P4R: Privacy-Preserving Pre-Payments with …fc13.ifca.ai/slide/6-2.pdfCycle count Execution time...
Transcript of P4R: Privacy-Preserving Pre-Payments with …fc13.ifca.ai/slide/6-2.pdfCycle count Execution time...
P4R: Privacy-Preserving Pre-Payments with Refunds for Transportation Systems
Andy Rupp1, Gesine Hinterwälder2, Foteini3 Baldimtsi, Christof Paar2,4
1 Karlsruhe Institute of Technology2 University of Massachusetts Amherst
3 Brown University4 Ruhr-University Bochum
0964641
Outline
Motivation eCash
Overview Performance Issues
P4R Description Evaluation
1
Motivation
Transportation Payments Large volumes Low cost Have to be executed fast
Electronic Payments Throughput and convenience advantages Reduced revenue collection cost Enable dynamic pricing Facilitate maintenance of a system Enable easy collection of meaningful data
2
Motivation
“Some call T's new Charlie Card an invasion of privacy. But agency insists safeguards in place”
“Hacking the T: MBTA sues to keep MIT students from telling how they cracked the CharlieCard”
“Hackers Crack London Tube Oyster Card”
“Privacy Concerns Raised Over Clipper Card Passenger Tracking”
3
Motivation
We need payment systems for transportation that are: Secure (unforgeable & secure against doublespending) Private (anonymous) Trusted Efficient Low-cost Usable Reliable
4
eCash
Spending Depos
it
WithdrawalID
BankBankBan
k
5
eCash
Blind signature
Security Properties of Blind Signatures
Blindness: Signer should not be able to view the messages he signs (i.e. Bank cannot link e-coins to specific users)
Unforgeability: User should not be able to forge the signer's signatures (i.e. User cannot forge coins)
ID
Bank
Bank Bank
6
eCash
Double Spending
Double Spending reveals User's ID!!!
7
Brands' Untraceable Offline Cash
Introduced in 1993
Most efficient scheme during Spending Phase
Well-known and implemented (Microsoft U-Prove)
[Bra93] S. Brands. Untraceable Off-line Cash in Wallets with Observers (Extended Abstract). In Proceedings of the 13th Annual International Cryptology Conference on Advances in Cryptology, CRYPTO ’93, pages 302–318, 1994. 8
Brands' Untraceable Offline Cash
Scheme based on cyclic group of prime order
Coin size (elements that have to be stored on user device
for each coin): and
Withdrawal
Spending
12 exponentiations
0 exponentiations
2 exponentiations
3 exponentiations
Gq
A , B , z ' , a ' , b '∈Gq r ' , s , x0, x1∈ℤq
9
Implementation Results Brands'
Base scheme on 160-bit elliptic curve
and measure execution time on Moo computational RFID tag
Storage space required per coin: 284 bytes
Execution time on MSP430F2618, when based on 160-bit curve:
[ZGRF11] H. Zhang, J. Gummeson, B. Ransford, and K. Fu. Moo: A Batteryless Computational RFID and Sensing Platform. https://web.cs.umass.edu/publication/docs/2011/UM-CS-2011-020.pdf. 2011.
10
Cycle count Execution time @16 MHz
Brands' withdrawing one coin 69 120 181 4.32 s
Brands' spending one coin 35 052 0.0022 s
Cycle count Execution time @16 MHz
Brands' withdrawing one coin 69 120 181 4.32 s
Brands' spending one coin 35 052 0.0022 s
Implementation Results Brands'
Base scheme on 160-bit elliptic curve
and measure execution time on Moo computational RFID tag
Storage space required per coin: 284 bytes
Execution time on MSP430F2618, when based on 160-bit curve:
10
[ZGRF11] H. Zhang, J. Gummeson, B. Ransford, and K. Fu. Moo: A Batteryless Computational RFID and Sensing Platform. https://web.cs.umass.edu/publication/docs/2011/UM-CS-2011-020.pdf. 2011.
Users should not have to withdrawand store too many coins!!!
Our Approach
Build on Brands' due to efficiency reasons (could use any
efficient, anonymous 2-show credential scheme)
Alleviate its disadvantages (large coin size, inefficient
withdrawal)
Minimize number of coins needed using novel
pre-payments with refunds approach:
Use Brands' coin as ticket
Ticket price = cost of most expensive trip
Cost of actual trip determined on exit
Pay refund based on overpayment11
P4R: Main Components
Vending Machines (online)
Entry Turnstiles (offline)Exit Turnstiles (offline)Central Database
Subway
12
P4R: Main Components
Buy ticket
Get piggy bank
12
P4R: Main Components
Show
ticket
Get stam
ped
ticket
12
P4R: Main Components
12
P4R: Main Components
Show stam
ped
ticket
Get refund
in piggy bank
12
P4R: Main Components
Cash piggy bank
12
Brands-Based TAT System
A=(g 1idU g2)
s
B=g1x1g 2
x2
A , B , sig (A , B)
r1=d (id U s )+x1r 2=d∗s+x2
Brands' coin:
Showing coin:
13
idU=r1−r ' 1r2−r ' 2
=(d−d ' )idU s
(d−d ' )s
Brands-Based TAT System
A=(g 1idU g2)
s
B=g1x1g 2
x2
A , B , sig (A , B)
r1=d (id U s )+x1r 2=d∗s+x2
r ' 1=d ' (id U s )+x1r ' 2=d '∗s+x2
Brands' coin:
Showing coin:
Double spending:
13
r1=d (id U s )+x1r 2=d∗s+x2
r ' 1=d ' (id U s )+x ' 1r ' 2=d '∗s+x ' 2
P4R' coin:
First spending:
Second spending:
A=(g 1idU g2)
s
B=g1x1g 2
x2
A , B ,C , sig (A , B ,C )
C=g1x' 1 g2
x ' 2
Brands-Based TAT System
A=(g 1idU g2)
s
B=g1x1g 2
x2
A , B , sig (A , B)
r1=d (id U s )+x1r 2=d∗s+x2
r ' 1=d ' (id U s )+x1r ' 2=d '∗s+x2
Brands' coin:
Showing coin:
Double spending:
13
IDID
E-TICKET
112537
Ownership (1)
112537112537
Ownership (2)
Buy ticket
Get piggy bank
P4R: BuyTAT and GetRT
14
IDID
TA
Harry€ 0“Harry”
E-TICKET
112537
Ownership (1)
112537112537
Ownership (2)
Buy ticket
Get piggy bank
P4R: BuyTAT and GetRT
14
IDID
TA
Harry€ 0
TA Harry€ 0“Harry”
Harry€ 0
E-TICKET
112537
Ownership (1)
112537112537
Ownership (2)
E-TICKET
112537
Ownership (1)
112537112537
Ownership (2)TA
TA
TA
Buy ticket
Get piggy bank
P4R: BuyTAT and GetRT
14
E-TICKET
112537
Ownership (1)
112537112537
Ownership (2)TA
TA
TA
112537
E-TICKET
112537
Ownership (1)
112537TA
TA
Show ticket
Get stamped ticket
P4R: ShowTAT and GetRCT
15
E-TICKET
112537
Ownership (1)
112537112537
Ownership (2)TA
TA
TAE-TICKET
112537
TA
112537
Ownership (1)TA
112537
E-TICKET
112537
Ownership (1)
112537TA
TA
Show ticket
Get stamped ticket
P4R: ShowTAT and GetRCT
15
E-TICKET
112537
Ownership (1)
112537112537
Ownership (2)TA
TA
TA
E-TICKET
112537
TAOrigin: S BayTime: 8/1/11 9.35
Reader E-TICKET
112537
Ownership (2)
112537
TA
TAReader
Origin: S BayTime: 8/1/11 9.35
E-TICKET
112537
TA
112537
Ownership (1)TA
E-TICKET
112537
TAOrigin: S BayTime: 8/1/11 9.35
Reader
112537
112537
E-TICKET
112537
Ownership (1)
112537TA
TA
Show ticket
Get stamped ticket
P4R: ShowTAT and GetRCT
112537
E-TICKET
112537
Ownership (1)
112537TA
TA
15
E-TICKET
112537
Ownership (2)TA
TAReader
Origin: S BayTime: 8/1/11 9.35
E-TICKET
112537
Ownership (2)
112537
TA
TAOrigin: S BayTime: 8/1/11 9.35
Harry
€ 1.31
112537
Show stamped ticket
Get refund in piggy bank
P4R: ShowRCT and GetRefund
16
Reader
E-TICKET
112537
TAReaderOrigin: S BayTime: 8/1/11 9.35
112537
Ownership (2)TA
E-TICKET
112537
Ownership (2)TA
TAReader
Origin: S BayTime: 8/1/11 9.35
E-TICKET
112537
Ownership (2)
112537
TA
TAOrigin: S BayTime: 8/1/11 9.35
Harry
€ 1.31
112537
Show stamped ticket
Get refund in piggy bank
P4R: ShowRCT and GetRefund
16
Reader
Harry
€ 1,25
Harry
€ 1.31
E-TICKET
112537
TAReaderOrigin: S BayTime: 8/1/11 9.35
112537
Ownership (2)TA
Harry
112537
E-TICKET
112537
Ownership (2)TA
TAReader
Origin: S BayTime: 8/1/11 9.35
E-TICKET
112537
Ownership (2)
112537
TA
TAOrigin: S BayTime: 8/1/11 9.35
Harry
€ 1.31
112537
Show stamped ticket
Get refund in piggy bank
P4R: ShowRCT and GetRefund
E-TICKET
112537
Ownership (2)
112537
TA
TAOrigin: S BayTime: 8/1/11 9.35
16
Reader
Reader
Cashing RT
Harry
€ 80.45
Harry
€ 80.45
P4R: RedeemRT
17
Cashing RT
Harry
€ 80.45
Harry
€ 80.45
Harry
€ 80.45
“Harry valid?”In DB & notcashed before?
“Harry valid!”
P4R: RedeemRT
17
Cashing RT
Harry
€ 80.45
Harry
€ 80.45
Harry
€ 80.45
“Harry valid?”In DB & notcashed before?
“Harry valid!”
“Harry cashed”
P4R: RedeemRT
17
BLS-Signature Based RT System
A pairing is a bilinear map:
BLS-signatures requires an efficiently computable, non-degenerate pairing!
e (au , bv)=e (a ,b)uv for all u , v ,∈ℤ p , a , b ,∈G p
Boneh-Lynn-Shacham Signatures:
Keys:
Signature on :
Verification of :
sk=x∈ℤp , v=gx
m∈G σ :=H (m)x
(m ,σ) e(g ,σ)=e(v ,H (m))?
18
BLS-Signature Based RT System
Harry€ w
Harry
Harry€ w
RT=Harry∈G , R=1, v=0
r∈ℤ p , RT '=RTr ,
Refund token:
Adding refund user:v=v+w , R=R∗r mod p
w
RT '=RT ' dAdding refund TA:
e (HarryR , hd )=e (RT ' ,h)
ww
Verify claim for refund :vv ?
19
BLS-Signature Based RT System
Harry€ w
Harry
Harry€ w
RT=Harry∈G , R=1, v=0
r∈ℤ p , RT '=RTr ,
Refund token:
Adding refund user:v=v+w , R=R∗r mod p
w
Adding refund TA:
e (HarryR , hd )=e (RT ' ,h)
ww
Verify claim for refund :vv ?
19
∑ wiRT '=RT ' d
Security of P4R
TA Security: TA does not lose any money User cannot forge tickets User cannot receive reimbursement that exceeds the overall
deposit for tickets minus overall fare of trips
User Security: A passive adversary cannot steal tickets or refunds from a user
User Privacy: Adversary cannot differentiate between all possible trip
sequences leading to the same total refund amount
20
User's Side Implementation on Moo
Storage space to make 20 trips is at most 7.62 KB!
21
Cycle count Execution time @16 MHz in s
BuyTAT & GetRT 84,585,590 5.29
ShowTAT & GetRCT 35,264 0.002
ShoeRCT & GetRefund 5,466,485 0.34
RedeemRT* 5,549,538 0.35
* Excludes authenticating to the vending machine.
Thank you for your attention!!!