{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,9,26]],"date-time":"2025-09-26T00:07:06Z","timestamp":1758845226712,"version":"3.41.0"},"reference-count":44,"publisher":"Association for Computing Machinery (ACM)","issue":"3","license":[{"start":{"date-parts":[[2015,3,27]],"date-time":"2015-03-27T00:00:00Z","timestamp":1427414400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Inf. Syst. Secur."],"published-print":{"date-parts":[[2015,3,27]]},"abstract":"<jats:p>\n            We propose a new lightweight cryptographic payment scheme for transit systems, called P4R (Privacy-Preserving Pre-Payments with Refunds), which is suitable for low-cost user devices with limited capabilities. Using P4R, users deposit money to obtain one-show credentials, where each credential allows the user to make an\n            <jats:italic>arbitrary<\/jats:italic>\n            ride on the system. The trip fare is determined on-the-fly at the end of the trip. If the deposit for the credential exceeds this fare, the user obtains a refund. Refund values collected over several trips are aggregated in a single token, thereby saving memory and increasing privacy. Our solution builds on Brands\u2019s e-cash scheme to realize the prepayment system and on Boneh-Lynn-Shacham (BLS) signatures to implement the refund capabilities. Compared to a Brands-only solution for transportation payment systems, P4R allows us to minimize the number of coins a user needs to pay for his rides and thus minimizes the number of expensive withdrawal transactions, as well as storage requirements for the fairly large coins. Moreover, P4R enables flexible pricing because it allows for exact payments of arbitrary amounts (within a certain range) using a\n            <jats:italic>single<\/jats:italic>\n            fast paying (and refund) transaction. Fortunately, the mechanisms enabling these features require very little computational overhead. Choosing contemporary security parameters, we implemented P4R on a prototyping payment device and show its suitability for future transit payment systems. Estimation results demonstrate that the data required for 20 rides consume less than 10KB of memory, and the payment and refund transactions during a ride take less than half a second. We show that malicious users are not able to cheat the system by receiving a refund that exceeds the overall deposit minus the overall fare and can be identified during double-spending checks. At the same time, the system protects the privacy of honest users in that transactions are anonymous (except for deposits) and trips are unlinkable.\n          <\/jats:p>","DOI":"10.1145\/2699904","type":"journal-article","created":{"date-parts":[[2015,4,1]],"date-time":"2015-04-01T14:59:12Z","timestamp":1427900352000},"page":"1-31","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":13,"title":["Cryptographic Theory Meets Practice"],"prefix":"10.1145","volume":"17","author":[{"given":"Andy","family":"Rupp","sequence":"first","affiliation":[{"name":"Karlsruhe Institute of Technology, Am Fasanengarten, Karlsruhe, Germany"}]},{"given":"Foteini","family":"Baldimtsi","sequence":"additional","affiliation":[{"name":"Boston University, Cummington Mall, Boston, MA, USA"}]},{"given":"Gesine","family":"Hinterw\u00e4lder","sequence":"additional","affiliation":[{"name":"Horst G\u00f6rtz Institute for IT-Security, Ruhr-University Bochum, Universit\u00e4tsstr, Bochum, Germany"}]},{"given":"Christof","family":"Paar","sequence":"additional","affiliation":[{"name":"Horst G\u00f6rtz Institute for IT-Security, Ruhr-University Bochum, Universit\u00e4tsstr, Bochum, Germany"}]}],"member":"320","published-online":{"date-parts":[[2015,3,27]]},"reference":[{"key":"e_1_2_2_1_1","unstructured":"Massachusetts Bay Transportation Authority. 2013. MBTA ScoreCard. Retrieved from http:\/\/www.mbta.com\/about_the_mbta\/scorecard\/.  Massachusetts Bay Transportation Authority. 2013. MBTA ScoreCard. Retrieved from http:\/\/www.mbta.com\/about_the_mbta\/scorecard\/."},{"key":"e_1_2_2_2_1","volume-title":"USENIX Security Symposium. USENIX Association, 63--78","author":"Balasch Josep","year":"2010","unstructured":"Josep Balasch , Alfredo Rial , Carmela Troncoso , Bart Preneel , Ingrid Verbauwhede , and Christophe Geuens . 2010 . PrETP: Privacy-preserving electronic toll pricing . In USENIX Security Symposium. USENIX Association, 63--78 . Josep Balasch, Alfredo Rial, Carmela Troncoso, Bart Preneel, Ingrid Verbauwhede, and Christophe Geuens. 2010. PrETP: Privacy-preserving electronic toll pricing. In USENIX Security Symposium. USENIX Association, 63--78."},{"key":"e_1_2_2_3_1","doi-asserted-by":"publisher","DOI":"10.1145\/2508859.2516687"},{"volume-title":"ASIACRYPT (2)","author":"Baldimtsi Foteini","key":"e_1_2_2_4_1","unstructured":"Foteini Baldimtsi and Anna Lysyanskaya . 2013b. On the security of one-witness blind signature schemes . In ASIACRYPT (2) , Kazue Sako and Palash Sarkar (Eds.), Vol. 8270 . Springer , 82--99. Foteini Baldimtsi and Anna Lysyanskaya. 2013b. On the security of one-witness blind signature schemes. In ASIACRYPT (2), Kazue Sako and Palash Sarkar (Eds.), Vol. 8270. Springer, 82--99."},{"key":"e_1_2_2_5_1","doi-asserted-by":"publisher","DOI":"10.1109\/49.839936"},{"key":"e_1_2_2_6_1","doi-asserted-by":"publisher","DOI":"10.1145\/1655188.1655196"},{"volume-title":"Threshold signatures, multisignatures and blind signatures based on the gap-diffie-hellman-group signature scheme","author":"Boldyreva Alexandra","key":"e_1_2_2_7_1","unstructured":"Alexandra Boldyreva . 2003. Threshold signatures, multisignatures and blind signatures based on the gap-diffie-hellman-group signature scheme . In Public Key Cryptography, Yvo Desmedt (Ed.), Vol. 2567 . Springer , 31--46. Alexandra Boldyreva. 2003. Threshold signatures, multisignatures and blind signatures based on the gap-diffie-hellman-group signature scheme. In Public Key Cryptography, Yvo Desmedt (Ed.), Vol. 2567. Springer, 31--46."},{"key":"e_1_2_2_8_1","doi-asserted-by":"publisher","DOI":"10.1007\/s00145-004-0314-9"},{"volume-title":"Untraceable off-line cash in wallets with observers (extended abstract)","author":"Brands Stefan","key":"e_1_2_2_10_1","unstructured":"Stefan Brands . 1993b. Untraceable off-line cash in wallets with observers (extended abstract) . In CRYPTO, Douglas R. Stinson (Ed.), Vol. 773 . Springer , 302--318. Stefan Brands. 1993b. Untraceable off-line cash in wallets with observers (extended abstract). In CRYPTO, Douglas R. Stinson (Ed.), Vol. 773. Springer, 302--318."},{"key":"e_1_2_2_11_1","doi-asserted-by":"publisher","DOI":"10.1007\/11426639_18"},{"key":"e_1_2_2_12_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2007.15"},{"volume-title":"An efficient electronic payment system protecting privacy","author":"Camenisch Jan","key":"e_1_2_2_13_1","unstructured":"Jan Camenisch , Jean-Marc Piveteau , and Markus Stadler . 1994. An efficient electronic payment system protecting privacy . In ESORICS, Dieter Gollmann (Ed.), Vol. 875 . Springer , 207--215. Jan Camenisch, Jean-Marc Piveteau, and Markus Stadler. 1994. An efficient electronic payment system protecting privacy. In ESORICS, Dieter Gollmann (Ed.), Vol. 875. Springer, 207--215."},{"key":"e_1_2_2_14_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-72540-4_28"},{"volume-title":"Mis-representation of identities in E-cash schemes and how to prevent it","author":"Chan Agnes Hui","key":"e_1_2_2_15_1","unstructured":"Agnes Hui Chan , Yair Frankel , Philip D. MacKenzie , and Yiannis Tsiounis . 1996. Mis-representation of identities in E-cash schemes and how to prevent it . In ASIACRYPT, Kwangjo Kim and Tsutomu Matsumoto (Eds.), Vol. 1163 . Springer , 276--285. Agnes Hui Chan, Yair Frankel, Philip D. MacKenzie, and Yiannis Tsiounis. 1996. Mis-representation of identities in E-cash schemes and how to prevent it. In ASIACRYPT, Kwangjo Kim and Tsutomu Matsumoto (Eds.), Vol. 1163. Springer, 276--285."},{"volume-title":"Blind signatures for untraceable payments","author":"Chaum David","key":"e_1_2_2_16_1","unstructured":"David Chaum . 1982. Blind signatures for untraceable payments . In CRYPTO, David Chaum, Ronald L. Rivest, and Alan T. Sherman (Eds.). Plenum Press , New York , 199--203. David Chaum. 1982. Blind signatures for untraceable payments. In CRYPTO, David Chaum, Ronald L. Rivest, and Alan T. Sherman (Eds.). Plenum Press, New York, 199--203."},{"key":"e_1_2_2_17_1","unstructured":"Bram Cohen. 2001. AES-hash. Retrieved from http:\/\/csrc.nist.gov\/groups\/ST\/toolkit\/BCM\/documents\/proposedmodes\/aes-hash\/aeshash.pdf.  Bram Cohen. 2001. AES-hash. Retrieved from http:\/\/csrc.nist.gov\/groups\/ST\/toolkit\/BCM\/documents\/proposedmodes\/aes-hash\/aeshash.pdf."},{"key":"e_1_2_2_18_1","doi-asserted-by":"publisher","DOI":"10.1145\/2046556.2046565"},{"key":"e_1_2_2_19_1","doi-asserted-by":"crossref","DOI":"10.6028\/NIST.SP.800-38b-2005","volume-title":"Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication. (May","author":"Dworkin Morris","year":"2005","unstructured":"Morris Dworkin . 2005. Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication. (May 2005 ). http:\/\/csrc.nist.gov\/publications\/nistpubs\/800-38B\/SP_800-38B.pdf. Morris Dworkin. 2005. Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication. (May 2005). http:\/\/csrc.nist.gov\/publications\/nistpubs\/800-38B\/SP_800-38B.pdf."},{"key":"e_1_2_2_20_1","unstructured":"E-ZPass. 2013. E-ZPass. Retrieved from http:\/\/www.e-zpassiag.com\/.  E-ZPass. 2013. E-ZPass. Retrieved from http:\/\/www.e-zpassiag.com\/."},{"volume-title":"A privacy-friendly loyalty system based on discrete logarithms over elliptic curves","author":"Enzmann Matthias","key":"e_1_2_2_21_1","unstructured":"Matthias Enzmann , Marc Fischlin , and Markus Schneider . 2004. A privacy-friendly loyalty system based on discrete logarithms over elliptic curves . In Financial Cryptography, Ari Juels (Ed.), Vol. 3110 . Springer , 24--38. Matthias Enzmann, Marc Fischlin, and Markus Schneider. 2004. A privacy-friendly loyalty system based on discrete logarithms over elliptic curves. In Financial Cryptography, Ari Juels (Ed.), Vol. 3110. Springer, 24--38."},{"key":"e_1_2_2_22_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-32928-9_7"},{"volume-title":"The Foundations of Cryptography -","author":"Goldreich Oded","key":"e_1_2_2_23_1","unstructured":"Oded Goldreich . 2001. The Foundations of Cryptography - Volume 1 , Basic Techniques. Cambridge University Press . Oded Goldreich. 2001. The Foundations of Cryptography - Volume 1, Basic Techniques. Cambridge University Press."},{"volume-title":"Comparing elliptic curve cryptography and RSA on 8-bit CPUs","author":"Gura Nils","key":"e_1_2_2_24_1","unstructured":"Nils Gura , Arun Patel , Arvinderpal Wander , Hans Eberle , and Sheueling Chang Shantz . 2004. Comparing elliptic curve cryptography and RSA on 8-bit CPUs . In CHES, Marc Joye and Jean-Jacques Quisquater (Eds.), Vol. 3156 . Springer , 119--132. Nils Gura, Arun Patel, Arvinderpal Wander, Hans Eberle, and Sheueling Chang Shantz. 2004. Comparing elliptic curve cryptography and RSA on 8-bit CPUs. In CHES, Marc Joye and Jean-Jacques Quisquater (Eds.), Vol. 3156. Springer, 119--132."},{"key":"e_1_2_2_25_1","unstructured":"Christina Hager. 2007. Divorce Lawyers Using Fast Lane to Track Cheaters. Retrieved from http:\/\/msl1.mit.edu\/furdlog\/docs\/2007-08-10_wbz_fastlane_tracking.pdf.  Christina Hager. 2007. Divorce Lawyers Using Fast Lane to Track Cheaters. Retrieved from http:\/\/msl1.mit.edu\/furdlog\/docs\/2007-08-10_wbz_fastlane_tracking.pdf."},{"key":"e_1_2_2_26_1","doi-asserted-by":"publisher","DOI":"10.1007\/11957454_1"},{"key":"e_1_2_2_27_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-36140-1_8"},{"key":"e_1_2_2_28_1","volume-title":"Burleson","author":"Hinterw\u00e4lder Gesine","year":"2013","unstructured":"Gesine Hinterw\u00e4lder , Christian T. Zenger , Foteini Baldimtsi , Anna Lysyanskaya , Christof Paar , and Wayne P . Burleson . 2013 . Efficient E-cash in practice: NFC-based payments for public transportation systems. In Privacy Enhancing Technologies, Emiliano De Cristofaro and Matthew Wright (Eds.), Vol. 7981 . Springer , 40--59. Gesine Hinterw\u00e4lder, Christian T. Zenger, Foteini Baldimtsi, Anna Lysyanskaya, Christof Paar, and Wayne P. Burleson. 2013. Efficient E-cash in practice: NFC-based payments for public transportation systems. In Privacy Enhancing Technologies, Emiliano De Cristofaro and Matthew Wright (Eds.), Vol. 7981. Springer, 40--59."},{"key":"e_1_2_2_29_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-17373-8_31"},{"key":"e_1_2_2_30_1","doi-asserted-by":"publisher","DOI":"10.1145\/2517840.2517848"},{"key":"e_1_2_2_31_1","unstructured":"Massachusetts Bay Transportation Authority. 2013. MBTA Charlie Card. Retrieved from http:\/\/www.mbta.com\/fares_and_passes\/charlie\/.  Massachusetts Bay Transportation Authority. 2013. MBTA Charlie Card. Retrieved from http:\/\/www.mbta.com\/fares_and_passes\/charlie\/."},{"key":"e_1_2_2_32_1","volume-title":"USENIX Security Symposium. USENIX Association.","author":"Meiklejohn Sarah","year":"2011","unstructured":"Sarah Meiklejohn , Keaton Mowery , Stephen Checkoway , and Hovav Shacham . 2011 . The phantom tollbooth: Privacy-preserving electronic toll collection in the presence of driver collusion . In USENIX Security Symposium. USENIX Association. Sarah Meiklejohn, Keaton Mowery, Stephen Checkoway, and Hovav Shacham. 2011. The phantom tollbooth: Privacy-preserving electronic toll collection in the presence of driver collusion. In USENIX Security Symposium. USENIX Association."},{"key":"e_1_2_2_33_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-73074-3_15"},{"key":"e_1_2_2_34_1","doi-asserted-by":"publisher","DOI":"10.1090\/S0025-5718-1987-0866113-7"},{"key":"e_1_2_2_35_1","volume-title":"17th USENIX Security Symposium. USENIX Association, 185--194","author":"Nohl Karsten","year":"2008","unstructured":"Karsten Nohl , David Evans , Starbug, and Henryk Plotz . 2008 . Reverse-engineering a cryptographic RFID tag . In 17th USENIX Security Symposium. USENIX Association, 185--194 . Karsten Nohl, David Evans, Starbug, and Henryk Plotz. 2008. Reverse-engineering a cryptographic RFID tag. In 17th USENIX Security Symposium. USENIX Association, 185--194."},{"key":"e_1_2_2_37_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICITA.2005.149"},{"key":"e_1_2_2_38_1","volume-title":"Blumberg","author":"Popa Raluca A.","year":"2009","unstructured":"Raluca A. Popa , Hari Balakrishnan , and Andrew J . Blumberg . 2009 . VPriv: Protecting privacy in location-based vehicular services. In USENIX Security Symposium. USENIX Association , 335--350. Raluca A. Popa, Hari Balakrishnan, and Andrew J. Blumberg. 2009. VPriv: Protecting privacy in location-based vehicular services. In USENIX Security Symposium. USENIX Association, 335--350."},{"key":"e_1_2_2_39_1","unstructured":"Certicom Research. 2000. Standards for Efficient Cryptography -- SEC 2: Recommended Elliptic Curve Domain Parameters. Retrieved from http:\/\/www.secg.org\/collateral\/sec2_final.pdf.  Certicom Research. 2000. Standards for Efficient Cryptography -- SEC 2: Recommended Elliptic Curve Domain Parameters. Retrieved from http:\/\/www.secg.org\/collateral\/sec2_final.pdf."},{"volume-title":"P4R: Privacy-preserving pre-payments with refunds for transportation systems","author":"Rupp Andy","key":"e_1_2_2_41_1","unstructured":"Andy Rupp , Gesine Hinterw\u00e4lder , Foteini Baldimtsi , and Christof Paar . 2013. P4R: Privacy-preserving pre-payments with refunds for transportation systems . In Financial Cryptography, Ahmad-Reza Sadeghi (Ed.), Vol. 7859 . Springer , 205--212. Andy Rupp, Gesine Hinterw\u00e4lder, Foteini Baldimtsi, and Christof Paar. 2013. P4R: Privacy-preserving pre-payments with refunds for transportation systems. In Financial Cryptography, Ahmad-Reza Sadeghi (Ed.), Vol. 7859. Springer, 205--212."},{"key":"e_1_2_2_42_1","volume-title":"PiLBA (CEUR Workshop Proceedings), Claudio Bettini, Sushil Jajodia, Pierangela Samarati, and Xiaoyang Sean Wang (Eds.)","volume":"397","author":"Sadeghi Ahmad-Reza","year":"2008","unstructured":"Ahmad-Reza Sadeghi , Ivan Visconti , and Christian Wachsmann . 2008 . User privacy in transport systems based on RFID E-tickets . In PiLBA (CEUR Workshop Proceedings), Claudio Bettini, Sushil Jajodia, Pierangela Samarati, and Xiaoyang Sean Wang (Eds.) , Vol. 397 . CEUR-WS.org. Ahmad-Reza Sadeghi, Ivan Visconti, and Christian Wachsmann. 2008. User privacy in transport systems based on RFID E-tickets. In PiLBA (CEUR Workshop Proceedings), Claudio Bettini, Sushil Jajodia, Pierangela Samarati, and Xiaoyang Sean Wang (Eds.), Vol. 397. CEUR-WS.org."},{"volume-title":"Efficient identification and signatures for smart cards","author":"Schnorr Claus-Peter","key":"e_1_2_2_43_1","unstructured":"Claus-Peter Schnorr . 1989. Efficient identification and signatures for smart cards . In CRYPTO, Gilles Brassard (Ed.), Vol. 435 . Springer , 239--252. Claus-Peter Schnorr. 1989. Efficient identification and signatures for smart cards. In CRYPTO, Gilles Brassard (Ed.), Vol. 435. Springer, 239--252."},{"key":"e_1_2_2_44_1","unstructured":"Issai J. Schur. 1926. Zur additiven Zahlentheorie. Sitzungsberichte Preussische Akad. Wiss. (1926) 488--495.  Issai J. Schur. 1926. Zur additiven Zahlentheorie. Sitzungsberichte Preussische Akad. Wiss. (1926) 488--495."},{"volume-title":"Lower bounds for discrete logarithms and related problems","author":"Shoup Victor","key":"e_1_2_2_45_1","unstructured":"Victor Shoup . 1997. Lower bounds for discrete logarithms and related problems . In EUROCRYPT, Walter Fumy (Ed.), Vol. 1233 . Springer , 256--266. Victor Shoup. 1997. Lower bounds for discrete logarithms and related problems. In EUROCRYPT, Walter Fumy (Ed.), Vol. 1233. Springer, 256--266."},{"key":"e_1_2_2_46_1","unstructured":"Trans Link Systems. 2014. OV-Chipkaart. Retrieved from https:\/\/www.ov-chipkaart.nl\/.  Trans Link Systems. 2014. OV-Chipkaart. Retrieved from https:\/\/www.ov-chipkaart.nl\/."},{"key":"e_1_2_2_47_1","volume-title":"Moo: A Batteryless Computational RFID and Sensing Platform.","author":"Zhang Hong","year":"2011","unstructured":"Hong Zhang , Jeremy Gummeson , Benjamin Ransford , and Kevin Fu . 2011 . Moo: A Batteryless Computational RFID and Sensing Platform. Retrieved from https:\/\/web.cs.umass.edu\/publication\/docs\/2011\/UM-CS-2011-020.pdf. Hong Zhang, Jeremy Gummeson, Benjamin Ransford, and Kevin Fu. 2011. Moo: A Batteryless Computational RFID and Sensing Platform. Retrieved from https:\/\/web.cs.umass.edu\/publication\/docs\/2011\/UM-CS-2011-020.pdf."}],"container-title":["ACM Transactions on Information and System Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2699904","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/2699904","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T06:16:59Z","timestamp":1750227419000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2699904"}},"subtitle":["Efficient and Privacy-Preserving Payments for Public Transport"],"short-title":[],"issued":{"date-parts":[[2015,3,27]]},"references-count":44,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2015,3,27]]}},"alternative-id":["10.1145\/2699904"],"URL":"https:\/\/doi.org\/10.1145\/2699904","relation":{},"ISSN":["1094-9224","1557-7406"],"issn-type":[{"type":"print","value":"1094-9224"},{"type":"electronic","value":"1557-7406"}],"subject":[],"published":{"date-parts":[[2015,3,27]]},"assertion":[{"value":"2014-01-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2014-10-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2015-03-27","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}