A New Secure RFID Anti-Counterfeiting and Anti-Theft Scheme for Merchandise

Abstract

Counterfeiting and theft have always been problems that incur high costs and result in considerable losses for international markets. In this research paper, we address the issue of counterfeiting while using radio frequency identification RFID technology in retail systems or other industries by presenting a new anti-counterfeiting and anti-theft system for the retail market. This system addresses the two abovementioned issues and provides a solution that can save retail systems millions of dollars yearly. The proposed system achieves the objective of preventing or minimising the counterfeiting and theft of tagged products. At the same time, it provides a strong indication of suspiciously sold or obtained items. Furthermore, we conducted a security analysis to prove the correctness of our protocol on the basis of the strand spaces.

1. Introduction

Counterfeiting is one of the major problems affecting merchandising and retailing systems worldwide. According to a Grand View research report, the counterfeiting industry has cost US manufacturers more than USD 200 billion over the past two decades [1,2]. Although many researchers have adopted radio frequency identification RFID technology instead of barcode technology to address the counterfeiting problem, the problem continues to plague this industry. RFID is a reliable technology that can address many security issues, including counterfeiting and cloning. A number of researchers have proposed several methods to address these problems. Some of these methods are track-and-trace methods or Physical Unclonable Function (PUF) -based methods. However, most of the existing methods do not provide a sufficiently integrated picture to address counterfeiting and theft problems. Here, we propose a new anti-counterfeiting and anti-theft scheme for retail systems, which prevents the counterfeiting of the RFID tags attached to the products. The proposed protocol also addresses other security aspects such as authentication and confidentiality. The proposed scheme establishes strong authentication by using shared secrets, the XOR function, and randomly generated numbers, as it needs to establish trust before exchanging the tags’ information to identify these tags and determine whether the products are counterfeit or not. The communication between readers and tags is processed with wireless RF. signals in an RFID tag; therefore, eavesdroppers may listen to the communication to obtain the secret. Moreover, a tag’s memory can be read in the absence of access control; the proposed protocol also addresses this variability issue. RFID systems can be composed of frequency jamming, denial-of service (DOS) attacks, or RFID blocking, as well as exploiting tag signalling anti-collision mechanisms, etc. The physical theft of goods is common in the retail business sector as well as in the supply chain. In our study, we also considered an anti-theft system which determines whether the product was subject to theft. This will give buyers and retailers the ability to identify any stolen goods or products, thus enabling them to avoid these goods before buying them or report them to the authorities at a later stage. The proposed protocol also covers the theft of goods. Technically, we can say that the motivation of this research was to establish an RFID anti-counterfeiting and anti-theft protocol which allows us to detect any counterfeit goods or materials that use the RFID technology. It was based on a new method that takes other studies into consideration to reduce costs and increase security. Moreover, the objective was achieved by preventing the sale of tagged items or goods which had been subject to theft. Therefore, we can say that the main objective of this research was to establish a secure novelty system to prevent the counterfeiting of RFID tagged items by improving the existing RFID anti-counterfeiting methods that use cryptography as well as e-pedigree methods. The proposed protocol also addresses other security properties such as the following:

Authentication: the proposed scheme establishes strong authentication by using shared secrets and randomly generated numbers, as it needs to establish trust before exchanging the tag information to identify them and determine whether the products were counterfeit or not. Confidentiality: as the communication between readers and tags is processed with wireless RF signals in RFID technology in general, eavesdroppers may listen to obtain the secret. Moreover, the tag’s memory can be read if there is no access control. The proposed protocol also addresses this variability issue. Availability: most RFID systems can easily be disturbed by frequency jamming, denial-of service (DOS) attacks, or RFID blocking, as well as being exploited by tag signalling anti-collision mechanisms which interrupt the communication between the readers and the tags. However, these attacks are not effective when using the proposed scheme, as it takes the attacker considerable effort and time to perform a single attack with which to interrupt the process. This is still not efficient enough to stop the entire operation involved in identifying the counterfeit goods and products. Spoofing and counterfeiting: the main focus of the proposed scheme was to expose the spoofed tags and counterfeit goods, as the main purpose of the protocol was anti-counterfeiting, as discussed in Section 3. Physical theft: we also discuss an anti-theft system which determines whether the product was subject to theft. This gives buyers and retailers the ability to identify any stolen goods or products, thus enabling them to avoid these goods before buying them or report them to the authorities at a later stage. Security from threats and attacks: the proposed scheme also provides security from other threats and attacks that target RFID technology, such as replay attacks, man-in-the-middle (MITM) attacks, and de-synchronisation attacks, as detailed in the protocol process. Therefore, in general, we can say that our main contribution in this research paper is a secure anti-counterfeiting and anti-theft protocol that requires less resources and less complicated operations, which results in easy troubleshooting and updates in case of an error. Moreover, we will provide a formal security analysis at the end for the proposed protocol on the basis of the strand space method to prove that the proposed protocol is secure [3]. The rest of this paper is organised as follows: in the next section, we elaborate on the existing technologies that address the considered issues and the different methods used by previous researchers. Then, in Section 3, we explore the proposed scheme and the system set-up before we present the proposed protocol supported by figures, tables, and equations in Section 4. Later, in Section 5, we discuss the security analysis conducted using a formal method of strand spaces to test the new scheme secrets by applying a nonce test, authentication guarantee test, and encryption test to prove the secrecy of the protocol and the correctness of our scheme.

2. Literature Review

The purpose of counterfeiting products or the tags attached to them is to defraud, for example, creating counterfeit currency, watches, etc. According to a report by the International Chamber of Commerce (ICC), the global market loss reached USD 1.7 trillion by 2015 because of counterfeit goods. While every year, counterfeit goods account for 7% to 8% of the world’s trade, which results in a USD 512 billion yearly loss in global sales. US companies also lose between USD 200 billion and USD 250 billion every year [4,5]. In addition, 2.5 million jobs have been lost as a result of fake products. Furthermore, a significant number of injuries and deaths have occurred because of counterfeit materials, such as fake pharmaceutical medicines [6,7,8]. As a result, many anti-counterfeiting techniques or solutions have been proposed, such as barcodes and RFID tags.

2.1. RFID Counterfeiting Definition

RFID tag counterfeiting can be defined as creating a replica of a tag by either replicating the hardware component of a tag or by copying its software in such a way that the genuine reader, database, or users would not know the difference between the genuine tag and the replicated one.

2.2. Our Previous Work

Previously, in Reference [8], we compared the available methods which are used to address RFID counterfeiting. We also showed results of the comparison between the available techniques, such as physical [9,10] or PUF [11], track and trace [12], distance bounding [13,14] and cryptography [15] in relation to cost, adaptability and security. In Reference [16] and Reference [17], the authors presented a new method to manage RFID tags in the supply chain and to prevent tags and goods from being counterfeited by using a new protocol called the Matryoshka protocol. This protocol is a new method for managing RFID tags that reduces the reads to a minimum to achieve better security and privacy results. This was not the first work which the authors produced in the field of RFID tag security as they had previously researched the topic and proposed a secure method of authentication in Reference [18,19,20] and Reference [21]. In addition, we proposed a framework to prevent counterfeiting in Reference [3]; this was not the first work of its kind as recent system proposed by Reference [15] consists of a tag authentication protocol, which has four key players: the RFID tag, the reader, the server and the seller; and the database correction protocol, which has two players: the seller and the server. The first protocol authenticates the tags without revealing their sensitive information and allows the customer to inquire whether the tag is genuine or not; while the database correction protocol guarantees the correctness of the tag status. The tag authentication protocol determines whether a product is genuine by using $\mathit{t-id}$ and the random number $R1$. The authors also used a cryptographic one-way function F to share the secret S which is known by the legit tag. With respect to their security analysis, the authors assumed that there would be two major goals for the potential adversary: the first was to counterfeit tags by stealing the secret information of the tags, and the second was to corrupt the system functionality by attacking the server database. Both of them can be intercepted and protected against by the tag authentication protocol and the database correction protocol. In contrast, in the case of RFID tag counterfeiting, the adversary must know the secret (S) corresponding to the tag $\mathit{t-id}$, as this S is at least 128 bits in length, which satisfies the key size requirement according to ECRYPT II NIST, which enables the adversary to brute force a search to figure out S, according to the authors in Reference [22].

2.3. Other Anti-Counterfeiting Proposed Schemes

Cheung [23] also proposed a two-layer RFID-based track-and-trace anti-counterfeiting system: the front-end RFID-enabled layer is for tag programming and product data acquisition, and the back-end anti-counterfeiting layer is for processing product pedigree and authentication for high-end bottled products, such as brandy and MouTai wine. The back-end layer consists of a set of system servers that enforce a track-and-trace anti-counterfeiting information server to collect the company’s information from the Sc, an authentication server to verify the transaction records, a pedigree server to generate the complete pedigree for the products through the Internet and the mobile network, and a record server to store the screened records. At the same time, the products are identified by the embedded RFID tags which have a unique tag identification number $\left(ID\right)$ that is used to form the transaction record, which will be later verified by the authentication server to detect suspicious activities while the supply chain partners verify the partial product pedigree from the pedigree server. However, the system faces a couple of implementation issues in RFID-based track-and-trace anti-counterfeiting, such as partial tag programming; this is data loss when the tag moving speed is too fast, which leads to an incomplete information write on the tag, as it stays for such a short period of time. Other implementation issues, such as a duplication error, might occur when a unique number is programmed into two or more tags, which hamper the subsequent product authentication. A case study was also conducted to examine the implementation problems; it revealed that the use of a C1G2 UHF RFID reader for tag programming was possible by designing an Electronic Product Code (EPC) numbering scheme for the product identifier and the implementation for tag programming. Earlier, in Reference [24], the researchers proposed a feasible security mechanism for anti-counterfeiting and privacy protection, which featured mutual two-pass authentication and used a hash function as well as an XOR operation to enhance the RFID tag’s security. Although the protocol can be described as a low-cost protocol which deals with low-cost RFID tags, the protocol requires the system to store the authorised reader IDs, which might lead to further security complications. In Reference [25], the authors discussed an RFID anti-counterfeiting system for liquor products on the basis of RFID and two-dimensional barcode technologies. Furthermore, in Reference [26], the authors presented an anti-counterfeiting system for agricultural production based on five phases, which can be divided into the design of readers, tags, and the data management system. These phases are the production phase, process phase, transportation phase, storage phase, and sales phase. The idea is basic; it deals with each phase independently, yet the design needs more elaboration to clearly identify the scenarios of the anti-counterfeiting solution. In Reference [27], the authors presented a track-and-trace system for RFID-based anti-counterfeiting for pharmaceutical drugs and wine products, as they caused huge losses in revenue to genuine companies. However, some enterprises used packaging technologies such as holograms, barcodes, security inks, chemical markers, and radio frequency identification (RFID) systems. In addition, some work was done in off-the-shelf passive RFID tags in Reference [28] and Reference [29], then in Reference [30], the researchers designed a crowd monitoring approach using a mobile phone for crowd detection which adopted clustering methods and implemented the design on off-the-shelf smartphones. Furthermore, in Reference [31], the authors modified an ownership transfer protocol proposed by Kapoor and Piramuthu in Reference [32]. They could detect the counterfeit and track and trace the products in the supply chain. The suggested protocol had three phases to operate: the product delivery phase, the product takeover phase and the product sale phase. However, the researchers did not show exactly how the system was secure against all the security attacks although they claimed that their protocol protects against all types of security attacks (see

Table 1. A comparison of different anti-counterfeiting techniques.

Properties	Physical	Track and Trace	Distance Bounding Protocols	Cryptography
Use of Resources	High	Medium	Medium	Low
Complexity	Medium	Medium	Low	High
Security	High	Medium	High	Medium
Limitations	High	Low	High	Low
Adaptability	Low	High	Low	High
Research	Medium	High	Low	Medium
Pros	Impossible to clone	More reliable in industry	Best for large scale RFID tags	Low cost
Cons	Expensive and not adaptable for every industry	Issues in synchronization between e-pedigree	Distance limitations	Weak security

).

3. The Proposed Scheme

3.1. System Set-Up

Before we go through the system, we first assume that the tagged items are in a retail store and have not been compromised, as they have all been stored in a secure environment. We also assume the following:

• The product always has two tags: one attached to the product itself, and the other attached with the warranty card;
• The tag issuer is the product manufacturer who feeds the system with $\mathit{t-id}$;
• The product manufacturer also feeds the anti-counterfeiting server (AC) with the warranty card ID $\mathit{Wt-id}$;
• The product service hub (PSH), see

  Table 2. Protocol Notations.

  Notations
  AC	Anti-counterfeiting server
  AT	Anti-theft server
  PSH	Product service Hub
  $\mathit{t-id}$	Unique tag id attached to product
  S	Secret stored in the tags
  NGP	Not genuine product
  $\mathit{NO-ID}$	New owner ID
  $\mathit{EX-ID}$	Existing owner ID
  $OK$	Genuine product
  $Mt$	Warranty tag missing
  $R1$	Random number
  Q	Item number
  $R2$	Second random number
  A,B,C,D,E,F,$RF$,$Q^{\prime }$	Variables
  w	Updated Reader secret
  $\mathit{user-id}$	User id generated by PSH
  $\mathit{Wt-id}$	Unique tag id attached to warranty card or boxes

  , which is an intermediate server connected to both the AC and the anti-theft (AT) servers, is accessible by any reader with a correct $\mathit{user-id}$ to prevent the use of unauthorised or malicious applications. The reader is a device used by the customer or any Supply Chain (SC) entity and can be a smartphone with the authentication protocol downloaded from the PSH; only readers with this application can check and verify whether the product is genuine;
• Every time the buyer, customer, seller, distributor or any SC entity downloads the application from the PSH, the AT server issues an application ID to the downloader;
• If the application ID is not correct, the PSH responds ‘not correct application’ and terminates;
• The AC responds with $Ok$ to the PSH once the product is verified using the authentication method which we discuss later;
• The reader must read both tags simultaneously, otherwise, the read is incorrect or missing. In case of missing read, the PSH checks with the AT server whether the reader has an existing owner ID and application ID database, and if the tag ID is correct, it responds with $OK$ to the PSH;
• If the AC did not respond or responds incorrectly to the PSH, the PSH responds with ‘not genuine product’ ($NGP$), indicating that the product is not genuine;
• If both the AC and the AT server respond with OK to the PSH, the PSH responds with $OK$ and the AT server issues a new owner record;
• If there is no warranty card tag ID and no existing owner number, the PSH provides the response ‘invalid’ and report the application ID for checking;
• Every two tags for the same product have the same secret stored in the tags (S).

3.2. System Flow

Now, we consider a seller/buyer case were each RFID tag attached to the product stores a unique $\mathit{t-id}$ and the corresponding secret S as well as the item number Q. The reader is a device used by the customer such as a mobile phone with a genuine user ID $\mathit{user-id}$ and authentication software, which is downloaded from the PSH. The $\mathit{Wt-id}$ is a unique tag ID for the warranty card which can be found on the labels, boxes or warranty cards of the products; the same reader must read both $\mathit{t-id}$ and $\mathit{Wt-id}$ simultaneously in order to authenticate the product, as we discuss later in this paper. If the products are very small and numerous, such as is the case where many products share one box, we might also use the Matryoshka protocol. The product manufacturer is the tag issuer for both the product tags and the warranty card tags. It feeds the data of the tags to the AC server which provides authentication and confidentiality to the scheme. The entities of the database are $\mathit{t-id}$, $\mathit{Wt-id}$, S and $\mathit{user-id}$, as well as the product serial number Q. In contrast, the AT server is fed by the supplier or the retailers, as they need to provide their consent to store the buyers’ records and information in their database, which the manufacturer cannot do easily.

4. The System Process

4.1. Anti-Counterfeiting (AC) Server Process

The elements which play a role in this process are $\mathit{t-id}$, $\mathit{user-id}$, $\mathit{Wt-id}$, Q, the secret S and the reader secret w or w${}^{-1}$.

• Step 1: the reader first downloads the software or application from the PSH site. The PSH in return issues a $\mathit{user-id}$ for the buyer, including his name, his address and maybe his apple store or android ID (to obtain more security) depending on the operating system he uses (particularly when using his mobile phone), which is stored later in the AT server. The buyer can use this application to make an enquiry about a certain product in the retail store, for example, by scanning a barcode or entering the product serial number Q and sending it to the PSH through the software downloaded earlier. The reader initiates the protocol by sending Q to the reader, see Figure 1;
• Step 2: in this step, once Q is received, the PSH generates a w or a reader secret. This happens each time the reader has a request. Then, the PSH stores the w in the AC server. The PSH also verifies w from

  Table 3. Anti-counterfeiting (AC) server records.

  AC Server Records
  Serial Number	Sticker or Bar Code Number	Product Tag ID	Warranty Tag ID	Secret
  n	Q	$\mathit{t-id}$	$W\mathit{t-id}$	S

  and calculate RE from Equation (1) by generating a random number R1 and XOR-ing Q, R1 and S, before sending the results to the reader;
• Step 3: the reader forwards RE to the tags attached to the product and the warranty card. Then, the tags solve RE, determine R1 and calculate A and B. Then, the tags respond to the reader with A and B from Equations (2) and (3), as shown in Figure 2;

  $$RE=R1\oplus Q\oplus S$$

  (1)

  $$A=\mathit{t-id}\oplus S\oplus R1$$

  (2)

  $$B=w\mathit{t-id}\oplus S\oplus R1$$

  (3)
• Step 4:
  once A and B have been received by the reader, the reader generates the random number $R2$ then calculate $RF$, $Q^{\prime }$ and create C and D from Equations (4)–(7). Then, the reader sends C,D to PSH;
• Step 5: in this step, the PSH determines the user-id and the secret S, if the user-id and S are correct, it continues. If not, it terminates, then it contacts the AC server via a secure channel to determine the database of the t-id as well as the wt-ID in the record with Q, see the Table 3;

  $$RF=R2\oplus w$$

  (4)

  $$Q^{\prime }=Q\oplus w\oplus R2$$

  (5)

  $$C=A\oplus \mathit{user-id}\oplus w$$

  (6)

  $$D=B\oplus \mathit{user-id}\oplus w$$

  (7)
  The PSH gets R2 from Equation (8) then checks if Q = $Q^{\prime }\oplus w\oplus R2$ or Q = $Q^{\prime }\oplus w^{-}1\oplus R2$ and if it is true, then it extracts C and D then check if $\mathit{t-id}=A\oplus R1\oplus S$ and if $W\mathit{t-id}$ = $B\oplus R1\oplus S$, again if true, the PSH determines the N value from

  Table 4. N Value.

  N Value
  OK	1
  MT	2
  NGP	3

  .
  If all the elements $\mathit{t-id}$, $W\mathit{t-id}$ and S match the record, then it responds with $OK$ signifying that the product is genuine to the PSH; if the $\mathit{t-id}$ or the secret S is not correct, the server responds $NGP$ signifying that the product is not genuine. If the $\mathit{tw-id}$ is missing or 0, the PSH replies $Mt$ or tag missing. Then, it calculates E and F from Equations (9) and (10) and generate a new w before updating w(−1) with w and sending E and F to the reader;
• Step 6: in this step, the reader checks if $\mathit{user-id}$ = $F\oplus R2$, and if N = $E\oplus w\oplus \mathit{user-id}$, then it updates the w.

  $$R2=RF\oplus w$$

  (8)

  $$E=\mathit{user-id}\oplus N\oplus w$$

  (9)

  $$E=\mathit{user-id}\oplus R2$$

  (10)

4.2. Anti-Theft Server AT Process

The system can provide a feature to determine whether the product which is subject to investigation is stolen or not. The PSH and the AT server are the main players in this process after the AC server has responded with $OK$. A case whereby the buyers check if the product is genuine and want to buy it from the legal retailer or seller is called the ‘theft-check use case’. The seller generates a $\mathit{NO-ID}$ for the new owner and changes the existing ownership of the product by sending $\mathit{t-id}$, $\mathit{Wt-id}$ and $\mathit{NO-ID}$ to PSH which is in turn forwarded to the AT for updating. Therefore, in the AT database, the record is saved, as in

Table 5. Anti-theft (AT) server records.

AT Server Records
Record Number	Tag ID	Warranty Tag ID	New Owner ID	Existing Owner ID
n	$\mathit{t-id}$	$W\mathit{t-id}$	$\mathit{NO-ID}$	$\mathit{EX-ID}$

below:

Now, if we assume that the AT server has received a request from PSH to identify if the product is stolen or not; usually, this process is conducted once the AC server has responded with $OK$. Then, the AT server requests the $\mathit{EX-ID}$ from the PSH which in turn requests it from the user; the user must then submit a valid $\mathit{EX-ID}$ to the PSH. Once the AT server has received a valid $\mathit{EX-ID}$ from the PSH, it compares it to the record to see if it has the same $\mathit{t-id}$ and $\mathit{Wt-id}$. If it does, then the AT responds with $OK$. If the $\mathit{EX-ID}$ does not match with the $\mathit{t-id}$ and $\mathit{Wt-id}$, then the AT responds with ‘suspected item’. The seller has to submit a valid $\mathit{EX-ID}$ or a new owner ID in order to declare the product genuine otherwise it will be flagged as a ‘suspected item’. When a selling operation occurs, the genuine existing owner has to provide the seller with an owner ID for the product in order to finalise the selling operation; this enables the new owner to obtain a new owner ID. If this does not happen, the selling operation cannot be completed and the old owner can still claim ownership of the product. However, the genuine buyer still has the paperwork in order to stop the old owner claiming ownership, or, in worst case scenario, to have proof if the new owner forgets to obtain the existing owner ID or does not change the ownership of the product to the new owner ID. In other words, both the new owner ID and the existing owner ID provide a genuine ownership claim for the genuine owner who is requesting the AT server for the product; this provides flexibility and also helps trace the product to the previous owner, which helps in cases where the buyer wants to return the product or there is a warranty issue that forces the buyer to return the product.

5. Security Analysis

In order to test that our protocol Anti-Counterfeiting protocol (ACP) is correct and resistant to attacks, we started analysing it using a formal security method based on the strand and strand space technique [33,34,35,36]. The strand is a finite sequence of transmissions and receptions, or a sequence of events representing executions performed by a legitimate party or by a penetrator. The strand space is a collection of strands generated by casual interactions occurring. We suppose that PSH has executed the first node of a session by sending $RE$ to the the reader which forwards it to the tags. Does the PSH guarantee that an adversary would never be able to replicate or repeat $RF$ by listening to previous rounds? If $RE$ lacks randomness, it would allow an adversary to generate or replicate $RE$ from listening to previous rounds between the reader and the tags or between the PSH and the reader. However, this is not the case in this protocol since $RE$ contains R1 which is a random number generated by the PSH which makes $RE$ unique. Even if the penetrator was able to find the values of Q and $RE$, he would not be able to discover the randomly generated value of $R1$ or compromise the secret S since our protocol requires an initiator $AA$ to generate a fresh symmetric key $R1$ then store it in the value of $RE$ for the responder $BB$, which is in this case the reader, and the other responders $CC1$ and $CC2$ which represent the tags [33]. The responder $BB$ waits for the message A and B, which have to contain the secret S.

5.1. $AA$’s Point of View—The Nonce Test and Checking the Secrecy of $R1$

Proposition 1.

Principle 1.1 (the nonce test). Suppose that $R1$ is unique, and $R1$ is found in some rounds in the skeleton $AA$ at the node $n_1$. Moreover, suppose that, in the message of $n_1$, $R1$ is found outside all of a number of encrypted forms the term $R{E}_1$, and so in any enrichment of $BB$ of $AA$. such as $BB$ is a possible execution, either: (1) One of the matching decryption keys S is disclosed before $n_1$ occurs, so that $\mathit{t-id}$ could be extracted by the adversary; or else (2) some regular strand contains a node $m_1$ in which $R1$ is transmitted outside $RE$; however in all previous nodes $m_0$ = ${>}^{+}{m}_1$, so $R1$ was found only with this encryption and $m_1$ occurs before $n_1$. By saying that $R1$ can be obtained or extracted from the XORed forms then the adversary can do so, as in the first example above, or else some regular strand has done so (the second example above). Case 1 was excluded by the assumption S can be defined as nonoriginating (non). The protocol in Figure 3 does not appoint any instance of the behaviour described in Case 2.

Proof of Proposition 1.

  □

We start by exploring AA’s point of view by assuming that $AA$ was active in a session of $ACP$ and ask if there was any other behaviour which has occurred during the session. Exploring the behavioural activity from the $AA$ point of view is essential for analysing the protocol as it tells us which behaviour must have occurred in the system. We suppose that the initiator $AA$ has executed the first node of a session, transmitting the secret $R1$ within the message $RE$. Does $AA$ guarantee that an adversary can never obtain the value of the secret random number $R1$? The answer is no in at least two cases.

1. When the secret generator lacks randomness then an adversary may generate the key and test which one was sent. Otherwise, the way $R1$ was chosen may suggest that it is fresh and not guessable ‘uniquely originating’ for such a $R1$. This is not the case in $ACP$ since the value of $R1$ was XORed with a value that contained the secret S in $RE$;

2. When the value of $RE$ is compromised, the adversary can then extract the values of S, then also extract $R1$.

It is not important if $CC1$ or $CC2$ are dishonest or whether the $CC$’s secret S has been compromised. In both cases, $CC$’s secret has been used in a way that is not stipulated in the protocol definition. All local behaviour divides into a strand of the protocol called a regular strand and an adversary behaviour. Therefore, the principle $AA$ is regular only if its secret key is used in regular strand.

The minimal principle states that in any execution, if a set of transmission $EE$ and reception nodes are not empty in any given execution, then $EE$ has the earliest member. We call this the uncompromised key nonoriginating or ‘non’. Because of $A{A}_0$, there is a node in which $R1$ appears without encryption; however, according to the minimal principle, there is no earliest point which $R1$ appears outside of cryptography protection $RE$. The adversary could use S, via the adversary decryption; however, the assumption that S belongs to ‘non’ excludes that. If the adversary was able to reoriginate the same $R1$ by chance, then the reorigination would be an earliest unprotected transmission by $RE$. The assumption that R1 is unique excludes this. Thus, the earliest transmission of $R1$ outside the form $RE$ lies in a regular strand of our protocol. Therefore, since $R1$ is unique, it is impossible for the adversary to compromise the tags. When we examine Figure 4, we notice that the key is received by a participant only on the first node of a responder strand. While $BB$ forwards it to $CC$ after XORing it in $RE$, and since the step is executed instantly, there is no risk that the adversary or listener node between $AA$ and $CC$ can repeat this message to $CC1$ and $CC2$ to obtain the response A and B. However, if the adversary was able to do so, he would not be able to mutate the correct $RF$. This would lead to the discovery of the attempt, the operation would be held and the secret random number $R1$ would not be in danger. Which means that $A{A}_0$ is a dead end or a dead skeleton.

5.2. AA’s Point of View—The Encryption Test Checking the Secrecy of $\mathit{t-id}$

Proposition 2.

Principle 1.2 ( the encryption test ). Suppose that $\mathit{t-id}$ is found in some message received in a skeleton $BB$ at a node $n_1$. Then, in any enrichment $CC$ of $BB$ such that $CC$ is a possible execution, either: (1) The encryption key S is disclosed before $n1$ occurs, so that the adversary could construct $t_s$; or else (2) a regular strand contains a node m1 in which $\mathit{t-id}$ is transmitted, but no earlier node $m_0$ = >${}^{+}{m}_1$ contains $\mathit{t-id}$, and $m1$ occurs before n1. When applying Principle 1.2 to construct skeletons $BB1$, $BB2$, using the instance t= S, the aforementioned first example yields $BB1$ and the second example yields $BB2$. The node n1 is the later (reception) node of $BB$, see Figure 4.

Proof of Proposition 2.

  □

Suppose that an initiator has executed a local session of its role in the protocol. What forms are possible for execution as a whole behaviour? To answer this question, we assume that $t_0$ = A and B, then we analyse the transmission. Since $CC$ transmits A and B, the first node requires no explanation. The second node, through the $BB$ reception of A and B, requires an explanation, i.e., where did A and B came from? To make it easy, we only discuss A since the same case scenario applies for B. (1) Is it possible that $R1$ is disclosed to the adversary and he might have used it to prepare the message A? We can test this by adding a listener node to witness the disclosure of the encryption random number $R1$. (2) We may add a strand of the protocol, including a node that transmits A, this must be the second node of a responder strand. However, what values are possible for other parameters of the strand? This leads us to $B{B}_2$, since we excluded $B{B}_1$ which must be a deadend because it is an enrichment of $C{C}_0$. The $B{B}_2$ has an unexplained node, the upper-right node $n_D$ receiving A. If we apply principle 1.1, the value $R1$ is only observed in $t_0$, and is now received on $n_D$ in a different form. Since S belongs to the ‘non’ category, the first example does not apply, so we must have a regular strand that receives $R1$ only with encrypted form $t_0$ and retransmits it outside of $t_0$. However, in analysing $C{C}_0$, we have already seen that the protocol has no strand, which leads us to a single case of $B{B}_2$ that is similar to $B{B}_1$, so that any execution compatible with $BB$ must contain at least the behaviour shown in $B{B}_{2}1$

5.3. CC’s Point of View—The Authentication Guarantee Test Checking the Secrecy of S

Proposition 3.

Principle 1.3 (the CC’s authentication guarantee test). Suppose that S is unique, and S is found in some rounds in the skeleton $AA$ at the node $n_1$. Moreover, suppose that, in the message of $n_1$,S is found outside all of a number of encrypted forms in the term $A_1$, so in any enrichment of $CC$ of $AA$. Such as $CC$ is a possible execution, either: (1) one of the matching decryption keys S is disclosed before $n_1$ occurs, so that S could be extracted by the adversary; or else (2) some regular strand contains a node $m_1$ in which S is transmitted outside A, but in all previous nodes, S was found only with this encryption and $m_1$ occurs before $n_1$. By saying that if S can be obtained or extracted from the XORed forms then the adversary can do so ‘Case one’ or else some regular strand has done so (Case 2). Case 1 was excluded by the assumption S belongs to non.

Proof of Proposition 3.

  □

We start by exploring CC’s point of view by assuming that $CC$ was active in a session of $ACP$ and ask if there was any other behaviour which occurred during the session. Exploring the behaviour activity from the $CC$ point of view is essential for analysing the protocol as it tells us which behaviour must have occurred in the system. We suppose that the initiator $CC$ has executed the first node of a session, transmitting the secret S within the message A or B. Does $CC$ guarantee that an adversary can never obtain the value of the secret S? the answer is no in at least two cases. (1) When the secret generator lacks randomness, so an adversary may generate the key and test which one was sent. Otherwise the way S was chosen may suggest that it is fresh and not guessable or ‘uniquely originating’ for such an S. This is not the case in $ACP$ since the value of S was XORed with a value that contains a random number $R1$ in A and B. (2) When the value of $CC1$ or $CC2$ is compromised, the adversary can then extract the values of $R1$, $\mathit{t-id}$,$\mathit{Wt-id}$ then also extract S.

We notice that $CC$ sends S to $BB$ after XORing it in A and B. Because the step is executed instantly, there is no risk that the adversary or the listener node between $CC$ and $BB$ can repeat this message to $CC$ to obtain the response A and B. However, if the adversary was able to do so, he would not be able to mutate the correct A. This would lead to the discovery of the attempt, the operation would be held and the disclosure of the secret S would not be in danger. This means that $C{C}_0$ is a deadend or a dead skeleton.

6. Conclusions

Counterfeiting and theft have always been problems that incur considerable losses for international trading markets. However, not a lot of work has been done to address these problems. Here, we present a new scheme for retail markets that addresses these two issues and provides a solution that can save retailers millions of dollars every year. We applied a formal security analysis based on strand space (see Section 5) in order to prove that our scheme is secure and immune against known attacks, and provides authentication and confidentiality. There is no practical implementation for the proposed scheme yet, but we plan to do that in the near future. We also plan to add benchmarks of results to show the improvement or novelty of our proposed method compared to other proposed schemes.