A Practical Set-Membership Proof for Privacy-Preserving NFC Mobile Ticketing

Open access


To ensure the privacy of users in transport systems, researchers are working on new protocols that provide the best security guarantees while respecting the functional requirements of transport operators. In this paper, we design a secure NFC m-ticketing protocol for public transport that preserves users' anonymity and prevents transport operators from tracing their customers' trips. To this end, we introduce a new practical set-membership proof that does not require provers (nor verifiers, except in one specific scenario) to perform pairing computations. It is therefore particularly suitable for our ticketing setting, where provers hold SIM/UICC cards that do not support such costly computations. We also propose several optimizations of Boneh-Boyen type signature schemes, which are of independent interest, increasing their performance and efficiency during NFC transactions. Our m-ticketing protocol offers greater flexibility than previous solutions, as it enables post-payment and off-line validation of m-tickets. By implementing a prototype on a standard NFC SIM card, we show that it fulfils the stringent functional requirements imposed by transport operators while using strong security parameters. In particular, a validation can be completed in 184.25 ms when the mobile is switched on, and in 266.52 ms when the mobile is switched off or its battery is flat.


