Contributions to the security and privacy of electronic ticketing systems

Un bitllet electrònic és un contracte en format digital entre dues parts, l'usuari i el proveïdor de serveis, on hi queda reflectit l'acord entre ambdós per tal que l'usuari rebi el servei que desitja per part del proveïdor. Els bitllets són emprats en diferents tipus de serveis, com esdeveniments lúdics o esportius, i especialment en l'àmbit del transport. En aquest cas permet reduir costos donat l'alt volum d'usuaris, a més de facilitar la identificació del flux de viatges. Aquesta informació permet preveure i planificar els sistemes de transport de forma més dinàmica. La seguretat dels bitllets electrònics és clau perquè es despleguin a l'entorn real, com també ho és la privadesa dels seus usuaris. La privadesa inclou tant l'anonimitat dels usuaris, és a dir, una acció no s'ha de poder atribuir fàcilment a un determinat usuari, com també la no enllaçabilitat dels diferents moviments d'un determinat usuari. En aquesta tesi proposem protocols de bitllets electrònics que mantinguin les propietats dels bitllets en paper juntament amb els avantatges dels bitllets digitals. Primerament fem un estat de l'art amb les propostes relacionades, analitzant-ne els requisits de seguretat que compleixen. Presentem un protocol de bitllets electrònics que incorpora els nous requisits de seguretat d'exculpabilitat i reutilització, diferents dels que haviem analitzat, tot complint també la privadesa pels usuaris. Posteriorment, presentem una proposta de bitllets electrònics adaptada als sistemes de pagament depenent de l'ús, bàsicament enfocat al transport, que incorpora tant l'anonimat pels usuaris, com també la enllaçabilitat a curt termini, és a dir, complint la no enllaçabilitat dels diferents moviments del mateix usuari, però permetent la enllaçabilitat de les accions relacionades amb el mateix trajecte (p.ex. entrada i sortida). Finalment, mitjançant una evolució de la mateixa tècnica criptogràfica utilitzada en el sistema de pagament per ús, millorant-ne el temps de verificació per a múltiples bitllets alhora (verificació en ``batch''), presentem una proposta que pot ser útil per a varis sistemes de verificació massiva de missatges, posant com a cas d'ús l'aplicació a sistemes de xarxes vehiculars.An electronic ticket is a digital contract between two parties, that is, the user and the service provider. An agreement between them is established in order that the user can receive the desired service. These tickets are used in different types of services, such as sports or entertainment events, especially in the field of transport. In the case of transport, costs can be reduced due to the high volume of users, and the identification of the travel flow is facilitated. This information allows the forecast and planification of transport systems more dynamically. The security of electronic tickets is very important to be deployed in the real scenarios, as well as the privacy for their users. Privacy includes both the anonymity of users, which implies that an action cannot be easily attributed to a particular user, and also the unlinkability of the different movements of that user. This thesis presents protocols which keep the same security requirements of paper tickets while offering the advantages of digital tickets. Firstly, we perform a state of the art with the related proposals, by analysing the security requirements considered. We then present an electronic ticketing system that includes the security requirements of exculpability and reusability, thus guaranteeing the privacy for users. We later present a proposal of electronic ticketing systems adapted to use-dependant payment systems, especially focused on transport, which includes both the anonymity of users and the short-term linkability of their movements. The related actions of a journey of a determined user can be linkable between them (i.e. entrance and exit of the system) but not with other movements that the user performs. Finally, as an extension of the previous use-dependant payment system solution, we introduce the case of mass-verification systems, where many messages have to be verified in short time, and we present a proposal as a vehicular network use case that guarantees privacy for users with short-term linkability and can verify these messages efficiently

Studies in authentication

This thesis presents advances in several areas of authentication. First, we consider cryptographic accumulators, which are compact digital objects representing arbitrarily large sets. They support efficient proofs of membership (or, alternatively, of non-membership). We give the first definition of cryptographic accumulators in the UC framework, and construct two new accumulators: one uniquely suited for use in a revokable anonymous credential scheme, and one uniquely suited for use in a distributed system such as a blockchain-based PKI. Next, we consider multi-designated verifier signatures (MDVS). An MDVS is a special kind of signature that can only be verified by parties explicitly specified by the signer; more than that, even if those designated verifiers wanted to prove to an external party (e.g. an adversary) that a certain message was signed by the signer, they should be unable to do so. This is crucial in contexts where off-the-record communication is desirable; the sender may not want to be provably linked to a possibly sensitive message, but still want the intended recipients to be able to verify the authenticity of the message. Existing literature defines and builds limited notions of MDVS, where the off-the-record property only holds when it is conceivable that all verifiers collude. We strengthen this property to support any subset of colluding verifiers, and give two constructions of our stronger notion of MDVS: one from functional encryption, and one from standard primitives (but with a slightly larger signature size). Finally, we consider fuzzy password authenticated key exchange (Fuzzy PAKE). PAKEs are protocols which enable two parties holding the same password (that is, the same potentially low-entropy, non-uniform string) to agree on a (high-entropy, uniform) secret key in a way that resists man-in-the-middle attacks and offline dictionary attacks on the password. We define Fuzzy PAKE, a special kind of PAKE where the passwords used for authentication may contain some errors. We provide the first efficient and general solutions to this problem that enable, for example, key agreement based on commonly used biometrics such as iris scans