P4R: Privacy-Preserving Pre-Payments with Refunds for Transportation Systems

Similar documents
Cryptographic Theory Meets Practice: Efficient and Privacy-Preserving Payments for Public Transport

ECash and Anonymous Credentials

18734: Foundations of Privacy. Anonymous Cash. Anupam Datta. CMU Fall 2018

Cryptographic e-cash. Jan Camenisch. IBM Research ibm.biz/jancamenisch. IACR Summerschool Blockchain Technologies

Uncloneable Quantum Money

A FEW E-COMMERCE APPLICATIONS. CIS 400/628 Spring 2005 Introduction to Cryptography. This is based on Chapter 9 of Trappe and Washington

Introduction to Cryptography Lecture 13

George Danezis Microsoft Research, Cambridge, UK

Dr George Danezis University College London, UK

Blind Signature Protocol Based on Difficulty of. Simultaneous Solving Two Difficult Problems

Fairness realized with Observer

Essam Ghadafi CT-RSA 2016

Accumulators and U-Prove Revocation

Intermediate Math Circles March 7, 2012 Problem Set: Linear Diophantine Equations II Solutions

Anonymous Credentials Light

Improved Algebraic MACs and Practical Keyed-Verification Anonymous Credentials

Unlinkable Divisible Electronic Cash

Divisible E-cash Made Practical

Efficient Identity-Based Encryption Without Random Oracles

Efficient Identity-based Encryption Without Random Oracles

Anonymous Proxy Signature with Restricted Traceability

Research Article On the Security of a Novel Probabilistic Signature Based on Bilinear Square Diffie-Hellman Problem and Its Extension

A New RSA-Based Signature Scheme

Blind Collective Signature Protocol

Anonymous Credentials Light

is caused by the urgent need to protect against account-holders who doublespend their electronic cash, since hardly anything is easier to copy than di

Lecture Notes. (electronic money/cash) Michael Nüsken b-it. IPEC winter 2008

1 Number Theory Basics

An Overview of Homomorphic Encryption

A METHOD FOR REVOCATION IN GROUP SIGNATURE SCHEMES

ID-Based Blind Signature and Ring Signature from Pairings

Katz, Lindell Introduction to Modern Cryptrography

Abstract of Efficient Cryptography for Information Privacy by Foteini Baldimtsi, Ph.D., Brown

Colluding Attacks to a Payment Protocol and Two Signature Exchange Schemes

Short Signatures Without Random Oracles

An Efficient ID-based Digital Signature with Message Recovery Based on Pairing

Notes for Lecture 17

Cryptology. Vilius Stakėnas autumn

Practical Compact E-Cash

Asymmetric Pairings. Alfred Menezes (joint work with S. Chatterjee, D. Hankerson & E. Knapp)

Lecture Notes 15 : Voting, Homomorphic Encryption

A Anonymous Split E-Cash Towards Mobile Anonymous Payments

Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know?

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

Security Arguments for Digital Signatures and Blind Signatures

Lecture 14 More on Digital Signatures and Variants. COSC-260 Codes and Ciphers Adam O Neill Adapted from

Chapter 7: Signature Schemes. COMP Lih-Yuan Deng

Snarky Signatures: Minimal Signatures of Knowledge from Simulation-Extractable SNARKs

Security Analysis of Some Batch Verifying Signatures from Pairings

Digital Signatures. Adam O Neill based on

Elliptic Curve Cryptography and Security of Embedded Devices

A Pairing-Based DAA Scheme Further Reducing TPM Resources

Practical Round-Optimal Blind Signatures in the Standard Model

Anonymous Credential Schemes with Encrypted Attributes

Risk Management for E-Cash Systems with Partial Real-Time Audit

PARTIALLY BLIND SIGNATURE SCHEME BASED ON CHAOTIC MAPS AND FACTORING PROBLEMS

A handy multi-coupon system

Group Blind Digital Signatures: A Scalable Solution to Electronic Cash

Tampering attacks in pairing-based cryptography. Johannes Blömer University of Paderborn September 22, 2014

Security Protocols and Application Final Exam

Introduction to Modern Cryptography Lecture 11

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Accountability. User Guide

Short Signature Scheme From Bilinear Pairings

A Direct Anonymous Attestation Scheme for Embedded Devices

Privacy of Numeric Queries Via Simple Value Perturbation. The Laplace Mechanism

An ID-based Server-aided Verification Short Signature Scheme Avoid Key Escrow

No#ons of Privacy: ID- Hiding, Untrace- ability, Anonymity & Deniability

ABHELSINKI UNIVERSITY OF TECHNOLOGY

Limitations on Transformations from Composite-Order to Prime-Order Groups: The Case of Round-Optimal Blind Signatures

Proofs on Encrypted Values in Bilinear Groups and an Application to Anonymity of Signatures

Systèmes de preuve Groth-Sahai et applications

On the (Im)possibility of Projecting Property in Prime-Order Setting

Cryptanalysis and improvement of an ID-based ad-hoc anonymous identification scheme at CT-RSA 05

A Novel Strong Designated Verifier Signature Scheme without Random Oracles

Pairing-Based Identification Schemes

Balancing Accountability and Privacy Using E-Cash (Extended Abstract)

Verifier-Local Revocation Group Signature Schemes with Backward Unlinkability from Bilinear Maps

An Introduction to Pairings in Cryptography

Security of Blind Signatures Revisited

Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives

Public Key Cryptography

[6] was based on the quadratic residuosity problem, whilst the second given by Boneh and Franklin [3] was based on the Weil pairing. Originally the ex

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers

ISeCure. The ISC Int'l Journal of Information Security. An Efficient Blind Signature Scheme Based on the Elliptic Curve Discrete Logarithm Problem

Cryptography from Pairings

PAIRING-BASED IDENTIFICATION SCHEMES

A Practical Set-Membership Proof for Privacy-Preserving NFC Mobile Ticketing

Mathematics of Public Key Cryptography

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks

Identity-based encryption

A New Approach to Practical Active-Secure Two-Party Computation

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

Identity-Based Online/Offline Encryption

Anonymous Transferable E-Cash

A Practical Set-Membership Proof for Privacy-Preserving NFC Mobile Ticketing

Synchronized Aggregate Signatures from the RSA Assumption

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

CSC 774 Advanced Network Security

CSC 774 Advanced Network Security

Transcription:

P4R: Privacy-Preserving Pre-Payments with Refunds for Transportation Systems ndy Rupp1, Gesine Hinterwälder2, Foteini3 Baldimtsi, Christof Paar2,4 Karlsruhe Institute of Technology University of Massachusetts mherst 3 Brown University 4 Ruhr-University Bochum 1 2 0964641

Outline Motivation ecash Overview Performance Issues P4R Description Evaluation 1

Motivation Transportation Payments Large volumes Low cost Have to be executed fast Electronic Payments Throughput and convenience advantages Reduced revenue collection cost Enable dynamic pricing Facilitate maintenance of a system Enable easy collection of meaningful data 2

Motivation Hacking the T: MBT sues to keep MIT students from telling how they cracked the CharlieCard Some call T's new Charlie Card an invasion of privacy. But agency insists safeguards in place Hackers Crack London Tube Oyster Card Privacy Concerns Raised Over Clipper Card Passenger Tracking 3

Motivation We need payment systems for transportation that are: Secure (unforgeable & secure against doublespending) Private (anonymous) Trusted Efficient Low-cost Usable Reliable 4

ecash Bank nk Ba Withdrawal Bank d in en Sp g De po s it ID 5

ecash ID Blind signature Bank nk Ba Bank Security Properties of Blind Signatures Blindness: Signer should not be able to view the messages he signs (i.e. Bank cannot link e-coins to specific users) Unforgeability: User should not be able to forge the signer's signatures (i.e. User cannot forge coins) 6

ecash Double Spending Double Spending reveals User's ID!!! 7

Brands' Untraceable Offline Cash Introduced in 1993 Most efficient scheme during Spending Phase Well-known and implemented (Microsoft U-Prove) [Bra93] S. Brands. Untraceable Off-line Cash in Wallets with Observers (Extended bstract). In Proceedings of the 13th nnual International Cryptology Conference on dvances in Cryptology, CRYPTO 93, pages 302 318, 1994. 8

Brands' Untraceable Offline Cash Scheme based on cyclic group G q of prime order Coin size (elements that have to be stored on user device for each coin):, B, z ', a ', b ' G q and Withdrawal r ', s, x 0, x 1 ℤ q 12 exponentiations 2 exponentiations 0 exponentiations 3 exponentiations Spending 9

Implementation Results Brands' Base scheme on 160-bit elliptic curve and measure execution time on Moo computational RFID tag Storage space required per coin: 284 bytes Execution time on MSP430F2618, when based on 160-bit curve: Cycle count Brands' withdrawing one coin Brands' spending one coin Execution time @16 MHz 69 120 181 4.32 s 35 052 0.0022 s [ZGRF11] H. Zhang, J. Gummeson, B. Ransford, and K. Fu. Moo: Batteryless Computational RFID and Sensing Platform. https://web.cs.umass.edu/publication/docs/2011/um-cs-2011-020.pdf. 2011. 10

Implementation Results Brands' Base scheme on 160-bit elliptic curve and measure execution time on Moo computational RFID tag Storage space required per coin: 284 bytes Execution time on MSP430F2618, when based on 160-bit curve: Users should not have to withdraw Execution time Cycle count coins!!! and store too many @16 MHz Brands' withdrawing one coin Brands' spending one coin 69 120 181 4.32 s 35 052 0.0022 s [ZGRF11] H. Zhang, J. Gummeson, B. Ransford, and K. Fu. Moo: Batteryless Computational RFID and Sensing Platform. https://web.cs.umass.edu/publication/docs/2011/um-cs-2011-020.pdf. 2011. 10

Our pproach Build on Brands' due to efficiency reasons (could use any efficient, anonymous 2-show credential scheme) lleviate its disadvantages (large coin size, inefficient withdrawal) Minimize number of coins needed using novel pre-payments with refunds approach: Use Brands' coin as ticket Ticket price = cost of most expensive trip Cost of actual trip determined on exit Pay refund based on overpayment 11

P4R: Main Components Vending Machines (online) Exit Turnstiles (offline) Central Database Entry Turnstiles (offline) Subway 12

P4R: Main Components Buy ticket Get piggy bank 12

P4R: Main Components et tick ow d Sh pe tam t s et Ge tick 12

P4R: Main Components 12

P4R: Main Components ed mp sta et ow ick Sh t nd k efu n t r ba Ge iggy p in 12

P4R: Main Components Cash piggy bank 12

Brands-Based TT System Brands' coin: id s =(g 1 g 2 ) B=g 1x g x2 U 1 2, B, sig (, B) Showing coin: r 1 =d (id U s )+x 1 r 2=d s+x 2 13

Brands-Based TT System Brands' coin: id s =(g 1 g 2 ) x x B=g 1 g 2 U 1 2, B, sig (, B) Showing coin: r 1 =d (id U s )+x 1 r 2=d s+x 2 Double spending: r 1 r ' 1 (d d ' )id U s id U = = r 2 r ' 2 (d d ' )s r ' 1=d ' (id U s )+x 1 r ' 2 =d ' s+x 2 13

Brands-Based TT System Brands' coin: id s =(g 1 g 2 ) x x B=g 1 g 2 U 1 2 P4R' coin: id s =(g 1 g 2 ) x x B=g 1 g 2 C= g 1x' g 2x ' U 1 1, B, sig (, B) Showing coin: r 1 =d (id U s )+x 1 r 2=d s+x 2 Double spending: r ' 1=d ' (id U s )+x 1 r ' 2 =d ' s+x 2 2 2, B, C, sig (, B, C ) First spending: r 1 =d (id U s )+x 1 r 2=d s+x 2 Second spending: r ' 1=d ' (id U s )+x ' 1 r ' 2 =d ' s+x ' 2 13

P4R: BuyTT and GetRT ID ID E-TICKET Ownership (1) Ownership (2) Buy ticket Get piggy bank 14

P4R: BuyTT and GetRT ID ID E-TICKET Ownership (1) Ownership (2) T 0 Buy ticket Get piggy bank 14

P4R: BuyTT and GetRT ID ID E-TICKET Ownership (1) Ownership (2) TE-TICKET 0 T (2) TOwnership (1) TOwnership 0 T 0 Buy ticket Get piggy bank 14

P4R: ShowTT and GetRCT TE-TICKET (2) TOwnership (1) TOwnership (1) TOwnership TE-TICKET Show ticket Get stamped ticket 15

P4R: ShowTT and GetRCT (2) TOwnership (1) TOwnership T Ownership (1) TE-TICKET TE-TICKET (1) TOwnership TE-TICKET Show ticket Get stamped ticket 15

P4R: ShowTT and GetRCT er (2) TOwnership e ad R TE-TICKET r ade e R E-TICKET TOrigin: S Bay Time: 8/1/11 9.35 Re TOE-TICKET rigin: S Bay Time: 8/1/11 9.35 (2) TOwnership r ad e (1) TOwnership TE-TICKET (1) TOwnership T Ownership (1) TE-TICKET TE-TICKET (1) TOwnership TE-TICKET Origin: S Bay Time: 8/1/11 9.35 Show ticket Get stamped ticket 15

P4R: ShowRCT and GetRefund er ea d R E-TICKET TOrigin: S Bay Time: 8/1/11 9.35 er (2) TOwnership e ad R TE-TICKET T Ownership (2) 1.31 Origin: S Bay Time: 8/1/11 9.35 Show stamped ticket Get refund in piggy bank 16

P4R: ShowRCT and GetRefund er ea d R E-TICKET TOrigin: S Bay Time: 8/1/11 9.35 (2) TOwnership er e ad R TE-TICKET Origin: S Bay Time: 8/1/11 9.35 T Ownership (2) T d er esabay E-TICKET TOrigin: R Time: 8/1/11 9.35 Ownership (2) 1.31 Show stamped ticket Get refund in piggy bank 16

P4R: ShowRCT and GetRefund er ea d R E-TICKET TOrigin: S Bay Time: 8/1/11 9.35 (2) TOwnership er Origin: S Bay Time: 8/1/11 9.35 (2) TOwnership e ad R TE-TICKET Origin: S Bay Time: 8/1/11 9.35 er R TE-TICKET e ad T Ownership (2) T d er esabay E-TICKET TOrigin: R Time: 8/1/11 9.35 Ownership (2) 1.31 1.31 1,25 Show stamped ticket Get refund in piggy bank 16

P4R: RedeemRT 80.45 80.45 Cashing RT 17

P4R: RedeemRT 80.45 80.45 80.45 valid? In DB & not cashed before? valid! Cashing RT 17

P4R: RedeemRT 80.45 80.45 80.45 valid? In DB & not cashed before? valid! cashed Cashing RT 17

BLS-Signature Based RT System pairing is a bilinear map: e (a u, b v )=e (a,b)uv for all u, v, ℤ p, a, b, G p BLS-signatures requires an efficiently computable, non-degenerate pairing! Boneh-Lynn-Shacham Signatures: Keys: sk=x ℤ p, v=g x Signature on m G: σ :=H (m)x? Verification of (m, σ) : e( g, σ)=e(v, H (m)) 18

BLS-Signature Based RT System Refund token: RT = G, R=1, v=0 dding refund w user: r ℤ p, RT ' =RT r, v=v+w, R=R r mod p dding refund w T: RT ' =RT ' d w R dv? Verify claim for refund v : e (, h )=e ( RT ', h) w w 19

BLS-Signature Based RT System Refund token: RT = G, R=1, v=0 dding refund w user: r ℤ p, RT ' =RT r, v=v+w, R=R r mod p dding refund w T: RT ' =RT ' d w wi R dv? Verify claim for refund v : e (, h )=e ( RT ', h) w w 19

Security of P4R T Security: T does not lose any money User cannot forge tickets User cannot receive reimbursement that exceeds the overall deposit for tickets minus overall fare of trips User Security: passive adversary cannot steal tickets or refunds from a user User Privacy: dversary cannot differentiate between all possible trip sequences leading to the same total refund amount 20

User's Side Implementation on Moo Storage space to make 20 trips is at most 7.62 KB! Cycle count BuyTT & GetRT Execution time @16 MHz in s 84,585,590 5.29 35,264 0.002 ShoeRCT & GetRefund 5,466,485 0.34 RedeemRT* 5,549,538 0.35 ShowTT & GetRCT * Excludes authenticating to the vending machine. 21

Thank you for your attention!!!

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback