Privacy and Security Issues in e-Ticketing

Optimisation of Smart Card-based Attribute-proving

Jaap-Henk Hoepman1,2, Bart Jacobs1, and Pim Vullers1*
1 Institute for Computing and Information Sciences,
Radboud University Nijmegen, The Netherlands.
2 TNO Information and Communication Technology, The Netherlands.
This short note concentrates on an optimisation of the attribute-proving protocol by Batina et al. [1], and provides the improved performance figures. The protocol relies on elliptic curve cryptography with bilinear pairings. These pairings provide signatures that are stable under multiplication with a blinding factor. In this way multiple proofs are unlinkable, and thus provides a privacy-friendly solution. The optimisation involves better exploitation of the (limited) elliptic curve primitives that are available on the current generation of Java Card smart cards. It leads to a reduction of the on-card running times (wrt. [1]) of roughly a factor three. Total running times with this new protocol are below one second. A further reduction with a factor two or three is needed to achieve performance that is acceptable in practice.
anonymous credentials, elliptic curve cryptography, smart card, bilinear pairing, attributes, blinding, protocols, Java Card
* Sponsored by Trans Link Systems/Open Ticketing.

1   Introduction

With e-ticketing, smart cards replace the use of paper tickets to prove the right of the bearer to use the public transportation system.

Smart cards that are currently employed for e-ticketing in public transport are typically memory cards with cryptographically protected access for reading and writing. Cards have unique identifiers and most of the “intelligence” of the whole system lies in the back office. Now that the cryptographic protection of the most widely used smart card for e-ticketing, the MIFARE Classic, is broken [2, 3], this back office plays a crucial role in fraud detection. Fraudulent cards can be recognised using a shadow bookkeeping, and their use can be blocked on thebasis of their card-id.

This back office database with extensive logs of the movements of individual cards within the system, often linkable to individuals, is not only used for fraud detection but also for capacity optimisation, division of revenues between different transport companies, law enforcement and direct marketing. With the growing awareness of the privacy issues involved, the interest in more privacy-friendly alternatives increases.

Anonymous credentials are the obvious privacy-friendly technique to use. They allow travellers to use a smart card for e-ticketing in a way that is fairly similar to paper tickets, namely as a way of proving access rights to public transport, without revealing one's identity. The main problem with anonymous credentials in this context is that they involve computationally intensive protocols. They require processor-based, instead of memory-based, smart cards, which are generally more expensive. But even with the latest generation of processor cards, processing speed is a mayor challenge. Typically in the mass transit sector the transaction times should be below 300-400 milliseconds, in order to prevent queues at entry/exit gates. In contrast, similar processor cards that are currently used in e-passports don't have such tight constraints. These e-passport protocols easily take a few seconds to complete.

4   Conclusions

This short note presents another small step on the way to making anonymous credentials usable in the context of public transport with its tight performance challenges. Further optimisations are still needed to meet the requirements. These improvements could result from (a combination of):

The third step is the most obvious one, but means that one has to give up the high-level card-independent feature of Java Card. Another hindrance is that card producers do not easily give direct access to the card hardware, or only under very severe non-disclosure agreements (NDAs) that make it difficult to publish any results.


  1. Batina, L., Hoepman, J.H., Jacobs, B., Mostowski, W., Vullers, P.: Developing efficient blinded attribute certificates on smart cards via pairings. In: Gollmann, D., Lanet, J.L. (eds.) Smart Card Research and Advanced Applications, 9th IFIP WG 8.8/11.2 International Conference, CARDIS 2010, Passau, Germany, April 13-16, 2010. Proceedings. LNCS, vol. 6035, pp. 209-222. Springer (2010)
  2. Garcia, F.D., de Koning Gans, G., Muijrers, R., van Rossum, P., Verdult, R., Wichers Schreur, R., Jacobs, B.: Dismantling MIFARE Classic. In: Jajodia, S., Lopez, J. (eds.) 13th European Symposium on Research in Computer Security (ESORICS 2008). LNCS, vol. 5283, pp. 97-114. Springer (2008)
  3. Garcia, F.D., van Rossum, P., Verdult, R., Wichers Schreur, R.: Wirelessly pickpocketing a Mifare Classic card. In: IEEE Symposium on Security and Privacy (S&P '09). pp. 3-15. IEEE (2009)
  4. Verheul, E.: Self-blindable credential certificates from the Weil pairing. In: Boyd, C. (ed.) Advances in Cryptology - ASIACRYPT 2001. LNCS, vol. 2248, pp. 533-550. Springer (2001)