all kind of commodities.
Figure 4.1 shows the agri-food production chain and the interactions among its
members.
4.2 Traceability Management
Today, the businesses in the agri-food sector have to manage carefully the traceability
of their commodities, in order to satisfy the expectations of customers and the
law requirements. However, some years ago the demand of security and transparency
was limited, and several companies in the agri-food sector have not still completely
120

4 – RFID for Agri-food Traceability
Figure 4.2.
The traceability chain
Table 4.1. The Traceability Activities
Activity
Description
Internal Traceability (ITr) correct matching of input and output food information
inside a company; the internal traceability
system has to follow the path of a specific unit
within the company
Business to Business Traceability
(BtoBTr)
business to the next one, throughout the produc-
management of the information exchange from a
tion chain
Business to Customer Trace-
management of the transfer of information from
ability (BtoCTr)
Whole Chain Traceability
(WCTr)
the retailer to the final customer
management of the information on the whole path
of a commodity, from the producer to the final
customer
adjusted their processes. The gap between requirements and actual situation has
motivated the research of innovative solutions for TM. In the meat sector DNAbased
traceability can be used to check presence of genetic modification, and to
overcome security problems of label-based systems [91]. However, the management
of traceability inside the production flow requires the use of labels for an immediate
identification of products.
TM can be divided in four activities, which are described in Table 4.1. Each
of these activities has its peculiarities, and so it needs to be managed by a specific
system, but they have to be considered all together, since each activity affects the
other ones. In Figure 4.2, an example of traceability chain in the agri-food sector is
shown.
121

4 – RFID for Agri-food Traceability
Internal Traceability.
The ITr in an agri-food enterprise may require:
1. the identification and the registration of food that enters in the enterprise;
2. the registration of the food that is produced;
3. the tracking of the food movements;
4. the registration of the treatments that are executed on the food;
5. the registration of the interactions among alimentary commodities; and
6. the registration of the exit from the enterprise of the food.
The kind and the number of information about every operation, treatment and
alimentary commodity, change according to the accuracy of the ITr system. ITr
systems are typically based on the matching of labels to objects that must be identified.
Alternatively, some systems tag containers of objects. The container tagging
method requires less labels and work, but it is less accurate than the former. However,
with both methods the obtained data must be gathered and recorded in a
database.
The ITr is often managed by systems based on paper labels or barcodes. Systems
that employ paper labels are characterized by low automation and low costs for the
infrastructures involved. Normally, these systems are slow, so they can treat only
a limited number of information. Systems based on barcodes are characterized by
more automation than paper label-based systems, but the number of information
stored on a bar code is still limited. However some barcode-based systems employ
the barcode like a link to a record in a central database, where all the information
are stored. In a ITr system based on RFID technology, the tags can be used to
replace paper labels and barcodes. Every tag could be matched to a commodity,
or to a bin of commodities; the tag could directly hold the information about the
commodities, or it could simply store a code that is used as a record in a database.
The tag could be detected by portal readers, when it is moved through a portal or
with hand-held RFID readers.
Business to Business Traceability. The main scope of BtoBTr is so preserve
the information about the path of an alimentary commodity between two enterprises.
The BtoBTr for agri-food enterprises may require:
1. the registration of the food exit from the enterprise of provenance;
2. the tracking of the food movements; and
3. the registration of the food entrance in the destination enterprise.
122

4 – RFID for Agri-food Traceability
The data collected for the BtoBTr should be stored by both the enterprises, or
in a common database. Typically, the BtoBTr systems identifying the single alimentary
commodities, match a barcode to the commodity. The number of recorded
information and precision of the identification, from item level to pallet level, change
according to the accuracy of the BtoBTr system.
RFID could be used for BtoBTr by matching an RFID tag to all the commodities
that are moved between the two businesses. The tag could hold the information
about the commodity, or the identification code of the tag could be used to store
a record in a common database, so a portal reader could identify the incoming
commodity.
Business to Customer Traceability. The BtoCTr is the connection between
the traceability systems and the customer, transfering the obtained information to
the customer.
Normally, the BtoCTr is based on labels and texts written on the package of
alimentary commodities, but this method allows the transfer of limited information.
Currently the employment of RFID tags is applicable only for expensive commodities.
The tag could hold the information about the commodity, or the identification
of the tag could be used to access, eventually through Internet, to information stored
in a database. In order to access to data in the tag memory, customers could use
RFID readers available in the shops.
Whole Chain Traceability. WCTr provides the information on the whole path
of the commodity; it should link all the stored data. The WCTr can be used by
businesses in the chain, in order to manage also the BtoBTr, furthermore it can be
used by a third part, like the food security competent authority, in order to check
the path of commodities for food disease prevention.
Typically, the WCTr is managed by searching the information in the database of
the single companies of the production chain, step by step, looking in each database
for the enterprises that had supplied the alimentary commodity. Alternatively, all
the information are stored by the operators in the production chain in a common
database, in order to allow a fast access to the required data.
The RFID technology could be used for WCTr in different ways. These information
could be recorded on the tag memory, or the identification of the tag could
allow the access to the information stored in a distributed database composed by
the databases of all the operators of the production chain. This is a very important
activity for agri-food traceability, because its aim is to make accessible all the
useful information about food immediately, and the fast availability of traceability
information can be crucial in case of food security emergency.
123

4 – RFID for Agri-food Traceability
4.3 State-of-the-art Analysis
In this section an overview of the state-of-the-art research studies on RFID for agrifood
traceability is presented. In addition, some remarkable research projects about
RFID, supply chain, and food traceability are reported in order to provide a deep
comprehension of the treated topics. All the studies are analysed and compared
with the model described in Section 4.2.
This section is divided in the following parts: theoretical model, where some
critical features useful for the design of a model of traceability systems are described;
business impact analysis, where the influence of RFID adoption on business processes
is evaluated; system proposals, where characteristics and performances of RFIDbased
traceability systems are described; simulation analysis, where the effects of
a real RFID application are simulated; and field studies, where the experimental
results on the field are reported.
4.3.1 Theoretical Model
Traceability in the US Food Supply: Dead End or Superhighway [61]
This paper, which is focused on traceability systems in US food supply and on the
comparison of mandatory and voluntary systems, presents some interesting elements
of food traceability systems that can be useful to be considered when analysing an
RFID traceability system.
The identified motivations of food suppliers to adopt traceability systems are:
1. to improve supply-side management;
2. to differentiate and introduce added value on food with subtle or undetectable
quality attributes; and
3. to facilitate traceback for food safety and quality.
The identified characteristics are:
1. breadth, the quantity of recorded information; the number of data about food
is huge, so enterprises have to select the ones with the highest value;
2. depth, the number of recorded members, back and forward in the traceability
chain; many enterprises record only direct suppliers and customers; and
3. precision, the degree of tracking assurance, that is composed by the acceptable
error rate, which is the number of elements in a wrong group, and the unit of
analysis, which is the dimension of tracking groups of elements.
124

4 – RFID for Agri-food Traceability
4.3.2 Business Impact Analysis
The studies presented in this section are focused on the processes executed in the
supply chain to manage the traceability. The adopted research methodology is based
on interviews and field analysis. The main result of these study is the identification
of changes in the processes due to RFID adoption.
Figure 4.3.
Use case traceability activities
White Paper. Auto-ID Use Case: Food Manufacturing Company Distribution
[82]
This use case is focused on a generic auto-ID implementation in the food manufacturing
company distribution, and especially on the operation of placing the products
onto trailers for transportation. The use case does not analyse the technology characteristics,
but only the impact of the auto-ID on a business.
The use case describes the Auto-ID procedures and the gained benefits, it analyses
the present situation, and it searches business benefits in order to justify the
proposed solution.
The barcode is identified as the only current technology available for identification
but it is evaluated slow and expensive. Instead RFID technology can solve some
typical problems, e.g., portal readers can avoid incoherence due to possible errors in
the list of shipped pallets. A benefit of the auto-ID is the reduction of human labour
applied to repetitive tasks. A problem for the implementation of an auto-ID system
is the resistance by the workforce to change the work processes. Pre-requirements
to be guaranteed are the 100% of scanning accuracy and the scanning rate, since
the system have to scan pallets with different rates, and maybe also simultaneously
passing. Different possible implementations with different costs were identified; the
low cost implementation involves fixed portal readers, pallet level tagging and a
basic integration with the information system (IS); instead the medium cost implementation
involves also mobile readers and more integration with the IS; the high
cost implementation involves also case level tagging, a higher number readers, and
a tight integration with the IS.
125

4 – RFID for Agri-food Traceability
Authors conclude that basic implementations require only few changes to the
IS and the introduction of auto-ID infrastructure, and that this kind of implementation
brings benefits for organizations. High cost implementations can bring all
described benefits of auto-ID, and they could be adopted by passing through basic
implementations.
Figure 4.3 shows the traceability activities managed in the use case. The main
activity managed by the system is the ITr of the distributor, which is leaded at
different levels according to the implemented version of the system. The BtoBTr is
managed by using the tags, but the system considers the option in which suppliers
had not tagged the pallets, and so they are tagged at their entrance in the distributor
building.
Figure 4.4.
Enabler traceability activities
RFID as an Enabler of B-to-B e-Commerce and its Impact on Business
Processes: A Pilot Study on a Supply Chain in the Retail Industry [89]
This paper presents empirical data collected by analysing four firms that are part
of three layers of the same supply chain. The analysis is focused on the potential of
RFID in a supply chain in the retail industry, and especially on open-loop supply
chain applications, which involve multiple members of the chain together. The main
research site is a distribution center; the other analysed firms are the two first-tier
suppliers of the distribution center and one retailer. The paper does not treat
directly agri-food traceability, but it explores general aspects of BtoBTr that are
valid also for the agri-food sector.
The research was devised in different steps, grouped in three macro phases: Opportunity
Seeking; Scenario Building; and Scenario Validation. The data collection
was based on:
ˆ a focus group with 9 functional managers and IT experts;
ˆ an on-site observations; and
ˆ a semi-structured interviews conducted in the four research sites.
126

4 – RFID for Agri-food Traceability
The identified motivations for RFID adoption are: to reach an agile supply chain,
the reduction of cost for traceability activities, the reduction of incoherences between
the inventory and the reality, and the reduction of lead times. The author
identified the list of process executed in the distribution center. The four firms
employ barcode-based systems, however the distributor employs some automatic
information management systems.
The scenario obtained integrating RFID was validated with the focus group. The
results are that:
ˆ the RFID technology facilitates the emergence of a model named cross-docking,
where products move through the distribution center without being stored,
or with short stop, since the automation in traceability activities makes less
relevant the putting-away and the picking; this model allows faster delivery of
commodities, which is very relevant for short life products, which are a large
part of agri-food products;
ˆ many processes become automatic or disappear;
ˆ the time consuming is reduced, the quantity and the integrity of information
are larger; (d) RFID-based system can bring additional value, and it includes
intelligent processes managed by automatic decisions;
ˆ the integration among supply chain members is increased, and each member
can continuously get updated information about products in the chain.
Authors conclude that the application of RFID in supply chain requires:
ˆ radical changes of the business processes, with significant reduction of human
work for traceability;
ˆ systems that can manage a large quantity of data;
ˆ the authorization to share, between chain members, information that were
previously considered proprietary.
The changing to the cross-docking model is considered the major changing. A
problem for RFID large adoption is considered the lack of standards.
Figure 4.4 shows the traceability activities analysed in the use case. The paper is
focused on the impact on business processes in BtoBTr, which is managed by using
the RFID tags.
4.3.3 System Proposals
In this section different kinds of studies are reported. All of them are characterized
by the presentation of a traceability system and by its evaluation.
127

4 – RFID for Agri-food Traceability
Figure 4.5.
The food transportation traceability activities
Spatial temperature profiling by semi-passive RFID loggers for perishable
food transportation [74]
The monitoring of the cold chain is very important for perishable food, so an accurate
traceability system may manage this activity. The authors analyze the use
of miniaturized RFID temperature loggers for monitoring of cold chain inside the
transports.
Some tests were performed in a climatic chamber in order to compare three
types of RFID miniaturized data loggers. The best type of data logger has been
evaluated according to average and standard deviation for test temperatures. The
analysis of variance performed on the refrigerator unit internal temperature shows
that the independent variables that affect the temperature are: location of RFID
data-loggers, truck type, and ambient temperature. The one-by-one analysis of these
factors shows that all of them are significant for temperature variation, and that the
most important is the coordinate on the axis that better correspond to the distance
from the cooling equipment.
The number of loggers can be reduced in order to avoid inaccuracy by using
interpolation. However, the interpolation can not calculate temperature spots.
The data recorded by the system can be used with a shelf life food model in order
to evaluate how much the temperature affected the products during a transport. In
order to know immediately after the transport if products are safe, authors claim
that an RFID implementation requires that RFID data loggers pre-process the data
in order to communicate the checking result with a short message instead of a long
list of data.
Authors conclude that RFID can be useful for cold chain monitoring, but relevant
drawbacks are the short reading range that require manual handling, and the huge
volume of data, which can be difficult to manage. The number of data could not be
efficiently transmitted by RIFDs, so they may have the computational capacity to
pre-process the data.
Figure 4.5 shows the traceability activities managed in the system. The analyzed
128

4 – RFID for Agri-food Traceability
cold chain monitoring system manages the ITr during the transportation. Furthermore,
the paper states the BtoBTr is an open issue, since it requires semi-passive
RFID tags with additional computation capacity, or different transition methods.
Figure 4.6.
Sushi management system activities
Development of an RFID-based sushi management system: The case of
a conveyor-belt sushi restaurant [98]
The authors have designed and evaluated an RFID-based management system for
conveyor-belt sushi restaurants. The aim of the study is to analyze the benefits of
RFID in the food industry.
For the authors the main challenges of traditional conveyor-belt are:
ˆ the waste of time due to manual billing calculation, which is performed looking
the colors of the sold plates which are matched to a price;
ˆ potential errors in billing;
ˆ potential food hazard due to the method of removing expired food from the
belt, which is manually performed by the chef only according to his opinion;
ˆ inefficiency in the stock control on the belt, which is performed by the chef
without precise data.
The design and development were organized in six stages. The first is the business
process analysis, where observation and interviews with restaurant employers and
customers in some restaurants have shown business processes that can be redesigned,
as the replenishment, the sushi-tracking, and the billing process. The subsequent
steps are: requirements analysis and RF site survey; system architecture, system
design, system implementation, system testing and evaluation. For the evaluation
some chefs and managers have filled in a questionnaire, and they have rated highly
both the effectiveness and the usability of the system.
129

4 – RFID for Agri-food Traceability
The authors have identified some benefits of RFID management system:
ˆ electronic inventory of raw materials for sushi; real time inventory of food on
the belt;
ˆ enabling responsive replenishment;
ˆ automatic detection of expired food;
ˆ fast and accurate billing;
ˆ and better communication with customers about food.
The identified challenges are:
ˆ lack of RFID expertise for deployment;
ˆ cost;
ˆ and lack of support.
Figure 4.6 shows the traceability activities managed in the system: the ITr inside
the restaurant, and the BtoC traceability, which is performed by providing customers
with detailed information about food.
Figure 4.7.
Live fish traceability system activities
A RFID-enabled traceability system for the supply chain of live fish [72]
The authors present an RFID traceability system for live fish supply chain. The
system is focused on live fish center, but it manages the whole chain. The RFID
tags are put on live fish in order to link the fish logistic center, restaurants and
130

4 – RFID for Agri-food Traceability
customers. The information is exchanged from farmers to customers, by using a
web-based system.
Although live fish represent very high quality expensive products, in Taiwan their
traceability is not complete, since some chain partners employ inadequate systems.
The live fish chain involves the aqua-farm, the inspector center, the fish center, and
the restaurant. The proposed system is composed by a set of sub systems connected
on internet: the legacy system and web service, which collects data from farmers; the
water quality monitoring system, which automatically record data about the quality
of the water; point of sales system, which manages the procurement, inventory,
and sales activities; production resume inquiring and demonstration system, which
checks the information about fish. The authors have detected some challenges for
the adoption of RFID in live fish chain: how to attach the RFID on the live fish;
and the water interference.
Figure 4.7 shows the traceability activities managed by the presented system.
The main activity managed by the system is the WCTr, but several other activities
are managed.
Figure 4.8.
Food supervisor traceability activities
Radio Frequency Identification in Food Supervision [134]
This paper presents a food security supervision system that manages the food chain
traceability. The paper is focused on the producer and the retailer, since these
members of the chain are considered the most critical for food security threats.
The supervision system is based on a Food and Drug Administrator (FDA),
which supervises the chain, and which includes a food security database. UHF
RFID-based systems of the members of the food chain interact with RFID tags; an
RFID middleware elaborates the data and communicates with the FDA. The system
architecture is based on the following steps:
131

4 – RFID for Agri-food Traceability
1. the producer stores on the tag memory information concerning the food and
the producer himself;
2. FDA checks the food and writes the relative information on the tag;
3. when the product is transported to a member of the chain the relative information
are sent to the FDA;
4. each member of the chain records its own information;
5. the customer can check the food in the public database of the FDA;
6. when problems occur the FDA sends a warning to all members of the chain.
Authors found several issues that obstruct adoption of the RFID-based traceability
systems:
ˆ the recognition rate of liquid food is very low;
ˆ the cost of tags is too high;
ˆ the read rate must reach 100%;
ˆ the enterprises want to adopt technology characterized by clear and sure standards.
Therefore the authors indicate that the development of an RFID simulator can allow
to reach wider range of data about RFID systems.
Figure 4.8 shows the traceability activities managed by the presented system.
The main activity managed by the system is the WCTr, which is managed by communicating
the information about the food and its movements to the FDA. The
system manages also the BtoCTr, by using the information recorded in the tag
memory and the Internet access to the database of the FDA. The BtoBTr is managed
by writing the information about the commodities directly in the tag memories
and by querying the database of the FDA. It is assured that the ITr is managed by
the RFID-based traceability system.
Electronic Tracking and Tracing in Food and Feed Traceability [21]
In this paper printed graphic identifiers, RFIDs and electronic data interchange protocols
are presented. The description and the preliminary results of an experiment
are reported aiming at evaluating UHF RFID application of modified atmosphere
packaged meat.
The experiment was conducted to evaluate if the readability of class 1 generation
1 UHF RFID system as applied to beef and pork samples is affected by material
132

4 – RFID for Agri-food Traceability
properties inside and around the meat. The results of the experiment are that the
linearly polarized type antennas yielded better reading rates over larger distances,
but no significant differences between linearly and circularly polarized antennas are
detected up to a distance of 0.5 m. Preliminary results show a better readability over
longer distances with the presence of bone in meat samples; authors suggest that
the bone causes less loss than meat. The paper presents some graphical examples
of the preliminary results of the described test. The graphics show clearly that the
system works effectively only with short distances, up to 0.7 m, or with high power,
next to 2 W.
Authors conclude that the adoption of RFID system for beef and pork items
requires to improve performance in detection. The problems to operate in a wide
high-attenuation environment and the high cost of the technology are considered an
open issue for the large adoption of RFID.
Figure 4.9.
Traceability activities in the simulation
4.3.4 Simulation Analysis
Exploring the impact of RFID on supply chain dynamics [88]
In this paper a quantitative analysis of impact of RFID technology on supply chain
performance is presented. The analysis is based on a simulation model developed by
the authors in order to quantify the indirect benefits of RFID. The model considers:
ˆ the inventory accuracy, that is affected by problems like stock loss, transaction
error, and incorrect product identification;
ˆ the shelf replenishment policy, that thanks to RFID technology can be based
on a real time inventory; and
ˆ the visibility of the inventory through out the entire supply chain.
The model consists of a three layer supply chain that is composed by a manufacturer,
a distribution center and a retail store. The RFID readers are placed
133

4 – RFID for Agri-food Traceability
at the receiving and shipping points, at the end of the production line, and in the
backroom and at the shelves of the retail store. Tags are applied at the item level.
The model is characterized by some parameters, and the most important ones are
the reorder point, which is the number of products that requires a replacement, and
the target inventory, which is the number of products to reach by the replacement;
these parameters are used for the replacement of both shelves and backroom. The
physical inventory is performed every 3 months. The simulations use metrics such
as lost sales, surpluses and costs.
Some simulations with different parameters are analysed in order to find the
impact of RFID application. The simulations show some benefits due to RFID
application:
ˆ a reduction of 99% for the back order quantity, in cases with the same parameters;
ˆ it is possible to reach a smaller inventory with a lower reduction;
ˆ there is a reduction of 99% of the lost sales also with restricting parameters;
ˆ the reached reduction of lost sales is of 84% with a lower backroom inventory
target;
ˆ both assuming that by means of RFID the manufacturer knows the inventory
of the distribution center, and assuming that it knows also the inventory of the
retailer, the back orders of the distribution center are deleted and the average
quantity of products in the inventory is lower.
Authors conclude that RFID technology can provide benefits to supply chain,
but analysed scenarios are too simply and not completely realistic, so the results
can not be directly used.
Figure 4.9 shows the traceability activities managed in the model. The main
activities managed by the system is the BtoBTr, which is managed by writing the
information about the commodities directly in the tag memories, and the WCTr.
The producer and the distributor seemingly use the RFID traceability system only
for BtoBTr and WCTr, instead, the retailer uses the system also for the ITr, indeed
inside the shop the RFID system is used to detect the movement through and from
the backroom and to detect the commodities in the shelves. The tagging level is the
single commodity. The technological and practice aspects of the traceability system
are not considered in deep by the model, which is focused on the business impact
of AIDC, possibly RFID-based, so implementation problems and error rate are not
evaluated.
134

4 – RFID for Agri-food Traceability
Figure 4.10.
The Sainsbury’s trial traceability activities
4.3.5 Field Studies
Increasing efficiency in the supply chain for short shelf life goods using
RFID tagging [121]
Karkkainen, in order to discuss the application of RFID technology in the supply
chain of short shelf life products, analyses a trial conducted at Sainsbury’s, which
is a chain of supermarkets in the UK that sells a large volume of different short
shelf-life goods. The author discusses the impact of RFID for retailers and also for
other supply chain participants.
Shelf life is the period when the defined quality of the goods remains acceptable.
Short shelf-life goods are a large part of agri-food commodities, they are characterized
by a high number of product variants, need of temperature control and all the
traceability requirements of agri-food commodities. Therefore short shelf-life food
needs a strictly rotation monitoring.
At Sainsbury’s short shelf-life commodities are packed on recyclable plastic transportation
crates that are tagged by barcodes. The path of the crates starts from a
producer, then they are moved to a distribution depot and finally to a store. The focus
of the trial is the retail store, since it was considered the operator with the major
difficulties due to the effort required for barcode-based traceability management.
The trial, which started with one ready-meal supplier, one depot and one store,
was designed as follows. RFID tags are applied to recyclable plastic crates; the
information stored in the tag memories are:
ˆ the description and quantity of products in the crate,
ˆ the use-by date of products, and
ˆ the ID number that identifies the crate.
An RFID reader, which writes on the tag the information related to the products in
the crate, is located at the end of the production line. A gate reader at the depot
detects the incoming of the products. At the store, another gate reader, between the
chilled storage and the store areas, detects the incoming into the chilled storage of
the products from the depot and the moving out through the store areas. After the
135

4 – RFID for Agri-food Traceability
first phase, the trial was scaled up. During the second trial phase, all the products
for the store that come from any supplier are tagged, but the information about the
product from the suppliers out the trial are written by a gate reader that is located
at the depot. The scaled-up phase took three months.
The labour standards, which are work study timings for key activities in store
processes, are used by Sainsbury’s to calculate the benefits of different store activities.
Recalculating the standards for the RFID trial, the total benefits for Sainsbury’s,
without the supplier participation, were estimated to be £8.5 million a year;
the largest origins of the savings are the stock loss reduction, stock check saving,
and replenishment productivity improvement. The requested investment to adopt
the system was calculated to be between £18 million and £24 million. The payback
period was estimated to be between two and three years. With the participation of
suppliers the benefits are estimated to be notably larger, despite the higher investment
costs.
The analysis of the trial focused on retailers concludes that a traceability system
based on RFID applied to recyclable transports offers possibilities with a large return
of investment. The system is evaluated useful also for suppliers, mainly for the
reduction of out-of-stock rate, since short life products are highly subject to brand
switching for stock-outs and the difficulties in their management bring to a high
stock-out rate. During the trial it was evaluated that the used RFID tag memories
can store additional information to get added value.
Figure 4.10 shows the traceability activities managed in the presented system.
The main activity managed by the system is the BtoBTr, that is managed by writing
the information about the commodities directly in the tag memories. The producer
and the distributor seemingly use the RFID traceability system only for the BtoBTr,
instead the retailer uses the system also for the ITr, indeed inside the shop the RFID
system is used to detect the movement through and from the chilled storage.
Figure 4.11.
The Wal-Mart traceability activities
136

4 – RFID for Agri-food Traceability
Does RFID Reduce Out of Stocks? A Preliminary Analysis [66]
This paper presents the preliminary results of a trial conducted between February 14
to September 12 2005 in 24 stores at Wal-Mart, which is the world’s largest public
corporation by revenue and which runs a chain of large, discount department store.
The aim of the study is to assess the impact of RFID technology on out of stocks,
which generate a huge economic lost, especially for agri-food firms [85].
In the implemented system the commodity cases were labeled by RFID tags; a
set of RFID readers detect the tags that pass in their field and record their data.
In the distribution center there are: receiving door readers, conveyor readers and
shipping door readers; these three reader points allow to detect the entrance, the
sorting phase, and the exit of each case, however when cases are in a pallet it is not
possible to read all the tags, so the reading can be completed only after the cases are
put out of the pallet. In the retailers there are: receiving door readers, backroom
shelf readers, sales floor door readers, and box crusher readers; these three reader
points allow to detect the entrance in the backroom storage area, the movement into
the sale area, and the crashing of cases.
A method used at Wal-Mart for the replenish stock on the shelves is based on a
picklist; employers put a new element to be replenished in the list, maybe by using a
hand-held barcode scanner, when they see a shelf near to out of stock. This method
is laborious and the replenishment is slow. By using point of sale RFID readers is
possible to generate an automatic picklist, based on the number of cases moved in
the sale area, and on the number of sold commodities.
The trial was executed in 12 “test” stores; other 12 stores with similar characteristics
were chosen to compare the results. Along the 29 weeks of the trial, the test
and the control stores were scanned daily at the same time along the same path, in
order to detect Out-Of-Stock, empty shelf spaces, in the majority of the sections of
the stores. The trial in the test stores evolved through three phases:
1. no RFID,
2. partial RFID on some selected products, and
3. full RFID.
The results of the trial are:
ˆ a reduction of 13% of Out-Of-Stock from no RFID phase to partial RFID
phase and a reduction of 26% of Out-Of-Stock from no RFID phase to full
RFID phase;
ˆ also in control stores there was a reduction of Out-Of-Stock, which was probably
due to the other Wal Mart supply chain improvement initiatives and to
137

4 – RFID for Agri-food Traceability
influence of evaluation on employers, however in the test stores the reduction
is 63% higher than in control stores;
ˆ a comparison among Out-Of-Stock of tagged products and non tagged products
in the same stores, shows that the reduction of Out-Of-Stock for non
tagged ones is very lower;
ˆ the adoption of automatic picklist in parallel to traditional picklist, shows that
a variable amount of Out-Of-Stock was found by the automatic picklist.
Authors conclude that the adoption of RFID technology can reduce consistently
the Out-Of-Stock without large changes of the work processes. However a better
isolation of RFID effect is considered existential to determinate its contribution.
Figure 4.11 shows the traceability activities managed in the Wal-Mart trial. The
main activity of the trial is the ITr in retailers, this activity allows to manage the
Out-Of-Stocks problem, by utilizing the information about the number of products
in the retailer, and their approximative collocation. The tagging is at case level,
however the authors think that a tagging at item level can bring better improvements.
The only variable stored on a tag is the EPC code, the other information
are recorded in a database. The system manages also the BtoBTr and the ITr in
the distribution centers, but the analysis in focused on the ITr in the retailers.
Figure 4.12.
The Future Store traceability activities
RFID Technology and Applications in the Retail Supply Chain:
Early Metro Group Pilot [90]
The
This paper provides the results of the trial conducted at Metro Group’s Future Store.
The Metro Group is one of the most globalised retail and wholesale corporations.
The trial is conducted in the Future Store that was build in one of the Metro Group’s
supermarkets in Germany.
In the trial the tagging is exploited at item level, on three products, among
which a cream cheese; the tags are prepared by suppliers and then attached in the
Future Store. The shelves of these products were equipped with RFID readers, that
can detect the tags of the commodities on the shelves. In addition to the standard
138

4 – RFID for Agri-food Traceability
traceability system activities, a specific application is tested on each product: antitheft
protection, marketing improvement, and, on the cream cheese, the management
of expiration dates.
The trial underlined benefits and drawbacks of RFID application for traceability
systems. The main advantages are:
ˆ better inventory monitoring, and consequent improvement of replenishment
management;
ˆ reduction of out-of stock due to the better monitoring of shelves;
ˆ better knowledge of the demand that improves production planning;
ˆ better knowledge of the conditions under which goods are sold;
ˆ reduction of storage space;
ˆ reduction of labor time due to automation.
On the other hand the trial underlined also some challenges:
ˆ need of standardisation among company processes;
ˆ problems due to products material;
ˆ management of a huge number of information;
ˆ privacy issues.
Authors conclude that RFID technology can bring many benefits but its adoption
in supply chain management and traceability requires a stronger roll-out for
achieving necessary economies of scale and quantitative insights.
Figure 4.12 shows the traceability activities managed in the Metro Group’s Future
Shop trial. The trial is focused on the ITr in a retailer, this activity allows to
manage problems such as Out-Of-Stocks and expiration date, thanks to the tagging
at item level. The system potentially manages also the BtoBTr but the study treats
only the ITr.
4.3.6 Discussion
By analyzing the described studies it is possible to highlight the main opportunities
and drawbacks of RFID technology application to agri-food traceability.
Several studies identify obstacles to the RFID large adoption such as:
ˆ the lack of universal technology standards;
139

4 – RFID for Agri-food Traceability
Figure 4.13.
RFID Traceability Drawbacks
ˆ the need of changes in process standard;
ˆ the low detection rate due to problems such as interferences with product and
package materials;
ˆ lack of computation capacity to perform data preprocessing;
ˆ the need to deal with a huge number of data;
ˆ the need of cooperation, cost division, and sharing of information between the
chain members;
ˆ the lack of final system suppliers, expertises, and support;
ˆ the privacy problems;
ˆ the high costs and doubts about return of investment.
140

4 – RFID for Agri-food Traceability
Figure 4.14.
RFID Traceability Benefits
Figure 4.13 shows the quantity of papers that highlight each specific drawback of
RFID application, in order to indicate how much each one is evaluated relevant.
The drawback identified by the greatest number of studies as relevant obstacle to
RFID diffusion is the low range detection. Several studies recognize also the lack of
standard and the high cost of the technology as key constraints.
Some studies underline the opportunity for an enterprise to implement low cost
systems, in order to evaluate their effectiveness, and then eventually to adopt a more
advanced system.
The described studies identify some key benefits of RFID-based traceability system
adoption:
ˆ improvement of the production planning along the whole chain;
ˆ reduction of storage space;
ˆ improvement of replenishment management and reduction of out-of-stock;
ˆ reduction of human labor and relative precision improvement;
ˆ reduced investment with reusable case tagging level;
141

4 – RFID for Agri-food Traceability
ˆ efficient management of WCTr, for food hazard prevention.
Therefore RFID can improve the traceability management in terms of efficiency,
accuracy, human labor, and used area; however this improvements require cooperation
among the chain companies. Figure 4.14 shows the quantity of studies that
highlight each specific benefit of RFID application, in order to indicate how much
each one is evaluated relevant. The most widely recognized benefit for RFID in
agri-food is the high precision due to automation.
The described research projects examine RFID-based traceability systems from
different points of view. The studies in the business impact analysis section are
focused on the effects of RFID and auto-ID business processes, and their results
are mainly based on field analysis and discussions. These studies conclude that an
advanced auto-ID system implementation requires radical changes in the company
processes. The studies described in system proposals section present different traceability
systems and evaluate practical problems. The simulation paper shows the
opportunity of analysis that comes from the use of simulators. The field studies describe
the results of trials executed in real-life conditions; these studies demonstrate
the economic and technological feasibility of RFID-based traceability systems.
On the one hand, the most appealing motivations that are allowing the wide
adoption of RFID technology in agri-food traceability management are the improvements
in precision and accuracy due to elimination of human labor, and the space
saving inside the supply chain, due to the better SCM. On the other hand, the growing
requirements of food security, commodity quality, and food origin certification,
are making better traceability systems necessary in the agri-food market. However,
the diffidence on the possibility to solve technological problems, and on the ratio
between the cost of the technology and the economic benefits that RFID technology
brings, are slowing the diffusion of RFID-based traceability systems. Nevertheless,
several agri-food companies, especially in perishable food sector, where an efficient
supply chain management can avoid consistent waste, and in the high cost food
sector, where the price of a single product allows the use of RFID tags for reaching
added value after the point-of-sell, have adopted with success RFID, demonstrating
the benefits of this technology.
4.4 Framework for Traceability Analysis
RFID technology, widely adopted for supply chain management, can be used effectively
for the traceability management. In this section, a framework for the
evaluation of a traceability system for the agri-food industry is presented and the
automation level in an RFID-based traceability system is analyzed and compared
with respect to traditional ones.
142

4 – RFID for Agri-food Traceability
Internal and external traceability are both considered and formalized, in order
to classify different environments, according to their automation level.
The characteristics of a traceability system, and mainly its automation level,
strongly affect the traceability cost and accuracy. Automation is defined as the
execution by a machine agent of a function that was previously carried out by a
human being; the provided economic benefits are known in many domains, from
aviation to medicine [103].
Although food sector is characterized by technologically advanced innovations,
e.g. new sterilization methods [121] and food evaluation [129], its companies typically
have not an advanced level of automation, because of lack of assets of small
enterprises, the extensive condition of agricultural fields, and the “historic distance”
between rural life style and technology. However, in large enterprises, there are examples
of high automation. In the most technologically advanced countries, there
is an advanced agriculture that uses standardized technology and that is subject to
rapid changes [32, 109].
The most advanced agricultural enterprises are characterized by a tightly aligned
food supply chain and by the important role of information and communication technology
(ICT) [32]. Usually, these enterprises use spontaneously a traceability system,
which typically is very efficient and fully automated. Instead, small enterprises that
have an efficient traceability system often add the traceability management to their
normal operations, decreasing the efficiency and increasing the costs. The lack of
assets and the difficulties to see the benefits due to the use of an effective traceability
system, bring them to implement the traceability management in the most
simple way, often manual or semiautomatic. Presently one considerable challenge
in the agri-food business is the developing of appropriate traceability technology for
small-scale farmers [102].
According to the technological novelties and opportunities introduced by the
application of ICT in the agri-food sector, the main contributions presented in this
section are the analysis of the automation characteristics of traceability systems used
in the agri-food sector and the evaluation of the automation improvement achievable
by RFID technology.
4.4.1 Internal Traceability System Features
The main operation executed by an internal traceability system is the identification/registration,
which is repeated every time that a product is subjected to an
action.
In this paragraph the main features of internal traceability systems are illustrated.
ˆ Data storage. Data must be stored during the permanence of the commodity
143

4 – RFID for Agri-food Traceability
in the enterprise and after its exit. When the commodity exits, data must be
maintained, in order to manage the external traceability. The elements that
characterize the data storage are:
– data location
* totally distributed, data are stored on commodities by using labels;
* compressed and distributed, data are stored on commodity labels in
a compressed form -e.g. short codes-, and it is possible to read the
information from the object by using reference tables;
* centralized, commodities are matched with an ID that is stored on
commodity label; the ID is used as a link to a record in a central
database;
– the type of database
* paper database, requires a manual transcription and a large amount
of work;
* computer database, can be updated by a manual transcription or by
an automatic transcription.
ˆ Tagged objects. Labels are used in order to identify and store data. There
are two alternative methods of tagging, which is the activity of labeling objects:
– commodity tagging method, the tagged objects are the commodities themselves;
the tag is uniquely matched to the commodity and it is not
reusable.
– container tagging method, the tagged objects are the containers of commodities;
in this way each tag is matched to one container, and the tag
could be potentially used for the whole life of the container.
ˆ Kind of data. Kind and number of data can differ according to precision and
effectiveness aims; the quantity of data affects the size and the time used to
manage them. The stored data are divided in three groups:
– identification code, this code identifies the object;
– commodity characteristics, these data are used to identify the commodities
and to save additional information that can be useful for activities
such as value adding, supply chain management or quality certification;
– operation data, they describe the history of the object, the operations
executed on it, its movements, and its timetable.
144

4 – RFID for Agri-food Traceability
ˆ Data format. Data can be represented in different formats, which differ for
technological levels; more than one format can be used simultaneously. There
is a tight coupling between the adopted format and the automation of the
operation that manages the data, so the choice of the data format depends on
the required automation. The main choices are:
– written words, data are written directly by human operators;
– alphanumerical code, data are contracted and conveyed by an alphanumerical
written code;
– barcode, data are contracted and conveyed by a barcode that needs to be
read by an appropriate device;
– electronic code, normally through RFID tags; the number of recordable
data is limited by the size of the tag memory, but it is the largest among
the analyzed formats.
4.4.2 Writing/Reading and Tagging Automation
The identification/registration (IR) activity (see Table 4.2 for the list of symbols),
which is composed by the reading and, if needed, by the writing and the tagging,
is the core of the internal traceability system. Since these actions are iterated
continuously, they get large resources, so enterprises have to execute them in an
optimized way.
The traceability system of each company requires a set of specific IR operations,
each of them is composed by a specific number of reading, writing and tagging
operations.
In a system that employs the commodity tagging method normally the same
IR operations are performed on each product, and so the total time requested for
IR, T IR, is a function of IT , which is the number of single items: T IR = f(IT ).
An execution of the i th type of IR operation, among the n IR operations applied,
requires an average time IR i , and it is executed o i times on each commodity. T IR is
also affected by the error management; according to the kind of errors, the execution
of corrective operations (e.g., the repetition of the faulty operations) is required, so
T IR = IT
n∑
(o i · (1 + e i ) · IR i ).
i=0
where, e i is the error occurrence probability. In a system adopting the container
tagging method, a set of IR operations are performed on each container. IT must
145

4 – RFID for Agri-food Traceability
Symbol
T IR
IR i
IT
IT CN
CN
n
AR
AW
AT
DBC
DBQ
C i
CC i
HC i
MV i
o i
e i
r i
IDr i
Mr i
w i
t i
d i
T T
RF ID ARID
RF ID ARM
RF ID
T raditional
i
Table 4.2. Framework List of Symbols
Description
Total time requested by IR operations
average time requested by the i th IR operation
number of ITems
Number of ITems in a Container
Number of Containers
Number of the kinds of IR operations
Average time for a Reading
Average time for a Writing
Average time for a Tagging
average time for a Database Connection
average time for a Database Query
average time for Computation in the i th IR op.
av. time for Computer Comput. in the i th IR op.
av. time for Human Computation in the i th IR op.
average time for MoVement in the i th IR op.
Occurrences of the i th IR operation
Error occurrence probability
number of Readings in the i th IR operation
number of tag ID Readings in the i th IR operation
number of tag Memory Readings in the i th IR op.
number of Writings in the i th IR operation
number of Taggings in the i th IR operation
number of Database queries in the i th IR operation
Total time for Tagging
Average time for an RFID Reading of a tag ID
Average time for a Memory RFID Reading
prefix for systems with RFID
prefix for systems without RFID
subscript for the i th IR operation
be divided by the number of items per container (IT CN), and
T IR =
IT
IT CN
n∑
(o i · (1 + e i ) · IR i )
i=0
In each traceability system IR i is dependent on the type of employed technology.
The time requested by one single operation is mainly dependent on the automation
of the employed technology. IR i corresponds to the sum of the time required by
146

4 – RFID for Agri-food Traceability
each operation that composes the i th IR operation; these operations are:
ˆ the reading that requires an average time AR and that is executed r i times,
ˆ the writing that requires an average time AW and it is executed w i times,
ˆ the tagging that requires an average time AT and that is executed t i times,
ˆ the access to a database that requires an average time DBC and that is executed
one or zero times,
ˆ the elaboration in the database that requires an average time DBQ and that
is executed d i times,
ˆ the elaboration of the i th operation that requires the average time C i , and
ˆ the movement of the entity that executes the i th operation that requires the
average time MV i .
Therefore, the formula for calculating IR i is:
IR i = r i · AR + w i · AW + t i · AT +
+ min(d i ,1) · DBC + d i · DBQ + C i + MV i .
Each operation involved in an internal traceability system is executed with different
automation levels. The automation levels, according to the classification used
by [111], are:
ˆ manual, the activities are executed directly by a human operator; the C i and
the MV i are respectively used by the human operator to analyze the operation,
and to move in the right position for the execution of an action;
ˆ semi-automatic, an operator uses a hand-device to improve the efficiency of
the work; the time MV i is used by the human operator to bring the device
in the correct position; the time C i is composed by the time used by the tool
to elaborate the data (CC i ), and the time needed by the human operator to
analyze the operation (HC i ):
C i = CC i + HC i ;
ˆ automatic, human operators only control the activities, which are done by
a mechatronic device; C i corresponds to the time needed by the device to
elaborate data; normally in an automatic system MV i is null.
The automation level is closely tied to the adopted data format; in the following the
different operations are detailed.
147

4 – RFID for Agri-food Traceability
ˆ Reading. The reading of the labels has the purpose to identify commodities
and to get the commodity data, which can be used for other operations. The
reading is the core part of IR activity, since each IR operation requires at least
one reading: r i > 1; ∀i. The average time of a reading (AR) is dependent on
the automation of the action.
– The manual reading is performed directly by human operators and it is
characterized by a low value of r i and a high value of AR.
– The semi-automatic reading is performed by human operators that use
hand device and it is characterized by a high value of r i , and a low value
of AR.
– Usually, the automatic reading is performed by fixed readers, or by mobile
readers. Like the semi-automatic one, it is characterized by a high value
of r i , and a low value of AR.
ˆ Writing. The writing operation changes the data on the labels, so this operation
is required only by some IR operations. In order to write data on the
labels, the data must be in a suitable form for the used method of writing.
The average time of a writing (AW ) is dependent on the automation of the
action (manual, semi-automatic, or automatic).
ˆ Tagging. These operations can take a long time; the total time requested by
the tagging actions (T T ) mainly depends on the employed tagging method.
In a system that employs the commodity tagging method every item must
normally be tagged at every writing, so T T is a function of the number of
items: T T = f(IT ).
In a system that employs the container tagging method, if the labels are not
rewritable, every container must be tagged every time that a writing is required,
and IT must be divided by IT CN. If the labels are rewritable and
the containers are reusable, each container can be tagged only once, since all
the writing operations can be executed on the same label. Furthermore, the
tagging operation can be performed off-line. The T T is a function of CN,
which is the number of containers: T T = f(CN). The average time required
for each tagging action (AT ) is mainly dependent on the automation level.
4.4.3 Established Internal Traceability Systems
The list that follows contains a representative sample of traceability systems adopted
by agri-food enterprises.
148

4 – RFID for Agri-food Traceability
ˆ Fully manual tag system. In this system there is no automation. The
commodities are not identified singly, but they are organized in groups with
common characteristics.
ˆ Stamp system. The automation is almost absent. The commodities are
identified only as part of a group with the same characteristics. This system
uses labels with an alphanumeric code. The labels are tagged and written in
a semi-automatic way by human operators that use hand labelers and stamps.
Operators manually read the labels.
ˆ Printed tag system. Only some traceability operations are executed in an
automatic way. This system uses labels with written words. The labels are
tagged, in a semi-automatic way, by human operators that use hand labelers;
human operators read the labels. The data about the set of commodities and
about the operations are stored in the central database.
ˆ Fully automatic barcode system. All the traceability operations are executed
in a fully automatic way. The recorded data are the ID of the single
commodity, a set of characteristics, and the time of the operations. The ID
and the commodity characteristics are located both on the commodity and in
the central database, while the time of the operation is recorded only in the
database.
4.5 Case Study
The internal traceability systems used in the fruit sector are experimentally analyzed,
showing that by using RFID technology, agri-food enterprises increase their
automation level and also their efficiency, in a sustainable way.
In order to evaluate the automation improvement achievable by RFID technology,
a fruit warehouse was selected as a case study. In this section the selection of the
fruit warehouse is motivated and the case of study is analyzed.
A new traceability system based on RFID technology has been designed and
evaluated. Different case studies have been considered, tacking into account various
scenarios, in order to evaluate the effectiveness of the proposed approach, underlining
the benefits and losses; aspects as efficiency, costs, added values and speed are
analyzed, without missing out the usability. The main benefit of the RFID adoption
is the opportunity to match traceability and other activities, such as supply chain
management.
In this section it is described a traceability system, based on RFID technology
and designed for fruit warehouse. In this kind of warehouse, fruit comes in from
different farmers, it is treated and stoked and then it is sold to distributors. This
149

4 – RFID for Agri-food Traceability
business is a good model for all the element of the fruit chain, since it involve all
the problem that can be found in the whole chain.
The proposed traceability system implements the internal traceability, and it
matches inside information to data about origin and destination of fruit. RFID
tags, due to the storing opportunities from the memory size, hold directly the data
about fruit. The pervasive presence of data is a strategic factor; in fact it allows
the continuous working of the system even where the installation of a wireless net
is unfeasible. Different levels of automation are available, according to the specific
requirements of the operator. The aim of the system is ensure an easy and thorough
data capture, integration and management.
The proposed traceability system is compared with a traditional system. The experimental
results show that the adoption of an RFID system increases the efficiency
of traceability management and reduces the labor costs.
Figure 4.15.
Warehouse organization
4.5.1 Fruit warehouse
In order to test RFID-based traceability systems, we selected the fruit sector, since
it presents interesting characteristics, such as the high numbers of direct relations
among companies in the chain, of total companies in the same chain, of different
products and of product characteristics. Different RFID traceability systems were
150

4 – RFID for Agri-food Traceability
examined, then a system based on RFID was put on trial in a fruit company, in
order to compare its characteristics with respect to the ones of traditional systems.
Agri-food sector presents particular features that affect the design of a traceability
system. In this section, in order to explain the relevant needs of fruit sector and
traceability management are introduced, and properties of traceability systems are
detailed.
The operators in the typical fruit chain are:
1. the farmer, he/she sells fruit to one or more warehouses;
2. the warehouse, it gets fruit from some farmers, treats and stores the fruit, and
sells the fruit to some distributors;
3. the distributor, it gets fruit from several warehouses, transports the fruit, and
sells the fruit to several retailers;
4. the retailer, it gets fruit from a distributor, and sells the fruit to customers.
A fruit warehouse buys fruit from many producers and sells it to different distributors;
in a warehouse the fruit is treated and products from different groups are
merged, so the internal traceability is not a trivial operation.
In order to detect the characteristics of fruit warehouses and in particular of
their traceability systems, 10 small/medium fruit warehouses companies and one
big fruit warehouse company were analyzed, then the collected data were evaluated
in collaboration with 2 companies that supply consulting to agri-food companies. In
the following fruit warehouse characteristics, achieved by our survey, are described.
Fruit warehouses are mainly differentiated by production size and destination
market. In the warehouse the fruit is held in containers called bins, which can
usually hold 250-300 kilograms of fruit, and which are moved by fork lifts. The
dimension of a fruit warehouse usually is measured in bins: a medium warehouse
disposes of a number of bins between 1000 and 100000; each calibration line can
treat 50 bins/hour.
A warehouse uses treatments and its own image presentation methods according
to its destination market. A fruit warehouse needs a premium brand and high
quality treatments in order to access to markets with high quality standards.
Regardless of differences among different warehouses, operations that take place
in warehouses can be modeled as in Fig. 4.15. The main operations that they have
to exploit are the same:
ˆ storing in refrigerating room; its aim is preserving fruit; this can be executed
more than once, or not executed at all; in the refrigerating room the fruit is
held in bins;
151

4 – RFID for Agri-food Traceability
ˆ calibration; its aim is to separate fruit according to its caliber; fruit bins are
loaded in the calibrator machine, a queue of other empty bins is filled by one
of the output lines of the calibrator, one for each caliber;
ˆ fruit packing; this operation is often required before fruit departure; the filled
bins are emptied into the packer.
The operations can be executed in any order, and some of them could be not executed,
according to characteristics of the fruit. In addition, other operations, such as
quality selection, fruit cleaning and color selection, are often matched to calibration
or packing.
In Italy the majority of fruit warehouses are small and medium companies. This
kind of companies is often characterized by a low automation. The calibration
and the packing are usually executed by automatic machines. The management of
refrigerating rooms is performed by an automatic system. Inside the warehouse, the
movement of bins is performed by using a fork lift; in big companies some highly
utilized paths can be constituted by conveyor belt. The quality selection in small
and medium companies is executed manually by workers that visually examine the
fruits in a production line. In some big companies there are video cameras that
detect some characteristics of the fruits.
These traceability management systems are composed by two macro-activities:
the identification of the fruit in the bins and the recording of the information about
the fruit in a central database. The identification, which aims at matching bins
with the data that identify the contained fruit, involves tagging, reading and writing
tags. Instead, the automation of the data recording in the central database usually
depends on the kind of the identification activities: if the identification is highly
automatic, hardly the company employs a paper database, because it would nullify
the benefits of automatic identification; only if the identification system manages
digital data, these can be automatically recorded in the database, otherwise a manual
transcription is needed.
Table 4.3 shows the analyzed traceability systems, which can be classified according
to the general models shown in Section 4.4.3. Additionally, the printed/manual
tag system column represents an hybrid case, where the print of labels is joined or
alternated to manual writing.
The majority of the analyzed warehouses employ a “Printed Tag” traceability
system. Two warehouses utilize printed tags, but they utilize also written labels
when it is more useful, e.g., when the number of labels is small. Only one warehouse
employs the “Stamp system”. The “Fully automatic barcode system” is employed
only by the large company.
152

4 – RFID for Agri-food Traceability
Table 4.3.
Analyzed Traceability Systems
Enterprise dimension
Stamp
system
Printed
tag
system
Printed/
Manual
tag system
Large 0 0 0 0 1
Small/Medium 0 1 7 2 0
Fully manual
tag system
Fully automatic
barcode
system
RFID for Fruit Warehouses
The RFID technology can be used for many activities in the agri-food traceability.
Using RFIDs for internal traceability, reading and writing operations are managed
by RFID tags and readers. All the data are digital, so they can be used for an easy
automatic update of the central database.
The memory of every RFID tag holds an ID that can uniquely identify the
tagged object, furthermore some tags have a rewritable memory that can contain
data about the object. The data in the memory can directly describe the object,
alternatively they can hold short codes that are used like links to reference tables,
which are stored in a central database, or located on distributed devices. Therefore,
an RFID-based internal traceability system can employ any data location described
in Section 4.4.1. An RFID-based traceability system normally uses a computer
database, in order to get advantage from the digital form of information.
RFID can be used both for commodity tagging method and for container tagging
method. The systems based on written labels or barcodes, by using the container
method, have to tag containers every time the contained products change. So for
those systems tagging the containers in comparison to tag commodities does not
bring real benefits, except the labels saving and the tagging time saving. Barcodebased
system could match one ID to a container for its whole life, and they could
use it like a link to a database, but normally fruit warehouse operators prefer to use
codes that describe the commodity, where each part of the code has its own meaning,
and the use of this kind of code requires the change of the barcode every time the
commodities in the container are changed. Instead RFID-based systems allow to
rewrite data on tags every time the commodities in the container are changed, so
they can reach the full saving due to container tagging method.
The high number of produced fruits makes the commodity tagging method unfeasible;
in fact, also traditional methods employ the container tagging method. For
an RFID-based system the inadequacy of the direct tagging method is increased by
the higher cost of RFID tags, so it must employ the container tagging method. In
a warehouse the fruits with different characteristics are often merged, and the data
153

4 – RFID for Agri-food Traceability
system must manage this situation. The container tagging method, applied in a
fruit warehouse, can be used with all the described identification methods:
ˆ Totally distributed. The information about the fruit is directly written in the
tag memory, and the ID identifies the fruit bin. The information must be
updated, according to the changes of the fruit in the bin.
ˆ Compressed and distributed. Short codes that describe the fruit are stored in
the tag memory, and also in this case the ID identifies the fruit bin, since the
tag and the bin are uniquely matched. The codes must be updated, according
to the changes of the fruit in the bin. The system needs to manage the reference
tables to get the codes.
ˆ Centralized. The ID of the tag identifies a fruit bin. The ID is used to access
to the information about the fruit in the bin, which are stored in the central
database. The information has to change according to the changes of the fruit
in the bin.
An RFID system can manage many data, both when the ID of the tag is used like a
link to the database and when the tag memory holds some codes that describe the
commodity. If the information is stored in the database, the size could be considered
as unlimited; if the information is described by codes or it is directly written in the
tag memory, the memory size represents a strict limit.
Table 4.4. IR Operations. The underlined words represent the data that every
traceability system must record.
i Operation Characteristics Data on the
of the fruit operation
0 Entrance into the warehouse Culture, variety, Date and time
producer, weight
1 Entrance into the refrigerating room None Date and time,
room number
2 Exit from the refrigerating room None Date and time
3 Calibrator emptying None Date and time
4 Calibrator filling Caliber Date and time
5 Packing Pack ID Date and time
6 Exit from the warehouse None Date and time
Another critical point is the required time. The identification of a commodity requires
an RFID transmission and optionally a query to the central database. These
154

4 – RFID for Agri-food Traceability
Table 4.5. IR Operations and their Parameters for Centralized (Cen) and Distributed
(Dis) Implementations.
i o i r i w i t i
All Cen Dis Cen Dis Cen Dis
0 1 1 1..14 0 8..12 2..7 off line
1 0..3 1 2..8 0 5..7 1 off line
2 0..3 1 2..8 0 5..7 1 off line
3 0..1 1 1..11 0 5..7 2 off line
4 0..1 1 4..11 0 9..13 1..2 off line
5 1 1 1..11 0 5..7 2 off line
6 1 1 1..11 0 0 2 off line
Central
Computing System
PDA/
Portal Processor
RFID
Reader
RFID
Tag
Send tag ID
and operation data
Ask ID
Send ID
Ask ID
Send ID
Update
database
Send fruit data
Show
results
Only Semi-automatic
Systems
(a)
PDA/
Portal Processor
RFID
Reader
RFID
Tag
Ask ID and Data
Send ID and Data
Write New Data
Ask ID and Data
Send ID and Data
Write New Data
Show
results
Only Semi-automatic
Systems
(b)
Figure 4.16. Automatic and semi-automatic IR interactions with centralized (a)
and distributed (b) data location
communications require some time, but they are often faster than traditional identification
system. Furthermore the management of detailed information can increase
the frequency of identifications and so the employed time, for example the additional
155

4 – RFID for Agri-food Traceability
registration of an operation could require an additional brief stop, according to the
modalities of the identification. The managed information must be carefully chosen,
according to the time saving and the accuracy targets of the system.
In a fruit warehouse, the typically treated data are the producer, the caliber,
the variety, the culture of the fruit, and the operations executed on fruit. Manual
systems try to treat the minimum possible number of information, but producer,
caliber, variety and culture are required for identification.
The most important characteristic for a company that is evaluating the adoption
of an RFID based internal traceability system is the automation of the system. In a
fruit warehouse, which adopts an RFID based traceability system and the container
tagging method with centralized data or rewritable tags with any kind of data
location, every bin has to be tagged only once, since bins and tags are both reusable;
this activity is not embedded in the production flow, and it can be performed off
line. So the T T required by RFID based systems (RF ID T T ), differently from T T
required by traditional systems (T raditional T T ), is not function of the quantity
of treated fruit, but it is a function of the number of bins owned by the warehouse.
Furthermore, according to the formulas described in Section 4.4.2, the number of
tagging actions RF ID t i that contribute to the average time required by each i th
IR operation in an RFID-based system (RF ID IR i ) is RF ID t i = 0, so
RF ID t i ≤ T raditional t i .
The tagging can be manually, semi-automatically or automatically executed, as described
in Section 4.4.2. The implementation of this activity, can be chosen without
considering the production flow, but only evaluating the number of bins, the required
work hours and the device cost.
Reading and writing operations can be semi-automatic or automatic. The RFID
technology allows executing both these operations by a digital communication. The
IR activity, that is composed by the reading and if needed by the writing, is the
core of the internal traceability system. The T IR required by RFID based system
(RF ID T IR) is a function of the number of treated fruits IT . Therefore, to optimize
the internal traceability system firstly the IR activity must be optimized. According
to Section 4.4.2, the complete formulas to calculate RF ID T IR are:
RF ID T IR =
IT
IT CN
n∑
(o i · (1 + e i ) · RF ID IR i );
i=0
RF ID IR i = r i · RF ID AR + w i · RF ID AW +
+ min (d i ,1) · DBC + d i · DBQ + CC i + HC i + MV i .
However, normally it is not possible to use a single RF ID AR, since the average
time that is required by a reading of the tag ID (RF ID ARID), which is performed
156

4 – RFID for Agri-food Traceability
IDr i times, is usually several times larger than the time for a reading of a normal
area of the tag memory (RF ID ARM), which is performed Mr i times. Therefore,
RF ID IR i = IDr i · RF ID ARID+
+ Mr i · RF ID ARM + w i · RF ID AW + MV i
+ min (d i ,1) · DBC + d i · DBQ + CC i + HC i
(4.1)
The IR operations that can be executed in a fruit warehouse are shown in Table 4.4.
The underlined words represent the data that every traceability system must record.
Each operation involves also the error checking, i.e., coherence comparison with
previous operations. Furthermore, there is also an additional error management
operation (i = 7). The characteristics of this operation are strictly related to the
employed traceability system. o 7 represents the average number of wrong data
insertions performed for each filled bin.
Fig. 4.16 shows the interaction diagrams of automatic and semi-automatic IR
implementations with centralized (a) and distributed (b) data location
In a semi-automatic system the reading and writing actions are executed by
using mobile devices, like a Personal Digital Assistant (PDA). Human operators, for
every described operation that is supported by the implementation, have to move the
mobile reader next to the tag and to type the information needed by the operation.
When an error affects a writing or a reading (e i ), the whole operation is repeated.
This kind of error is mainly due to the incorrect use of the devices. Furthermore,
when the system detects the introduction of possible wrong data (o 7 ), it requires
that a human operator confirms the operation.
In an automatic system based on RFID portal gates the reading and writing
actions are automatically executed by the portals. Human operators normally do
not need special devices, but for some operations, like the entrance of the fruit in
the warehouse, they have to type the data about the fruit. However, this kind of
system must allow RFID reading by using manual devices, in order to allow operators
to supervise the system. Differently from a semi-automatic system, an automatic
system can interact with tags for a strictly limited time, and the use of multiple
RFID reading and writing operations can be a problem. In an automatic system
the highest threat is the missed detection of a tag. The system may use devices like
infrared sensors in order to detect the correct number of bins, and so to alert human
operators of the missed detection of a bin.
By analyzing the practical implementations of the described RFID based traceability
systems, we identified the ranges of possible values of constants in (4.1) that
are shown in Table 4.5.
157

4 – RFID for Agri-food Traceability
4.5.2 Implementation of the RFID Traceability System
Several fruit warehouses were examined in order to detect their needs for an internal
traceability system. The requirements considered at the design step are:
ˆ reliability increase, as protection against legal problems;
ˆ granularity precision increase, in order to limit withdrawal effects;
ˆ integration with the productive process, to avoid re-engineering;
ˆ time saving, to increase the effectiveness;
ˆ low costs, according to the resources of a small enterprise;
ˆ high usability, in order to allow the use of the system to seasonal manual
workers with low technological background;
ˆ brand prestige enhancement, to acces to new markets, with higher expectations.
Proposed Internal Traceability System
The proposed system was designed according to needs and resources of small and
medium agri-food companies. The aim of the system is to manage internal traceability
of fruit warehouses in an effective and inexpensive way.
The proposed system tries to accomplish the described requirements through the
RFID technology. The main features of the system are described in the following.
Every bin in the warehouse is tagged with an RFID tag. The bin life lasts several
years, like the theoretical RFID tag life; so the specific tag is matched with a specific
bin for their whole lifetime.
The data about fruit and treatments are recorded directly on tag memories and in
a central database. Operators use a PDA RFID reader. According to the activities
they are performing, operators read and update data on tags by using the tool on
the PDA. The tool records a copy of the data on the PDA.
The warehouse is modeled by four key zones: entrance, refrigerating room, calibrator
and fruit packer. On PDAs there is a specific and appropriate interface for
each key zone. Operators have to enter the key data, while the tool manages other
information.
Periodically (e.g., each day), the data that are stored on the PDA are used to
update the central database.
The system is based on a cheap RFID implementation, with PDA RFID readers
and without a wireless network. However the system upgrade is quickly achievable,
158

4 – RFID for Agri-food Traceability
by the installation of RFID gate and the change of the data management tool,
without database alterations.
The data system is designed in a modular way. Optional data, useful to improve
traceability and to achieve added values, are joined to the central part of the data
system, which includes the data necessary to the system operation. An enterprise
could initially use only the essential part of the data system, and then could increase
the quantity of used data, according to its needs.
The macro targets of the proposed system are the following:
ˆ to facilitate the global traceability, surpassing law requirements;
ˆ to join traceability management with other complementary activities;
ˆ to reach a structure that is easy to upgrade;
ˆ to fulfill fruit warehouse needs.
In order to facilitate the global traceability, the system can easily manage detailed
information about fruit origin. This information could be used to immediately detect
the source of a problem from the enterprise database, or they could be directly
recorded on the output commodities. In addition the system univocally identifies
commodities, with a fine granularity of number of fruits, so precision and security
are increased, and frauds require more effort.
In order to join traceability with other activities, the system records with precision,
in addition to other information, the time of the main operations. Recorded
data allow tracking a specific commodity for its whole stay in the warehouse and
allow a thorough check of the production rate. So, one complementary activity is
the production flow control. Another activity is listing, in fact the system records
all the commodities present in the warehouse at any instant.
In order to reach an easy to upgrade structure, the database is modular, in fact
some entities could be unused, according to warehouse needs. PDA implementation
can be changed with a higher automation level, without changing the database and
tagged RFID tags.
Warehouse requirements are fulfilled as follows.
To increase reliability the system is managed by hand devices, so operators can
continually monitor its correct working; the univocal identification number of an
RFID tag allows discriminating every fruit bin load; the proposed system tracks
fruits, along their movements through different bins, with the best possible granularity
precision. The system was adapted to the typical process flow of a fruit
warehouse, so as to reach a good integration.
The activity of traceability management is executed by few fast actions, which
need short time. Each operation that concerns the fruit must be recorded; the
159

4 – RFID for Agri-food Traceability
recording is made by an operator by means of a PDA RFID reader; the staff that
treats the fruit has to manage this activity concurrently; anyway each enterprise has
its working processes, so the best way to match traceability management activities
with daily operations may change.
The lack of a comprehensive wireless network, the use of PDA RFID reader
instead of gate readers, and the time saving, reduce costs.
The low number of actions involved to manage the system, allows a high usability.
The great quantity of recorded information can be used for brand management,
for instance data could be shown on a website, so the accuracy and precision demonstration
will enhance the brand prestige.
Figure 4.17.
Data about warehouse treatments ER diagram
Information System
The database is divided in “static” data that are fixed and independent on the fruit
arrival, “dynamic” data that are related to warehouse treatments, and mixed data.
Static data can be recorded before fruit picking. They describe the fruit that
will be treated, and the fruit origin. The most part of entities in this group are
”static”, their values could remain unchanged for long periods, and mainly through
one picking time.
These entities are:
160

4 – RFID for Agri-food Traceability
ˆ culture, which represents the list of treated cultures;
ˆ variety, which represents the list of treated varieties;
ˆ producer, which represents the list of producers that are suppliers of the warehouse,
and their related information;
ˆ action name, which represents the list of actions that are managed by the
system;
ˆ field, which represents the list of plots of ground from which the treated fruits
arrive; the field is an entity that is used by farmers, and it isn’t cadastral;
ˆ particle, which represents the list of cadastral particles from which treated
fruits arrive;
ˆ particles for field, which represents the links between particles and fields; a
field contains some particles, but a particle can belong to more than one field;
ˆ cultivations for superblock, which represents the links between cultivations
and superblocks; see later in this section for explanations.
The Entity-Relationship (ER) diagram of data that are related to warehouse
treatments is shown in figure 3. These data are recorded while the fruit is treated.
They track fruits and they describe fruit treatments. The most part of entities in
this diagram are ”dynamic”, their values change continuously.
These entities are:
ˆ action, which represents the list of fruit treatment kinds; block, which represents
the list of fruit blocks in the warehouse; a fruit block stands for a group
of fruits in one bin, and it is used as fruit base unit by the traceability system;
ˆ superblock, which represents the list of superblocks in the warehouse; a fruit
superblock stands for a set of fruits that aren’t in bins; for instance when fruits
of some bins are put in the calibrator they form a superblock;
ˆ superblock origin, which represents the links between two origin superblocks
and one destination superblock; the aim of this entity is to manage fruit merging,
which could often occur, especially in the calibrator;
ˆ cultivations for superblocks, which represents the links between superblocks
and their cultivations; see later in this section for explanations about cultivations.
The entity cultivation represents the connection between the two parts of the
database. The aim of this entity is describing the features of fruit superblocks, such
as culture, variety, producer and origin particles.
161

4 – RFID for Agri-food Traceability
Table 4.6. Operation Occurrences of the Tested RFID System (RF) and
Traditional System (T)
Para- RF T RF T RF T RF T RF T RF T
meter i = 0 i = 1 i = 2 i = 3 i = 4 i = 5/6
o i 1 1 2 2 2 2 1 1 1 1 1 1
IDr i 2 0 1 0 1 0 2 0 2 0 2 0
Mr i 12 1 7 0 7 0 9 0 9 1 9 0
w i 9 1 4 0 4 0 1 0 8 1 1 0
t i 0 1 0 0 0 0 0 0 0 1 0 0
4.5.3 RFID-Based Traceability System Performance
The proposed semiautomatic RFID-based traceability system was tested in a working
fruit warehouse in order to evaluate the automation improvements. The testing
was conducted in a single calibration line warehouse in Italy; sets of bins were tagged
and tracked along the normal production flow.
The used hardware included RFID passive tags SRIX4K from STMicroelectronics,
compliant with ISO14443, with an EEPROM of 4 kbits; and an RFID reader
ACG Dual ISO CF Card Reader Module, compliant with ISO14443, at frequency
13.56 Mhz. The test tool was programmed in C# language by using Microsoft Visual
Studio 2005, and it requires just 70 Kbytes on PDAs and 200 Kbytes on a central
PC. The operators can interact with the tool by using a graphical interface on the
PDA. The tool on the PDA manages the communications between the PDA reader
and the tags, and it sends the resulting information to the central PC. The tool on
the PC receives the information and it interacts with a Microsoft SQL Server 2005
database in order to record them.
The employed readers cost about 260e, the PDAs cost 180eeach; one RFID tag
unit costs up to 0.7e. Therefore, the hardware for a system that involves 10 readers
and 10000 tags costs less than 11000¿. The software development has required about
20 developer-months. The estimated cost of the software, including customization,
for a small-medium company is lower than 5000e.
The characteristics of the RFID system are:
ˆ Data storage: compressed and distributed, computer database.
ˆ Tagged object: container tagging method.
ˆ Kind of data: ID, commodity characteristics, operation data.
ˆ Data format: electronic code.
162

4 – RFID for Agri-food Traceability
ˆ Writing/reading automation: semiautomatic.
ˆ Tagging: off line.
According to the specific production flow of the warehouse used for the testing, the
packing (i = 5) and the exit (i = 6) are managed as a unique activity. The average
occurrences of the operations are shown in Table 4.6. The tagging is performed
off line, so ti is always null. The number of readings and writings is high, since it
represents the call to a reading method of the RFID reader. In a manual system,
as shown in Table 4.6, the number of reading is lower, but the time required by
each reading operation is quite longer. The average time required by the system to
execute the operations is:
RF ID ARID = 205ms; RF ID ARM = 21ms;
RF ID AW = 37ms;
CC i = {30ms; 25ms; 25ms; 94ms; 85ms; 94ms}.
For i = 0...5 .
e i is inversely proportional to the experience of the operators with the tool.
Considering a pessimistic case, let assume that e i is under 0.01 for each type of
operation. o 7 is partially due to the low experience with the tool, and to normal
errors, so its value in a semi-automatic system approaches the same value of a
traditional system. However, for a traditional system the effects of wrong data
insertion is negligible on T IR, so o 7 is close to 0. The time MV i depends on how the
production flow is organized. However the MV i of a semiautomatic system is similar
to the manual one. When the traceability IR activity is performed by a suitable
operator the MV i will be quite low, approximately 2 s; however, when this activity is
performed by the operator that drives the forklift, the MV i is larger, approximately
10 s. Let assume that an efficient organization requires that an operator is in charge
of the execution of traceability operations. At the entrance of a bin the operator
sets its characteristics, so HC 0 is similar to the C 0 of a manual system. For all the
other activities HC i is very low, approximately 200 ms, since the evaluated semiautomatic
tool manages all the data, and the operator does not need to know and
to analyze them. The resulting RF ID IR i and RF ID T IR are:
RF ID IR 0 = 3025ms + HC 0 ,RF ID IR 1 = 2725ms,
RF ID IR 2 = 2725ms,RF ID IR 3 = 2930ms,
RF ID IR 4 = 3170ms,RF ID IR 5 = 2930ms;
RF ID T IR =
IT n∑
(o i · 1.01 · RF ID IR i ) =
IT CN
i=0
= (IT/IT CN) · (23185ms + 1.01 · HC 0 ).
The characteristics of the traditional traceability system employed by the warehouse
are:
163

4 – RFID for Agri-food Traceability
ˆ Data storage: distributed, computer database.
ˆ Tagged object: container tagging method.
ˆ Kind of data: ID, commodity characteristics.
ˆ Data format: written words.
ˆ Reading automation: manual.
ˆ Writing automation: automatic.
ˆ Tagging automation: manual.
The second and third steps (i = 1 and 2) are not supported. The data about the
treatments are not recorded for any bin, so only the exit from the calibrator and
the entrance in the warehouse require writing operations, but each writing involves
also a tagging operation. The reading is used for the traceability management only
before calibration and packing. The approximate average time required to execute
the operations is:
T raditional AR = 2s; T raditional AW = 2s;
T raditional AT = 5s.
e i = 0, since it is negligible for manual systems. C i = HC i , so C i is steady for all
the steps, and it is similar to the HC 0 of the RFID tool. MV i is longer for the steps
that involve a tagging operation, where it requires about 5 s, since this operation
requires that the operator gets the labels; for the other operations MV i is similar to
the MV i of the RFID system. The resulting traditional IR i are:
IR 0 = 12s + C i ,IR 1 = 0,IR 2 = 0,IR 3 = 4s + C i ,
IR 4 = 12s + C i ,IR 5 = 4s + C i ;
T raditional T IR = (IT/IT CN) · (32s + 4C i ).
In order to evaluate the feasibility of the RFID traceability system we need
to compare it to the printed tag system. According to the previously specified
characteristics we can state that:
IT
IT CN (23.18s + 1.01HC 0) <
IT
IT CN (32s + 4C i);
by simplifying (IT/IT CN), and since HC 0 is almost equal to C i , we have:
RF ID T IR < traditional T IR.
Therefore, with an efficient organization of the work we can state that the RFID
system manages more detailed data, in a shorter time than the printed tag system.
The time saving allows increasing the production flow of the company. The RFID
164

4 – RFID for Agri-food Traceability
semi-automatic systems require a larger starting cost than traditional systems, but
the maintenance of both the systems is mainly due to labor cost. According to the
time analysis and to the described costs, for small/medium companies that spend
the equivalent of 1 full time employer for traceability management, the estimated
payback period is about 2 years. This result is also compatible with a previous
analysis on an RFID trial [121].
4.5.4 Conclusion
The traceability in agri-food sector is a key factor, and its management has a great
impact on the production flow of a company. For this reason an effective traceability
system is fundamental for avoiding large waste of resources. Automation is regarded
as the key factor to realize an effective internal traceability system, since manual
activities require more time. Furthermore, a high automation brings warranties of
accuracy, completeness, and reliability. Therefore, to implement traceability without
carefully considering all the automation options could entail the wastage of human
and economic resources.
In order to analyze the traceability management, a precise definition of traceability,
and a classification of the automation levels of the agri-food company have been
presented and described. The proposed framework may allow both researchers and
practitioners to perform deterministic analysis on the performance of traceability
systems.
An RFID-based traceability system can treat several data in short time. The analyzed
system, which is based on a semiautomatic implementation, can reach good
benefits: it is inexpensive, it requires a larger starting cost than traditional systems,
but its maintenance is smaller; it manages detailed information about products and
treatments, and it requires lower execution time than traditional systems. The
analysis has shown that the majority of the reached time saving is due first to the
tagging operation, which in RFID system can be performed off line, and second to
the differences between the time required by semiautomatic reading/writing operations,
and manual reading/writing operations. Furthermore, the analysis has shown
that manual systems require more time in order to allow employers to analyze the
operations and to make decisions.
165

Chapter 5
Conclusion
Pervasive technologies represent a good opportunity to improve the majority of
human activities. However, they involve great problems for information security
and efficiency. This study has deeply analyzed RFID technology, which represents
one of the more promising and widely employed pervasive technology. Both the
security and the communications topics have been studied.
The security problems involved by RFID are discussed. Data-tampering is deeply
analyzed; tamper-evident and tamper-resistant approaches for RFID have been surveyed,
classified and compared, highlighting their benefits and drawbacks. The application
of public key cryptography to RFID context is analyzed, highlighting the
strength and weakness points. New approaches based on public key cryptography
have been presented. The first proposal is to use standard RFID tags to implement
an anti-counterfeit mechanism in selected wine production environments. Then,
some security protocols for traceability and SCM have been proposed. These approaches,
which are based on RFID tags without cryptographic capability, protect
the privacy, and provide additional security features. The last approach implements
an anti-counterfeit mechanism thanks to additional cryptographic hardware
designed for UHF RFID tags.
The efficiency problems due to RFID reader-to-reader collision, which represents
the mutual interference generated by RFID readers in the same area, have been described.
An evaluation method is proposed, and then, a new multichannel protocol,
which improves previous approaches, has been presented and evaluated.
Finally, the agri-food sector has been analyzed, and a tool for traceability management
based on RFID has been developed, in order to verify on the field the
technological characteristics of RFID. Furthermore, a precise definition of traceability,
and a classification of the automation levels of agri-food companies have been
presented and described. The proposed framework may allow both researchers and
practitioners to perform deterministic analysis on the performance of traceability
systems.
166

Bibliography
[1] Annual report to parliament 2005 - report on the personal information protection
and electronic documents act.
[2] Combating counterfeit drugs: A report of the food and drug administration.
[3] Iso 9001-2000.
[4] Laying down the general principles and requirements of food law, establishing
the European Food Safety Authority and laying down procedures in matters
of food safety. REGULATION (EC) No 178/2002 OF THE EUROPEAN
PARLIAMENT AND OF THE COUNCIL of 28 January 2002.
[5] Ntru. genuid.
[6] Rfid position statement of consumer privacy and civil liberties organizations,
Nov 2003.
[7] Traceability implementation, 2003.
[8] EPC radio-frequency identity protocols class-1 generation-2 UHF RFID protocol
for communications at 860 MHz – 960 MHz, 2004.
[9] RSA-200 is factored!, 2005. available at http://www.rsa.com/rsalabs/
node.asp?id=2879.
[10] Smart (rfid) tags: Safeguards applying to their use, March 2005. Bollettino
del n. 59.
[11] Working document on data protection issues related to rfid technology, Nov
2005. Article 29.
[12] ETSI 4.2.1-Telecommunications and internet converged services and protocols
for advanced networking (TISPAN); methods and protocols; part 1: Method
and proforma for threat, risk, vulnerability analysis, 12 2006. Technical Specification.
[13] Electromagnetic compatibility and radio spectrum matters (erm); radio frequency
identification equipment operating in the band 865 mhz to 868 mhz
with power levels up to 2 w; part 1: Technical requirements and methods of
measurement, 2008.
[14] MF3ICD21, MF3ICD41, MF3ICD81 - MIFARE DESFire EV1 contactless
multi-application IC. Product short data sheet, March 2009. Rev. 02.
167

Bibliography
[15] S. Agarwal, A. Joshi, T. Finin, Y. Yesha, and T. Ganous. A pervasive computing
system for the operating room of the future. Mobile Networks and
Applications, 12(2):215–228, 2007.
[16] Syed A. Ahson and Mohammad Ilyas, editors. RFID Handbook : Applications,
Technology, Security, and Privacy. CRC Press, 2008.
[17] Giuseppe Ateniese, Jan Camenisch, and Breno de Medeiros. Untraceable
RFID tags via insubvertible encryption. In CCS ’05: Proceedings of the 12th
ACM conference on Computer and communications security, pages 92–101,
New York, NY, USA, 2005. ACM.
[18] C. Atock. Where’s my stuff? Manufacturing Engineer, 82(2):24–27, April
2003.
[19] Gildas Avoine. Adversarial model for radio frequency identification. Cryptology
ePrint Archive, Report 2005/049, 2005. http://eprint.iacr.org/.
[20] Gildas Avoine and Philippe Oechslin. A scalable and provably secure hashbased
RFID protocol. In PERCOMW ’05: Proceedings of the Third IEEE International
Conference on Pervasive Computing and Communications Workshops,
pages 110–114, Washington, DC, USA, 2005. IEEE Computer Society.
[21] G. Ayalew, U. McCarthy, K. McDonnell, F. Butler, P. B. McNulty, and S. M.
Ward. Electronic tracking and tracing in food and feed traceability. LogForum,
2(2):1–17, 2006.
[22] L. Batina, J. Guajardo, T. Kerins, N. Mentens, P. Tuyls, and I. Verbauwhede.
An elliptic curve processor suitable for rfid-tags, 2006.
[23] L. Batina, N. Mentens, K. Sakiyama, B. Preneel, and I. Verbauwhede. Lowcost
elliptic curve cryptography for wireless sensor networks. In Security and
Privacy in Ad-Hoc and Sensor Networks, LNCS, pages 6–17. Springer Berlin
/ Heidelberg, 2006.
[24] M. Bellare, A. Boldreva, A. Desai, and D. Pointcheval. Key-privacy in publickey
encryption. In Advances in Cryptology — ASIACRYPT 2001, LNCS,
pages 566–582. Springer Berlin / Heidelberg, 2001.
[25] Mihir Bellare, Ran Canetti, and Hugo Krawczyk. Keying hash functions for
message authentication. In Advances in Cryptology — CRYPTO ’96, LNCS,
pages 1–15. Springer Berlin / Heidelberg, 2005.
[26] A.R. Beresford and F. Stajano. Location privacy in pervasive computing.
Pervasive Computing, IEEE, 2(1):46–55, jan-mar 2003.
[27] P. Bernardi, C. Demartini, F. Gandino, B. Montrucchio, M. Rebaudengo, and
E.R. Sanchez. Agri-food traceability management using a RFID system with
privacy protection. In Advanced Information Networking and Applications,
2007. AINA ’07. 21st International Conference on, pages 68–75, May 2007.
[28] P. Bernardi, F. Gandino, F. Lamberti, B. Montrucchio, M. Rebaudengo, and
E.R. Sanchez. An anti-counterfeit mechanism for the application layer in
168

Bibliography
low-cost RFID devices. In Circuits and Systems for Communications, 2008.
ECCSC 2008. 4th European Conference on, pages 227–231, July 2008.
[29] Paolo Bernardi, Filippo Gandino, Bartolomeo Montrucchio, Maurizio Rebaudengo,
and Erwing Ricardo Sanchez. Design of an uhf rfid transponder for
secure authentication. In GLSVLSI ’07: Proceedings of the 17th ACM Great
Lakes symposium on VLSI, pages 387–392, New York, NY, USA, 2007. ACM.
[30] S.M. Birari and S. Iyer. Mitigating the reader collision problem in RFID
networks with mobile readers. In Networks, 2005. Jointly held with the 2005
IEEE 7th Malaysia International Conference on Communication., 2005 13th
IEEE International Conference on, volume 1, page 6 pp., Nov. 2005.
[31] S.M. Birari and S. Iyer. PULSE: A MAC protocol for RFID networks. In
Embedded and Ubiquitous Computing, volume 1 of LNCS, pages 1036–1046.
2005.
[32] Michael Boehlje and Otto Doering. Farm policy in an industrialized agriculture.
Journal of Agribusiness, 18(1):53–60, March 2000.
[33] Dan Boneh. The decision diffie-hellman problem. In Algorithmic Number
Theory, LNCS, pages 48–63. Springer Berlin / Heidelberg, 1998.
[34] R. W Boss. RFID technology for libraries. Library Technology Reports, 39(6),
2003.
[35] Jan Camenisch and Anna Lysyanskaya. Signature schemes and anonymous
credentials from bilinear maps. In Advances in Cryptology – CRYPTO 2004,
LNCS, pages 56–72. Springer Berlin / Heidelberg, 2004.
[36] Kainan Cha, S. Jagannathan, and D. Pommerenke. Adaptive power control
protocol with hardware implementation for wireless sensor and rfid reader
networks. Systems Journal, IEEE, 1(2):145–159, Dec. 2007.
[37] David L. Chaum. Untraceable electronic mail, return addresses, and digital
pseudonyms. Commun. ACM, 24(2):84–90, 1981.
[38] Shuo Chen„, Jun Xu, Emre C. Sezer, Prachi Gauriar, and Ravishankar K.
Iyer„. Non-control-data attacks are realistic threats. In SSYM’05: Proceedings
of the 14th conference on USENIX Security Symposium, pages 12–12, Berkeley,
CA, USA, 2005. USENIX Association.
[39] B. Chor and R.L. Rivest. A knapsack-type public key cryptosystem based
on arithmetic in finite fields. Information Theory, IEEE Transactions on,
34(5):901–909, sep 1988.
[40] C.S. Collberg and C. Thomborson. Watermarking, tamper-proofing, and obfuscation
- tools for software protection. Software Engineering, IEEE Transactions
on, 28(8):735–746, Aug 2002.
[41] D. Corsten and T.W. Gruen. Stock-outs cause walkouts. Harvard Business
Review, pages 26–28, 2004.
[42] D. Boneh, B. Lynn, and H. Shacham. Short signatures from the weil pairing.
Journal of Cryptology, 17(4):297–319, Sep. 2004.
169

Bibliography
[43] W. Diffie and M. Hellman. New directions in cryptography. Information
Theory, IEEE Transactions on, 22(6):644–654, nov 1976.
[44] Tassos Dimitriou. A secure and efficient rfid protocol that could make big
brother (partially) obsolete. In PERCOM ’06: Proceedings of the Fourth
Annual IEEE International Conference on Pervasive Computing and Communications,
pages 269–275, Washington, DC, USA, 2006. IEEE Computer
Society.
[45] T. Elgamal. A public key cryptosystem and a signature scheme based on
discrete logarithms. Information Theory, IEEE Transactions on, 31(4):469–
472, Jul 1985.
[46] D.W. Engels and S.E. Sarma. The reader collision problem. In Systems, Man
and Cybernetics, 2002 IEEE International Conference on, volume 3, pages 6
pp. vol.3–, Oct. 2002.
[47] Jun-Bong Eom, Soon-Bin Yim, and Tae-Jin Lee. An efficient reader anticollision
algorithm in dense RFID networks with mobile RFID readers. Industrial
Electronics, IEEE Transactions on, 56(7):2326–2336, July 2009.
[48] Martin Feldhofer. An authentication protocol in a security layer for rfid smart
tags. In Stiftung Secure Information and Communication Technologies SIC,
pages 759–762. IEEE, 2004.
[49] Klaus Finkenzeller. RFID Handbook: Fundamentals and Applications in Contactless
Smart Cards and Identification. John Wiley & Sons, Inc., New York,
NY, USA, 2003.
[50] Caroline Fontaine and Fabien Galand. A survey of homomorphic encryption
for nonspecialists. EURASIP Journal on Information Security, 24(2), 2007.
[51] Eiichiro Fujisaki and Tatsuaki Okamoto. Secure integration of asymmetric
and symmetric encryption schemes. In CRYPTO ’99: Proceedings of the 19th
Annual International Cryptology Conference on Advances in Cryptology, pages
537–554, London, UK, 1999. Springer-Verlag.
[52] F. Gandino, R. Ferrero, B. Montrucchio, and M. Rebaudengo. Introducing
probability in RFID reader-to-reader anti-collision. In Network Computing
and Applications, 2009. NCA 2009. Eighth IEEE International Symposium
on, pages 250–257, July 2009.
[53] F. Gandino, B. Montrucchio, M. Rebaudengo, and E. R. Sanchez. On improving
automation by integrating RFID in the traceability management of the
agri-food sector. Industrial Electronics, IEEE Transactions on, 56(7):2357–
2365, July 2009.
[54] F. Gandino, B. Montrucchio, M. Rebaudengo, and E.R. Sanchez. Analysis of
an RFID-based information system for tracking and tracing in an agri-food
chain. In RFID Eurasia, 2007 1st Annual, pages 1–6, Sept. 2007.
[55] J. Garcia-Alfaro, M. Barbeau, and E. Kranakis. Analysis of threats to the
security of EPC networks. In Communication Networks and Services Research
170

Bibliography
Conference, 2008. CNSR 2008. 6th Annual, pages 67–74, May 2008.
[56] J. Garcia-Alfaro, M. Barbeau, and E. Kranakis. Security threats on EPC
based RFID systems. In Information Technology: New Generations, 2008.
ITNG 2008. Fifth International Conference on, pages 1242–1244, April 2008.
[57] S.L. Garfinkel, A. Juels, and R. Pappu. RFID privacy: an overview of problems
and proposed solutions. Security & Privacy, IEEE, 3(3):34–43, May-June
2005.
[58] Blaise Gassend, Dwaine Clarke, Marten van Dijk, and Srinivas Devadas. Silicon
physical random functions. In CCS ’02: Proceedings of the 9th ACM
conference on Computer and communications security, pages 148–160, New
York, NY, USA, 2002. ACM.
[59] G. Gaubatz, J.-P. Kaps, E. Ozturk, and B. Sunar. State of the art in ultra-low
power public key cryptography for wireless sensor networks. pages 146–150,
march 2005.
[60] B J Gibson, J T Mentzer, and R L Cook. Supply chain management: the
pursuit of a consensus definition. Journal of Business Logistics, 26(2):17–25,
2005.
[61] E. Golan, B. Krissoff, F. Kuchler, K. Nelson, G. Price, and L. Calvin. Traceability
in the US food supply: Dead end or superhighway? Choices, 18(2):17–
20, 2003.
[62] S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer
and System Sciences, 2:270–299, apr 1984.
[63] Philippe Golle, Markus Jakobsson, Ari Juels, and Paul Syverson. Universal
re-encryption for mixnets. In Topics in Cryptology – CT-RSA 2004, LNCS.
Springer Berlin / Heidelberg, 2004.
[64] Sung Won Kim Gyanendra Prasad Joshi. Survey, nomenclature and comparison
of reader anti-collision protocols in RFID. IETE Technical Review,
25(5):285–292, 2008.
[65] Soonshin Han, HyungSoo Lim, and JangMyung Lee. An efficient localization
scheme for a differential-driving mobile robot based on RFID system. Industrial
Electronics, IEEE Transactions on, 54(6):3362–3369, Dec. 2007.
[66] B.C. Hardgrave, M. Waller, and R. Miller. Does rfid reduce out of stocks? a
preliminary analysis, 2005. Tech. report.
[67] H. Hartenstein and K.P. Laberteaux. Topics in ad hoc and sensor networks -
a tutorial survey on vehicular ad hoc networks. Communications Magazine,
IEEE, 46(6):164–171, June 2008.
[68] Junius Ho, Daniel W. Engels, and Sanjay E. Sarma. HiQ: A hierarchical
q-learning algorithm to solve the reader collision problem. In SAINT-W
’06: Proceedings of the International Symposium on Applications on Internet
Workshops, pages 88–91, Washington, DC, USA, 2006. IEEE Computer
Society.
171

Bibliography
[69] Jeffrey Hoffstein, Jill Pipher, and Joseph H. Silverman. Ntru: A ring-based
public key cryptosystem. In Algorithmic Number Theory, LNCS, pages 267–
288. Springer Berlin / Heidelberg, 1998.
[70] Jeffrey Hoffstein and Joseph Silverman. Optimizations for ntru. In In Publickey
Cryptography and Computational Number Theory., pages 11–15, 2000.
[71] Michael Howard and David Leblanc. Writing Secure Code. Microsoft Press,
Redmond, WA, USA, 2001. Foreword By-Valentine,, Brian.
[72] Yu-Chia Hsu, An-Pin Chen, and Chun-Hung Wang. A RFID-enabled traceability
system for the supply chain of live fish. pages 81–86, sept. 2008.
[73] International Organization for Standardization, Geneva, Switzerland.
ISO/IEC 9798-2 - Information technology - Security techniques - Entity authentication
- Part 2: Mechanisms using symmetric encipherment algorithms,
1994.
[74] Reiner Jedermann, Luis Ruiz-Garcia, and Walter Lang. Spatial temperature
profiling by semi-passive rfid loggers for perishable food transportation. Comput.
Electron. Agric., 65(2):145–154, 2009.
[75] N J Jeon, C S Leem, M H Kim, and H G Shin. A taxonomy of ubiquitous computing
applications. Wireless Personal Communications, 43(4):1229–1239,
2007.
[76] Wen-Shenq Juang, Sian-Teng Chen, and Horng-Twu Liaw. Robust and efficient
password-authenticated key agreement using smart cards. Industrial
Electronics, IEEE Transactions on, 55(6):2551–2556, June 2008.
[77] A. Juels. RFID security and privacy: a research survey. Selected Areas in
Communications, IEEE Journal on, 24(2):381–394, Feb. 2006.
[78] Ari Juels. Minimalist cryptography for low-cost rfid tags. pages 149–164.
Springer-Verlag, 2003.
[79] Ari Juels and Ravikanth Pappu. Squealing euros: Privacy protection in
RFID-enabled banknotes. In Financial Cryptography, LNCS, pages 103–121.
Springer Berlin / Heidelberg, 2003.
[80] Ari Juels, Ronald L. Rivest, and Michael Szydlo. The blocker tag: Selective
blocking of RFID tags for consumer privacy. In 8th ACM Conference on
Computer and Communications Security, pages 103–111. ACM Press, 2003.
[81] B. Kalisk. PKCS #1: RSA Encryption. RSA Laboratories East, 1998. available
at http://www.ietf.org/rfc/rfc2313.txt.
[82] Karl Prince, Humberto Morán, and Duncan McFarlane. Auto-ID use case:
Food manufacturing company distribution, 2003.
[83] Joongheon Kim, Wonjun Lee, Eunkyo Kim, Dongshin Kim, and Kyoungwon
Suh. Optimized transmission power control of interrogators for collision arbitration
in uhf rfid systems. Communications Letters, IEEE, 11(1):22–24, Jan.
2007.
172

Bibliography
[84] Paris Kitsos and Yan Zhang, editors. RFID Security: Techniques, Protocols
and System-On-Chip Design. Springer Publishing Company, Incorporated,
2008.
[85] A. Kranendonk and S. Rackebrandt. Optimising availability - getting products
on the shelf! In Official ECR Europe Conference, 2002.
[86] S. Kumar and C. Paar. Are standards compliant elliptic curve cryptosystems
feasible on rfid? In Workshop on RFID Security, pages 11–15, Jul 2006.
[87] RSA LABS. available at http://www.rsa.com/rsalabs/.
[88] Young M. Lee, Feng Cheng, and Ying Tat Leung. Exploring the impact of
RFID on supply chain dynamics. In WSC ’04: Proceedings of the 36th conference
on Winter simulation, pages 1145–1152. Winter Simulation Conference,
2004.
[89] Louis A. Lefebvre, Elisabeth Lefebvre, Ygal Bendavid, Samuel Fosso Wamba,
and Harold Boeck. Rfid as an enabler of b-to-b e-commerce and its impact on
business processes: A pilot study of a supply chain in the retail industry. In
HICSS ’06: Proceedings of the 39th Annual Hawaii International Conference
on System Sciences, page 104.1, Washington, DC, USA, 2006. IEEE Computer
Society.
[90] C. Loebbecke. RFID technology and applications in the retail supply chain:
The early metro group pilot. In 18th Bled conference on eIntegration in action,
2005.
[91] R. Loftus. Traceability of biotech-derived animals: application of DNA
technology. Scientific and Technical Review - The Office International des
épizooties, 24(1):231–242, 2005.
[92] Anna Lysyanskaya, Ronald L. Rivest, Amit Sahai, and Stefan Wolf.
Pseudonym systems. In Selected Areas in Cryptography, LNCS, pages 184–
199. Springer Berlin / Heidelberg, 2000.
[93] R. Martí, S. Robles, A. Martin-Campillo, and J. Cucurull. Providing early
resource allocation during emergencies: The mobile triage tag. Journal of
Network and Computer Applications, 32(6):1167–1182, 2009.
[94] Alfred J. Menezes, Scott A. Vanstone, and Paul C. Van Oorschot. Handbook
of Applied Cryptography. CRC Press, Inc., Boca Raton, FL, USA, 1996.
[95] Gerome Miklau and Dan Suciu. Implementing a tamper-evident database
system. In Advances in Computer Science – ASIAN 2005, LNCS, pages 28–
48. Springer Berlin / Heidelberg, 2005.
[96] M.-L. Ming-Ling Chuang and W.H. Shaw. RFID: Integration stages in supply
chain management. Engineering Management Review, IEEE, 35(2):80–87,
Quarter 2007.
[97] M. Mohan, V. Potdar, and E. Chang. Recovering and restoring tampered
RFID data using steganographic principles. In Industrial Technology, 2006.
ICIT 2006. IEEE International Conference on, pages 2853–2859, Dec. 2006.
173

Bibliography
[98] E.W.T. Ngai, F.F.C. Suk, and S.Y.Y. Lo. Development of an rfid-based sushi
management system: The case of a conveyor-belt sushi restaurant. International
Journal of Production Economics, 112(2):630–645, 2008. Special Section
on RFID: Technology, Applications, and Impact on Business Operations.
[99] Obi Obowoware. Security issues in mobile ad-hoc networks: A survey. The
17th White House Papers Graduate Research In Informatics at Sussex, pages
40–44, June 2004.
[100] Akihiro Ogino, Sae-Ueng Somkiat, and Toshikazu Kato. The inspiring store:
Decision support system for shopping based on individual interests. In G. Salvendy
M.J. Smith, editor, Human Interface and the Management of Information.
Interacting in Information Environments, LNCS, pages 948–954.
Springer-Verlag, 2007.
[101] M. Ohkubo, K. Suzuki, and S. Kinoshita. Efficient hash-chain based RFID
privacy protection scheme. In International Conference on Ubiquitous Computing
– Ubicomp, Workshop Privacy: Current Status and Future Directions,
2004.
[102] L. U. Opara. Traceability in agriculture and food supply chain: a review of
basic concepts, technological implications, and future prospects. Journal of
Food, Agriculture and Environment, 1(1):101–106, 2003.
[103] Raja Parasuraman and Victor Riley. Humans and automation: Use, misuse,
disuse, abuse. Human Factors, 39(2):230–253, June 1997.
[104] S. Park and S. Hashimoto. Autonomous mobile robot navigation using passive
RFID in indoor environment. Industrial Electronics, IEEE Transactions on,
56(7):2366–2373, July 2009.
[105] M. Potdar, E. Chang, and V. Potdar. Applications of RFID in pharmaceutical
industry. In Industrial Technology, 2006. ICIT 2006. IEEE International
Conference on, pages 2860–2865, Dec. 2006.
[106] V. Potdar and E. Chang. Tamper detection in RFID tags using fragile watermarking.
In Industrial Technology, 2006. ICIT 2006. IEEE International
Conference on, pages 2846–2852, Dec. 2006.
[107] Vidyasagar Potdar, Chen Wu, and Elizabeth Chang. Tamper detection for
ubiquitous RFID-enabled supply chain. In Computational Intelligence and
Security - CIS 2005, LNCS, pages 273–278. Springer Berlin / Heidelberg,
2005.
[108] Damith C. Ranasinghe, Daniel W. Engels, and Peter H. Cole. Low-cost RFID
systems: Confronting security and privacy. In Auto-ID Labs Research Workshop,
2005.
[109] John F. Reid, Qin Zhang, Noboru Noguchi, and Monte Dickson. Agricultural
automatic guidance research in north america. Computers and Electronics in
Agriculture, 25(1-2):155–167, 2000.
174

Bibliography
[110] R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures
and public-key cryptosystems. Commun. ACM, 21(2):120–126, 1978.
[111] E. Sahin, Y. Dallery, and S. Gershwin. Performance evaluation of a traceability
system. an application to the radio frequency identification technology.
In Systems, Man and Cybernetics, 2002 IEEE International Conference on,
volume 3, pages 6 pp. vol.3–, Oct. 2002.
[112] Junichiro Saito, Junichiro Saito, Jae-Cheol Ryou, and Kouichi Sakurai. Enhancing
privacy of universal re-encryption scheme for rfid tags. In Embedded
and Ubiquitous Computing, LNCS, pages 55–84. Springer Berlin / Heidelberg,
2000.
[113] E.R. Sanchez, F. Gandino, B. Montrucchio, and M. Rebaudengo. Public-key
in RFIDs: Appeal for asymmetry. In Y. Zhang and P. Kitsos, editors, Security
in RFID and Sensor Networks. Auerbach Publications, TaylorFrancis Group,
2009.
[114] Q.Z. Sheng, Xue Li, and S. Zeadally. Enabling next-generation RFID applications:
Solutions and challenges. Computer, 41(9):21–28, Sept. 2008.
[115] Dong-Her Shih, Po-Ling Sun, David C. Yen, and Shi-Ming Huang. Taxonomy
and survey of RFID anti-collision protocols. Computer Communications,
29(11):2150–2166, 2006.
[116] A. Soylemezoglu, M. J. Zawodniok, and S. Jagannathan. RFID-based smart
freezer. Industrial Electronics, IEEE Transactions on, 56(7):2347–2356, July
2009.
[117] Sarah Spiekermann. RFID and privacy: what consumers really want and fear.
Personal and Ubiquitous Computing, 13(6):423–434, 08 2009.
[118] Sarah Spiekermann and Sergei Evdokimov. Critical RFID privacy-enhancing
technologies. Security & Privacy, IEEE, 7(2):56–62, March-April 2009.
[119] Douglas R. Stinson. Cryptography: theory and practice. CRC Press, 1995.
[120] D.-Z. Sun, J.-P. Huai, J.-Z. Sun, J.-X. Li, J.-W. Zhang, and Z.-Y. Feng. Improvements
of Juang’s password-authenticated key agreement scheme using
smart cards. Industrial Electronics, IEEE Transactions on, 56(6):2284–2291,
June 2009.
[121] Sheng-Yu Tseng, Tsai-Fu Wu, and Yaow-Ming Chen. Wide pulse combined
with narrow-pulse generator for food sterilization. Industrial Electronics,
IEEE Transactions on, 55(2):741–748, Feb. 2008.
[122] Yiannis Tsiounis and Moti Yung. On the security of elgamal based encryption.
In Public Key Cryptography, LNCS, pages 117–134. Springer Berlin /
Heidelberg, 1998.
[123] Gene Tsudik. YA-TRAP: Yet another trivial RFID authentication protocol.
In PERCOMW ’06: Proceedings of the 4th annual IEEE international conference
on Pervasive Computing and Communications Workshops, page 640,
2006.
175

Bibliography
[124] Pim Tuyls and Lejla Batina. Rfid-tags for anti-counterfeiting. In Topics in
Cryptology – CT-RSA 2006, LNCS, pages 115–131. Springer Berlin / Heidelberg,
2006.
[125] J. Waldrop, D.W. Engels, and S.E. Sarma. Colorwave: a MAC for RFID
reader networks. In Wireless Communications and Networking, 2003. WCNC
2003. 2003 IEEE, volume 3, pages 1701–1704, March 2003.
[126] J. Waldrop, D.W. Engels, and S.E. Sarma. Colorwave: an anticollision algorithm
for the reader collision problem. In Communications, 2003. ICC ’03.
IEEE International Conference on, volume 2, pages 1206–1210, May 2003.
[127] S. A. Weis, S. E. Sarma, R. L. Rivest, and D. W. Engels. Security and
privacy aspects of low-cost radio frequency identification systems. In Security
in Pervasive Computing, LNCS, pages 50–59. Springer Berlin / Heidelberg,
2004.
[128] J. Wolkerstorfer. Scaling ecc hardware to a minimum. In ECRYPT workshop
- Cryptographic Advances in Secure Hardware - CRASH 2005, pages 11–15,
Sep 2005.
[129] W.L. Xu, J.D. Torrance, B.Q. Chen, J. Potgieter, J.E. Bronlund, and J.-
S. Pap. Kinematics and experiments of a life-sized masticatory robot for
characterizing food texture. Industrial Electronics, IEEE Transactions on,
55(5):2121–2132, May 2008.
[130] A. Yamamoto, S. Suzuki, H. Hada, J. Mitsugi, F. Teraoka, and O. Nakamura.
A tamper detection method for RFID tag data. In RFID, 2008 IEEE
International Conference on, pages 51–57, April 2008.
[131] T Yamazaki. Beyond the smart home. In International Conference on Hybrid
Information Technology, 2006. ICHIT ’06, volume 2, pages 350–355, 2006.
[132] J. Zachary and R. Brooks. Bidirectional mobile code trust management using
tamper resistant hardware. Mobile Networks and Applications, 8(2):137–143,
2003.
[133] Kun Zhang, Tao Zhang, and Santosh Pande. Memory protection through
dynamic access control. In Microarchitecture, 2006. MICRO-39. 39th Annual
IEEE/ACM International Symposium on, pages 123–134, Dec. 2006.
[134] D. Zhen-hua, L. Jin-tao, and F. Bo. Radio frequency identification in food
supervision. volume 10, pages 529–536, 2007.
[135] S. Zhong and Y. R. Yang. Verifiable distributed oblivious transfer and mobile
agent security. Mobile Networks and Applications, 11(2):201–210, 2006.
176