P4R: Privacy-Preserving Pre-Payments with …fc13.ifca.ai/slide/6-2.pdfCycle count Execution time...
Transcript of P4R: Privacy-Preserving Pre-Payments with …fc13.ifca.ai/slide/6-2.pdfCycle count Execution time...
![Page 1: P4R: Privacy-Preserving Pre-Payments with …fc13.ifca.ai/slide/6-2.pdfCycle count Execution time @16 MHz Brands' withdrawing one coin 69 120 181 4.32 s Brands' spending one coin 35](https://reader033.fdocuments.net/reader033/viewer/2022050422/5f91c015dd34f414f351bbe4/html5/thumbnails/1.jpg)
P4R: Privacy-Preserving Pre-Payments with Refunds for Transportation Systems
Andy Rupp1, Gesine Hinterwälder2, Foteini3 Baldimtsi, Christof Paar2,4
1 Karlsruhe Institute of Technology2 University of Massachusetts Amherst
3 Brown University4 Ruhr-University Bochum
0964641
![Page 2: P4R: Privacy-Preserving Pre-Payments with …fc13.ifca.ai/slide/6-2.pdfCycle count Execution time @16 MHz Brands' withdrawing one coin 69 120 181 4.32 s Brands' spending one coin 35](https://reader033.fdocuments.net/reader033/viewer/2022050422/5f91c015dd34f414f351bbe4/html5/thumbnails/2.jpg)
Outline
Motivation eCash
Overview Performance Issues
P4R Description Evaluation
1
![Page 3: P4R: Privacy-Preserving Pre-Payments with …fc13.ifca.ai/slide/6-2.pdfCycle count Execution time @16 MHz Brands' withdrawing one coin 69 120 181 4.32 s Brands' spending one coin 35](https://reader033.fdocuments.net/reader033/viewer/2022050422/5f91c015dd34f414f351bbe4/html5/thumbnails/3.jpg)
Motivation
Transportation Payments Large volumes Low cost Have to be executed fast
Electronic Payments Throughput and convenience advantages Reduced revenue collection cost Enable dynamic pricing Facilitate maintenance of a system Enable easy collection of meaningful data
2
![Page 4: P4R: Privacy-Preserving Pre-Payments with …fc13.ifca.ai/slide/6-2.pdfCycle count Execution time @16 MHz Brands' withdrawing one coin 69 120 181 4.32 s Brands' spending one coin 35](https://reader033.fdocuments.net/reader033/viewer/2022050422/5f91c015dd34f414f351bbe4/html5/thumbnails/4.jpg)
Motivation
“Some call T's new Charlie Card an invasion of privacy. But agency insists safeguards in place”
“Hacking the T: MBTA sues to keep MIT students from telling how they cracked the CharlieCard”
“Hackers Crack London Tube Oyster Card”
“Privacy Concerns Raised Over Clipper Card Passenger Tracking”
3
![Page 5: P4R: Privacy-Preserving Pre-Payments with …fc13.ifca.ai/slide/6-2.pdfCycle count Execution time @16 MHz Brands' withdrawing one coin 69 120 181 4.32 s Brands' spending one coin 35](https://reader033.fdocuments.net/reader033/viewer/2022050422/5f91c015dd34f414f351bbe4/html5/thumbnails/5.jpg)
Motivation
We need payment systems for transportation that are: Secure (unforgeable & secure against doublespending) Private (anonymous) Trusted Efficient Low-cost Usable Reliable
4
![Page 6: P4R: Privacy-Preserving Pre-Payments with …fc13.ifca.ai/slide/6-2.pdfCycle count Execution time @16 MHz Brands' withdrawing one coin 69 120 181 4.32 s Brands' spending one coin 35](https://reader033.fdocuments.net/reader033/viewer/2022050422/5f91c015dd34f414f351bbe4/html5/thumbnails/6.jpg)
eCash
Spending Depos
it
WithdrawalID
BankBankBan
k
5
![Page 7: P4R: Privacy-Preserving Pre-Payments with …fc13.ifca.ai/slide/6-2.pdfCycle count Execution time @16 MHz Brands' withdrawing one coin 69 120 181 4.32 s Brands' spending one coin 35](https://reader033.fdocuments.net/reader033/viewer/2022050422/5f91c015dd34f414f351bbe4/html5/thumbnails/7.jpg)
eCash
Blind signature
Security Properties of Blind Signatures
Blindness: Signer should not be able to view the messages he signs (i.e. Bank cannot link e-coins to specific users)
Unforgeability: User should not be able to forge the signer's signatures (i.e. User cannot forge coins)
ID
Bank
Bank Bank
6
![Page 8: P4R: Privacy-Preserving Pre-Payments with …fc13.ifca.ai/slide/6-2.pdfCycle count Execution time @16 MHz Brands' withdrawing one coin 69 120 181 4.32 s Brands' spending one coin 35](https://reader033.fdocuments.net/reader033/viewer/2022050422/5f91c015dd34f414f351bbe4/html5/thumbnails/8.jpg)
eCash
Double Spending
Double Spending reveals User's ID!!!
7
![Page 9: P4R: Privacy-Preserving Pre-Payments with …fc13.ifca.ai/slide/6-2.pdfCycle count Execution time @16 MHz Brands' withdrawing one coin 69 120 181 4.32 s Brands' spending one coin 35](https://reader033.fdocuments.net/reader033/viewer/2022050422/5f91c015dd34f414f351bbe4/html5/thumbnails/9.jpg)
Brands' Untraceable Offline Cash
Introduced in 1993
Most efficient scheme during Spending Phase
Well-known and implemented (Microsoft U-Prove)
[Bra93] S. Brands. Untraceable Off-line Cash in Wallets with Observers (Extended Abstract). In Proceedings of the 13th Annual International Cryptology Conference on Advances in Cryptology, CRYPTO ’93, pages 302–318, 1994. 8
![Page 10: P4R: Privacy-Preserving Pre-Payments with …fc13.ifca.ai/slide/6-2.pdfCycle count Execution time @16 MHz Brands' withdrawing one coin 69 120 181 4.32 s Brands' spending one coin 35](https://reader033.fdocuments.net/reader033/viewer/2022050422/5f91c015dd34f414f351bbe4/html5/thumbnails/10.jpg)
Brands' Untraceable Offline Cash
Scheme based on cyclic group of prime order
Coin size (elements that have to be stored on user device
for each coin): and
Withdrawal
Spending
12 exponentiations
0 exponentiations
2 exponentiations
3 exponentiations
Gq
A , B , z ' , a ' , b '∈Gq r ' , s , x0, x1∈ℤq
9
![Page 11: P4R: Privacy-Preserving Pre-Payments with …fc13.ifca.ai/slide/6-2.pdfCycle count Execution time @16 MHz Brands' withdrawing one coin 69 120 181 4.32 s Brands' spending one coin 35](https://reader033.fdocuments.net/reader033/viewer/2022050422/5f91c015dd34f414f351bbe4/html5/thumbnails/11.jpg)
Implementation Results Brands'
Base scheme on 160-bit elliptic curve
and measure execution time on Moo computational RFID tag
Storage space required per coin: 284 bytes
Execution time on MSP430F2618, when based on 160-bit curve:
[ZGRF11] H. Zhang, J. Gummeson, B. Ransford, and K. Fu. Moo: A Batteryless Computational RFID and Sensing Platform. https://web.cs.umass.edu/publication/docs/2011/UM-CS-2011-020.pdf. 2011.
10
Cycle count Execution time @16 MHz
Brands' withdrawing one coin 69 120 181 4.32 s
Brands' spending one coin 35 052 0.0022 s
![Page 12: P4R: Privacy-Preserving Pre-Payments with …fc13.ifca.ai/slide/6-2.pdfCycle count Execution time @16 MHz Brands' withdrawing one coin 69 120 181 4.32 s Brands' spending one coin 35](https://reader033.fdocuments.net/reader033/viewer/2022050422/5f91c015dd34f414f351bbe4/html5/thumbnails/12.jpg)
Cycle count Execution time @16 MHz
Brands' withdrawing one coin 69 120 181 4.32 s
Brands' spending one coin 35 052 0.0022 s
Implementation Results Brands'
Base scheme on 160-bit elliptic curve
and measure execution time on Moo computational RFID tag
Storage space required per coin: 284 bytes
Execution time on MSP430F2618, when based on 160-bit curve:
10
[ZGRF11] H. Zhang, J. Gummeson, B. Ransford, and K. Fu. Moo: A Batteryless Computational RFID and Sensing Platform. https://web.cs.umass.edu/publication/docs/2011/UM-CS-2011-020.pdf. 2011.
Users should not have to withdrawand store too many coins!!!
![Page 13: P4R: Privacy-Preserving Pre-Payments with …fc13.ifca.ai/slide/6-2.pdfCycle count Execution time @16 MHz Brands' withdrawing one coin 69 120 181 4.32 s Brands' spending one coin 35](https://reader033.fdocuments.net/reader033/viewer/2022050422/5f91c015dd34f414f351bbe4/html5/thumbnails/13.jpg)
Our Approach
Build on Brands' due to efficiency reasons (could use any
efficient, anonymous 2-show credential scheme)
Alleviate its disadvantages (large coin size, inefficient
withdrawal)
Minimize number of coins needed using novel
pre-payments with refunds approach:
Use Brands' coin as ticket
Ticket price = cost of most expensive trip
Cost of actual trip determined on exit
Pay refund based on overpayment11
![Page 14: P4R: Privacy-Preserving Pre-Payments with …fc13.ifca.ai/slide/6-2.pdfCycle count Execution time @16 MHz Brands' withdrawing one coin 69 120 181 4.32 s Brands' spending one coin 35](https://reader033.fdocuments.net/reader033/viewer/2022050422/5f91c015dd34f414f351bbe4/html5/thumbnails/14.jpg)
P4R: Main Components
Vending Machines (online)
Entry Turnstiles (offline)Exit Turnstiles (offline)Central Database
Subway
12
![Page 15: P4R: Privacy-Preserving Pre-Payments with …fc13.ifca.ai/slide/6-2.pdfCycle count Execution time @16 MHz Brands' withdrawing one coin 69 120 181 4.32 s Brands' spending one coin 35](https://reader033.fdocuments.net/reader033/viewer/2022050422/5f91c015dd34f414f351bbe4/html5/thumbnails/15.jpg)
P4R: Main Components
Buy ticket
Get piggy bank
12
![Page 16: P4R: Privacy-Preserving Pre-Payments with …fc13.ifca.ai/slide/6-2.pdfCycle count Execution time @16 MHz Brands' withdrawing one coin 69 120 181 4.32 s Brands' spending one coin 35](https://reader033.fdocuments.net/reader033/viewer/2022050422/5f91c015dd34f414f351bbe4/html5/thumbnails/16.jpg)
P4R: Main Components
Show
ticket
Get stam
ped
ticket
12
![Page 17: P4R: Privacy-Preserving Pre-Payments with …fc13.ifca.ai/slide/6-2.pdfCycle count Execution time @16 MHz Brands' withdrawing one coin 69 120 181 4.32 s Brands' spending one coin 35](https://reader033.fdocuments.net/reader033/viewer/2022050422/5f91c015dd34f414f351bbe4/html5/thumbnails/17.jpg)
P4R: Main Components
12
![Page 18: P4R: Privacy-Preserving Pre-Payments with …fc13.ifca.ai/slide/6-2.pdfCycle count Execution time @16 MHz Brands' withdrawing one coin 69 120 181 4.32 s Brands' spending one coin 35](https://reader033.fdocuments.net/reader033/viewer/2022050422/5f91c015dd34f414f351bbe4/html5/thumbnails/18.jpg)
P4R: Main Components
Show stam
ped
ticket
Get refund
in piggy bank
12
![Page 19: P4R: Privacy-Preserving Pre-Payments with …fc13.ifca.ai/slide/6-2.pdfCycle count Execution time @16 MHz Brands' withdrawing one coin 69 120 181 4.32 s Brands' spending one coin 35](https://reader033.fdocuments.net/reader033/viewer/2022050422/5f91c015dd34f414f351bbe4/html5/thumbnails/19.jpg)
P4R: Main Components
Cash piggy bank
12
![Page 20: P4R: Privacy-Preserving Pre-Payments with …fc13.ifca.ai/slide/6-2.pdfCycle count Execution time @16 MHz Brands' withdrawing one coin 69 120 181 4.32 s Brands' spending one coin 35](https://reader033.fdocuments.net/reader033/viewer/2022050422/5f91c015dd34f414f351bbe4/html5/thumbnails/20.jpg)
Brands-Based TAT System
A=(g 1idU g2)
s
B=g1x1g 2
x2
A , B , sig (A , B)
r1=d (id U s )+x1r 2=d∗s+x2
Brands' coin:
Showing coin:
13
![Page 21: P4R: Privacy-Preserving Pre-Payments with …fc13.ifca.ai/slide/6-2.pdfCycle count Execution time @16 MHz Brands' withdrawing one coin 69 120 181 4.32 s Brands' spending one coin 35](https://reader033.fdocuments.net/reader033/viewer/2022050422/5f91c015dd34f414f351bbe4/html5/thumbnails/21.jpg)
idU=r1−r ' 1r2−r ' 2
=(d−d ' )idU s
(d−d ' )s
Brands-Based TAT System
A=(g 1idU g2)
s
B=g1x1g 2
x2
A , B , sig (A , B)
r1=d (id U s )+x1r 2=d∗s+x2
r ' 1=d ' (id U s )+x1r ' 2=d '∗s+x2
Brands' coin:
Showing coin:
Double spending:
13
![Page 22: P4R: Privacy-Preserving Pre-Payments with …fc13.ifca.ai/slide/6-2.pdfCycle count Execution time @16 MHz Brands' withdrawing one coin 69 120 181 4.32 s Brands' spending one coin 35](https://reader033.fdocuments.net/reader033/viewer/2022050422/5f91c015dd34f414f351bbe4/html5/thumbnails/22.jpg)
r1=d (id U s )+x1r 2=d∗s+x2
r ' 1=d ' (id U s )+x ' 1r ' 2=d '∗s+x ' 2
P4R' coin:
First spending:
Second spending:
A=(g 1idU g2)
s
B=g1x1g 2
x2
A , B ,C , sig (A , B ,C )
C=g1x' 1 g2
x ' 2
Brands-Based TAT System
A=(g 1idU g2)
s
B=g1x1g 2
x2
A , B , sig (A , B)
r1=d (id U s )+x1r 2=d∗s+x2
r ' 1=d ' (id U s )+x1r ' 2=d '∗s+x2
Brands' coin:
Showing coin:
Double spending:
13
![Page 23: P4R: Privacy-Preserving Pre-Payments with …fc13.ifca.ai/slide/6-2.pdfCycle count Execution time @16 MHz Brands' withdrawing one coin 69 120 181 4.32 s Brands' spending one coin 35](https://reader033.fdocuments.net/reader033/viewer/2022050422/5f91c015dd34f414f351bbe4/html5/thumbnails/23.jpg)
IDID
E-TICKET
112537
Ownership (1)
112537112537
Ownership (2)
Buy ticket
Get piggy bank
P4R: BuyTAT and GetRT
14
![Page 24: P4R: Privacy-Preserving Pre-Payments with …fc13.ifca.ai/slide/6-2.pdfCycle count Execution time @16 MHz Brands' withdrawing one coin 69 120 181 4.32 s Brands' spending one coin 35](https://reader033.fdocuments.net/reader033/viewer/2022050422/5f91c015dd34f414f351bbe4/html5/thumbnails/24.jpg)
IDID
TA
Harry€ 0“Harry”
E-TICKET
112537
Ownership (1)
112537112537
Ownership (2)
Buy ticket
Get piggy bank
P4R: BuyTAT and GetRT
14
![Page 25: P4R: Privacy-Preserving Pre-Payments with …fc13.ifca.ai/slide/6-2.pdfCycle count Execution time @16 MHz Brands' withdrawing one coin 69 120 181 4.32 s Brands' spending one coin 35](https://reader033.fdocuments.net/reader033/viewer/2022050422/5f91c015dd34f414f351bbe4/html5/thumbnails/25.jpg)
IDID
TA
Harry€ 0
TA Harry€ 0“Harry”
Harry€ 0
E-TICKET
112537
Ownership (1)
112537112537
Ownership (2)
E-TICKET
112537
Ownership (1)
112537112537
Ownership (2)TA
TA
TA
Buy ticket
Get piggy bank
P4R: BuyTAT and GetRT
14
![Page 26: P4R: Privacy-Preserving Pre-Payments with …fc13.ifca.ai/slide/6-2.pdfCycle count Execution time @16 MHz Brands' withdrawing one coin 69 120 181 4.32 s Brands' spending one coin 35](https://reader033.fdocuments.net/reader033/viewer/2022050422/5f91c015dd34f414f351bbe4/html5/thumbnails/26.jpg)
E-TICKET
112537
Ownership (1)
112537112537
Ownership (2)TA
TA
TA
112537
E-TICKET
112537
Ownership (1)
112537TA
TA
Show ticket
Get stamped ticket
P4R: ShowTAT and GetRCT
15
![Page 27: P4R: Privacy-Preserving Pre-Payments with …fc13.ifca.ai/slide/6-2.pdfCycle count Execution time @16 MHz Brands' withdrawing one coin 69 120 181 4.32 s Brands' spending one coin 35](https://reader033.fdocuments.net/reader033/viewer/2022050422/5f91c015dd34f414f351bbe4/html5/thumbnails/27.jpg)
E-TICKET
112537
Ownership (1)
112537112537
Ownership (2)TA
TA
TAE-TICKET
112537
TA
112537
Ownership (1)TA
112537
E-TICKET
112537
Ownership (1)
112537TA
TA
Show ticket
Get stamped ticket
P4R: ShowTAT and GetRCT
15
![Page 28: P4R: Privacy-Preserving Pre-Payments with …fc13.ifca.ai/slide/6-2.pdfCycle count Execution time @16 MHz Brands' withdrawing one coin 69 120 181 4.32 s Brands' spending one coin 35](https://reader033.fdocuments.net/reader033/viewer/2022050422/5f91c015dd34f414f351bbe4/html5/thumbnails/28.jpg)
E-TICKET
112537
Ownership (1)
112537112537
Ownership (2)TA
TA
TA
E-TICKET
112537
TAOrigin: S BayTime: 8/1/11 9.35
Reader E-TICKET
112537
Ownership (2)
112537
TA
TAReader
Origin: S BayTime: 8/1/11 9.35
E-TICKET
112537
TA
112537
Ownership (1)TA
E-TICKET
112537
TAOrigin: S BayTime: 8/1/11 9.35
Reader
112537
112537
E-TICKET
112537
Ownership (1)
112537TA
TA
Show ticket
Get stamped ticket
P4R: ShowTAT and GetRCT
112537
E-TICKET
112537
Ownership (1)
112537TA
TA
15
![Page 29: P4R: Privacy-Preserving Pre-Payments with …fc13.ifca.ai/slide/6-2.pdfCycle count Execution time @16 MHz Brands' withdrawing one coin 69 120 181 4.32 s Brands' spending one coin 35](https://reader033.fdocuments.net/reader033/viewer/2022050422/5f91c015dd34f414f351bbe4/html5/thumbnails/29.jpg)
E-TICKET
112537
Ownership (2)TA
TAReader
Origin: S BayTime: 8/1/11 9.35
E-TICKET
112537
Ownership (2)
112537
TA
TAOrigin: S BayTime: 8/1/11 9.35
Harry
€ 1.31
112537
Show stamped ticket
Get refund in piggy bank
P4R: ShowRCT and GetRefund
16
Reader
![Page 30: P4R: Privacy-Preserving Pre-Payments with …fc13.ifca.ai/slide/6-2.pdfCycle count Execution time @16 MHz Brands' withdrawing one coin 69 120 181 4.32 s Brands' spending one coin 35](https://reader033.fdocuments.net/reader033/viewer/2022050422/5f91c015dd34f414f351bbe4/html5/thumbnails/30.jpg)
E-TICKET
112537
TAReaderOrigin: S BayTime: 8/1/11 9.35
112537
Ownership (2)TA
E-TICKET
112537
Ownership (2)TA
TAReader
Origin: S BayTime: 8/1/11 9.35
E-TICKET
112537
Ownership (2)
112537
TA
TAOrigin: S BayTime: 8/1/11 9.35
Harry
€ 1.31
112537
Show stamped ticket
Get refund in piggy bank
P4R: ShowRCT and GetRefund
16
Reader
![Page 31: P4R: Privacy-Preserving Pre-Payments with …fc13.ifca.ai/slide/6-2.pdfCycle count Execution time @16 MHz Brands' withdrawing one coin 69 120 181 4.32 s Brands' spending one coin 35](https://reader033.fdocuments.net/reader033/viewer/2022050422/5f91c015dd34f414f351bbe4/html5/thumbnails/31.jpg)
Harry
€ 1,25
Harry
€ 1.31
E-TICKET
112537
TAReaderOrigin: S BayTime: 8/1/11 9.35
112537
Ownership (2)TA
Harry
112537
E-TICKET
112537
Ownership (2)TA
TAReader
Origin: S BayTime: 8/1/11 9.35
E-TICKET
112537
Ownership (2)
112537
TA
TAOrigin: S BayTime: 8/1/11 9.35
Harry
€ 1.31
112537
Show stamped ticket
Get refund in piggy bank
P4R: ShowRCT and GetRefund
E-TICKET
112537
Ownership (2)
112537
TA
TAOrigin: S BayTime: 8/1/11 9.35
16
Reader
Reader
![Page 32: P4R: Privacy-Preserving Pre-Payments with …fc13.ifca.ai/slide/6-2.pdfCycle count Execution time @16 MHz Brands' withdrawing one coin 69 120 181 4.32 s Brands' spending one coin 35](https://reader033.fdocuments.net/reader033/viewer/2022050422/5f91c015dd34f414f351bbe4/html5/thumbnails/32.jpg)
Cashing RT
Harry
€ 80.45
Harry
€ 80.45
P4R: RedeemRT
17
![Page 33: P4R: Privacy-Preserving Pre-Payments with …fc13.ifca.ai/slide/6-2.pdfCycle count Execution time @16 MHz Brands' withdrawing one coin 69 120 181 4.32 s Brands' spending one coin 35](https://reader033.fdocuments.net/reader033/viewer/2022050422/5f91c015dd34f414f351bbe4/html5/thumbnails/33.jpg)
Cashing RT
Harry
€ 80.45
Harry
€ 80.45
Harry
€ 80.45
“Harry valid?”In DB & notcashed before?
“Harry valid!”
P4R: RedeemRT
17
![Page 34: P4R: Privacy-Preserving Pre-Payments with …fc13.ifca.ai/slide/6-2.pdfCycle count Execution time @16 MHz Brands' withdrawing one coin 69 120 181 4.32 s Brands' spending one coin 35](https://reader033.fdocuments.net/reader033/viewer/2022050422/5f91c015dd34f414f351bbe4/html5/thumbnails/34.jpg)
Cashing RT
Harry
€ 80.45
Harry
€ 80.45
Harry
€ 80.45
“Harry valid?”In DB & notcashed before?
“Harry valid!”
“Harry cashed”
P4R: RedeemRT
17
![Page 35: P4R: Privacy-Preserving Pre-Payments with …fc13.ifca.ai/slide/6-2.pdfCycle count Execution time @16 MHz Brands' withdrawing one coin 69 120 181 4.32 s Brands' spending one coin 35](https://reader033.fdocuments.net/reader033/viewer/2022050422/5f91c015dd34f414f351bbe4/html5/thumbnails/35.jpg)
BLS-Signature Based RT System
A pairing is a bilinear map:
BLS-signatures requires an efficiently computable, non-degenerate pairing!
e (au , bv)=e (a ,b)uv for all u , v ,∈ℤ p , a , b ,∈G p
Boneh-Lynn-Shacham Signatures:
Keys:
Signature on :
Verification of :
sk=x∈ℤp , v=gx
m∈G σ :=H (m)x
(m ,σ) e(g ,σ)=e(v ,H (m))?
18
![Page 36: P4R: Privacy-Preserving Pre-Payments with …fc13.ifca.ai/slide/6-2.pdfCycle count Execution time @16 MHz Brands' withdrawing one coin 69 120 181 4.32 s Brands' spending one coin 35](https://reader033.fdocuments.net/reader033/viewer/2022050422/5f91c015dd34f414f351bbe4/html5/thumbnails/36.jpg)
BLS-Signature Based RT System
Harry€ w
Harry
Harry€ w
RT=Harry∈G , R=1, v=0
r∈ℤ p , RT '=RTr ,
Refund token:
Adding refund user:v=v+w , R=R∗r mod p
w
RT '=RT ' dAdding refund TA:
e (HarryR , hd )=e (RT ' ,h)
ww
Verify claim for refund :vv ?
19
![Page 37: P4R: Privacy-Preserving Pre-Payments with …fc13.ifca.ai/slide/6-2.pdfCycle count Execution time @16 MHz Brands' withdrawing one coin 69 120 181 4.32 s Brands' spending one coin 35](https://reader033.fdocuments.net/reader033/viewer/2022050422/5f91c015dd34f414f351bbe4/html5/thumbnails/37.jpg)
BLS-Signature Based RT System
Harry€ w
Harry
Harry€ w
RT=Harry∈G , R=1, v=0
r∈ℤ p , RT '=RTr ,
Refund token:
Adding refund user:v=v+w , R=R∗r mod p
w
Adding refund TA:
e (HarryR , hd )=e (RT ' ,h)
ww
Verify claim for refund :vv ?
19
∑ wiRT '=RT ' d
![Page 38: P4R: Privacy-Preserving Pre-Payments with …fc13.ifca.ai/slide/6-2.pdfCycle count Execution time @16 MHz Brands' withdrawing one coin 69 120 181 4.32 s Brands' spending one coin 35](https://reader033.fdocuments.net/reader033/viewer/2022050422/5f91c015dd34f414f351bbe4/html5/thumbnails/38.jpg)
Security of P4R
TA Security: TA does not lose any money User cannot forge tickets User cannot receive reimbursement that exceeds the overall
deposit for tickets minus overall fare of trips
User Security: A passive adversary cannot steal tickets or refunds from a user
User Privacy: Adversary cannot differentiate between all possible trip
sequences leading to the same total refund amount
20
![Page 39: P4R: Privacy-Preserving Pre-Payments with …fc13.ifca.ai/slide/6-2.pdfCycle count Execution time @16 MHz Brands' withdrawing one coin 69 120 181 4.32 s Brands' spending one coin 35](https://reader033.fdocuments.net/reader033/viewer/2022050422/5f91c015dd34f414f351bbe4/html5/thumbnails/39.jpg)
User's Side Implementation on Moo
Storage space to make 20 trips is at most 7.62 KB!
21
Cycle count Execution time @16 MHz in s
BuyTAT & GetRT 84,585,590 5.29
ShowTAT & GetRCT 35,264 0.002
ShoeRCT & GetRefund 5,466,485 0.34
RedeemRT* 5,549,538 0.35
* Excludes authenticating to the vending machine.
![Page 40: P4R: Privacy-Preserving Pre-Payments with …fc13.ifca.ai/slide/6-2.pdfCycle count Execution time @16 MHz Brands' withdrawing one coin 69 120 181 4.32 s Brands' spending one coin 35](https://reader033.fdocuments.net/reader033/viewer/2022050422/5f91c015dd34f414f351bbe4/html5/thumbnails/40.jpg)
Thank you for your attention!!!