anonymous and transferable electronic ticketing scheme



  1. Anonymous and Transferable Electronic Ticketing Scheme – Data Privacy Management, 8th International Workshop – Arnau Vives-Guasch (1), M. Magdalena Payeras-Capellà (2), Macià Mut-Puigserver (2), Jordi Castellà-Roca (1), Josep-Lluís Ferrer-Gomila (2). (1) Universitat Rovira i Virgili, Tarragona (Spain). (2) Universitat de les Illes Balears, Mallorca (Spain). Egham, UK. September 12-13, 2013. A. Vives-Guasch et al. (URV-UIB) Anonymous & Transferable e-Ticketing DPM 2013 1 / 27

  2. Table of Contents
     1. Introduction (Contribution)
     2. Background
     3. Description of the system
     4. Conclusions & future work

  3. Introduction
     - IT industry: smartphones revolution
     - Computation power
     - Storage capacity
     - Communication technologies (NFC, Wi-Fi, 4G, etc.)
     - Mobility + flexibility: payment and ticketing schemes
     - Ticket: representation of the owner's rights to receive a determined service
     - At least, the same security requirements have to be fulfilled as in paper format
     - Requirements mainly depend on the service

  4. Introduction: Contribution
     - E-ticketing system
     - Group signatures
     - Security requirements: anonymity (revocable), short-term linkability (adaptation from BBS scheme), transferability
     - Easily deployable to real scenarios

  5. Table of Contents
     1. Introduction
     2. Background (Security assumptions, Procedures)
     3. Description of the system
     4. Conclusions & future work

  6. Background: Security assumptions
     - Definition (the $q$-Strong Diffie-Hellman problem, SDH). Given two cyclic groups $G_1$ and $G_2$ of prime order $p$, two randomly chosen generators $g_1 \in G_1$ and $g_2 \in G_2$ of their respective groups, with an isomorphism $\psi : G_2 \to G_1$ where $g_1 = \psi(g_2)$, the $q$-SDH problem is a hard computational problem where the $(q+2)$-tuple $(g_1, g_2, g_2^{\gamma}, g_2^{\gamma^2}, \ldots, g_2^{\gamma^q}) \in G_1 \times G_2^{q+1}$ is the input and the pair $(g_1^{1/(x+\gamma)}, x) \in G_1 \times \mathbb{Z}_p$ is the output, for some $x \in \mathbb{Z}_p^*$ such that $x + \gamma \neq 0$.
     - Definition (the Decision Linear Diffie-Hellman problem, DLIN). Given a cyclic group $G_1$ of order $p$, take $u, v, h, u^a, v^b, h^c \in G_1$ as input, where $u, v, h \in G_1$ are randomly chosen generators and $a, b, c \in \mathbb{Z}_p$ are random, and output yes if $a + b = c$ and no otherwise.

  7. Background: Procedures
     - BBS scheme: $\mathrm{KeyGen}_G$, $\mathrm{Sign}_G$, $\mathrm{Verify}_G$, $\mathrm{Open}_G$
     - ZKP of the BBS scheme: $\mathrm{ZKP}_G$ Commit, $\mathrm{ZKP}_G$ Response, $\mathrm{ZKP}_G$ Verify
     - Own adaptation for short-term linkability: $\mathrm{SignLinkable}_G$, $\mathrm{VerifyLinkable}_G$

  8. Procedures: $\mathrm{KeyGen}_G(n)$. Generate a group of $n$ users and their respective set of keys.
     1. select $h \xleftarrow{R} G_1 \setminus \{1_{G_1}\}$
     2. generate $gmsk = (\xi_1, \xi_2)$ where $\xi_1, \xi_2 \xleftarrow{R} \mathbb{Z}_p^*$
     3. set $u, v \in G_1$ such that $u^{\xi_1} = v^{\xi_2} = h$
     4. select $\gamma \xleftarrow{R} \mathbb{Z}_p^*$
     5. set $w = g_2^{\gamma}$
     6. generate $\forall\, \mathcal{U}_i$, $1 \le i \le n$, an SDH tuple $(A_i, x_i)$ by: select $x_i \xleftarrow{R} \mathbb{Z}_p^*$; set $A_i \leftarrow g_1^{1/(\gamma + x_i)}$

     $\gamma$ is the private master key of the group key issuer.

  9. Procedures: $\mathrm{Sign}_G(gpk, gsk[i], M)$ I. Given $gpk = (g_1, g_2, h, u, v, w)$, $gsk[i] = (A_i, x_i)$ and a message $M \in \{0,1\}^*$, output a signature of knowledge $\sigma = (T_1, T_2, T_3, c, s_\alpha, s_\beta, s_x, s_{\delta_1}, s_{\delta_2})$.
     1. select $\alpha, \beta \xleftarrow{R} \mathbb{Z}_p$
     2. compute the linear encryption of $A$: $(T_1, T_2, T_3) \leftarrow (u^{\alpha}, v^{\beta}, A h^{\alpha+\beta})$
     3. compute $\delta_1 \leftarrow x\alpha$ and $\delta_2 \leftarrow x\beta$
     4. select $r_\alpha, r_\beta, r_x, r_{\delta_1}, r_{\delta_2} \xleftarrow{R} \mathbb{Z}_p$
     5. compute:
        - $R_1 \leftarrow u^{r_\alpha}$
        - $R_2 \leftarrow v^{r_\beta}$
        - $R_3 \leftarrow e(T_3, g_2)^{r_x} \cdot e(h, w)^{-r_\alpha - r_\beta} \cdot e(h, g_2)^{-r_{\delta_1} - r_{\delta_2}}$
        - $R_4 \leftarrow T_1^{r_x} \cdot u^{-r_{\delta_1}}$
        - $R_5 \leftarrow T_2^{r_x} \cdot v^{-r_{\delta_2}}$
     6. compute: $c \leftarrow H(M, T_1, T_2, T_3, R_1, R_2, R_3, R_4, R_5)$

  10. Procedures: $\mathrm{Sign}_G(gpk, gsk[i], M)$ II
     7. generate:
        - $s_\alpha \leftarrow r_\alpha + c\alpha$
        - $s_\beta \leftarrow r_\beta + c\beta$
        - $s_x \leftarrow r_x + cx$
        - $s_{\delta_1} \leftarrow r_{\delta_1} + c\delta_1$
        - $s_{\delta_2} \leftarrow r_{\delta_2} + c\delta_2$
     8. output $\sigma \leftarrow (T_1, T_2, T_3, c, s_\alpha, s_\beta, s_x, s_{\delta_1}, s_{\delta_2})$

  11. Procedures: $\mathrm{Verify}_G(gpk, M, \sigma)$. Given $gpk = (g_1, g_2, h, u, v, w)$, a message $M$ and $\sigma = (T_1, T_2, T_3, c, s_\alpha, s_\beta, s_x, s_{\delta_1}, s_{\delta_2})$, verify that $\sigma$ is a valid signature of the message.
     1. re-derive $R_1, R_2, R_3, R_4, R_5$:
        - $\tilde{R}_1 \leftarrow u^{s_\alpha} / T_1^{c}$
        - $\tilde{R}_2 \leftarrow v^{s_\beta} / T_2^{c}$
        - $\tilde{R}_3 \leftarrow e(T_3, g_2)^{s_x} \cdot e(h, w)^{-s_\alpha - s_\beta} \cdot e(h, g_2)^{-s_{\delta_1} - s_{\delta_2}} \cdot \left( e(T_3, w) / e(g_1, g_2) \right)^{c}$
        - $\tilde{R}_4 \leftarrow T_1^{s_x} / u^{s_{\delta_1}}$
        - $\tilde{R}_5 \leftarrow T_2^{s_x} / v^{s_{\delta_2}}$
     2. verify $c \stackrel{?}{=} H(M, T_1, T_2, T_3, \tilde{R}_1, \tilde{R}_2, \tilde{R}_3, \tilde{R}_4, \tilde{R}_5)$

  12. Procedures: $\mathrm{Open}_G(gpk, gmsk, M, \sigma)$
     - Trace a signature to a concrete signer inside the group
     - $M_G$ holds the $gmsk$ master key and knows all $(A_i, x_i)$ pairs

     Given $gpk = (g_1, g_2, h, u, v, w)$, $gmsk = (\xi_1, \xi_2)$, a message $M$ and $\sigma = (T_1, T_2, T_3, c, s_\alpha, s_\beta, s_x, s_{\delta_1}, s_{\delta_2})$:
     1. Recover the user's identity: $A \leftarrow T_3 / (T_1^{\xi_1} \cdot T_2^{\xi_2})$
     2. If the elements $\{A_i\}$ of the $gsk[i]$ are given to $M_G$, look up the user index for the $A$ recovered from the signature

  13. Procedures: $\mathrm{SignLinkable}_G(gpk, gsk[i], M)$. Given $gpk$, $gsk[i]$, a new message $M'$, a previous signature $\sigma$, and the values $\alpha, \beta$ used for that signature, compute and output a signature $\sigma'$.
     - First use: standard $\mathrm{Sign}_G(gpk, gsk[i], M)$. Obtains $\sigma$ with $(\alpha, \beta)$
     - Further uses: $\mathrm{SignLinkable}_G(gpk, gsk[i], M', \sigma, \alpha, \beta)$:
       1. use the same pair $(\alpha, \beta)$, producing the same linear encryption of $A$: $(T_1, T_2, T_3) = (u^{\alpha}, v^{\beta}, A h^{\alpha+\beta})$
       2. given a message $M'$, sign the message: $\sigma' \leftarrow (T_1, T_2, T_3, c', s'_\alpha, s'_\beta, s'_x, s'_{\delta_1}, s'_{\delta_2})$ where $c' \leftarrow H(M', T_1, T_2, T_3, R'_1, R'_2, R'_3, R'_4, R'_5) \in \mathbb{Z}_p$

  14. Procedures: $\mathrm{VerifyLinkable}_G(\sigma, \sigma')$. This algorithm takes two signatures $\sigma$ and $\sigma'$ as input and outputs true or false depending on whether the signatures have been produced by the same signer's pseudonym:
     - $T_1 \stackrel{?}{=} T'_1$
     - $T_2 \stackrel{?}{=} T'_2$
     - $T_3 \stackrel{?}{=} T'_3$

  15. Table of Contents
     1. Introduction
     2. Background
     3. Description of the system (Requirements, Participants, Phases)
     4. Conclusions & future work

  16. Description of the system: Requirements
     - Authenticity
     - Non-repudiation
     - Integrity
     - Revocable anonymity
     - Short-term linkability
     - Non-overspending
     - Transferability

  17. Description of the system: Participants
     - User ($U$)
     - Issuer ($I$)
     - Service provider ($P$)
     - Group Manager ($M_G$)

  18. Description of the system: Phases
     - Ticket issue
     - Ticket transfer: 1st time (from original); further times (from already transferred)
     - Ticket verification: standard (original); transferred
     - Revocation of anonymity ($M_G$)

  19. Phases: Ticket issue, between User ($U$) and Issuer ($I$)
     1. $I$: $n_\alpha \xleftarrow{R} \mathbb{Z}_p$
     2. $I \to U$: $n_\alpha$
     3. $U$: selects $Sv$; $V = \mathrm{Sign}_G(Sv, n_\alpha, \text{flag issue})$
     4. $U \to I$: $V$
     5. $I$: $\mathrm{Verify}_G(V)$; $T = \mathrm{Sign}_I(Sn, Sv, Tc, V, \ldots)$
     6. $I \to U$: $T$
     7. $U$: $\mathrm{Verify}_I(T)$
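
The pairing-free parts of slides 8, 9, 12 and 14 (linear encryption of $A$, Open, and the short-term linkability check) as an added Python example, not code from the slides or the authors. It assumes a constructed toy group (the squares modulo 2039, of prime order 1019) in place of $G_1$, and the function names are hypothetical; the pairing-based proof ($R_3$, $c$, the $s$ values) is left out.

```python
import secrets

# Constructed toy parameters (insecure, illustration only): P = 2Q + 1, and the
# squares modulo P form a group of prime order Q standing in for G1.
P, Q, G1 = 2039, 1019, 4

def rand_exp():
    """Uniform exponent in Z_Q^*."""
    return secrets.randbelow(Q - 1) + 1

def keygen():
    """KeyGen_G steps 1-3: h, gmsk = (xi1, xi2), and u, v with u^xi1 = v^xi2 = h."""
    h = pow(G1, rand_exp(), P)
    xi1, xi2 = rand_exp(), rand_exp()
    u, v = pow(h, pow(xi1, -1, Q), P), pow(h, pow(xi2, -1, Q), P)
    return (h, u, v), (xi1, xi2)

def issue_member(gamma):
    """KeyGen_G step 6: SDH pair (A_i, x_i) with A_i = g1^(1/(gamma + x_i))."""
    while True:
        x = rand_exp()
        if (gamma + x) % Q:                      # skip the non-invertible case
            return pow(G1, pow(gamma + x, -1, Q), P), x

def encrypt(gpk, A, alpha, beta):
    """Sign_G step 2: linear encryption (T1, T2, T3) = (u^a, v^b, A*h^(a+b))."""
    h, u, v = gpk
    return pow(u, alpha, P), pow(v, beta, P), A * pow(h, alpha + beta, P) % P

def open_tag(gmsk, T):
    """Open_G step 1: A = T3 / (T1^xi1 * T2^xi2)."""
    mask = pow(T[0], gmsk[0], P) * pow(T[1], gmsk[1], P) % P
    return T[2] * pow(mask, -1, P) % P

def verify_linkable(T, T_prime):
    """VerifyLinkable_G: true iff T1 = T1', T2 = T2' and T3 = T3'."""
    return tuple(T) == tuple(T_prime)

if __name__ == "__main__":
    gpk, gmsk = keygen()
    gamma = rand_exp()
    members = [issue_member(gamma)[0] for _ in range(3)]
    alpha, beta = rand_exp(), rand_exp()
    first = encrypt(gpk, members[1], alpha, beta)      # first use: Sign_G
    reuse = encrypt(gpk, members[1], alpha, beta)      # SignLinkable_G
    fresh = encrypt(gpk, members[1], rand_exp(), rand_exp())
    print(verify_linkable(first, reuse), verify_linkable(first, fresh))
    print(open_tag(gmsk, first) == open_tag(gmsk, fresh) == members[1])
```

Reusing $(\alpha, \beta)$ makes two signatures linkable by anyone, while the group manager recovers the same $A$ from linked and unlinked signatures alike.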
