Anonymous Ticketing for NFC-Enabled Mobile Phones

  • David Derler
  • Klaus Potzmader
  • Johannes Winter
  • Kurt Dietrich
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7222)


Modern smart-phones are equipped with various interfaces such as NFC, allowing a versatile use of the device for many different applications. However, every transaction of the phone especially via its NFC interface can be recorded and stored for further analysis, bearing a threat to the privacy of the device and its user. In this paper, we propose and analyze the efficiency of a mobile ticketing system that is designed for privacy protection. In our investigation, we lay focus on the specific algorithms which are based on selective disclosure protocols and Brands’ one-time show credential system. Our proof-of-concept prototype includes client- and terminal side implementations for detailed analysis. Moreover, we propose algorithm improvements to increase the performance and efficiency of the NFC transactions on the client side in our system.


Mobile Device Smart Card Elliptic Curve Cryptography Secure Element Direct Anonymous Attestation 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    ARM, Ltd. TrustZone Security Foundation by ARM (2011),
  2. 2.
    Bichsel, P.: Theft and misuse protection for anonymous credentials. Master’s thesis, ETH Zurich (June 2007)Google Scholar
  3. 3.
    Bichsel, P., Camenisch, J., Groß, T., Shoup, V.: Anonymous credentials on a standard java card. In: Proceedings of the 16th ACM Conference on Computer and Communications Security, CCS 2009, pp. 600–610. ACM, New York (2009)CrossRefGoogle Scholar
  4. 4.
    Brands, S.A.: Rethinking Public Key Infrastructures and Digital Certificates: Building in Privacy. MIT Press, Cambridge (2000)Google Scholar
  5. 5.
    Brickell, E., Camenisch, J., Chen, L.: Direct Anonymous Attestation. In: Proceedings of the 11th ACM Conference on Computer and Communications Security, CCS 2004, pp. 132–145. ACM, New York (2004)CrossRefGoogle Scholar
  6. 6.
    Camenisch, J., Hohenberger, S., Kohlweiss, M., Lysyanskaya, A., Meyerovich, M.: How to win the clonewars: efficient periodic n-times anonymous authentication. In: Proceedings of the 13th ACM Conference on Computer and Communications Security, CCS 2006, pp. 201–210. ACM, New York (2006)CrossRefGoogle Scholar
  7. 7.
    Camenisch, J., Lysyanskaya, A.: An Efficient System for Non-transferable Anonymous Credentials with Optional Anonymity Revocation. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 93–118. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  8. 8.
    Chaum, D.: Security without identification: transaction systems to make big brother obsolete. Commun. ACM 28, 1030–1044 (1985)CrossRefGoogle Scholar
  9. 9.
    Dietrich, K.: Anonymous RFID Authentication Using Trusted Computing Technologies. In: Ors Yalcin, S.B. (ed.) RFIDSec 2010. LNCS, vol. 6370, pp. 91–102. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  10. 10.
    Federal Information Processing Standards. FIPS: 186-3 Digital Signature Standard, DSS (2009)Google Scholar
  11. 11.
    Glenn, A., Goldberg, I., Légaré, F., Stiglic, A.: A description of protocols for private credentials (2001),
  12. 12.
    Hars, L.: Modular inverse algorithms without multiplications for cryptographic applications. EURASIP J. Embedded Syst., 2 (January 2006)Google Scholar
  13. 13.
    International Organization for Standardization. ISO/IEC 14443 Identification cards - Contactless integrated circuit(s) cards - Proximity cards (2000)Google Scholar
  14. 14.
    International Organization for Standardization. ISO/IEC 18092 - Information technology – Telecommunications and information exchange between systems – Near Field Communication – Interface and Protocol, NFCIP-1 (2004)Google Scholar
  15. 15.
    International Organization for Standardization. ISO/IEC 7816-4 Identification cards - Integrated circuit cards - Cryptographic information application (2005)Google Scholar
  16. 16.
    Java Community Process. Contactless Communication API (JSR 257) (October 17, 2006),
  17. 17.
    Java Community Process. Java Smart Card I/O API (JSR 268) (December 11, 2006),
  18. 18.
    Madlmayr, G., Kleebauer, P., Langer, J., Scharinger, J.: Secure Communication between Web Browsers and NFC Targets by the Example of an e-Ticketing System. In: Psaila, G., Wagner, R. (eds.) EC-Web 2008. LNCS, vol. 5183, pp. 1–10. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  19. 19.
    Paar, C., Pelzl, J.: Understanding Cryptography: A Textbook for Students and Practitioners. Springer (2010)Google Scholar
  20. 20.
    Sterckx, M., Gierlichs, B., Preneel, B., Verbauwhede, I.: Efficient implementation of anonymous credentials on java card smart cards. In: 1st IEEE International Workshop on Information Forensics and Security (WIFS 2009), pp. 106–110. IEEE, London (2009)CrossRefGoogle Scholar
  21. 21.
    Sun Microsystems Inc. J2ME Building Blocks for Mobile Devices (May 19, 2000),
  22. 22.
    Tews, H., Jacobs, B.: Performance Issues of Selective Disclosure and Blinded Issuing Protocols on Java Card. In: Markowitch, O., Bilas, A., Hoepman, J.-H., Mitchell, C.J., Quisquater, J.-J. (eds.) WISTP 2009. LNCS, vol. 5746, pp. 95–111. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  23. 23.
    Wilson, P., Frey, A., Mihm, T., Kershaw, D., Alves, T.: Implementing Embedded Security on Dual-Virtual-CPU Systems. IEEE Design and Test of Computers 24(6), 582–591 (2007)CrossRefGoogle Scholar
  24. 24.
    Winter, J., Wiegele, P., Lipp, M., Niederl, A., et al.: Experimental version of QEMU with basic support for ARM TrustZone (source code repository) (July 28, 2011), Public GIT repository at:

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • David Derler
    • 1
  • Klaus Potzmader
    • 1
  • Johannes Winter
    • 1
  • Kurt Dietrich
    • 1
  1. 1.Institute for Applied Information Processing and CommunicationsGraz University of TechnologyGrazAustria

Personalised recommendations