Abstract
Electronic check (e-check) was first introduced by Chaum in 1990. Afterwards, electronic checkbook (e-checkbook) mechanisms are proposed to eliminate the need to follow a protocol jointly with the bank for each e-check issuance. Despite the fact that the total amount of payments made with checks is high and the processing times of the checks are considerably long, there are not many attempts in the literature regarding the electronic checkbook design. Very recently, most of the previously proposed e-checkbook schemes are shown to be broken by Sertkaya and Kalkar. The one that is not broken, unfortunately, does not satisfy e-check transferability and anonymity properties. In this study, we propose an e-checkbook scheme that supports transferable e-checks and satisfies anonymity property against eavesdropper. More concretely, we first provide game-based security definitions for e-checkbook unforgeability, e-check unforgeability and non-manipulability, and e-check anonymity. After describing the details of the proposed scheme that is based on a signcryption scheme, we prove that our scheme satisfies aforementioned properties along with resistance against double spending and replay attacks. We further discuss computational costs and possible extensions to suit check related legal frameworks.
Notes
Please refer to The national check payments certification program: payments resource and examination preparation report, https://www.eccho.org/wordpress/wp-content/uploads/PREP_GUIDE_2019_FINAL.pdf, for details.
Please refer to the Wikipedia Anonymity Networks category for possible anonymity network solutions to counter such de-anonymization techniques.
References
Anderson, M. M. (1998). The electronic check architecture. Tech. rep., Financial Services Technology Consortium. http://echeck.org/files/ArchitectualOverview.pdf
Bank for International Settlements. (2017). Statistics on payment, clearing and settlement systems in the CPMI countries. https://www.bis.org/cpmi/publ/d172.pdf
Barbulescu, R., & Duquesne, S. (2019). Updating key size estimations for pairings. Journal of Cryptology, 32(4), 1298–1336. https://doi.org/10.1007/s00145-018-9280-5
Barreto, P. S. L. M., Libert, B., McCullagh, N., & Quisquater, J. J. (2005). Efficient and provably-secure identity-based signatures and signcryption from bilinear maps. In B. Roy (Ed.), Advances in Cryptology - ASIACRYPT 2005 (pp. 515–532). Berlin: Springer. https://doi.org/10.1007/11593447_28
Bellare, M., Desai, A., Pointcheval, D., & Rogaway, P. (1998). Relations among notions of security for public-key encryption schemes. Advances in Cryptology – CRYPTO ’98. https://doi.org/10.1007/BFb0055718
Boyen, X. (2003). Multipurpose identity-based signcryption. In D. Boneh (Ed.), Advances in Cryptology - CRYPTO 2003 (pp. 383–399). Berlin: Springer. https://doi.org/10.1007/978-3-540-45146-4_23
Brands, S. (1993). An Efficient Off-line Electronic Cash System Based On The Representation Problem. Tech. rep., Centrum Wiskunde & Informatica (CWI).
Chan, N. (2015). e-Cheque: A new era of payments in Hong Kong. https://www.hkma.gov.hk/eng/key-information/insight/20151029.shtml
Chang, C. C., Chang, S. C., & Lee, J. S. (2009). An on-line electronic check system with mutual authentication. Computers & Electrical Engineering, 35(5), 757–763. https://doi.org/10.1016/j.compeleceng.2009.02.007
Chang, C. C., Chang, S. C., & Wu, Y. C. (2016). Novel electronic check mechanism using elliptic curve cryptosystem. Journal of Computers, 27(3), 111–122. https://doi.org/10.3966/199115592016102703011
Chaum, D., den Boer, B., van Heyst, E., Mjølsnes, S., & Steenbeek, A. (1990). Efficient offline electronic checks. In J. J. Quisquater & J. Vandewalle (Eds.), Advances in Cryptology – EUROCRYPT ’89 (pp. 294–301). Berlin: Springer. https://doi.org/10.1007/3-540-46885-4_31
Chaum, D., Fiat, A., & Naor, M. (1990). Untraceable electronic cash. In S. Goldwasser (Ed.), Advances in cryptology – CRYPTO ’88 (pp. 319–327). New York, NY: Springer. https://doi.org/10.1007/0-387-34799-2_25
Chen, C. L., Wu, C. H., & Lin, W. C. (2010). Improving an on-line electronic check system with mutual authentication. In Proceedings of international conference on advanced information technologies (AIT 2010).
Chen, T. H., Yeh, S. C., Liao, K. C., & Lee, W. B. (2009). A practical and efficient electronic checkbook. Journal of Organizational Computing and Electronic Commerce, 19(4), 285–293. https://doi.org/10.1080/10919390903262677
Chen, W. K. (2005). Efficient on-line electronic checks. Applied Mathematics and Computation, 162(3), 1259–1263. https://doi.org/10.1016/j.amc.2004.03.006
El Mrabet, N., & Joye, M. (2017). Guide to pairing-based cryptography. Chapman and Hall/CRC.
Galbraith, S. D., Paterson, K. G., & Smart, N. P. (2008). Pairings for cryptographers. Discrete Applied Mathematics, 156(16), 3113–3121. https://doi.org/10.1016/j.dam.2007.12.010
Goldwasser, S., Micali, S., & Rivest, R. L. (1988). A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2), 281–308. https://doi.org/10.1137/0217017
Hinarejos, M. F., Ferrer-Gomila, J., Draper-Gil, G., & Huguet-Rotger, L. (2012). Anonymity and transferability for an electronic bank check scheme. In 2012 IEEE 11th international conference on trust, security and privacy in computing and communications (pp. 427–435). https://doi.org/10.1109/TrustCom.2012.92
Kim, S., & Oh, H. (2002). A new electronic check system with reusable refunds. International Journal of Information Security, 1(3), 175–188. https://doi.org/10.1007/s10207-002-0015-z
Malone-Lee, J. (2002). Identity-based signcryption. Cryptology ePrint Archive, Report 2002/098. https://eprint.iacr.org/2002/098
McCullagh, N., & Barreto, P. S. L. M. (2004). Efficient and forward-secure identity-based signcryption. Cryptology ePrint Archive, Report 2004/117. https://eprint.iacr.org/2004/117
Pasupathinathan, V., Pieprzyk, J., & Wang, H. (2005). Privacy enhanced electronic cheque system. In Seventh IEEE international conference on E-commerce technology (CEC’05) (pp. 431–434). https://doi.org/10.1109/ICECT.2005.68
Plateaux, A., Lacharme, P., Coquet, V., Vernois, S., Murty, K., & Rosenberger, C. (2013). An e-payment architecture ensuring a high level of privacy protection. In T. Zia, A. Zomaya, V. Varadharajan, & M. Mao (Eds.), Security and privacy in communication networks (pp. 305–322). Cham: Springer. https://doi.org/10.1007/978-3-319-04283-1_19
Rackoff, C., & Simon, D. R. (1992). Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. In J. Feigenbaum (Ed.), Advances in cryptology – CRYPTO ’91 (pp. 433–444). Berlin: Springer. https://doi.org/10.1007/3-540-46766-1_35
Rogaway, P., & Shrimpton, T. (2004). Cryptographic hash-function basics: Definitions, implications and separations for preimage resistance, second-preimage resistance, and collision resistance. Cryptology ePrint Archive, Report 2004/035. https://eprint.iacr.org/2004/035
Scott, M. (2003). MIRACL: a multiprecision integer and rational arithmetic C/C++ library. http://www.shamus.
Sertkaya, I., & Kalkar, O. (2019). An efficient electronic checkbook scheme with mutual authentication. Suleyman Demirel University Journal of Natural and Applied Sciences, 590–596. https://doi.org/10.19113/sdufenbed.514167
Sertkaya, I., & Kalkar, O. (2020). Security analysis and attacks on some electronic checkbook schemes. Under review.
Sirohi, P., Agarwal, A., & Tyagi, S. (2016). A comprehensive study on security attacks on SSL TLS protocol. In 2nd international conference on next generation computing technologies (NGCT) (pp. 893–898). IEEE.
Wang, Y., Manulis, M., Au, M. H., & Susilo, W. (2013). Relations among privacy notions for signcryption and key invisible “sign-then-encrypt”. Cryptology ePrint Archive, Report 2013/230. https://eprint.iacr.org/2013/230
Yu, H. C., Hsi, K. H., & Kuo, P. J. (2002). Electronic payment systems: an analysis and comparison of types. Technology in Society, 24(3), 331–347. https://doi.org/10.1016/S0160-791X(02)00012-X
Acknowledgements
The authors would like to thank Ali Aydın Selçuk who has provided detailed reviews and much helped to produce this paper.
Appendix
Signcryption Scheme
Definition 4
[16] Let \({\mathbb {G}}_1,{\mathbb {G}}_2\) (additively written) and \({\mathbb {G}}_T\) (multiplicatively written) be groups of prime order r. A pairing e is defined as a map \(e: {\mathbb {G}}_1 \times {\mathbb {G}}_2 \rightarrow {\mathbb {G}}_T\) that has the following properties:
- bilinearity: for all \(A \in {\mathbb {G}}_1, B \in {\mathbb {G}}_2\) and \(a,b \in {\mathbb {Z}}_r\), we have
$$\begin{aligned} e([a]A,[b]B)=e(A,B)^{ab}\, , \end{aligned}$$
- non-degeneracy: for \(A \ne 0_{{\mathbb {G}}_1}, B \ne 0_{{\mathbb {G}}_2}\), \(e(A,B) \ne 1_{{\mathbb {G}}_T}\), where \(0_{{\mathbb {G}}_1}\), \(0_{{\mathbb {G}}_2}\), and \(1_{{\mathbb {G}}_T}\) are the identity elements of \({\mathbb {G}}_1\), \({\mathbb {G}}_2\), and \({\mathbb {G}}_T\), respectively.
Then, a bilinear environment is a tuple,
where \(r, {\mathbb {G}}_1, {\mathbb {G}}_2, {\mathbb {G}}_T\) and e are defined as above, and P (resp. Q) is a generator of \({\mathbb {G}}_1\) (resp. \({\mathbb {G}}_2\)).
For cryptographic and efficiency purposes, e is required to be efficiently computable and hard to invert, and its underlying groups must be ones on which the necessary computational assumptions hold.
Pairing-based protocols generally involve hashing to elliptic curve subgroups; in the sequel, the following hash functions, assumed to be publicly known, will be utilized.
Here, we recall the signcryption scheme proposed in [4], which is an update of the protocol given in [22]. Note that the protocol is given here in the Type-III setting (as defined in [17]). This is mainly due to the recent attacks on elliptic curves, and hence on pairings; see [3] and the references therein.
\({\mathsf{SignC}} = ({{{\mathcal {G}}}}, {{{\mathcal {K}}}}, {{{\mathcal {S}}}}, {{{\mathcal {V}}}})\) is a signcryption scheme, where each algorithm is given as follows.
- Setup (\({\mathsf{pp}} \leftarrow {{{\mathcal {G}}}}(1^{\kappa })\)). Given a security parameter \(\kappa\), the Key Generation Center (KGC) constructs a bilinear environment with groups \({\mathbb {G}}_1, {\mathbb {G}}_2 \text {, and } {\mathbb {G}}_T\) of prime order \(r>2^{\kappa }\). It then chooses a random secret \(s \leftarrow _{\$} {\mathbb {Z}}_{r}^{*}\) as its master private key \({\mathsf{sk_{KGC}}}=s\), and publishes the system-wide public parameters pp as
$$\begin{aligned} \{r, {\mathbb {G}}_1, {\mathbb {G}}_2, {\mathbb {G}}_T, P, Q, e, {{{\mathcal {H}}}}_1, {{{\mathcal {H}}}}_2, {{{\mathcal {H}}}}_3, g, {\mathsf{pk_{KGC}}}\} \end{aligned}$$
where \(g=e(P,Q)\) and \({\mathsf{pk_{KGC}}}=([s]P,[s]Q)\) for the signcryption scheme.
- Keygen (\(({\mathsf{sk_{U}}}, {\mathsf{pk_{U}}}) \leftarrow {{{\mathcal {K}}}}({\mathsf{pp}}, {\mathsf{U}})\)). Given the public parameters \({\mathsf{pp}}\) and a user’s identity \({\mathsf{U}}\), the private key of \({\mathsf{U}}\) is generated by the KGC in the Keygen phase. First, the user’s identity \({\mathsf{U}}\) is hashed to a public element \(u \leftarrow {{{\mathcal {H}}}}_1 ({\mathsf{U}}) \in {\mathbb {Z}}_r^{*}\). Then, the KGC computes the user’s private keys as
$$\begin{aligned} {\mathsf{sk_U}} \leftarrow ({\mathsf{sk_U^P}}, {\mathsf{sk_U^Q}})=([(s+u)^{-1}]P,[(s+u)^{-1}]Q) \end{aligned}$$
where the inverses are taken modulo r. Anyone can compute the corresponding public keys using U and \({\mathsf{pk_{KGC}}}\) as
$$\begin{aligned} {\mathsf{pk_U}}&\leftarrow \, ({\mathsf{pk_U^P}}, {\mathsf{pk_U^Q}}) \\&= \, ([s]P+[{{{\mathcal {H}}}}_1 ({\mathsf{U}})]P, [s]Q+[{{{\mathcal {H}}}}_1 ({\mathsf{U}})]Q) \\&= \, ([s]P+[u]P, [s]Q+[u]Q) \\&= \, ([s+u]P, [s+u]Q) \, . \end{aligned}$$
- Signcrypt (\(\sigma _{\mathsf{UV}} \leftarrow {{{\mathcal {S}}}}({\mathsf{sk_{U}}},m,{\mathsf{V}})\)). To signcrypt a message \(m \in \{0,1\}^{*}\) to V, U generates a random integer \(x \leftarrow _{\$} {\mathbb {Z}}_r^{*}\) and computes:
$$\begin{aligned} R&\leftarrow \, g^x \\ c&\leftarrow \, m \oplus {{{\mathcal {H}}}}_3(R) \\ h&\leftarrow \, {{{\mathcal {H}}}}_2(m,R) \\ S&\leftarrow \, [x+h]{\mathsf{sk_U^P}} \\ T&\leftarrow \, [x]{\mathsf{pk_V^P}} \end{aligned}$$
The signcrypted message from U to V is
$$\begin{aligned} \sigma _{\mathsf{UV}} \leftarrow (c,S,T). \end{aligned}$$
- Unsigncrypt (\({{{\mathcal {V}}}}({\mathsf{sk_{V}}},\sigma _{\mathsf{UV}},{\mathsf{U}})\)). Given the signcrypted message \(\sigma _{\mathsf{UV}}\), V computes
$$\begin{aligned} R&\leftarrow \, e(T,{\mathsf{sk_V^Q}}) \\ m&\leftarrow \, c \oplus {{{\mathcal {H}}}}_3(R) \\ h&\leftarrow \, {{{\mathcal {H}}}}_2(m,R) \\ W&\leftarrow \, e(S,{\mathsf{pk_U^Q}}) \, \end{aligned}$$
and verifies that
$$\begin{aligned} W \overset{?}{=}Rg^{h}\, . \end{aligned}$$
If the verification holds, V returns the message m; otherwise it outputs an error \(\perp\).
Whenever the signer follows this scheme as intended, the following holds, and hence correctness holds as expected.
As can easily be seen, since the signature verification depends on R, a value that can only be computed by the legitimate receiver, the Unsigncrypt step is not publicly verifiable. However, if the legitimate receiver cooperates and shares \(\sigma _{\mathsf{UV}}\) and R, anyone can successfully run Unsigncrypt. Obviously, in this case this would also leak the message itself.
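The four algorithms above, run end to end over a constructed toy bilinear environment, as an added example that is not the paper's or MIRACL's code. It assumes \({\mathbb {G}}_1={\mathbb {G}}_2={\mathbb {Z}}_r\) (additive, P = Q = 1), \({\mathbb {G}}_T\) the order-r subgroup of \({\mathbb {Z}}_p^{*}\), \(e(A,B)=4^{AB} \bmod p\), and SHA-256/SHAKE-256 as \({{{\mathcal {H}}}}_1,{{{\mathcal {H}}}}_2,{{{\mathcal {H}}}}_3\); such groups have trivial discrete logarithms, so this only illustrates the correctness equation \(W = Rg^{h}\) and the non-public-verifiability discussed above.

```python
import hashlib
import secrets

# Constructed toy bilinear environment (illustration only, no security):
# G1 = G2 = Z_r written additively with P = Q = 1, G_T = the order-r
# subgroup of Z_p^* generated by GT_GEN, and e(A, B) = GT_GEN^(A*B) mod p.
# The map is bilinear and non-degenerate, but discrete logs in Z_r are
# trivial, so only the scheme's algebra is demonstrated here.
R_ORDER, P_MOD, GT_GEN = 509, 1019, 4   # p = 2r + 1; 4 has order r in Z_p^*
P, Q = 1, 1                             # generators of G1 and G2

def pairing(A, B):
    return pow(GT_GEN, (A * B) % R_ORDER, P_MOD)

g = pairing(P, Q)                       # g = e(P, Q) from the public parameters

def H1(identity):                       # identity -> Z_r^*
    d = hashlib.sha256(identity).digest()
    return 1 + int.from_bytes(d, "big") % (R_ORDER - 1)

def H2(m, R):                           # (m, R) -> Z_r
    d = hashlib.sha256(m + R.to_bytes(2, "big")).digest()
    return int.from_bytes(d, "big") % R_ORDER

def H3(R, n):                           # R -> n-byte mask, so c = m xor H3(R)
    return hashlib.shake_256(R.to_bytes(2, "big")).digest(n)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def setup():                            # KGC: master key s, pk_KGC = ([s]P, [s]Q)
    s = secrets.randbelow(R_ORDER - 1) + 1
    return s, ((s * P) % R_ORDER, (s * Q) % R_ORDER)

def keygen(s, identity):                # sk_U = ([(s+u)^-1]P, [(s+u)^-1]Q)
    inv = pow(s + H1(identity), -1, R_ORDER)  # ValueError if s+u = 0 mod r
    return ((inv * P) % R_ORDER, (inv * Q) % R_ORDER)

def public_key(pk_kgc, identity):       # pk_U = ([s+u]P, [s+u]Q), public
    u = H1(identity)
    return ((pk_kgc[0] + u * P) % R_ORDER, (pk_kgc[1] + u * Q) % R_ORDER)

def signcrypt(sk_u, m, pk_v):           # U -> V: returns sigma_UV = (c, S, T)
    x = secrets.randbelow(R_ORDER - 1) + 1
    R = pow(g, x, P_MOD)
    c = xor(m, H3(R, len(m)))
    h = H2(m, R)
    return c, ((x + h) * sk_u[0]) % R_ORDER, (x * pk_v[0]) % R_ORDER

def verify_with_R(sigma, R, pk_u, m):   # the check W == R * g^h; needs R and m
    _, S, _ = sigma
    return pairing(S, pk_u[1]) == (R * pow(g, H2(m, R), P_MOD)) % P_MOD

def unsigncrypt(sk_v, sigma, pk_u):     # V: R = e(T, sk_V^Q) = g^x, then m
    c, S, T = sigma
    R = pairing(T, sk_v[1])
    m = xor(c, H3(R, len(c)))
    return m if verify_with_R(sigma, R, pk_u, m) else None
```

Because r is tiny here, a tampered ciphertext can pass the check with probability about 1/r; with a cryptographic-size r that probability is negligible.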
Signcryption schemes naturally involve both encryption and signature procedures. Based on this, [21] stated two security notions separately, following the de facto security models by [5, 25] for public key encryption and by [18] for signature schemes.
Security model definitions for identity-based signcryption schemes are constructed in two parts, namely indistinguishability of identity-based signcryptions under chosen ciphertext attack (IND-IBSC-CCA) for encryption and existential signature-unforgeability under adaptive chosen message and ciphertext attacks (ESUF-IBSC-CMA) for signatures. Based on these definitions, [4] also shows that the given signcryption scheme satisfies the IND-IBSC-CCA and ESUF-IBSC-CMA properties under the assumptions that the q-Bilinear Diffie-Hellman Inversion Problem and the q-Strong Diffie-Hellman Problem, respectively, are intractable. [6] formalizes security definitions for multi-purpose signcryption schemes based on the message confidentiality, ciphertext unlinkability, ciphertext authentication, ciphertext anonymity, and signature non-repudiation properties. We now recall three of these definitions, following the notation of [4, 6, 22], on which the eChb scheme’s security reductions will be built. For further details on security formalization, the reader may also refer to [6, 31].
Definition 5
(IND-IBSC-CCA) An identity-based signcryption scheme (IBSC) has the indistinguishability against adaptive chosen ciphertext attacks property (IND-IBSC-CCA) if no polynomially bounded adversary \({{{\mathcal {A}}}}\) has a non-negligible advantage in the following game.
1. The challenger \({{{\mathcal {C}}}}\) runs the Setup algorithm with a security parameter \(\kappa\) and sends the public parameters pp to the adversary \({{{\mathcal {A}}}}\).
2. Find Phase: In this phase, \({{\mathcal {A}}}\) adaptively performs a polynomially bounded number of queries to the following oracles:
   - Keygen: given arbitrary identities, returns the private keys associated to the given identities.
   - Signcrypt: given (U, V, m) as input with a pair of identities U, V (presumably sender’s and receiver’s, respectively), and a plaintext m, it returns an encryption of the message m under the receiver’s identity V in the name of the sender’s identity U.
   - Unsigncrypt: given (\(\sigma\), U, V) as input with a pair of identities U, V and a ciphertext \(\sigma\), it generates the receiver’s private key \({\mathsf{sk_{V}}}\). If, under the private key \({\mathsf{sk_{V}}}\), \(\sigma\) decrypts into a valid message-signature pair for the sender’s identity U, it returns (m, (h, S)). Otherwise, it returns \(\perp\).
3. \({{\mathcal {A}}}\) chooses two plaintexts \(m_0\), \(m_1\), and two identities U\(^{*}\), V\(^{*}\). She may not have queried the private key of V\(^{*}\), and she obtains \(c={\mathsf{Signcrypt}}(m_b, {\mathsf{sk_{U^{*}}}}, {\mathsf{V}}^{*})\) under the system public parameters pp, for a random bit \(b \leftarrow _{\$} \{0,1\}\).
4. Guess phase: \({{\mathcal {A}}}\) asks new queries as in the Find Phase; however, she cannot submit c to the Unsigncrypt oracle for the target identity V\(^{*}\) or issue a key extraction request on V\(^{*}\).
5. \({{\mathcal {A}}}\) outputs a bit \(b'\) and wins if \(b'=b\).
Then, adversary \({{{\mathcal {A}}}}\)’s advantage is defined to be
hence an IBSC possesses the IND-IBSC-CCA property only if
Definition 6
(ESUF-IBSC-CMA) An identity-based signcryption scheme is said to be existentially signature-unforgeable for adaptive chosen messages and ciphertext attacks (ESUF-IBSC-CMA) if no polynomially bounded adversary has a non-negligible advantage in the following game.
1. The challenger \({{\mathcal {C}}}\) runs the Setup algorithm with a security parameter \(\kappa\) and gives the public parameters pp to the adversary \({{\mathcal {A}}}\).
2. \({{\mathcal {A}}}\) performs a polynomially bounded number of requests as in Definition 5.
3. Finally, \({{\mathcal {A}}}\) constructs a triple \((\sigma ^{*}, {\mathsf{U}}^{*}, {\mathsf{V}}^{*})\) and wins the game
   - if the sender’s identity \({\mathsf{U}}^{*}\) was not corrupted, and
   - if the result of the Unsigncrypt oracle on \(\sigma ^{*}\) under the private key associated to \({\mathsf{V}}^{*}\) is a valid message-signature pair \((m^{*}, (h^{*},S^{*}))\) such that no Signcrypt query
     - involved \(m^{*}\), \({\mathsf{U}}^{*}\) and some receiver \({\mathsf{V}}'\) (possibly different from \({\mathsf{V}}^{*}\)), and
     - resulted in a ciphertext \(\sigma '\) whose decryption under the private key \({\mathsf{sk_{V'}}}\) is the alleged forgery
$$\begin{aligned} (m^{*}, (h^{*},S^{*}), {\mathsf{U}}^{*}). \end{aligned}$$
Then adversary \({{{\mathcal {A}}}}\)’s advantage is
thus an IBSC possesses the ESUF-IBSC-CMA property only if
Definition 7
(ANON-IBSC-CCA) An identity-based signcryption scheme is said to be ciphertext anonymous against adaptive chosen-ciphertext insider attacks, or (ANON-IBSC-CCA) secure, if no polynomially bounded adversary \({{{\mathcal {A}}}}\) has a non-negligible advantage in the following game.
1. The challenger \({{{\mathcal {C}}}}\) runs the Setup algorithm with a security parameter \(\kappa\) and provides the public parameters pp to the adversary \({{{\mathcal {A}}}}\).
2. Find phase: \({{\mathcal {A}}}\) performs a polynomially bounded number of requests as in Definition 5.
3. \({{{\mathcal {A}}}}\) chooses two sender identities \({\mathsf{U}}_1,{\mathsf{U}}_2\) and two recipient identities \({\mathsf{V}}_1,{\mathsf{V}}_2\) along with a message m.
4. \({{{\mathcal {C}}}}\) flips two random coins \(b_1,b_2 \in \{0,1\}\) and gives \(c={\mathsf{Signcrypt}}(m,{\mathsf{sk}}_{{\mathsf{U}}_{b_1}},{\mathsf{V}}_{b_2})\) to \({{{\mathcal {A}}}}\).
5. Guess phase: \({{{\mathcal {A}}}}\) performs new queries as in the Find phase; however, she may not request key extraction on either \({\mathsf{V}}_1\) or \({\mathsf{V}}_2\), and she cannot submit c to the Unsigncrypt oracle.
6. Finally, \({{{\mathcal {A}}}}\) outputs \((b'_1,b'_2)\) and wins if \((b'_1,b'_2) = (b_1,b_2)\).
Then, adversary \({{{\mathcal {A}}}}\)’s advantage is defined to be
similarly, an IBSC has the ANON-IBSC-CCA property only if
Cite this article
Sertkaya, I., Kalkar, O. A Privacy Enhanced Transferable Electronic Checkbook Scheme. Wireless Pers Commun 123, 2895–2921 (2022). https://doi.org/10.1007/s11277-021-09268-4