The blocker tag devised by Ron Rivest, Michael Szydlo, and myself is itself meant to be a simple, passive RFID device, similar in cost and form to an ordinary RFID tag. However, a blocker tag performs a special function. When a reader attempts to scan RFID tags that are marked as "private" (in a manner to be discussed below), a blocker tag jams the reader. More precisely, the blocker tag cheats the tag-to-reader communications protocol in such a way that the reader sees many billions of nonexistent tags and, therefore, stalls!
One of the chief design challenges in RFID systems is the prevention of radio collisions among messages transmitted by tags. If all tags were to broadcast their serial numbers simultaneously, the result would effectively be noise. That is, it would be hard for the reader to disentangle the many overlapping signals. To resolve this problem, reader-to-tag RFID communication protocols impose a careful scheduling on tag messages.
One such protocol is tree walking. In this protocol, the space of n-bit tag serial numbers is viewed in terms of a binary tree of depth n. If you imagine each left branch as being labeled "0" and each right branch labeled "1," then a path from the root to a given node at depth k specifies a k-bit serial-number prefix. Hence, each leaf of the tree corresponds to a unique tag serial number. Tags generally carry identifiers of at least 96 bits in length. The tree representing serial numbers, therefore, has a depth of at least 96.
To determine which tags are present, a reader performs a kind of depth-first search on the tree. It starts at the root of the tree, asking all tags to broadcast the first bit in their serial numbers. If the reader receives only a "0" transmission, it knows that all tag serial numbers begin with a "0," and recurses on the left subtree; likewise, if the reader receives only a "1," it recurses on the right subtree. If the reader detects a broadcast collision (that is, both a 0 and a 1), it recurses on both subtrees for the node (see Figure 1). At any given internal node of the tree, the reader performs this same operation; first, though, it transmits a command that causes only tags in the corresponding subtree to respond to its query. Once the reader has completed the process of traversing the tree and determined which tags are present, the process can communicate individually with tags by addressing them using their serial numbers. (This process of identifying individual tags is often called "singulation.")
In brief, then, to determine tag identities, the reader repeatedly asks subsets of tags to broadcast the bit value of their serial numbers in a particular position. The way that the blocker jams the reader is simple: When the reader asks a subset of tags to transmit their next bit, the blocker transmits both a 0 and a 1, simulating a broadcast collision. The result is that the reader believes that all possible tags are present. Since serial numbers are generally at least 96 bits in length, this means that a blocker can cause a reader to perceive more than an octillion (1027) tags—in other words, far too many to count!
For a blocking system to work productively, the blocking process must be selective. A blocker tag should only jam a reader if the reader tries to scan tags marked "private." To achieve this, you can employ a system of zoning, in which half of the serial-number tree is regarded as "public" and the other is marked as "private." For example, the left half of the tree, consisting of all serial numbers starting with a 0, might be treated as a private zone, while the other half is treated as a public zone. The first bit of any serial number in this case would indicate the public or private status of a tag. A blocker would naturally simulate collisions only in the "private" portion of the tree. In other words, a blocker tag would never prevent scanning of "public" tags in the left half of the tree, but would always do so in the right half of the tree. To change the zone of a tag from public to private in, say, a supermarket, it would suffice to flip the first bit of the serial number. (Like the "kill" command, this operation would require PIN protection to defend against malicious re-zoning.) Many variant ideas are possible here. For instance, it is possible to introduce multiple zones with different privacy policies.
DDJ
Back to Article