Privacy Enhanced Electronic Cheque System

Privacy Enhanced
Electronic Cheque System
(PEEC)
Vijayakrishnan. P
with
Prof. Josef Pieprzyk and Dr. Hua Xiong Wang
krishnan@ics.mq.edu.au

Centre for Advanced Computing - Algorithms and Cryptography
DepartmentPrivacy Enhanced Electronic Cheque System – p.1/19
of Computing,
CEC2005,July2005

Contents
Electronic cheques
Related Work
FSTC’s eCheck
Issues in FSTC’s eCheck
Privacy Enhanced E-cheque(PEEC)
Characteristics of PEEC

CEC2005,July2005

Privacy Enhanced Electronic Cheque System – p.2/19

Electronic Cheques An overview
- Typically, E-cheques mirror Paper cheques
- A payment type for high value transactions
- Post-pay method of payment

CEC2005,July2005


Electronic Cheques An overview
- Typically, E-cheques mirror Paper cheques
- A payment type for high value transactions
- Post-pay method of payment
Advantages
- Extra Services anonymity, unlinkability
- Multiple account draws and deposits
- Supports multiple signatures

CEC2005,July2005


Related Work
Based on traditional paper cheques [FSTC,
NetCheque, MANDATE]

CEC2005,July2005


Related Work
NetCheque, MANDATE]
Server based [NetBill, PayNow]

CEC2005,July2005


Related Work
NetCheque, MANDATE]
Modiﬁed version of e-Cash [Brands, Chaum]

CEC2005,July2005


Related Work
NetCheque, MANDATE]
Modiﬁed version of e-Cash [Brands, Chaum]
Need to revisit
- Introduction of Check 21 US federal law, Oct
2004.
- Development of FSTC’s eCheck system.
CEC2005,July2005


E-Cheque Working
2. Signed eCheck

Payer

Payee
1. Invoice
3. Endorsed
eCheck

5. Account Statment
(Substitute eCheck)

Issuer

4. eCheck presentment

Acquirer

(Interbank settlement)

CEC2005,July2005


FSTC eCheck Project
Backing from major ﬁnancial institutions and
goverment agencies. (Around 100 members)
Electronic payment instrument for Internet.
Compatable with interactive web transactions
or e-mail.
Same legal framework as paper cheques.
Savings in transactional and processing cost.

CEC2005,July2005


FSTC eCheck
Structure
Two core components - FSML and SDML
(XML block structures)
<fsml-doc docname="C" type="check">
<action> <blkname>C1 ... </action>
<check> <blkname>C2 ... </check>
<signature> <blkname>C3 ... </signature>
<account> <blkname>C4 ... </account>
<cert> <blkname>C5 ... </cert>
<attachment> <blkname>C6 ... </attachment> (optional)
</fsml-doc>

CEC2005,July2005


FSTC eCheck
Structure
Two core components - FSML and SDML
(XML block structures)
<fsml-doc docname="C" type="check">
<action> <blkname>C1 ... </action>
<check> <blkname>C2 ... </check>
<account> <blkname>C4 ... </account>
<attachment> <blkname>C6 ... </attachment> (optional)
</fsml-doc>

Documents attached when endorsed.

CEC2005,July2005


Issues with FSTC
eCheck
No data conﬁdentiality of payer information.

CEC2005,July2005


Issues with FSTC
eCheck
No privacy for payer account details in an
eCheck.

CEC2005,July2005


Issues with FSTC
eCheck
eCheck.
Smart card security and non-repudiation of
transactional proof.

CEC2005,July2005


Issues with FSTC
eCheck
eCheck.
Traceablility of transactional information. w.r.t
TTP.

CEC2005,July2005


Issues with FSTC
eCheck
eCheck.
Traceablility of transactional information. w.r.t
TTP.
Smart card logging problem. [FSTC]
(http://www.echeck.org/)

CEC2005,July2005


PEEC
A post pay method.

CEC2005,July2005


PEEC
A post pay method.
Works with exisiting legal and ﬁnance
infrastrucutre

CEC2005,July2005


PEEC
A post pay method.
infrastrucutre
Provide better privacy features.

CEC2005,July2005


PEEC
A post pay method.
infrastrucutre
Provide better privacy features.
Protocols:
Setup phase
Registration - payer and payee
Payment
Deposit

CEC2005,July2005


PEEC - Setup
Bank B setup
Bank B chooses primes p and q such that
|p − 1| = δ + k for a speciﬁed constant δ, and
p = γq + 1, for a speciﬁed integer γ.

CEC2005,July2005


PEEC - Setup
Bank B setup
A unique subgroup Gq of prime order q of the
∗
multiplicative group Zp and generators g0 , g1 ,
g2 of Gq are deﬁned.

CEC2005,July2005


PEEC - Setup
Bank B setup
A unique subgroup Gq of prime order q of the
∗
multiplicative group Zp and generators g0 , g1 ,
g2 of Gq are deﬁned.
Hash functions H(.) from a family of
collision-free hash functions are deﬁned.
CEC2005,July2005


PEEC - Bank
Setup. . .
Bank also generates a secret key XB ∈R Zq
X
and corresponding public keys h = g0 B ,
X
X
h1 = g1 B , h2 = g2 B .
The Bank also chooses a value n that
represents the number of PEE-cheques in a
PEE-cheque book.

CEC2005,July2005


PEEC - Bank
Setup. . .
Bank also generates a secret key XB ∈R Zq
X
and corresponding public keys h = g0 B ,
X
X
h1 = g1 B , h2 = g2 B .
The Bank also chooses a value n that
represents the number of PEE-cheques in a
PEE-cheque book.
p, q, H(.), (g0 , g1 , g2 ) are published along with
h, h1 and h2 .

CEC2005,July2005


PEEC - Payer and
Payee Setup
Payer U setup
Each payer U has to intitally register with the
u1
Bank B. The payer generates a public key I = g1
u
where u1 ∈ Gq such that g1 1 g2 = 1.

CEC2005,July2005


PEEC - Payer and
Payee Setup
Payer U setup
Each payer U has to intitally register with the
u1
Bank B. The payer generates a public key I = g1
u
where u1 ∈ Gq such that g1 1 g2 = 1.
Payee M setup
Similar to the payer, each payee M intitally register with the Bank B to obtain a certiﬁed public key
XP
P = g1 where XP ∈ Gq .
CEC2005,July2005


PEEC - Registration
Protocol
Payer U

Bank B
I

u
I = g1 1

→
k, [k1 , k2 , .kj ., kn ], t ∈R Zq
′

∀ n: Ei = H(Ig bact g i )
′

∀ n: SE ′ = Ei XB + kj mod q
i

t
y = g1 ; Y = Iy

SY = Y XB + k2 mod q
Y,SY ,y,t,

←

′

′

[Ei ,...,Ei+n ],

←

[S ′ ,...,S ′
E

i

E

←

]

i+n

VerifySign(SY ′ )
∀ n: VerifySign(SE ′ )
CEC2005,July2005i


PEEC - Payment
Protocol
Payer U

Payee M
{amt,d/t,M N ame}S

←

M

s, w ∈R Zq
u
A = Y s ; A1 = g1 1 s , A2 = y s

O = H(d/t||M N ame||amt)
r = u1 s2 t − O.u1 .s
′

r = r.s
′

r ,A1 ,A2 ,A,O

→

′

Ei ,S ′ ,Y,SY ,SU ′
E

i

E

→

i
′

O = H(d/t||M N ame||amt)
?

VerifySign(SY ) ; A = A1 A2
?

CEC2005,July2005

′

′

A = Cheque r
AO Y System – p.14/19
1
Privacy Enhanced Electronic

PEEC - Deposit
Protocol
Payee M

Bank B

k3 ∈R Zq
SMO′ = O′ XM + k3 mod q
amt,d/t,M N ame,O

′

→

SMO′ ,r ′ ,SY ,Y,

→

′
SIE ′ ,Ei ,A,A1 ,A2
i

→
O′′ = H(d/t||M N ame||amt)
?

?

O′′ = O′ = O
VerifySign(SY ), VerifySign(SIE ′ )
i

VerifySign(SMOrder′ )
?

VerifySign(SY ) ; A = A1 A2
CEC2005,July2005

(I, bact, i) = ObtainIdbasenum(Y )


PEEC Characteristics
Security
(a) There exists no polynomial-time algorithm to
solve the discrete log problem,
(b) Schnorr signatures are unforgeable and
(c) Hash functions are cryptographically secure.

CEC2005,July2005


Security
(a) There exists no polynomial-time algorithm to
solve the discrete log problem,
(b) Schnorr signatures are unforgeable and
(c) Hash functions are cryptographically secure.
Privacy
- The payer’s identity remains protected by an anonymous identity.
- No communication with the bank to create an anonymous identity A
- There is a provable linkage between the original identity and the anonymous identity.
- The anonymous identity is guaranteed to be secure as long as the linkage value t remains known only to the payer and the bank.

CEC2005,July2005


Authentication
- Based on public key verification.
- The proof for anonymous identity is essential a Schnorr identification protocol in a
non-interactive setting.
- From Schnorr identification and the payer’s signature on the PEE-cheque presented to
the payee, authentication of the payer is guaranteed.
- The Bank authenticates the payee by verifying the digital signature on the Order′ that
is sent by the payee during the deposit protocol.
- The authentication of the payee towards the payer and the bank is based on verification
of the payee’s public key identity M.

CEC2005,July2005


Authentication
- Based on public key verification.
- The proof for anonymous identity is essential a Schnorr identification protocol in a
non-interactive setting.
- From Schnorr identification and the payer’s signature on the PEE-cheque presented to
the payee, authentication of the payer is guaranteed.
- The Bank authenticates the payee by verifying the digital signature on the Order′ that
is sent by the payee during the deposit protocol.
- The authentication of the payee towards the payer and the bank is based on verification
of the payee’s public key identity M.

Unforgeability
- Every e-cheque created by the bank uses a cryptographically secure hash function with
inputs, payer’s identity I, payer’s unique bank account (bact) and a unique e-cheque
number generated by the bank (i).
- The e-cheque is digitally signed.
- For a e-cheque to be forgeable by the payer, the payer must be able to forge the digital
CEC2005,July2005

PEEC - Extension
Multiple Payers and Payees.

CEC2005,July2005


PEEC - Extension
Multiple Account withdraws and deposits.

CEC2005,July2005


PEEC - Extension
Mobile payments.

CEC2005,July2005


PEEC - Extension
Mobile payments.
Point of sale payments.

CEC2005,July2005


Thank You
krishnan@ics.mq.edu.au

CEC2005,July2005


Privacy Enhanced Electronic Cheque System

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Privacy Enhanced Electronic Cheque System

Similar to Privacy Enhanced Electronic Cheque System (6)

Recently uploaded

Recently uploaded (20)

Privacy Enhanced Electronic Cheque System