Jump to ContentJump to Main Navigation
Show Summary Details
More options …

Proceedings on Privacy Enhancing Technologies

4 Issues per year

Open Access
See all formats and pricing
More options …

A Practical Set-Membership Proof for Privacy-Preserving NFC Mobile Ticketing

Ghada Arfaoui / Jean-François Lalande / Jacques Traoré / Nicolas Desmoulins / Pascal Berthomé / Saïd Gharout
Published Online: 2015-06-22 | DOI: https://doi.org/10.1515/popets-2015-0019


To ensure the privacy of users in transport systems, researchers are working on new protocols providing the best security guarantees while respecting functional requirements of transport operators. In this paper1, we design a secure NFC m-ticketing protocol for public transport that preserves users’ anonymity and prevents transport operators from tracing their customers’ trips. To this end, we introduce a new practical set-membership proof that does not require provers nor verifiers (but in a specific scenario for verifiers) to perform pairing computations. It is therefore particularly suitable for our (ticketing) setting where provers hold SIM/UICC cards that do not support such costly computations. We also propose several optimizations of Boneh-Boyen type signature schemes, which are of independent interest, increasing their performance and efficiency during NFC transactions. Our m-ticketing protocol offers greater flexibility compared to previous solutions as it enables the post-payment and the off-line validation of m-tickets. By implementing a prototype using a standard NFC SIM card, we show that it fulfils the stringent functional requirement imposed by transport operators whilst using strong security parameters. In particular, a validation can be completed in 184.25ms when the mobile is switched on, and in 266.52ms when the mobile is switched off or its battery is flat.

Keywords: Set membership proof; zero-knowledge proof; m-ticketing; privacy; anonymity; unlinkability; post-payment


  • 1The work has been supported by the ANR-11-INS-0013 LYRICS Project.


  • [1] P. S. Barreto and M. Naehrig. Pairing-Friendly Elliptic Curves of Prime Order. In B. Preneel and S. Tavares, editors, Selected Areas in Cryptography, volume 3897 of LNCS, pages 319–331. Springer Berlin Heidelberg, Kingston, ON, Canada, 2006.Google Scholar

  • [2] Bellare, Namprempre, Pointcheval, and Semanko. The one-more-RSA-inversion problems and the security of chaum’s blind signature scheme. Journal of Cryptology, 16(3):185–215, 2003. DOI: 10.1007/s00145-002-0120-1.CrossrefGoogle Scholar

  • [3] M. Bellare and P. Rogaway. Random Oracles Are Practical: A Paradigm for Designing Efficient Protocols. In 1st ACM Conference on Computer and Communications Security, CCS ’93, pages 62–73, Fairfax, Virginia, USA, 1993. ACM.Google Scholar

  • [4] Berlin.de. Tickets, fares and route maps. http://www.berlin.de/en/public-transportation/1772016-2913840-tickets-faresand-route-maps.en.html.

  • [5] E.-O. Blass, A. Kurmus, R. Molva, and T. Strufe. PSP: Private and secure payment with RFID. Computer Communications, 36(4):468–480, 2013. DOI: 10.1016/j.comcom.2012.10.012.CrossrefGoogle Scholar

  • [6] D. Boneh and X. Boyen. Short Signatures Without Random Oracles. In C. Cachin and J. L. Camenisch, editors, Advances in Cryptology - EUROCRYPT 2004, volume 3027 of LNCS, pages 56–73. Springer Berlin Heidelberg, Interlaken, Switzerland, 2004.Google Scholar

  • [7] D. Boneh and X. Boyen. Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups. Journal of Cryptology, 21(2):149–177, 2008. DOI: 10.1007/s00145-007-9005-7.CrossrefGoogle Scholar

  • [8] D. Boneh, X. Boyen, and H. Shacham. Short Group Signatures. In M. Franklin, editor, Advances in Cryptology - CRYPTO ’04, volume 3152 of LNCS, pages 41–55. Springer Berlin Heidelberg, Santa Barbara, California, USA, 2004.Google Scholar

  • [9] J. Camenisch, R. Chaabouni, and A. Shelat. Efficient Protocols for Set Membership and Range Proofs. In J. Pieprzyk, editor, Advances in Cryptology - ASIACRYPT 2008, volume 5350 of LNCS, pages 234–252. Springer Berlin Heidelberg, Melbourne, Australia, 2008.Google Scholar

  • [10] J. Camenisch and A. Lysyanskaya. Signature Schemes and Anonymous Credentials from Bilinear Maps. In M. Franklin, editor, Advances in Cryptology - CRYPTO ’04, volume 3152 of LNCS, pages 56–72. Springer Berlin Heidelberg, Santa Barbara, California, USA, 2004.Google Scholar

  • [11] J. Camenisch, J.-M. Piveteau, and M. Stadler. An Efficient Fair Payment System. In 3rd ACM Conference on Computer and Communications Security, CCS ’96, pages 88–94, New Delhi, India, 1996. ACM.Google Scholar

  • [12] S. Canard, I. Coisel, A. Jambert, and J. Traoré. New Results for the Practical Use of Range Proofs. In S. Katsikas and I. Agudo, editors, Public Key Infrastructures, Services and Applications, volume 8341 of LNCS, pages 47–64. Springer Berlin Heidelberg, Egham, UK, 2014.Google Scholar

  • [13] R. Chaabouni, H. Lipmaa, and B. Zhang. A Non-interactive Range Proof with Constant Communication. In A. Keromytis, editor, Financial Cryptography and Data Security, volume 7397 of LNCS, pages 179–199. Springer Berlin Heidelberg, Kralendijk, Bonaire, 2012.Google Scholar

  • [14] D. Chaum and T. P. Pedersen. Wallet Databases with Observers. In E. F. Brickell, editor, Advances in Cryptology - CRYPTO ’92, volume 740 of LNCS, pages 89–105, Santa Barbara, California, USA, 1993. Springer Berlin Heidelberg.Google Scholar

  • [15] S. Chaumette, D. Dubernet, and J. Ouoba. Architecture and comparison of two different user-centric NFC-enabled event ticketing approaches. In S. Balandin, Y. Koucheryavy, and H. Hu, editors, The 11th international conference on next generation wired/wireless networking, volume 6869 of LNCS, pages 165–177, St. Petersburg, Russia, 2011. Springer Berlin Heidelberg.Google Scholar

  • [16] D. Derler, K. Potzmader, J. Winter, and K. Dietrich. Anonymous Ticketing for NFC-Enabled Mobile Phones. In L. Chen, M. Yung, and L. Zhu, editors, Trusted Systems, volume 7222 of LNCS, pages 66–83, Beijing, China, 2012. Springer Berlin Heidelberg.Google Scholar

  • [17] Y. G. Desmedt and Y. Frankel. Threshold cryptosystems. In G. Brassard, editor, Advances in Cryptology - CRYPTO ’89, volume 435 of LNCS, pages 307–315, Santa Barbara, California, USA, 1989. Springer Berlin Heidelberg.Google Scholar

  • [18] A. Devegili, M. Scott, and R. Dahab. Implementing Cryptographic Pairings over Barreto-Naehrig Curves. In T. Takagi, T. Okamoto, E. Okamoto, and T. Okamoto, editors, Pairing-Based Cryptography - Pairing 2007, volume 4575 of LNCS, pages 197–207. Springer Berlin Heidelberg, Tokyo, Japan, July 2007.Google Scholar

  • [19] A. Dmitrienko, A.-R. Sadeghi, S. Tamrakar, and C. Wachsmann. SmartTokens: Delegable Access Control with NFC-Enabled Smartphones. In S. Katzenbeisser, E. Weippl, L. Camp, M. Volkamer, M. Reiter, and X. Zhang, editors, Trust and Trustworthy Computing, volume 7344 of LNCS, pages 219–238. Springer Berlin Heidelberg, Vienna, Austria, 2012.Google Scholar

  • [20] Y. Dodis. Efficient Construction of (Distributed) Verifiable Random Functions. In Y. Desmedt, editor, Public Key Cryptography - PKC 2003, volume 2567 of LNCS, pages 1–17. Springer Berlin Heidelberg, Miami, FL, USA, 2003.Google Scholar

  • [21] Y. Dodis and A. Yampolskiy. A Verifiable Random Function with Short Proofs and Keys. In S. Vaudenay, editor, Public Key Cryptography - PKC 2005, volume 3386 of LNCS, pages 416–431. Springer Berlin Heidelberg, Diablerets, Switzerland, 2005.Google Scholar

  • [22] J.-E. Ekberg and S. Tamrakar. Mass Transit Ticketing with NFC Mobile Phones. In L. Chen, M. Yung, and L. Zhu, editors, Third International Conference on Trusted Systems, volume 7222 of LNCS, pages 48–65, Beijing, China, 2012. Springer Berlin Heidelberg.Google Scholar

  • [23] T. El Gamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In G. R. Blakley and D. Chaum, editors, Advances in Cryptology - CRYPTO ’84, volume 196 of LNCS, pages 10–18, Santa Barbara, California, USA, 1985. Springer Berlin Heidelberg.Google Scholar

  • [24] M. Eznack, J.-P. Warry, C. Loiseaux, G. Dufay, R. Atoui, N. Herbreteau, J. Pieniazek, and F. Thabaret. (U)SIM Java Card Platform Protection Profile Basic and SCWS Configurations-Evolutive Certification Scheme for (U)SIM cards, Version 2.0.2. http://www.ssi.gouv.fr/IMG/certificat/ANSSI-CC-cible_PP-2010-04en.pdf, June 2010.

  • [25] A. Fiat and A. Shamir. How to Prove Yourself: Practical Solutions to Identification and Signature Problems. In A. M. Odlyzko, editor, Advances in Cryptology - CRYPTO ’86, volume 263 of LNCS, pages 186–194, Santa Barbara, California, USA, 1987. Springer Berlin Heidelberg.Google Scholar

  • [26] P. Fouque and J. Stern. Fully distributed threshold RSA under standard assumptions. In C. Boyd, editor, Advances in Cryptology - ASIACRYPT 2001, volume 2248 of LNCS, pages 310–330, Gold Coast, Australia, 2001. Springer Berlin Heidelberg.Google Scholar

  • [27] FROST & SULLIVAN. NFC: When will be the real start? http://www.frost.com/sublib/display-report.do?id=9843-00-13-00-00, January 2011.

  • [28] G. Fuchsbauer, D. Pointcheval, and D. Vergnaud. Transferable Constant-Size Fair E-Cash. In J. Garay, A. Miyaji, and A. Otsuka, editors, Cryptology and Network Security, volume 5888 of LNCS, pages 226–247. Springer Berlin Heidelberg, Kanazawa, Japan, 2009.Google Scholar

  • [29] S. D. Galbraith, K. G. Paterson, and N. P. Smart. Pairings for cryptographers. Discrete Applied Mathematics, 156(16):3113–3121, 2008. DOI: 10.1016/j.dam.2007.12.010.CrossrefGoogle Scholar

  • [30] R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin. Secure Applications of Pedersen Distributed Key Generation Protocol. In M. Joye, editor, Topics in Cryptology - CT-RSA 2003, volume 2612 of LNCS, pages 373–390. Springer Berlin Heidelberg, San Francisco, CA, USA, 2003.Google Scholar

  • [31] C. P. L. Gouvêa, L. B. Oliveira, and J. López. Efficient software implementation of public-key cryptography on sensor networks using the MSP430X microcontroller. J. Cryptographic Engineering, 2(1):19–29, 2012. DOI: 10.1007/s13389-012-0029-z.CrossrefGoogle Scholar

  • [32] GSMA Mobile NFC. White Paper: Mobile NFC in Transport. http://www.uitp.org/public-transport/technology/Mobile-NFC-in-Transport.pdf, September 2012.

  • [33] T. S. Heydt-Benjamin, H.-J. Chae, B. Defend, and K. Fu. Privacy for Public Transportation. In G. Danezis and P. Golle, editors, 6th International Conference on Privacy Enhancing Technologies - PET’06, volume 4258 of LNCS, pages 1–19, Cambridge, UK, 2006. Springer Berlin Heidelberg.Google Scholar

  • [34] E. Hufschmitt and J. Traoré. Fair Blind Signatures Revisited. In T. Takagi, T. Okamoto, E. Okamoto, and T. Okamoto, editors, Pairing-Based Cryptography - Pairing 2007, volume 4575 of LNCS, pages 268–292, Tokyo, Japan, July 2007.Google Scholar

  • [35] A. P. Isern-Deya, A. Vives-Guasch, M. Mut-Puigserver, M. Payeras-Capella, and J. Castella-Roca. A Secure Automatic Fare Collection System for Time-Based or Distance-Based Services with Revocable Anonymity for Users. The Computer Journal, 56(10):1198–1215, Apr. 2012. DOI: 10.1093/comjnl/bxs033.CrossrefGoogle Scholar

  • [36] ISO 14443-3:2011. Identification cards – Contactless integrated circuit cards – Proximity cards.Google Scholar

  • [37] A. Menezes, S. Vanstone, and T. Okamoto. Reducing Elliptic Curve Logarithms to Logarithms in a Finite Field. In 23rd Annual ACM Symposium on Theory of Computing - STOC ’91, pages 80–89, New Orleans, Louisiana, USA, 1991. ACM.Google Scholar

  • [38] Moscow. http://moscow.ru/fr/guide/trip_planning/inner_transport/transport/metro/.

  • [39] NFC Forum. NFC in Public Transport. http://nfc-forum.org/wp-content/uploads/2013/12/NFC-in-Public-Transport.pdf, 2011.

  • [40] P. Paillier. Low-Cost Double-Size Modular Exponentiation or How to Stretch Your Cryptoprocessor. In Second International Workshop on Practice and Theory in Public Key Cryptography, PKC ’99, volume 1560 of LNCS, pages 223–234, Kamakura, Japan, Mar. 1999. Springer Berlin Heidelberg.Google Scholar

  • [41] T. Pedersen. . In J. Feigenbaum, editor, Advances in Cryptology - CRYPTO ’91, volume 576 of LNCS, pages 129–140. Springer Berlin Heidelberg, 1992.Google Scholar

  • [42] D. Pointcheval and J. Stern. Security Proofs for Signature Schemes. In U. Maurer, editor, Advances in Cryptology - EUROCRYPT ’96, volume 1070 of LNCS, pages 387–398. Springer Berlin Heidelberg, Saragossa, Spain, 1996.Google Scholar

  • [43] D. Pointcheval and J. Stern. Security arguments for digital signatures and blind signatures. J. Cryptology, 13(3):361–396, 2000. DOI: 10.1007/s001450010003.CrossrefGoogle Scholar

  • [44] A. Rupp, G. Hinterwälder, F. Baldimtsi, and C. Paar. P4R: Privacy-Preserving Pre-Payments with Refunds for Transportation Systems. In A.-R. Sadeghi, editor, Financial Cryptography and Data Security, volume 7859 of LNCS, pages 205–212. Springer Berlin Heidelberg, Okinawa, Japan, 2013.Google Scholar

  • [45] A. Sadeghi, I. Visconti, and C. Wachsmann. User Privacy in Transport Systems Based on RFID E-Tickets. In C. Bettini, S. Jajodia, P. Samarati, and X. S. Wang, editors, International Workshop on Privacy in Location-Based Applications - PilBA 2008, volume 397, Malaga, Spain, Oct. 2008. CEUR.Google Scholar

  • [46] C. Schnorr. Efficient Signature Generation by Smart Cards. Journal of Cryptology, 4(3):161–174, 1991. DOI: 10.1007/BF00196725.CrossrefGoogle Scholar

  • [47] Smart Card Alliance. Proximity mobile payments: Leveraging NFC and the contactless financial payments infrastructure. http://www.smartcardalliance.org/resources/lib/Proximity_Mobile_Payments_200709.pdf, 2007.

  • [48] P. Szczechowiak, L. Oliveira, M. Scott, M. Collier, and R. Dahab. NanoECC: Testing the Limits of Elliptic Curve Cryptography in Sensor Networks. In R. Verdone, editor, Wireless Sensor Networks, volume 4913 of LNCS, pages 305–320. Springer Berlin Heidelberg, Bologna, Italy, 2008.Google Scholar

  • [49] S. Tamrakar and J.-E. Ekberg. Tapping and Tripping with NFC. In 6th International Conference on Trust & Trustworthy Computing, volume 7904 of LNCS, pages 115–132, London, United Kingdom, 2013. Springer Berlin Heidelberg.Google Scholar

  • [50] The Paris Convention and Visitors Bureau. Public transport in paris. http://en.parisinfo.com/practical-paris/how-to-getto-and-around-paris/public-transport-paris.

  • [51] G. Arfaoui, J.-F. Lalande, J. Traoré, N. Desmoulins, P. Berthomé, and S. Gharout. arXiv: 1505.03048.Google Scholar

About the article

Received: 2014-11-15

Revised: 2015-05-15

Accepted: 2015-05-15

Published Online: 2015-06-22

Published in Print: 2015-06-01

Citation Information: Proceedings on Privacy Enhancing Technologies, Volume 2015, Issue 2, Pages 25–45, ISSN (Online) 2299-0984, DOI: https://doi.org/10.1515/popets-2015-0019.

Export Citation

© Ghada Arfaoui et al.. This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 3.0 License. BY-NC-ND 3.0

Citing Articles

Here you can find all Crossref-listed publications in which this article is cited. If you would like to receive automatic email messages as soon as this article is cited in other publications, simply activate the “Citation Alert” on the top of this page.

Hao Hu, Rongxing Lu, Cheng Huang, and Zonghua Zhang
Sensors, 2016, Volume 16, Number 6, Page 803

Comments (0)

Please log in or register to comment.
Log in