P4R: Privacy-Preserving Pre-Payments with Refunds for Transportation Systems

Transcription

1 P4R: Privacy-Preserving Pre-Payments with Refunds for Transportation Systems ndy Rupp1, Gesine Hinterwälder2, Foteini3 Baldimtsi, Christof Paar2,4 Karlsruhe Institute of Technology University of Massachusetts mherst 3 Brown University 4 Ruhr-University Bochum

2 Outline Motivation ecash Overview Performance Issues P4R Description Evaluation 1

3 Motivation Transportation Payments Large volumes Low cost Have to be executed fast Electronic Payments Throughput and convenience advantages Reduced revenue collection cost Enable dynamic pricing Facilitate maintenance of a system Enable easy collection of meaningful data 2

4 Motivation Hacking the T: MBT sues to keep MIT students from telling how they cracked the CharlieCard Some call T's new Charlie Card an invasion of privacy. But agency insists safeguards in place Hackers Crack London Tube Oyster Card Privacy Concerns Raised Over Clipper Card Passenger Tracking 3

5 Motivation We need payment systems for transportation that are: Secure (unforgeable & secure against doublespending) Private (anonymous) Trusted Efficient Low-cost Usable Reliable 4

6 ecash Bank nk Ba Withdrawal Bank d in en Sp g De po s it ID 5

7 ecash ID Blind signature Bank nk Ba Bank Security Properties of Blind Signatures Blindness: Signer should not be able to view the messages he signs (i.e. Bank cannot link e-coins to specific users) Unforgeability: User should not be able to forge the signer's signatures (i.e. User cannot forge coins) 6

8 ecash Double Spending Double Spending reveals User's ID!!! 7

9 Brands' Untraceable Offline Cash Introduced in 1993 Most efficient scheme during Spending Phase Well-known and implemented (Microsoft U-Prove) [Bra93] S. Brands. Untraceable Off-line Cash in Wallets with Observers (Extended bstract). In Proceedings of the 13th nnual International Cryptology Conference on dvances in Cryptology, CRYPTO 93, pages ,

10 Brands' Untraceable Offline Cash Scheme based on cyclic group G q of prime order Coin size (elements that have to be stored on user device for each coin):, B, z ', a ', b ' G q and Withdrawal r ', s, x 0, x 1 ℤ q 12 exponentiations 2 exponentiations 0 exponentiations 3 exponentiations Spending 9

11 Implementation Results Brands' Base scheme on 160-bit elliptic curve and measure execution time on Moo computational RFID tag Storage space required per coin: 284 bytes Execution time on MSP430F2618, when based on 160-bit curve: Cycle count Brands' withdrawing one coin Brands' spending one coin Execution MHz s s [ZGRF11] H. Zhang, J. Gummeson, B. Ransford, and K. Fu. Moo: Batteryless Computational RFID and Sensing Platform

12 Implementation Results Brands' Base scheme on 160-bit elliptic curve and measure execution time on Moo computational RFID tag Storage space required per coin: 284 bytes Execution time on MSP430F2618, when based on 160-bit curve: Users should not have to withdraw Execution time Cycle count coins!!! and store too MHz Brands' withdrawing one coin Brands' spending one coin s s [ZGRF11] H. Zhang, J. Gummeson, B. Ransford, and K. Fu. Moo: Batteryless Computational RFID and Sensing Platform

13 Our pproach Build on Brands' due to efficiency reasons (could use any efficient, anonymous 2-show credential scheme) lleviate its disadvantages (large coin size, inefficient withdrawal) Minimize number of coins needed using novel pre-payments with refunds approach: Use Brands' coin as ticket Ticket price = cost of most expensive trip Cost of actual trip determined on exit Pay refund based on overpayment 11

14 P4R: Main Components Vending Machines (online) Exit Turnstiles (offline) Central Database Entry Turnstiles (offline) Subway 12

15 P4R: Main Components Buy ticket Get piggy bank 12

16 P4R: Main Components et tick ow d Sh pe tam t s et Ge tick 12

17 P4R: Main Components 12

18 P4R: Main Components ed mp sta et ow ick Sh t nd k efu n t r ba Ge iggy p in 12

19 P4R: Main Components Cash piggy bank 12

20 Brands-Based TT System Brands' coin: id s =(g 1 g 2 ) B=g 1x g x2 U 1 2, B, sig (, B) Showing coin: r 1 =d (id U s )+x 1 r 2=d s+x 2 13

21 Brands-Based TT System Brands' coin: id s =(g 1 g 2 ) x x B=g 1 g 2 U 1 2, B, sig (, B) Showing coin: r 1 =d (id U s )+x 1 r 2=d s+x 2 Double spending: r 1 r ' 1 (d d ' )id U s id U = = r 2 r ' 2 (d d ' )s r ' 1=d ' (id U s )+x 1 r ' 2 =d ' s+x 2 13

22 Brands-Based TT System Brands' coin: id s =(g 1 g 2 ) x x B=g 1 g 2 U 1 2 P4R' coin: id s =(g 1 g 2 ) x x B=g 1 g 2 C= g 1x' g 2x ' U 1 1, B, sig (, B) Showing coin: r 1 =d (id U s )+x 1 r 2=d s+x 2 Double spending: r ' 1=d ' (id U s )+x 1 r ' 2 =d ' s+x 2 2 2, B, C, sig (, B, C ) First spending: r 1 =d (id U s )+x 1 r 2=d s+x 2 Second spending: r ' 1=d ' (id U s )+x ' 1 r ' 2 =d ' s+x ' 2 13

23 P4R: BuyTT and GetRT ID ID E-TICKET Ownership (1) Ownership (2) Buy ticket Get piggy bank 14

24 P4R: BuyTT and GetRT ID ID E-TICKET Ownership (1) Ownership (2) T 0 Buy ticket Get piggy bank 14

25 P4R: BuyTT and GetRT ID ID E-TICKET Ownership (1) Ownership (2) TE-TICKET 0 T (2) TOwnership (1) TOwnership 0 T 0 Buy ticket Get piggy bank 14

26 P4R: ShowTT and GetRCT TE-TICKET (2) TOwnership (1) TOwnership (1) TOwnership TE-TICKET Show ticket Get stamped ticket 15

27 P4R: ShowTT and GetRCT (2) TOwnership (1) TOwnership T Ownership (1) TE-TICKET TE-TICKET (1) TOwnership TE-TICKET Show ticket Get stamped ticket 15

28 P4R: ShowTT and GetRCT er (2) TOwnership e ad R TE-TICKET r ade e R E-TICKET TOrigin: S Bay Time: 8/1/ Re TOE-TICKET rigin: S Bay Time: 8/1/ (2) TOwnership r ad e (1) TOwnership TE-TICKET (1) TOwnership T Ownership (1) TE-TICKET TE-TICKET (1) TOwnership TE-TICKET Origin: S Bay Time: 8/1/ Show ticket Get stamped ticket 15

29 P4R: ShowRCT and GetRefund er ea d R E-TICKET TOrigin: S Bay Time: 8/1/ er (2) TOwnership e ad R TE-TICKET T Ownership (2) 1.31 Origin: S Bay Time: 8/1/ Show stamped ticket Get refund in piggy bank 16

30 P4R: ShowRCT and GetRefund er ea d R E-TICKET TOrigin: S Bay Time: 8/1/ (2) TOwnership er e ad R TE-TICKET Origin: S Bay Time: 8/1/ T Ownership (2) T d er esabay E-TICKET TOrigin: R Time: 8/1/ Ownership (2) 1.31 Show stamped ticket Get refund in piggy bank 16

31 P4R: ShowRCT and GetRefund er ea d R E-TICKET TOrigin: S Bay Time: 8/1/ (2) TOwnership er Origin: S Bay Time: 8/1/ (2) TOwnership e ad R TE-TICKET Origin: S Bay Time: 8/1/ er R TE-TICKET e ad T Ownership (2) T d er esabay E-TICKET TOrigin: R Time: 8/1/ Ownership (2) ,25 Show stamped ticket Get refund in piggy bank 16

32 P4R: RedeemRT Cashing RT 17

33 P4R: RedeemRT valid? In DB & not cashed before? valid! Cashing RT 17

34 P4R: RedeemRT valid? In DB & not cashed before? valid! cashed Cashing RT 17

35 BLS-Signature Based RT System pairing is a bilinear map: e (a u, b v )=e (a,b)uv for all u, v, ℤ p, a, b, G p BLS-signatures requires an efficiently computable, non-degenerate pairing! Boneh-Lynn-Shacham Signatures: Keys: sk=x ℤ p, v=g x Signature on m G: σ :=H (m)x? Verification of (m, σ) : e( g, σ)=e(v, H (m)) 18

36 BLS-Signature Based RT System Refund token: RT = G, R=1, v=0 dding refund w user: r ℤ p, RT ' =RT r, v=v+w, R=R r mod p dding refund w T: RT ' =RT ' d w R dv? Verify claim for refund v : e (, h )=e ( RT ', h) w w 19

37 BLS-Signature Based RT System Refund token: RT = G, R=1, v=0 dding refund w user: r ℤ p, RT ' =RT r, v=v+w, R=R r mod p dding refund w T: RT ' =RT ' d w wi R dv? Verify claim for refund v : e (, h )=e ( RT ', h) w w 19

38 Security of P4R T Security: T does not lose any money User cannot forge tickets User cannot receive reimbursement that exceeds the overall deposit for tickets minus overall fare of trips User Security: passive adversary cannot steal tickets or refunds from a user User Privacy: dversary cannot differentiate between all possible trip sequences leading to the same total refund amount 20

39 User's Side Implementation on Moo Storage space to make 20 trips is at most 7.62 KB! Cycle count BuyTT & GetRT Execution MHz in s 84,585, , ShoeRCT & GetRefund 5,466, RedeemRT* 5,549, ShowTT & GetRCT * Excludes authenticating to the vending machine. 21

40 Thank you for your attention!!!