Cryptographic Theory Meets Practice: Efficient and Privacy-Preserving Payments for Public Transport

We propose a new lightweight cryptographic payment scheme for transit systems, called P4R (Privacy-Preserving Pre-Payments with Refunds), which is suitable for low-cost user devices with limited capabilities. Using P4R, users deposit money to obtain one-show credentials, each of which allows the user to take any single ride on the system. The trip fare is determined on the fly at the end of the trip; if the deposit backing the credential exceeds this fare, the user obtains a refund. Refund values collected over several trips are aggregated in a single token, which saves memory and increases privacy. Our solution builds on Brands's e-cash scheme to realize the prepayment system and on Boneh-Lynn-Shacham (BLS) signatures to implement the refund capability. Compared to a Brands-only solution for transportation payment systems, P4R minimizes the number of coins a user needs to pay for his rides, and thereby both the number of expensive withdrawal transactions and the storage required for the fairly large coins. Moreover, P4R enables flexible pricing, because it allows exact payment of arbitrary amounts (within a certain range) using a single fast payment (and refund) transaction. The mechanisms enabling these features require very little computational overhead. Choosing contemporary security parameters, we implemented P4R on a prototyping payment device and show its suitability for future transit payment systems. Estimation results show that the data required for 20 rides occupy less than 10 KB of memory, and that the payment and refund transactions during a ride take less than half a second. We show that malicious users cannot cheat the system by receiving a refund that exceeds the overall deposit minus the overall fare, and that such users can be identified during double-spending checks. At the same time, the system protects the privacy of honest users in that transactions are anonymous (except for deposits) and trips are unlinkable.
