Pass-As-You-Go: A Direct Anonymous Attestation-Based Untraceable Contactless Transit Pass

The secure deployment of NFC-enabled digital services, such as electronic payment, electronic identification (eID), and mobile transit passes in public transportation, is enabled by the trusted execution environment in smartphones, namely the SIM card. A user's authentication and identification credentials are stored in the SIM card, which provides a secure enclave for credential storage and secure authentication operations. The unique identifier assigned to each user leads to important privacy concerns. Indeed, in the case of mobile transit passes, the accountability of users to use a valid and unique transport pass should not undermine the privacy of commuters on the network, notably by disclosing their identities at each pass validation, or by revealing information on their personal mobility patterns.In this paper, we leverage the use of provably secure and privacy-enhancing cryptographic schemes to build a privacy-preserving mobile transit pass protocol. Notably, we introduce a novel and highly efficient Direct Anonymous Attestation (DAA) scheme as the building block of our construction. Direct Anonymous Attestation is a group signature variant, which enables members of a particular group to anonymously sign on behalf of the group. As opposed to group signatures, the anonymity of DAA signatures cannot be revoked. In addition signatures generated by the same signer can be linked with respect to a linkability parameter. Our construction is an instantiation of a DAA variant, namely pre-DAA, which can be implemented in environments as constrained as SIM cards. We prove the security of our pre-DAA scheme in the random oracle model (ROM), under a variant of the non-interactive q-Strong Diffie-Hellman (q-SDH) assumption. Our pre-DAA scheme, which is of independent interest, is used to design Pass-As-You-Go (PAYGO), an efficient and privacy-preserving mobile transit pass protocol.We prove the efficiency of our protocol by implementing the solution on a Global Platform-compliant Java card 2.2.2 SIM card. The performance results notably show that PAYGO complies with the stringent timing requirements put forth by Transport Operators for pass validation at station terminals.