Banknote Validation through an Embedded RFID Chip and an NFC-Enabled Smartphone

With the new, state-of-the-art printing devices and equipment, there has been rapid growth in the counterfeiting of banknotes. Traditional security features on banknotes are easy targets for counterfeiters, and they can easily imitate the original banknotes with fake ones. Conventional methods for validating currency require specialized devices for the authentication of banknotes. However, cost and lack of mobility of sophisticated banknote validation devices are big problems for general consumers. Modern digital solutions are attempting to complement the traditional security features through embedding radio frequency identification (RFID) chips in the banknotes, for example, Euro currency. Unfortunately, the requirement of specialized RFID readers for banknote validation impedes their widespread proliferation among consumers. To overcome this problem, a new method of banknote validation using an RFID chip and an NFC-enabled smartphone is presented. The consumer sends a banknote validation request to the Monetary Agency (MA) using her or his smartphone and an Internet connection. The MA replies by sending a random challenge to the consumer's smartphone. The RFID chip in the banknote receives the challenge, via the NFC, and calculates an equivalent response to the MA's challenge. If any of the messages are incorrect, authentication is denied. By the proposed method, consumers can easily and instantly check the originality of currency notes with the MA using their smartphones and an Internet connection. The proposed system is less expensive, computationally, than regular methods and preserves the privacy of people who carry banknotes.


Introduction
Counterfeiting money has become an enormous problem around the world. Traditional security features on banknotes, for example, holograms, are easily prone to counterfeiting. Existing techniques do not provide realistic solutions because of complexity of the sophisticated devices that are used for banknote validation. Recently, RFID chips have been used on banknotes to complement the existing security features printed on the banknotes. The new digital solutions embed the banknote's serial number in the attached RFID chips. Robust solutions require appending cryptographic methods to stop forgery and counterfeiting. RFID devices have been experimentally assessed and tested as a means for confronting the problem of counterfeit currency notes.
RFID systems are comprised of RF tags and RF tag readers. RFID tags are small, wireless microchips that are used to spot their attached targets. RFID tags generally can be classified into two categories; that is, (1) RFID tags with a power source are delivered dynamically to a reader and identified as "active tags" and (2) powerless devices, which are prompted by a reader, are identified as "passive tags" [1–3]. The reader is a machine that identifies and retrieves the RFID information from the card [4,5]. The reader challenges the tag by generating a radio frequency wave, and the tag answers the reader with an equivalent response [6]. The reader delivers the tag's answers to a final host (server). The server obtains the tag's record and recovers the tag's complete information from its response. Near-field communication (NFC) is an emerging area of communication for connecting RFID tags; hence NFC standards are based on existing RFID standards, including ISO/IEC 14443 [7]. The NFC protocol establishes a radio communication channel with NFC-enabled devices by putting them in close proximity, normally no more than a few centimeters.

Mathematical Problems in Engineering

With the improvement of computing and digital printing technology, the counterfeit industry recently has grown exponentially. An accepted counterfeiting technique is digital printing using computer scanners and high-resolution printers. Although banknotes already contain security attributes, such as holograms, foil lines, special threads, microprinting, special inks, and watermarks [6], additional protection is required. The aim of this paper is to offer a comprehensive solution against the use of counterfeit banknotes using RFID chips embedded in currency notes. The proposed technique will allow individuals to verify banknotes using a portable token (e.g., their smartphones) without going to a facility or making personal or direct contact with an agency. In the proposed system, the consumer does not need to have specialized RFID readers; rather he or she can use an NFC-enabled smartphone for this purpose. The capability of using smartphones for detecting counterfeit money will, in turn, lead to their widespread use for this purpose by consumers. It will influence wide-ranging consumers to validate their currency by their smartphones extensively without the need for any complicated currency validation tools. The proposed protocol provides a set of required security features, and it guarantees low communication and computational costs in terms of number of communications required between the reader-tag and the mathematical operations, respectively. The analysis shows that the proposed protocol achieved the required performance goal and the security goal. The rest of the paper is organized as follows. Section 2 discusses the related work, Section 3 illustrates the security requirements, Section 4 proposes our currency validation protocol, Section 5 analyzes the security attributes and evaluates performance, and Section 6 presents our conclusions.

Related Work
Several research scientists have attempted to develop secure communication protocols for detecting counterfeit money using lightweight RFIDs. RFIDs facilitate non-line-of-sight and very rapid examining of unique IDs. It allows practical handling of unique identifiers in open-loop supply chains. Generally, identifiers can be symbolized in barcodes or holograms as well, but a line-of-sight communication would be required, and they must be read one by one in a very exhaustive process. RFID chips can obtain a single factory programmed ID that is locked after writing, making it unchangeable. The number of chips is limited and requires trusted chip authorities who do not produce duplicate IDs. They should be made in a random distribution instead of used sequential numbers inside a certain number-space, making it essentially impervious to unauthorized disclosures of the legal ID. Preventing counterfeiting by tracking and tracing possessions across the supply chain utilizes central or connected databases by detecting any abnormal trace patterns of RFID tags. There are two fundamental categories of RFID authentication schemes, that is, the use of digital signature-based protocols and challenge-response protocols. However, in the challenge-response authentication, we could have a mutual authentication with a symmetric scheme as well as a one-sided authentication with an asymmetric scheme. To prevent counterfeiting, the authenticity of the service distributed is verified alongside the delivery chain and possibly at the end-users as well. However, many checkpoints are not online. Also, public key cryptography offers different options between complexity on the tag and complexity in the infrastructure. Therefore public key cryptography is an attractive alternative to symmetric key systems, in particular for open and offline systems. However, cryptographic tags have cost and performance limitations due to their additional hardware and the processing time required. The following subsection illustrates some of the schemes that have been presented and their weaknesses.
Hash-based access control (HAC), proposed by Weis et al. [5,8], uses a one-way hashing to latch the RFID tags. A latched tag uses a hash of a random key to be its meta-ID. When latched, a tag reacts to every inquiry by its fixed meta-ID. HAC is vulnerable to location tracking attacks because the meta-ID is stationary at any time when a tag is needed. Randomized access control (RAC) stops this tracking vulnerability, but it is susceptible to tag impersonation attacks since a captured tag's answer can be repeated. In addition, it does not grant backward untraceability since the tag's ID is stationary.
Lane et al. disclosed a method and apparatus for authenticating currency wherein the currency contains a foundation, such as paper, and an implanted RFID transponder [9]. An implanted RFID transponder or electronic watermark could include several sequencing levels of electronic passwords, which could be used to defend the host currency from any illegal alteration. In addition, such smart RFID tags may, outstandingly, classify an original certificate and its related information. The validating organization can use a public/private electronic product code (EPC) database as a facility to authenticate documents by the authenticating agency. The smart EPC could be used as an anticounterfeit system to facilitate a third party's request in order to offer services, profits, or monetary payments to validate documents and stop the counterfeiting of money.
Pareskevakos presented a system and method for currency authentication [10]. In Pareskevakos's system, the currency is authenticated by evaluating the classifying information taken from the banknote itself, such as the note's correlated serial number, to identify information in a directory related to invalid currency, such as fake currency. If the extorted classifying information matches information on the directory, the note is considered original. Optical character recognition could be used to extract the classifying information.
Ohkubo et al. presented an inexpensive hash chain method to revise the tag's secret data and grant forward security [11,12]. It was intended to classify a communication party while guaranteeing privacy. However, it is susceptible to replay attacks [9], and, consequently, it allows an intruder to masquerade as a tag without any knowledge of the hidden information on the tag.
Henrici and Müller (HM) proposed a one-way hash function to countermeasure tag-tracing violations by enhancing the privacy of the location. The tag answers a reader's inquiry with double hashes and renews its saved values after a legal validation. This proposition still allows an amount of tag tracing because a tag replies with the identical answer before its legitimate validation. In addition, forward security cannot be guaranteed since an intruder can analyze prior sessions' tag identifiers from the tag's present identifier with the random number of the server.
In 2007, a mutual authentication protocol for RFID was researched by Chien and Chen [13]. A challenge-response technique was presented to stop replay attacks. The server record contains images of previous and fresh tag keys to prevent denial-of-service attacks. The authentication key and the access-key are renewed cooperatively subsequent to a valid authentication to give backward untraceability. However, the system authorizes backward and forward traceability, since an intruder who exposes a tag could recognize a tag's earlier exchanges from the prior communications and can examine the tag's upcoming dealings. Furthermore, an intruder can impersonate an authorized server to a tag by obtaining the tag's private values.
Duc et al. demonstrated a synchronized connection method for the RFID tag of the EPCGlobal-Class-1-Gen-2 [14]. It considers a pseudo-random number producer and a CRC check. It is not able to counter replay attacks prior to the subsequently valid authentication. Critically, a DoS attack can get a server and a tag out of synchronization [15]. It cannot present backward intractability if the fixed EPC and the access-key PIN are disclosed [13].
Song and Mitchell presented a scheme by utilizing the challenge-response approach to avoid tag impersonation attacks and replay attacks [5]. It uses random challenge values to give unpredictable tag responses. To circumvent denial-of-service attacks in case of a lack of synchronization in the shared private updating, the back-end server saves the updated values with their earlier values for the next validations. If the validation and authentication process is successful, subsequently, the tag and the server will update their common private values using swapped random numbers, thereby achieving untraceability. A main attribute of the algorithm is that a random number produced by a tag acts as a short-term private value for the tag. An alternative attribute is that a tag only requires saving identification, which is a cryptohash function of a bit-string allocated to the tag. The scheme was intended to decrease the use of complicated cryptographic functions and to replace them with straightforward functions, such as bit-wise exclusive-or and left and right shift registers to join data sequences. Security threats to RFID protocols also are discussed in [5, 11, 16–18], and the use of RFID -chips for detecting counterfeit money is discussed in [18–25].
2.1. RFID -Chip. Improvement of low-cost RFIDs was initiated in 1998 as an authentication enclosure integrated circuit to help avert the counterfeiting of currency [26]. Each -chip IC has a 128-bit, exclusive identifier that is configurationally part of the chip. The -chips function at an operating frequency of 2.45 GHz. The normal time for the exchange of messages to and from the reader and the -chip is about 20 ms [15]. Maximum reading distance between the reader and the tag is about 30 cm in the free space. With an area of 0.4 mm², -chips can be implanted in the currency and transmit defined information over a low-range space. Also, the fabrication of chips per silicon wafer is roughly twice that of the typical 0.7 mm² RFID chips. The smaller chip is called the powder large-scale integrated (LSI) chip, which also saves a 128-bit identification.
Powder LSI chips contain basically the identical constituents as the -chip, but they are cuddled into minor pieces. A main reason for the added efficiency was the use of what is named "90-nanometer silicon-on-insulator" (SOI) expertise. SOI allows processors to execute better and use less power than those formed by traditional methods as it separates transistors with an insulator. The insulator decreases the absorption of electrical energy into the surrounding medium and keeps the transistors separated, which stops interference between transistors and lets them be grouped more closely together, making the chip smaller in size [27].

Juels and Pappu's Scheme.
In [25], Juels and Pappu proposed a scheme that allows the verification of banknotes, which allows a law enforcement agency L to legally track interesting banknotes. They identified four entities that are involved in treating banknotes; that is, (1) a central bank that is authorized to produce and issue banknotes is denoted by B, (2) a law enforcement agency that is able to trace the flow of banknotes is denoted by L, (3) the merchant is denoted by M, and (4) the consumer is denoted by C. B creates the banknotes and has a signing key pair (  ,   ) for Sign(⋅). L is the banknote tracing agency, and it has an encryption key pair (  ,   ) for Enc(⋅). M checks the received banknotes in a trade and has the responsibility of notifying L when a forgery is detected. The Juels-Pappu banknote protection scheme (RBPS) uses RFID -chips (tags) to prevent counterfeiting the banknote. They used two data sources on the currency, that is, the visual or ocular data issued on the currency, for example, the PDF417 2D bar code, and the digital data saved on an RFID tag with keyed-reading and keyed-writing abilities. Table 1 presents two data sources on currency (a bill).
The serial number and the value of a banknote are denoted by S and den, respectively. Juels-Pappu RBPS involves the following procedure.
(1) Banknote Creation B calculates ∑  = Sign(  ,   ‖den  ) and prints the serial number   and the signature ∑  on a banknote.
B picks a random value  and puts it in the -cell.
B evaluates the key   = ℎ(∑  ) for a banknote.
B adjusts the reading/writing facilities as below: the -cell is publicly readable and writable with a   as an access-key; the -cell is readable/writable with an access-key   .
(2) Banknote Verification M examines the optical region to get   and ∑  and then calculates an access-key   = ℎ(∑  ).
M reads   from the -cell and reads  with a key from the -cell.
(3) Banknote Anonymity M selects   in a random way and keyed-writes it into the -cell.
M computes  = Enc(  , ∑  ‖  ,   ) and keyed-writes it into the -cell. L validates a signature (  ‖den  ) t Veri(  ‖ ∑  ) to obtain the serial number   for tracking. Unless all of these steps in currency validation and banknote anonymity are successful, the merchant must inform L. Juels-Pappu RBPS is vulnerable to data recovery, the cookies threat, access-key tracking, denial-of-service attack, and cipher-text tracking, as shown in [7].

Security Requirements
In this section, a number of advantageous security attributes as well as security threats to RFID protocols are discussed [5, 11, 16–18].
3.1. Nonrepudiation. Typically, "nonrepudiation" refers to the capability of ensuring that a communication party cannot deny the authenticity of the receipt security credentials that have been originated by the main server. Consequently, the RFID tags are not able to deny what they receive from the server.

3.2. Freshness. Encryption materials must be fresh and different from the reprocessing of previous keying material.

Known-Key Security.
A protocol output should come with an exclusive shared secret.If a shared secret is compromised, it should have no effect on the other shared secrets.

Server Impersonation.
An opponent, with knowledge of a tag internal condition, is able to masquerade as a legitimate server to the tag.

Timeliness.
The process has to be accomplished in a planned amount of time and message exchange should be in a limited session.
3.6. Monitoring. Administration deals with keeping track of banknotes in exchange.

Replay Attack.
In such an attack, the intruder reprocesses exchanged messages from prior communication sessions to perform the replay attack.

Currency Validation Protocol
RFID -chips have had a significant impact on security, especially in the detection of counterfeit currency [18–25]. However, those systems do not provide a high confidence level in terms of security and accuracy. The RFID -chip holds a 128-bit storage, including the note's serial number, which cannot be easily duplicated. However, there is concern that success in duplication of a serial number will lead to mass counterfeiting and failure to detect counterfeit notes. In the proposed work, an NFC-enabled smartphone was used to verify the authenticity of a banknote with high confidence in the accuracy. A key element of the present technique is the step of requiring the -chip on the banknote to do a calculation in response to a challenge that includes a random question.
4.1. Notation. We use the following notation in the description of the protocol.

Description of the Protocol.
The aim of the proposed scheme is to use a zero-knowledge proof instead of using public key cryptography. Two dissimilar hashes, ℎ  (⋅) and ℎ  (⋅), were included to satisfy the algorithm's challenge-response function [24], as depicted in Figure 1.
We integrated two dissimilar one-way hashes, ℎ  (⋅) and ℎ  (⋅), to preset our algorithm challenge-response function [10], as shown in Figure 1. Hence, MA sends refreshed challenge indexes (  ,   ) to U for the tth authentication. Then, U prompts those indexes to her or his token to be transferred to the -chip using RFID communication. The -chip responds with the corresponding response to the user's smartphone over the RFID channel. The smartphone transfers the -chip's response to MA for validation. With the result of the validation, the server confirms the validity of the banknote. Both U and MA have the same initial seed value.

Currency Creation.
(1) As shown in Table 2, MA embeds the two RFID -chips (i.e.,  and  chips) [25,28] in the currency that contains a tamperproof primary value (the bill seed)   and issues the serial number on the banknote.
(2) The validation counting value for each note is kept in the issuer/authenticator's server MA.
(3) The issuer/authenticator's server MA does not need to indicate the bill's serial number.
(4) The issuer/authenticator's server MA ensures that the -cell is unreadable and self-writable and that the -cell is openly readable and only writable by .

Currency Validation.
(1) When an individual consumer or U receives a banknote and wishes to check its validity, U uses the NFC smartphone to read the information on the -chip (message number 1) and to automatically send a request to the issuer/authenticator's server (message number 2). The message communication is shown in Figure 2.
(2) The issuer/authenticator's server MA then verifies the value and serial number and, if the values are correct, responds with a random challenge (  ,   ) for the next authentication round, the (+1)th (message number 3), which requires a calculation by the RFID -chip embedded in the banknote. This calculation is done by hashing (  ()) by ℎ  (⋅)   times to get (  ( + 1)) = (ℎ    (  ())), which is defined as the current seed, and afterwards hashing this current seed by ℎ  (⋅)  times to get ℎ    (ℎ    (  ())), which is transferred to the -cell, () → (), which is publicly readable. This challenge is sent to the smartphone and transferred to the banknote's -chip, as shown in Figure 2, message number 4.
(3) The server MA receives and digests the response for the ( + 1)th authentication in message number 5 and message number 6. If MA receives the correct response, it sends a confirmation or authentication through message number 7.  information about the banknote. In each authentication session, the equivalent reply value must be distorted.
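
The challenge-response round in the validation steps above can be simulated end to end. The following is an added example, not code from the paper: it assumes domain-separated SHA-256 and SHA3-256 as the two dissimilar hashes, challenge indexes drawn from 1 to 16, and hypothetical names (`Chip`, `MonetaryAgency`, `validate`, `replay_old_response`); the serial numbers used with it are constructed.

```python
import hashlib
import hmac
import secrets

MAX_INDEX = 16  # assumption: upper bound for each challenge index


def h_a(data: bytes) -> bytes:
    """First one-way hash (assumed instantiation: domain-separated SHA-256)."""
    return hashlib.sha256(b"hA|" + data).digest()


def h_b(data: bytes) -> bytes:
    """Second, dissimilar one-way hash (assumed instantiation: SHA3-256)."""
    return hashlib.sha3_256(b"hB|" + data).digest()


def iterate(h, value: bytes, times: int) -> bytes:
    """Apply hash h to value the given number of times."""
    for _ in range(times):
        value = h(value)
    return value


class Chip:
    """Chip on the note: a seed cell (modelled as unreadable) and a public cell."""

    def __init__(self, serial: str, seed: bytes):
        self.serial = serial
        self.seed = seed
        self.public_cell = b""

    def respond(self, x: int, y: int) -> bytes:
        self.seed = iterate(h_a, self.seed, x)          # becomes the current seed
        self.public_cell = iterate(h_b, self.seed, y)   # publicly readable response
        return self.public_cell


class MonetaryAgency:
    def __init__(self):
        self.notes = {}    # serial -> [current seed, validation counter]
        self.pending = {}  # serial -> (x, y) of the open challenge

    def issue(self, serial: str) -> Chip:
        seed = secrets.token_bytes(32)
        self.notes[serial] = [seed, 0]
        return Chip(serial, seed)

    def challenge(self, serial: str):
        if serial not in self.notes:
            return None
        x = secrets.randbelow(MAX_INDEX) + 1
        y = secrets.randbelow(MAX_INDEX) + 1
        self.pending[serial] = (x, y)
        return x, y

    def verify(self, serial: str, response: bytes) -> bool:
        open_challenge = self.pending.pop(serial, None)  # each challenge is single use
        if open_challenge is None:
            return False
        x, y = open_challenge
        seed, counter = self.notes[serial]
        next_seed = iterate(h_a, seed, x)
        expected = iterate(h_b, next_seed, y)
        if not hmac.compare_digest(expected, response):
            return False
        self.notes[serial] = [next_seed, counter + 1]  # commit only on success
        return True


def validate(ma: MonetaryAgency, chip: Chip) -> bool:
    """Smartphone role: relay the challenge to the chip and the response to MA."""
    indexes = ma.challenge(chip.serial)
    if indexes is None:
        return False
    return ma.verify(chip.serial, chip.respond(*indexes))


def replay_old_response(ma: MonetaryAgency, serial: str, captured: bytes) -> bool:
    """Answer a fresh challenge with a response captured in an earlier round."""
    if ma.challenge(serial) is None:
        return False
    return ma.verify(serial, captured)
```

In this model the chip advances its seed as soon as it answers, while MA advances only after a correct response, so a response lost in transit leaves the two out of step.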
4.6. Currency Tracing. The proposed scheme allows standard and nonspecialist consumers to identify fake banknotes by using their smartphones. Individual consumers can report fake banknotes to the administration MA. Consequentially, the capability of identifying fake currency is fully achieved.

Security, Performance Analysis, and Comparison
The algorithm we presented can obstruct the off-line guessing attack; thus it leads to strong answers, anchored in strong hash functions.The prevention of counterfeiting comes by detecting and eliminating banknote forgeries and the production of fake bills over a random generation of serial numbers.In the following subsections, a security analysis of the proposed scheme is illustrated [29,30].

Nonrepudiation Attack.
To circumvent the nonrepudiation attack, the authentication parties U and MA must update their shared secret value, (  ( + 1)) = (ℎ    (  ())), one time per round.Consequently, the client updating will be used as the host's next verifier, and vice versa, so that any unauthorized modification of the exchanged vectors will be detected by the authentication party.

Freshness.
The authentication credentials should be fresh; that is, material that has been used should not be reused.This is to be done by maintaining the randomization of the generated challenges and, consequently, the equivalent response.

Known-Key Security.
The proposed protocol grants security against the known key.That is why each run of the protocol between authentication parties U and MA should make an exclusive shared key, which relies on random challenges.Even if an adversary has discovered some other earlier keys, he or she cannot guess a future key.Therefore, the protocol attains its goal against the adversary.

Server Impersonation.
An opponent could demand a certain tag to renew its common secrets. The tag and the genuine server could then be unsynchronized with authentication counter   and incapable of successful communication.
5.5. Timeliness. In the proposed protocol, we tried to decrease the number of swapped messages between authentication parties and the direct message exchange in real-time. In addition, the size of the messages was short.

Monitoring and Tracking.
The trusted authority (i.e., issuer/authenticator's server MA) has the full keying resources and sequentially achieves admittance to those associated keys, such that key-escrow is fully achieved.Thus, nonspecialist consumers have the ability to detect counterfeiting easily.Then the tracking capability is implicitly and completely achieved.

Preplay Attack.
To avoid this attack, shared secrets should be revealed only to tags and the server. Also, challenge-response authentication addresses this threat.

Replay Attack.
Gaining of unauthorized access by replaying reusable passwords is restricted by encoding passwords, which are used only once.

5.9. Forgery Attack. The algorithm we used has a high forgery-attack confrontation. The data recovery attack is banned provided that the second hash function ℎ  (⋅) is unbroken, and ℎ  (⋅) will not help a counterfeiter recover any information required to make a counterfeit copy with a certain serial number. However, in case of the failure of ℎ  (⋅) and obtaining the required information by the forger to generate multiple copies of given banknote with a serial number, MA will achieve a lack of synchronization with its counter   .

Recovery Attack.
As has been illustrated previously, the recovery attack cannot be executed in the survival of ℎ  (⋅), which is the blockade for any intruder who is attempting to acquire any hidden information. Also, it is important to note that no access-key is needed for hiding information. Table 3 [5] presents a comparison between the presented algorithm and contemporary algorithms considering the number of operations required by each communication party.

Conclusions
In this paper, the currency counterfeiting problem has been addressed. Schemes for protecting electronic cash must include cryptomethods to deal with forgery and counterfeiting problems. A new banknote validation technique has been presented which is based on the use of an RFID -chip and an NFC-enabled smartphone. A banknote is issued with a value, a serial number, and a secret seed message that is also saved on the MA. A tamperproof RFID -chip is embedded in the currency note and includes the value, serial number, and secret message that is used for validation. The smartphone reads the information on the chip and requests the MA to validate the note. The MA transmits a challenge through an Internet connection and the -chip calculates an equivalent answer that is sent to the MA. An approval or disapproval is then sent to the smartphone. This possibility of using these devices to detect counterfeit money results in the extensive deployment of this technology among regular and nonspecialist end-users. It will encourage the general public to check for counterfeit money using smartphones without the need for any sophisticated and expensive optical devices. The presented validation technique satisfies the security requirements for banknote counterfeit detection. It has been compared with some related schemes with regard to computational efficiency and performance analysis. The comparisons showed that the proposed scheme is more efficient and effective than existing schemes.

Figure 1: Challenge-response internal function based on two different types of hashes.

Figure 2: Framework and operations of the proposed scheme.

Table 1: Banknote data storage format in Juels and Pappu's scheme.

Table 2: Banknote data storage format in the proposed scheme.

Table 3: Comparison of the presented scheme and related schemes in terms of computational costs. : a computationally complex function (such as a CRC or a hash function).