Jump to ContentJump to Main Navigation
Show Summary Details

Proceedings on Privacy Enhancing Technologies

2 Issues per year

Open Access
See all formats and pricing

A Practical Set-Membership Proof for Privacy-Preserving NFC Mobile Ticketing

Ghada Arfaoui
  • Orange Labs, F-14066 Caen, INSA Centre Val de Loire, F-18020 Bourges, France
  • :
/ Jean-François Lalande
  • INSA Centre Val de Loire - Inria, F-18020 Bourges
  • :
/ Jacques Traoré
  • Orange Labs, F-14066 Caen, France
  • :
/ Nicolas Desmoulins
  • Orange Labs, F-14066 Caen, France
  • :
/ Pascal Berthomé
  • INSA Centre Val de Loire, F-18020 Bourges, France
  • :
/ Saïd Gharout
  • Orange Labs, F-92130 Issy-les-moulineaux, France
  • :
Published Online: 2015-06-22 | DOI: https://doi.org/10.1515/popets-2015-0019


To ensure the privacy of users in transport systems, researchers are working on new protocols providing the best security guarantees while respecting functional requirements of transport operators. In this paper1, we design a secure NFC m-ticketing protocol for public transport that preserves users’ anonymity and prevents transport operators from tracing their customers’ trips. To this end, we introduce a new practical set-membership proof that does not require provers nor verifiers (but in a specific scenario for verifiers) to perform pairing computations. It is therefore particularly suitable for our (ticketing) setting where provers hold SIM/UICC cards that do not support such costly computations. We also propose several optimizations of Boneh-Boyen type signature schemes, which are of independent interest, increasing their performance and efficiency during NFC transactions. Our m-ticketing protocol offers greater flexibility compared to previous solutions as it enables the post-payment and the off-line validation of m-tickets. By implementing a prototype using a standard NFC SIM card, we show that it fulfils the stringent functional requirement imposed by transport operators whilst using strong security parameters. In particular, a validation can be completed in 184.25ms when the mobile is switched on, and in 266.52ms when the mobile is switched off or its battery is flat.

Keywords: Set membership proof; zero-knowledge proof; m-ticketing; privacy; anonymity; unlinkability; post-payment


  • 1The work has been supported by the ANR-11-INS-0013 LYRICS Project.


  • [1] P. S. Barreto and M. Naehrig. Pairing-Friendly Elliptic Curves of Prime Order. In B. Preneel and S. Tavares, editors, Selected Areas in Cryptography, volume 3897 of LNCS, pages 319–331. Springer Berlin Heidelberg, Kingston, ON, Canada, 2006.

  • [2] Bellare, Namprempre, Pointcheval, and Semanko. The one-more-RSA-inversion problems and the security of chaum’s blind signature scheme. Journal of Cryptology, 16(3):185–215, 2003. DOI: 10.1007/s00145-002-0120-1. [Crossref]

  • [3] M. Bellare and P. Rogaway. Random Oracles Are Practical: A Paradigm for Designing Efficient Protocols. In 1st ACM Conference on Computer and Communications Security, CCS ’93, pages 62–73, Fairfax, Virginia, USA, 1993. ACM.

  • [4] Berlin.de. Tickets, fares and route maps. http://www.berlin.de/en/public-transportation/1772016-2913840-tickets-faresand-route-maps.en.html.

  • [5] E.-O. Blass, A. Kurmus, R. Molva, and T. Strufe. PSP: Private and secure payment with RFID. Computer Communications, 36(4):468–480, 2013. DOI: 10.1016/j.comcom.2012.10.012. [Crossref]

  • [6] D. Boneh and X. Boyen. Short Signatures Without Random Oracles. In C. Cachin and J. L. Camenisch, editors, Advances in Cryptology - EUROCRYPT 2004, volume 3027 of LNCS, pages 56–73. Springer Berlin Heidelberg, Interlaken, Switzerland, 2004.

  • [7] D. Boneh and X. Boyen. Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups. Journal of Cryptology, 21(2):149–177, 2008. DOI: 10.1007/s00145-007-9005-7. [Crossref]

  • [8] D. Boneh, X. Boyen, and H. Shacham. Short Group Signatures. In M. Franklin, editor, Advances in Cryptology - CRYPTO ’04, volume 3152 of LNCS, pages 41–55. Springer Berlin Heidelberg, Santa Barbara, California, USA, 2004.

  • [9] J. Camenisch, R. Chaabouni, and A. Shelat. Efficient Protocols for Set Membership and Range Proofs. In J. Pieprzyk, editor, Advances in Cryptology - ASIACRYPT 2008, volume 5350 of LNCS, pages 234–252. Springer Berlin Heidelberg, Melbourne, Australia, 2008.

  • [10] J. Camenisch and A. Lysyanskaya. Signature Schemes and Anonymous Credentials from Bilinear Maps. In M. Franklin, editor, Advances in Cryptology - CRYPTO ’04, volume 3152 of LNCS, pages 56–72. Springer Berlin Heidelberg, Santa Barbara, California, USA, 2004.

  • [11] J. Camenisch, J.-M. Piveteau, and M. Stadler. An Efficient Fair Payment System. In 3rd ACM Conference on Computer and Communications Security, CCS ’96, pages 88–94, New Delhi, India, 1996. ACM.

  • [12] S. Canard, I. Coisel, A. Jambert, and J. Traoré. New Results for the Practical Use of Range Proofs. In S. Katsikas and I. Agudo, editors, Public Key Infrastructures, Services and Applications, volume 8341 of LNCS, pages 47–64. Springer Berlin Heidelberg, Egham, UK, 2014.

  • [13] R. Chaabouni, H. Lipmaa, and B. Zhang. A Non-interactive Range Proof with Constant Communication. In A. Keromytis, editor, Financial Cryptography and Data Security, volume 7397 of LNCS, pages 179–199. Springer Berlin Heidelberg, Kralendijk, Bonaire, 2012.

  • [14] D. Chaum and T. P. Pedersen. Wallet Databases with Observers. In E. F. Brickell, editor, Advances in Cryptology - CRYPTO ’92, volume 740 of LNCS, pages 89–105, Santa Barbara, California, USA, 1993. Springer Berlin Heidelberg.

  • [15] S. Chaumette, D. Dubernet, and J. Ouoba. Architecture and comparison of two different user-centric NFC-enabled event ticketing approaches. In S. Balandin, Y. Koucheryavy, and H. Hu, editors, The 11th international conference on next generation wired/wireless networking, volume 6869 of LNCS, pages 165–177, St. Petersburg, Russia, 2011. Springer Berlin Heidelberg.

  • [16] D. Derler, K. Potzmader, J. Winter, and K. Dietrich. Anonymous Ticketing for NFC-Enabled Mobile Phones. In L. Chen, M. Yung, and L. Zhu, editors, Trusted Systems, volume 7222 of LNCS, pages 66–83, Beijing, China, 2012. Springer Berlin Heidelberg.

  • [17] Y. G. Desmedt and Y. Frankel. Threshold cryptosystems. In G. Brassard, editor, Advances in Cryptology - CRYPTO ’89, volume 435 of LNCS, pages 307–315, Santa Barbara, California, USA, 1989. Springer Berlin Heidelberg.

  • [18] A. Devegili, M. Scott, and R. Dahab. Implementing Cryptographic Pairings over Barreto-Naehrig Curves. In T. Takagi, T. Okamoto, E. Okamoto, and T. Okamoto, editors, Pairing-Based Cryptography - Pairing 2007, volume 4575 of LNCS, pages 197–207. Springer Berlin Heidelberg, Tokyo, Japan, July 2007.

  • [19] A. Dmitrienko, A.-R. Sadeghi, S. Tamrakar, and C. Wachsmann. SmartTokens: Delegable Access Control with NFC-Enabled Smartphones. In S. Katzenbeisser, E. Weippl, L. Camp, M. Volkamer, M. Reiter, and X. Zhang, editors, Trust and Trustworthy Computing, volume 7344 of LNCS, pages 219–238. Springer Berlin Heidelberg, Vienna, Austria, 2012.

  • [20] Y. Dodis. Efficient Construction of (Distributed) Verifiable Random Functions. In Y. Desmedt, editor, Public Key Cryptography - PKC 2003, volume 2567 of LNCS, pages 1–17. Springer Berlin Heidelberg, Miami, FL, USA, 2003.

  • [21] Y. Dodis and A. Yampolskiy. A Verifiable Random Function with Short Proofs and Keys. In S. Vaudenay, editor, Public Key Cryptography - PKC 2005, volume 3386 of LNCS, pages 416–431. Springer Berlin Heidelberg, Diablerets, Switzerland, 2005.

  • [22] J.-E. Ekberg and S. Tamrakar. Mass Transit Ticketing with NFC Mobile Phones. In L. Chen, M. Yung, and L. Zhu, editors, Third International Conference on Trusted Systems, volume 7222 of LNCS, pages 48–65, Beijing, China, 2012. Springer Berlin Heidelberg.

  • [23] T. El Gamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In G. R. Blakley and D. Chaum, editors, Advances in Cryptology - CRYPTO ’84, volume 196 of LNCS, pages 10–18, Santa Barbara, California, USA, 1985. Springer Berlin Heidelberg.

  • [24] M. Eznack, J.-P. Warry, C. Loiseaux, G. Dufay, R. Atoui, N. Herbreteau, J. Pieniazek, and F. Thabaret. (U)SIM Java Card Platform Protection Profile Basic and SCWS Configurations-Evolutive Certification Scheme for (U)SIM cards, Version 2.0.2. http://www.ssi.gouv.fr/IMG/certificat/ANSSI-CC-cible_PP-2010-04en.pdf, June 2010.

  • [25] A. Fiat and A. Shamir. How to Prove Yourself: Practical Solutions to Identification and Signature Problems. In A. M. Odlyzko, editor, Advances in Cryptology - CRYPTO ’86, volume 263 of LNCS, pages 186–194, Santa Barbara, California, USA, 1987. Springer Berlin Heidelberg.

  • [26] P. Fouque and J. Stern. Fully distributed threshold RSA under standard assumptions. In C. Boyd, editor, Advances in Cryptology - ASIACRYPT 2001, volume 2248 of LNCS, pages 310–330, Gold Coast, Australia, 2001. Springer Berlin Heidelberg.

  • [27] FROST & SULLIVAN. NFC: When will be the real start? http://www.frost.com/sublib/display-report.do?id=9843-00-13-00-00, January 2011.

  • [28] G. Fuchsbauer, D. Pointcheval, and D. Vergnaud. Transferable Constant-Size Fair E-Cash. In J. Garay, A. Miyaji, and A. Otsuka, editors, Cryptology and Network Security, volume 5888 of LNCS, pages 226–247. Springer Berlin Heidelberg, Kanazawa, Japan, 2009.

  • [29] S. D. Galbraith, K. G. Paterson, and N. P. Smart. Pairings for cryptographers. Discrete Applied Mathematics, 156(16):3113–3121, 2008. DOI: 10.1016/j.dam.2007.12.010. [Crossref]

  • [30] R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin. Secure Applications of Pedersen Distributed Key Generation Protocol. In M. Joye, editor, Topics in Cryptology - CT-RSA 2003, volume 2612 of LNCS, pages 373–390. Springer Berlin Heidelberg, San Francisco, CA, USA, 2003.

  • [31] C. P. L. Gouvêa, L. B. Oliveira, and J. López. Efficient software implementation of public-key cryptography on sensor networks using the MSP430X microcontroller. J. Cryptographic Engineering, 2(1):19–29, 2012. DOI: 10.1007/s13389-012-0029-z. [Crossref]

  • [32] GSMA Mobile NFC. White Paper: Mobile NFC in Transport. http://www.uitp.org/public-transport/technology/Mobile-NFC-in-Transport.pdf, September 2012.

  • [33] T. S. Heydt-Benjamin, H.-J. Chae, B. Defend, and K. Fu. Privacy for Public Transportation. In G. Danezis and P. Golle, editors, 6th International Conference on Privacy Enhancing Technologies - PET’06, volume 4258 of LNCS, pages 1–19, Cambridge, UK, 2006. Springer Berlin Heidelberg.

  • [34] E. Hufschmitt and J. Traoré. Fair Blind Signatures Revisited. In T. Takagi, T. Okamoto, E. Okamoto, and T. Okamoto, editors, Pairing-Based Cryptography - Pairing 2007, volume 4575 of LNCS, pages 268–292, Tokyo, Japan, July 2007.

  • [35] A. P. Isern-Deya, A. Vives-Guasch, M. Mut-Puigserver, M. Payeras-Capella, and J. Castella-Roca. A Secure Automatic Fare Collection System for Time-Based or Distance-Based Services with Revocable Anonymity for Users. The Computer Journal, 56(10):1198–1215, Apr. 2012. DOI: 10.1093/comjnl/bxs033. [Crossref]

  • [36] ISO 14443-3:2011. Identification cards – Contactless integrated circuit cards – Proximity cards.

  • [37] A. Menezes, S. Vanstone, and T. Okamoto. Reducing Elliptic Curve Logarithms to Logarithms in a Finite Field. In 23rd Annual ACM Symposium on Theory of Computing - STOC ’91, pages 80–89, New Orleans, Louisiana, USA, 1991. ACM.

  • [38] Moscow. http://moscow.ru/fr/guide/trip_planning/inner_transport/transport/metro/.

  • [39] NFC Forum. NFC in Public Transport. http://nfc-forum.org/wp-content/uploads/2013/12/NFC-in-Public-Transport.pdf, 2011.

  • [40] P. Paillier. Low-Cost Double-Size Modular Exponentiation or How to Stretch Your Cryptoprocessor. In Second International Workshop on Practice and Theory in Public Key Cryptography, PKC ’99, volume 1560 of LNCS, pages 223–234, Kamakura, Japan, Mar. 1999. Springer Berlin Heidelberg.

  • [41] T. Pedersen. . In J. Feigenbaum, editor, Advances in Cryptology - CRYPTO ’91, volume 576 of LNCS, pages 129–140. Springer Berlin Heidelberg, 1992.

  • [42] D. Pointcheval and J. Stern. Security Proofs for Signature Schemes. In U. Maurer, editor, Advances in Cryptology - EUROCRYPT ’96, volume 1070 of LNCS, pages 387–398. Springer Berlin Heidelberg, Saragossa, Spain, 1996.

  • [43] D. Pointcheval and J. Stern. Security arguments for digital signatures and blind signatures. J. Cryptology, 13(3):361–396, 2000. DOI: 10.1007/s001450010003. [Crossref]

  • [44] A. Rupp, G. Hinterwälder, F. Baldimtsi, and C. Paar. P4R: Privacy-Preserving Pre-Payments with Refunds for Transportation Systems. In A.-R. Sadeghi, editor, Financial Cryptography and Data Security, volume 7859 of LNCS, pages 205–212. Springer Berlin Heidelberg, Okinawa, Japan, 2013.

  • [45] A. Sadeghi, I. Visconti, and C. Wachsmann. User Privacy in Transport Systems Based on RFID E-Tickets. In C. Bettini, S. Jajodia, P. Samarati, and X. S. Wang, editors, International Workshop on Privacy in Location-Based Applications - PilBA 2008, volume 397, Malaga, Spain, Oct. 2008. CEUR.

  • [46] C. Schnorr. Efficient Signature Generation by Smart Cards. Journal of Cryptology, 4(3):161–174, 1991. DOI: 10.1007/BF00196725. [Crossref]

  • [47] Smart Card Alliance. Proximity mobile payments: Leveraging NFC and the contactless financial payments infrastructure. http://www.smartcardalliance.org/resources/lib/Proximity_Mobile_Payments_200709.pdf, 2007.

  • [48] P. Szczechowiak, L. Oliveira, M. Scott, M. Collier, and R. Dahab. NanoECC: Testing the Limits of Elliptic Curve Cryptography in Sensor Networks. In R. Verdone, editor, Wireless Sensor Networks, volume 4913 of LNCS, pages 305–320. Springer Berlin Heidelberg, Bologna, Italy, 2008.

  • [49] S. Tamrakar and J.-E. Ekberg. Tapping and Tripping with NFC. In 6th International Conference on Trust & Trustworthy Computing, volume 7904 of LNCS, pages 115–132, London, United Kingdom, 2013. Springer Berlin Heidelberg.

  • [50] The Paris Convention and Visitors Bureau. Public transport in paris. http://en.parisinfo.com/practical-paris/how-to-getto-and-around-paris/public-transport-paris.

  • [51] G. Arfaoui, J.-F. Lalande, J. Traoré, N. Desmoulins, P. Berthomé, and S. Gharout. arXiv: 1505.03048.

Received: 2014-11-15

Revised: 2015-05-15

Accepted: 2015-05-15

Published Online: 2015-06-22

Published in Print: 2015-06-01

Citation Information: Proceedings on Privacy Enhancing Technologies. Volume 2015, Issue 2, Pages 25–45, ISSN (Online) 2299-0984, DOI: https://doi.org/10.1515/popets-2015-0019, June 2015

© Ghada Arfaoui et al.. This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 3.0 License. (CC BY-NC-ND 3.0)

Comments (0)

Please log in or register to comment.