Privacy Enhanced Electronic Cheque System

CEC2005,July2005

Privacy EnhancedElectronic Cheque System

(PEEC)

Vijayakrishnan. P

with

Prof. Josef Pieprzyk and Dr. Hua Xiong Wang

[email protected]

Centre for Advanced Computing - Algorithms and Cryptography

Department of Computing,

Macquarie University, Australia

Privacy Enhanced Electronic Cheque System – p.1/19

CEC2005,July2005

ContentsElectronic cheques

Related Work

FSTC’s eCheck

Issues in FSTC’s eCheck

Privacy Enhanced E-cheque(PEEC)

Characteristics of PEEC


CEC2005,July2005

Electronic Cheques -An overview

- Typically, E-cheques mirror Paper cheques- A payment type for high value transactions- Post-pay method of payment


CEC2005,July2005

Electronic Cheques -An overview

- Typically, E-cheques mirror Paper cheques- A payment type for high value transactions- Post-pay method of paymentAdvantages- Extra Services anonymity, unlinkability- Multiple account draws and deposits- Supports multiple signatures


CEC2005,July2005

Related WorkBased on traditional paper cheques [FSTC,NetCheque, MANDATE]


CEC2005,July2005


Server based [NetBill, PayNow]


CEC2005,July2005



Modified version of e-Cash [Brands, Chaum]


CEC2005,July2005



Modified version of e-Cash [Brands, Chaum]

Need to revisit

- Introduction of Check 21 US federal law, Oct2004.

- Development of FSTC’s eCheck system.Privacy Enhanced Electronic Cheque System – p.4/19

CEC2005,July2005

E-Cheque Working

Issuer

PayeePayer

Acquirer

(Substitute eCheck)

1. Invoice

2. Signed eCheck

3. EndorsedeCheck

4. eCheck presentment

(Interbank settlement)

5. Account Statment


CEC2005,July2005

FSTC eCheck Project

Backing from major financial institutions andgoverment agencies. (Around 100 members)

Electronic payment instrument for Internet.Compatable with interactive web transactionsor e-mail.

Same legal framework as paper cheques.

Savings in transactional and processing cost.


CEC2005,July2005

FSTC eCheckStructure

Two core components - FSML and SDML(XML block structures)<fsml-doc docname="C" type="check">

<action> <blkname>C1 ... </action>

<check> <blkname>C2 ... </check>

<signature> <blkname>C3 ... </signature>

<account> <blkname>C4 ... </account>

<cert> <blkname>C5 ... </cert>

<attachment> <blkname>C6 ... </attachment> (optional)



</fsml-doc>


CEC2005,July2005

FSTC eCheckStructure

Two core components - FSML and SDML(XML block structures)<fsml-doc docname="C" type="check">

<action> <blkname>C1 ... </action>

<check> <blkname>C2 ... </check>


<account> <blkname>C4 ... </account>


<attachment> <blkname>C6 ... </attachment> (optional)



</fsml-doc>

Documents attached when endorsed.


CEC2005,July2005

Issues with FSTCeCheck

No data confidentiality of payer information.


CEC2005,July2005



No privacy for payer account details in aneCheck.


CEC2005,July2005




Smart card security and non-repudiation oftransactional proof.


CEC2005,July2005





Traceablility of transactional information. w.r.tTTP.


CEC2005,July2005





Traceablility of transactional information. w.r.tTTP.

Smart card logging problem. [FSTC](http://www.echeck.org/)


CEC2005,July2005

PEECA post pay method.


CEC2005,July2005


Works with exisiting legal and financeinfrastrucutre


CEC2005,July2005



Provide better privacy features.


CEC2005,July2005



Provide better privacy features.

Protocols:

Setup phase

Registration - payer and payee

Payment

DepositPrivacy Enhanced Electronic Cheque System – p.9/19

CEC2005,July2005

PEEC - SetupBank B setup

Bank B chooses primes p and q such that|p − 1| = δ + k for a specified constant δ, andp = γq + 1, for a specified integer γ.


CEC2005,July2005



A unique subgroup Gq of prime order q of themultiplicative group Z∗

p and generators g0, g1,g2 of Gq are defined.


CEC2005,July2005



A unique subgroup Gq of prime order q of themultiplicative group Z∗

p and generators g0, g1,g2 of Gq are defined.

Hash functions H(.) from a family ofcollision-free hash functions are defined.


CEC2005,July2005

PEEC - BankSetup. . .

Bank also generates a secret key XB ∈R Zq

and corresponding public keys h = gXB

0 ,h1 = gXB

1 , h2 = gXB

2 .The Bank also chooses a value n thatrepresents the number of PEE-cheques in aPEE-cheque book.


CEC2005,July2005

PEEC - BankSetup. . .

Bank also generates a secret key XB ∈R Zq

and corresponding public keys h = gXB

0 ,h1 = gXB

1 , h2 = gXB

2 .The Bank also chooses a value n thatrepresents the number of PEE-cheques in aPEE-cheque book.

p, q, H(.), (g0, g1, g2) are published along withh, h1 and h2 .


CEC2005,July2005

PEEC - Payer andPayee Setup

Payer U setup

Each payer U has to intitally register with theBank B. The payer generates a public key I = gu1

1

where u1 ∈ Gq such that gu1

1 g2 6= 1.


CEC2005,July2005

PEEC - Payer andPayee Setup

Payer U setup

Each payer U has to intitally register with theBank B. The payer generates a public key I = gu1

1

where u1 ∈ Gq such that gu1

1 g2 6= 1.

Payee M setup

Similar to the payer, each payee M intitally regis-

ter with the Bank B to obtain a certified public key

P = gXP

1 where XP ∈ Gq.Privacy Enhanced Electronic Cheque System – p.12/19

CEC2005,July2005

PEEC - RegistrationProtocol

Payer U Bank B

I = gu11

I→

k, [k1, k2, .kj ., kn], t ∈R Zq

∀ n: E′

i = H(Igbactgi)

∀ n: SE

′

i

= E′

iXB + kj mod q

y = gt1 ; Y = Iy

SY = Y XB + k2 mod qY,SY ,y,t,←

[E′

i,...,E

′

i+n],

←[S

E′

i

,...,SE

′

i+n

]

←

VerifySign(SY

′ )

∀ n: VerifySign(SE

′

i

)Privacy Enhanced Electronic Cheque System – p.13/19

CEC2005,July2005

PEEC - PaymentProtocol

Payer U PayeeM

{amt,d/t,MName}SM←

s, w ∈R Zq

A = Y s ; A1 = gu1s1 , A2 = ys

O = H(d/t||MName||amt)

r = u1s2t−O.u1.s

r′

= r.s

r′,A1,A2,A,O→

E′

i,S

E′

i

,Y,SY ,SUE

′

i→

O′

= H(d/t||MName||amt)

VerifySign(SY ) ; A?= A1A2

A?= AO

′

1 Y r′

VerifySign(SU ′ )


CEC2005,July2005

PEEC - DepositProtocol

PayeeM Bank B

k3 ∈R Zq

SMO′ = O′XM + k3 mod q

amt,d/t,MName,O′

→

SMO′ ,r′,SY ,Y,→

SIE′

i

,E′

i,A,A1,A2

→

O′′ = H(d/t||MName||amt)

O′′ ?= O′ ?

= O

VerifySign(SY ), VerifySign(SIE′

i

)

VerifySign(SMOrder′)

VerifySign(SY ) ; A?= A1A2

(I, bact, i) = ObtainIdbasenum(Y )

VerifyY value(i, Y, I)Privacy Enhanced Electronic Cheque System – p.15/19

CEC2005,July2005

PEEC -Characteristics

Security(a) There exists no polynomial-time algorithm tosolve the discrete log problem,(b) Schnorr signatures are unforgeable and(c) Hash functions are cryptographically secure.


CEC2005,July2005


Security(a) There exists no polynomial-time algorithm tosolve the discrete log problem,(b) Schnorr signatures are unforgeable and(c) Hash functions are cryptographically secure.Privacy- The payer’s identity remains protected by an anonymous identity.- No communication with the bank to create an anonymous identity A- There is a provable linkage between the original identity and the anonymous identity.

- The anonymous identity is guaranteed to be secure as long as the linkage value t re-

mains known only to the payer and the bank.


CEC2005,July2005


Authentication- Based on public key verification.- The proof for anonymous identity is essential a Schnorr identification protocol in anon-interactive setting.- From Schnorr identification and the payer’s signature on the PEE-cheque presented tothe payee, authentication of the payer is guaranteed.- The Bank authenticates the payee by verifying the digital signature on the Order′ thatis sent by the payee during the deposit protocol.- The authentication of the payee towards the payer and the bank is based on verificationof the payee’s public key identityM.


CEC2005,July2005


Authentication- Based on public key verification.- The proof for anonymous identity is essential a Schnorr identification protocol in anon-interactive setting.- From Schnorr identification and the payer’s signature on the PEE-cheque presented tothe payee, authentication of the payer is guaranteed.- The Bank authenticates the payee by verifying the digital signature on the Order′ thatis sent by the payee during the deposit protocol.- The authentication of the payee towards the payer and the bank is based on verificationof the payee’s public key identityM.

Unforgeability- Every e-cheque created by the bank uses a cryptographically secure hash function withinputs, payer’s identity I, payer’s unique bank account (bact) and a unique e-chequenumber generated by the bank (i).- The e-cheque is digitally signed.

- For a e-cheque to be forgeable by the payer, the payer must be able to forge the digitalPrivacy Enhanced Electronic Cheque System – p.17/19

CEC2005,July2005

PEEC - ExtensionMultiple Payers and Payees.


CEC2005,July2005


Multiple Account withdraws and deposits.


CEC2005,July2005



Mobile payments.


CEC2005,July2005



Mobile payments.

Point of sale payments.


CEC2005,July2005

Thank [email protected]


Technology

Privacy Enhanced Electronic Cheque System