Cryptology ePrint Archive: Report 2020/382

Privacy-Preserving Incentive Systems with Highly Efficient Point-Collection

Jan Bobolz and Fabian Eidens and Stephan Krenn and Daniel Slamanig and Christoph Striecks

Abstract: Incentive systems (such as customer loyalty systems) are omnipresent nowadays and deployed in several areas such as retail, travel, and financial services. Despite the benefits for customers and companies, this involves large amounts of sensitive data being transferred and analyzed. These concerns initiated research on privacy-preserving incentive systems, where users register with a provider and are then able to privately earn and spend incentive points.

In this paper we construct an incentive system that improves upon the state-of-the-art in several ways: We improve efficiency of the Earn protocol by replacing costly zero-knowledge proofs with a short structure-preserving signature on equivalence classes. We enable tracing of remainder tokens from double-spending transactions without losing backward unlinkability. We allow for secure recovery of failed Spend protocol runs (where usually, any retries would be counted as double-spending attempts). We guarantee that corrupt users cannot falsely blame other corrupt users for their double-spending.

We propose an extended formal model of incentive systems and a concrete instantiation using homomorphic Pedersen commitments, ElGamal encryption, structure-preserving signatures on equivalence classes (SPS-EQ), and zero-knowledge proofs of knowledge. We formally prove our construction secure and present benchmarks showing its practical efficiency.

Category / Keywords: cryptographic protocols / Incentive systems, Privacy, Provable security

Original Publication (in the same form): ASIA CCS 2020

Date: received 2 Apr 2020

Contact author: jan bobolz at uni-paderborn de, fabian eidens@uni-paderborn de, stephan krenn@ait ac at, daniel slamanig@ait ac at, christoph striecks@ait ac at

Available format(s): PDF | BibTeX Citation

Version: 20200403:125917 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]