## The Phantom Tollbooth: Privacy-Preserving Electronic Toll Collection in the Presence of Driver Collusion

Citations: 14 - 0 self

### Citations

1713 | Identity-based encryption from the Weil pairing
- Franklin
- 2001
Citation Context ...yption Finally, to maintain driver honesty even in the case of possible collusions between drivers (as discussed in Section 2), we use an additional cryptographic primitive: identity-based encryption [10, 42]. Intuitively, identity-based encryption (IBE for short) extends the notion of standard public-key encryption by allowing a user’s public key to be, rather than just a random collection of bits, some m...

1616 | Random oracles are practical: a paradigm for designing efficient protocols
- Bellare, Rogaway
- 1993
Citation Context ...ecret value x satisfies the inequality lo ≤ x < hi, where lo and hi are both public. For this we can use Boudot range proofs and their extensions [11, 34], which are secure in the random oracle model [6] and assuming the Strong RSA assumption. 3.3 Blind identity-based encryption Finally, to maintain driver honesty even in the case of possible collusions between drivers (as discussed in Section 2), we...

1237 | The knowledge complexity of interactive proof systems.
- Goldwasser, Micali, et al.
- 1989
Citation Context ...suit our purposes, we work with Fujisaki-Okamoto commitments [18, 22], which rely on the Strong RSA assumption for their security. 3.2 Zero-knowledge proofs Our second primitive, zero-knowledge proofs [24, 25], provides a way for someone to prove to someone else that a certain statement is true without revealing anything beyond the validity of the statement. For example, a user of a protected system might ...

1203 | Tor: The Second-generation Onion Router
- Dingledine, Mathewson, et al.
- 2004
Citation Context ...ly, simply uploading this history in the clear would provide no privacy. The VPriv system sidesteps this by having the driver upload the segments anonymously (using an anonymizing service such as Tor [20]), accompanied by a “tag” that will allow her to claim them as her own. We instead follow PrETP in having the driver upload a commitment of sorts to each of her segments. In addition, the driver commi...

955 | A digital signature scheme secure against adaptive chosen-message attacks.
- Goldwasser, Micali, et al.
- 1988
Citation Context ...he PrETP construction [4], we employ the same modern cryptographic primitives as they do: commitment schemes and zero-knowledge proofs, in addition to the more familiar primitive of digital signatures [26]. In addition, to keep the spot-check camera locations hidden from drivers, we make use of another primitive, blind identity-based encryption, in a manner that is inspired by the oblivious transfer pro...

422 | Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems.
- Goldreich, Micali, et al.
- 1991
Citation Context ...suit our purposes, we work with Fujisaki-Okamoto commitments [18, 22], which rely on the Strong RSA assumption for their security. 3.2 Zero-knowledge proofs Our second primitive, zero-knowledge proofs [24, 25], provides a way for someone to prove to someone else that a certain statement is true without revealing anything beyond the validity of the statement. For example, a user of a protected system might ...

190 | Threshold signatures, multisignatures and blind signatures based on the gap-diffie-hellman-group signature scheme
- Boldyreva
- 2003
Citation Context ...starting point is the Boneh-Franklin IBE [10], which is already anonymous [2, Section 4.5]. We then introduce a blind key-extraction protocol for Boneh-Franklin, based on the Boldyreva blind signature [9]. Finally, we “twin” the entire scheme to essentially run two copies in parallel; this is just to facilitate a “Twin Diffie-Hellman” style security proof [15]. We give a full description of our scheme...

164 | Efficient proofs that a committed number lies in an interval, in EUROCRYPT’00
- Boudot
- 2000
Citation Context ...ent, often called a range proof, which proves that a secret value x satisfies the inequality lo ≤ x < hi, where lo and hi are both public. For this we can use Boudot range proofs and their extensions [11, 34], which are secure in the random oracle model [6] and assuming the Strong RSA assumption. 3.3 Blind identity-based encryption Finally, to maintain driver honesty even in the case of possible collusion...

153 | Statistical zero knowledge protocols to prove modular polynomial relations.
- Fujisaki, Okamoto
- 1997
Citation Context ... and c2 is a commitment to m2, then c1 ⊞ c2 will be a commitment to m1 + m2. This property can be achieved by a variety of schemes; to best suit our purposes, we work with Fujisaki-Okamoto commitments [18, 22], which rely on the Strong RSA assumption for their security. 3.2 Zero-knowledge proofs Our second primitive, zero-knowledge proofs [24, 25], provides a way for someone to prove to someone else that a...

140 | Searchable encryption revisited: consistency properties, relation to anonymous IBE, and extensions
- Abdalla, Bellare, et al.
- 2005
Citation Context ...tion 4, this property (introduced by Green and Hohenberger [28]) is crucial for guaranteeing that drivers do not learn where the TC has its cameras. Furthermore, we would like our IBE to be anonymous [2], meaning that given a ciphertext C, a user cannot tell which identity the ciphertext is meant for (so, in particular, they cannot check to see if a guess is correct). Again, as we show in Section 4, ...

119 | Anonymous Hierarchical Identity-Based Encryption (Without Random Oracles). In: Dwork
- Boyen, Waters
- 2006
Citation Context ...nd anonymous IBEs in the cryptographic literature: the first due to Camenisch, Kohlweiss, Rial, and Sheedy [13] and the second to Green [27]; both are blind variants on the Boyen-Waters anonymous IBE [12]. While either of these schemes would certainly work for our purposes, we chose to come up with our own scheme in order to maximize efficiency. Our starting point is the Boneh-Franklin IBE [10], which ...

93 | An integer commitment scheme based on groups with hidden order.
- Damgard, Fujisaki
- 2001
Citation Context ... and c2 is a commitment to m2, then c1 ⊞ c2 will be a commitment to m1 + m2. This property can be achieved by a variety of schemes; to best suit our purposes, we work with Fujisaki-Okamoto commitments [18, 22], which rely on the Strong RSA assumption for their security. 3.2 Zero-knowledge proofs Our second primitive, zero-knowledge proofs [24, 25], provides a way for someone to prove to someone else that a...

45 | The twin Diffie-Hellman problem and applications
- Cash, Kiltz, et al.
- 2008
Citation Context ...in, based on the Boldyreva blind signature [9]. Finally, we “twin” the entire scheme to essentially run two copies in parallel; this is just to facilitate a “Twin Diffie-Hellman” style security proof [15]. We give a full description of our scheme in the full version of our paper [36], as well as a proof of its security in a variant of the Green-Hohenberger security model. Our IBE is conveniently effic...

39 | On non-cooperative location privacy: A game-theoretic analysis
- Freudiger, Manshaei, et al.
- 2009
Citation Context ...vehicular applications that require privacy guarantees; see, generally, Hubaux, Cǎpkun, and Luo [31]. One important application is vehicle-to-vehicle ad hoc safety networks [14]; see Freudiger et al. [21] for one approach to location privacy in such networks. Another important application is aggregate traffic data collection. Hoh et al. [30] propose “virtual trip lines” that instruct cars to transmit ...

21 | Blind identity-based encryption and simulatable oblivious transfer
- Green, Hohenberger
- 2007
Citation Context ...number of spot checks of a driver’s road-segment commitments without revealing the locations being checked. To achieve this, we adapt a recent oblivious transfer protocol due to Green and Hohenberger [28] that is based on blind identity-based encryption. We have implemented and benchmarked our modifications to the audit protocol, showing (in Section 5) that they require a small amount of additional wo...

19 | Blind and Anonymous Identity-Based Encryption and Authorised Private Searches on Public Key Encrypted Data.
- Camenisch, Kohlweiss, et al.
- 2009
Citation Context ... learn information about her whereabouts. To the best of our knowledge, there are two blind and anonymous IBEs in the cryptographic literature: the first due to Camenisch, Kohlweiss, Rial, and Sheedy [13] and the second to Green [27]; both are blind variants on the Boyen-Waters anonymous IBE [12]. While either of these schemes would certainly work for our purposes, we chose to come up with our own sch...

15 | B.: Privacy-Friendly electronic traffic pricing via commits
- Jonge, Jacobs
- 2008
Citation Context ...iver, which is responsible for collecting location information, computing the prices associated with the roads, and forming the final payment information that is sent to the TSP 1 De Jonge and Jacobs [19] appear to have been the first to note that unobservable cameras are crucial for random spot checks. 2 As also noted by Balasch et al. [4], the pricing structure itself may of course reveal driver loc...

11 | Vehicle Safety Communications Consortium. Vehicle safety communications project task 3 final report
- CAMP
- 2005
Citation Context ...s tolling, there are other vehicular applications that require privacy guarantees; see, generally, Hubaux, Cǎpkun, and Luo [31]. One important application is vehicle-to-vehicle ad hoc safety networks [14]; see Freudiger et al. [21] for one approach to location privacy in such networks. Another important application is aggregate traffic data collection. Hoh et al. [30] propose “virtual trip lines” that...

5 | An embedded platform for privacy-friendly road charging applications
- Balasch, Verbauwhede, et al.
Citation Context ...r can be audited by the car’s owner. The Troncoso et al. paper also includes a useful survey of pay-as-you-drive systems deployed at the time of its publication. See Balasch, Verbauwhede, and Preneel [5] for a prototype implementation of the Troncoso et al. approach. De Jonge and Jacobs [19] proposed a privacy-preserving tolling system in which drivers commit to the path they drove without revealing t...

2 | Automated traffic enforcement which preserves driver privacy
- Blumberg, Keeler, shelat
Citation Context ...he system is dishonest. These security goals should look fairly similar to those outlined in previous work (e.g., PrETP or VPriv [39], and inspired by the earlier work of Blumberg, Keeler, and shelat [8]), but we note the consideration of possibly colluding drivers as an essential addition. We also note that we do not consider physical attacks (i.e., a malicious party gaining physical access to a dri...

1 | PrETP: privacy-preserving toll pricing
- Balasch, Rial, et al.
- 2010
Citation Context ...example, some courts have recognized drivers’ privacy interests by forbidding the police from using a GPS device to record a driver’s movements without a search warrant [1].) The VPriv [39] and PrETP [4] systems for private tolling, proposed at USENIX Security 2009 and 2010 respectively, attempt to use modern cryptographic protocols to resolve the tension between sophisticated road pricing and driver...

1 | Congestion pricing that preserves ‘driver privacy’
- Blumberg, Chase
- 2006
Citation Context ...ect against driver collusion. 7 Related work The study of privacy-preserving traffic enforcement and toll collection was initiated in papers by Blumberg, Keeler, and shelat [8] and Blumberg and Chase [7]. The former of these papers gave a system for traffic enforcement (such as red-light violations) and uses a private set-intersection protocol at its core; the latter gave a system for tolling and roa...

1 | diego county, california detailed profile. http://www.city-data.com/county/San_Diego_County-CA.html
- San
Citation Context ...Milo would cost if deployed in a real population we consider the county of San Diego, which consists of 3 million people possessing approximately 1.8 million vehicles, and almost 2,800 miles of roads [16, 17, 44]. As we just saw, Milo has a computational cost of up to 2 cents per user per month, which means a worst-case expected annual cost of $432,000; in the best case, wherein users cost only one-third of a...

1 | Funding approved for survey of San Diego’s road conditions. http://lajollalight.com/2011/01/11/fundingapproved-for-survey-of-san-diegosroad-conditions
- Service
Citation Context ...Milo would cost if deployed in a real population we consider the county of San Diego, which consists of 3 million people possessing approximately 1.8 million vehicles, and almost 2,800 miles of roads [16, 17, 44]. As we just saw, Milo has a computational cost of up to 2 cents per user per month, which means a worst-case expected annual cost of $432,000; in the best case, wherein users cost only one-third of a...

1 | The GNU MP Bignum library. http://gmplib.org
- GMP
Citation Context ...2) within version 5.4.3 of the MIRACL library [41], and for the NIZKs and commitments we used ZKPDL (Zero-Knowledge Proof Description Language) [35], which itself uses the GNU multi-precision library [23] for modular arithmetic. Table 1 shows the time taken for each of the unit operations performed within the IBE scheme. As mentioned in Section 4, in the context of our system the creation of the param...

1 | Cryptography for secure and private databases: enabling practical database access without compromising privacy
- Green
- 2009
Citation Context ...whereabouts. To the best of our knowledge, there are two blind and anonymous IBEs in the cryptographic literature: the first due to Camenisch, Kohlweiss, Rial, and Sheedy [13] and the second to Green [27]; both are blind variants on the Boyen-Waters anonymous IBE [12]. While either of these schemes would certainly work for our purposes, we chose to come up with our own scheme in order to maximize effi...

1 | The GNU MP Bignum library. Online: http://gmplib.org
- GMP
Citation Context ...2) within version 5.4.3 of the MIRACL library [41], and for the NIZKs and commitments we used ZKPDL (Zero-Knowledge Proof Description Language) [35], which itself uses the GNU multi-precision library [23] for modular arithmetic. Time (ms) Operation Laptop ARM Creating parameters 75.12 1083.61 Encryption 82.11 1187.82 Blind extraction (user) 13.13 214.06 Blind extraction (authority) 11.21 175.25 Decryp...