A Privacy Enhanced Transferable Electronic Checkbook Scheme

Wireless Personal Communications

Abstract

The electronic check (e-check) was first introduced by Chaum in 1990. Afterwards, electronic checkbook (e-checkbook) mechanisms were proposed to eliminate the need to run a protocol jointly with the bank for each e-check issuance. Despite the fact that the total amount of payments made with checks is high and the processing times of checks are considerably long, there are not many attempts in the literature at electronic checkbook design. Very recently, most of the previously proposed e-checkbook schemes were shown to be broken by Sertkaya and Kalkar. The one that is not broken, unfortunately, does not satisfy the e-check transferability and anonymity properties. In this study, we propose an e-checkbook scheme that supports transferable e-checks and satisfies the anonymity property against eavesdroppers. More concretely, we first provide game-based security definitions for e-checkbook unforgeability, e-check unforgeability and non-manipulability, and e-check anonymity. After describing the details of the proposed scheme, which is based on a signcryption scheme, we prove that our scheme satisfies the aforementioned properties along with resistance against double spending and replay attacks. We further discuss computational costs and possible extensions to suit check-related legal frameworks.

Notes

  1. Please refer to The national check payments certification program: payments resource and examination preparation report (https://www.eccho.org/wordpress/wp-content/uploads/PREP_GUIDE_2019_FINAL.pdf) for details.

  2. Please refer to the Wikipedia Anonymity Networks Category for possible anonymity network solutions to counter such de-anonymization techniques.

References

  1. Anderson, M. M. (1998). The electronic check architecture. Tech. rep., Financial Services Technology Consortium. http://echeck.org/files/ArchitectualOverview.pdf

  2. Bank for International Settlements. (2017). Statistics on payment, clearing and settlement systems in the CPMI countries. https://www.bis.org/cpmi/publ/d172.pdf

  3. Barbulescu, R., & Duquesne, S. (2019). Updating key size estimations for pairings. Journal of Cryptology, 32(4), 1298–1336. https://doi.org/10.1007/s00145-018-9280-5

  4. Barreto, P. S. L. M., Libert, B., McCullagh, N., & Quisquater, J. J. (2005). Efficient and provably-secure identity-based signatures and signcryption from bilinear maps. In B. Roy (Ed.), Advances in Cryptology - ASIACRYPT 2005 (pp. 515–532). Berlin: Springer. https://doi.org/10.1007/11593447_28.

  5. Bellare, M., Desai, A., Pointcheval, D., & Rogaway, P. (1998). Relations among notions of security for public-key encryption schemes. Advances in Cryptology – CRYPTO ’98. https://doi.org/10.1007/BFb0055718.

  6. Boyen, X. (2003). Multipurpose identity-based signcryption. In D. Boneh (Ed.), Advances in Cryptology - CRYPTO 2003 (pp. 383–399). Berlin: Springer. https://doi.org/10.1007/978-3-540-45146-4_23.

  7. Brands, S. (1993). An Efficient Off-line Electronic Cash System Based On The Representation Problem. Tech. rep., Centrum Wiskunde & Informatica (CWI).

  8. Chan, N. (2015). e-Cheque: A new era of payments in Hong Kong. https://www.hkma.gov.hk/eng/key-information/insight/20151029.shtml

  9. Chang, C. C., Chang, S. C., & Lee, J. S. (2009). An on-line electronic check system with mutual authentication. Computers & Electrical Engineering, 35(5), 757–763. https://doi.org/10.1016/j.compeleceng.2009.02.007

  10. Chang, C. C., Chang, S. C., & Wu, Y. C. (2016). Novel electronic check mechanism using elliptic curve cryptosystem. Journal of Computers, 27(3), 111–122. https://doi.org/10.3966/199115592016102703011

  11. Chaum, D., den Boer, B., van Heyst, E., Mjølsnes, S., & Steenbeek, A. (1990). Efficient offline electronic checks. In J. J. Quisquater & J. Vandewalle (Eds.), Advances in Cryptology – EUROCRYPT ’89 (pp. 294–301). Berlin: Springer. https://doi.org/10.1007/3-540-46885-4_31.

  12. Chaum, D., Fiat, A., & Naor, M. (1990). Untraceable electronic cash. In S. Goldwasser (Ed.), Advances in cryptology – CRYPTO’ 88 (pp. 319–327). New York, NY: Springer. https://doi.org/10.1007/0-387-34799-2_25.

  13. Chen, C. L., Wu, C. H., & Lin, W. C. (2010). Improving an on-line electronic check system with mutual authentication. In Proceedings of international conference on advanced information technologies (AIT 2010).

  14. Chen, T. H., Yeh, S. C., Liao, K. C., & Lee, W. B. (2009). A practical and efficient electronic checkbook. Journal of Organizational Computing and Electronic Commerce, 19(4), 285–293. https://doi.org/10.1080/10919390903262677

  15. Chen, W. K. (2005). Efficient on-line electronic checks. Applied Mathematics and Computation, 162(3), 1259–1263. https://doi.org/10.1016/j.amc.2004.03.006

  16. El Mrabet, N., & Joye, M. (2017). Guide to pairing-based cryptography. Chapman and Hall/CRC.

  17. Galbraith, S. D., Paterson, K. G., & Smart, N. P. (2008). Pairings for cryptographers. Discrete Applied Mathematics, 156(16), 3113–3121. https://doi.org/10.1016/j.dam.2007.12.010

  18. Goldwasser, S., Micali, S., & Rivest, R. L. (1988). A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2), 281–308. https://doi.org/10.1137/0217017.

  19. Hinarejos, M. F., Ferrer-Gomila, J., Draper-Gil, G., & Huguet-Rotger, L. (2012). Anonymity and transferability for an electronic bank check scheme. In 2012 IEEE 11th international conference on trust, security and privacy in computing and communications (pp. 427–435). https://doi.org/10.1109/TrustCom.2012.92

  20. Kim, S., & Oh, H. (2002). A new electronic check system with reusable refunds. International Journal of Information Security, 1(3), 175–188. https://doi.org/10.1007/s10207-002-0015-z

  21. Malone-Lee, J. (2002). Identity-based signcryption. Cryptology ePrint Archive, Report 2002/098. https://eprint.iacr.org/2002/098

  22. McCullagh, N., & Barreto, P. S. L. M. (2004). Efficient and forward-secure identity-based signcryption. Cryptology ePrint Archive, Report 2004/117. https://eprint.iacr.org/2004/117

  23. Pasupathinathan, V., Pieprzyk, J., & Wang, H. (2005). Privacy enhanced electronic cheque system. In Seventh IEEE international conference on E-commerce technology (CEC’05) (pp. 431–434). https://doi.org/10.1109/ICECT.2005.68

  24. Plateaux, A., Lacharme, P., Coquet, V., Vernois, S., Murty, K., & Rosenberger, C. (2013). An e-payment architecture ensuring a high level of privacy protection. In T. Zia, A. Zomaya, V. Varadharajan, & M. Mao (Eds.), Security and privacy in communication networks (pp. 305–322). Cham: Springer. https://doi.org/10.1007/978-3-319-04283-1_19.

  25. Rackoff, C., & Simon, D. R. (1992). Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. In J. Feigenbaum (Ed.), Advances in cryptology – CRYPTO ’91 (pp. 433–444). Berlin: Springer. https://doi.org/10.1007/3-540-46766-1_35.

  26. Rogaway, P., & Shrimpton, T. (2004). Cryptographic hash-function basics: Definitions, implications and separations for preimage resistance, second-preimage resistance, and collision resistance. Cryptology ePrint Archive, Report 2004/035. https://eprint.iacr.org/2004/035

  27. Scott, M. (2003). Miracl-a multiprecision integer and rational arithmetic c/c++ library. http://www.shamus.

  28. Sertkaya, I., & Kalkar, O. (2019). An efficient electronic checkbook scheme with mutual authentication. Suleyman Demirel University Journal of Natural and Applied Sciences, 590–596. https://doi.org/10.19113/sdufenbed.514167

  29. Sertkaya, I., & Kalkar, O. (2020). Security analysis and attacks on some electronic checkbook schemes. Under review.

  30. Sirohi, P., Agarwal, A., & Tyagi, S. (2016). A comprehensive study on security attacks on SSL TLS protocol. In 2nd international conference on next generation computing technologies (NGCT) (pp. 893–898). IEEE.

  31. Wang, Y., Manulis, M., Au, M. H., & Susilo, W. (2013). Relations among privacy notions for signcryption and key invisible “sign-then-encrypt”. Cryptology ePrint Archive, Report 2013/230. https://eprint.iacr.org/2013/230

  32. Yu, H. C., Hsi, K. H., & Kuo, P. J. (2002). Electronic payment systems: an analysis and comparison of types. Technology in Society, 24(3), 331–347. https://doi.org/10.1016/S0160-791X(02)00012-X

Acknowledgements

The authors would like to thank Ali Aydın Selçuk who has provided detailed reviews and much helped to produce this paper.

Author information

Corresponding author

Correspondence to Isa Sertkaya.

Appendix

Signcryption Scheme

Definition 4

[16] Let \({\mathbb {G}}_1,{\mathbb {G}}_2\) (additively written) and \({\mathbb {G}}_T\) (multiplicatively written) be groups of prime order r. A pairing e is defined as a map \(e: {\mathbb {G}}_1 \times {\mathbb {G}}_2 \rightarrow {\mathbb {G}}_T\) that has the following properties:

  • bilinearity: for all \(A \in {\mathbb {G}}_1, B \in {\mathbb {G}}_2\) and \(a,b \in {\mathbb {Z}}_r\), we have

    $$\begin{aligned} e([a]A,[b]B)=e(A,B)^{ab}\, , \end{aligned}$$
  • non-degeneracy: for \(A \ne 0_{{\mathbb {G}}_1}, B \ne 0_{{\mathbb {G}}_2}\), \(e(A,B) \ne 1_{{\mathbb {G}}_T}\), where \(0_{{\mathbb {G}}_1}\), \(0_{{\mathbb {G}}_2}\), and \(1_{{\mathbb {G}}_T}\) are the identity elements of \({\mathbb {G}}_1\), \({\mathbb {G}}_2\), and \({\mathbb {G}}_T\), respectively.

Then, a bilinear environment is a tuple,

$$\begin{aligned} (r, {\mathbb {G}}_1, {\mathbb {G}}_2, {\mathbb {G}}_T, P, Q, e) \end{aligned}$$

where \(r, {\mathbb {G}}_1, {\mathbb {G}}_2, {\mathbb {G}}_T\) and e are defined as above, and P (resp. Q) is a generator of \({\mathbb {G}}_1\) (resp. \({\mathbb {G}}_2\)).

For cryptographic and efficiency purposes, e is required to be efficiently computable, hard to invert, and to have underlying groups on which the necessary computational assumptions hold.

Pairing-based protocols generally involve hashing to elliptic curve subgroups. In the sequel, the following hash functions, assumed to be publicly known, will be utilized.

$$\begin{aligned} {{{\mathcal {H}}}}_{1}:&\, \{0,1\}^{*} \rightarrow {\mathbb {Z}}_r^{*} \, , \\ {{{\mathcal {H}}}}_{2}:&\, \{0,1\}^{*} \times {\mathbb {G}}_T \rightarrow {\mathbb {Z}}_r^{*} \, , \\ {{{\mathcal {H}}}}_{3}:&\, {\mathbb {G}}_T \rightarrow \{0,1\}^{*} \, . \end{aligned}$$

Here, we are going to recall the signcryption scheme proposed in [4], that is updated from the protocol given in [22]. Please note that, here the protocol will be given in Type-III setting (as defined in [17]). This is mainly due to the recent attacks on elliptic curves and hence on pairings, see [3] and the references therein.

\({\mathsf{SignC}} = ({{{\mathcal {G}}}}, {{{\mathcal {K}}}}, {{{\mathcal {S}}}}, {{{\mathcal {V}}}})\) is a signcryption scheme, where each algorithm is given as follows.

  • Setup (\({\mathsf{pp}} \leftarrow {{{\mathcal {G}}}}(1^{\kappa })\)). Given a security parameter \(\kappa\), the Key Generation Center (KGC) constructs a bilinear environment with groups \({\mathbb {G}}_1, {\mathbb {G}}_2 \text {, and } {\mathbb {G}}_T\) of prime order \(r>2^{\kappa }\). Then, it chooses a random secret \(s \leftarrow _{\$} {\mathbb {Z}}_{r}^{*}\) as its master private key \({\mathsf{sk_{KGC}}}=s\), and publishes the system-wide public parameters pp as

    $$\begin{aligned} \{r, {\mathbb {G}}_1, {\mathbb {G}}_2, {\mathbb {G}}_T, P, Q, e, {{{\mathcal {H}}}}_1, {{{\mathcal {H}}}}_2, {{{\mathcal {H}}}}_3, g, {\mathsf{pk_{KGC}}}\} \end{aligned}$$

    where \(g=e(P,Q)\) and \({\mathsf{pk_{KGC}}}=([s]P,[s]Q)\) for the signcryption scheme.

  • Keygen (\(({\mathsf{sk_{U}}}, {\mathsf{pk_{U}}}) \leftarrow {{{\mathcal {K}}}}({\mathsf{pp}}, {\mathsf{U}})\)). Given the public parameters \({\mathsf{pp}}\) and a user’s identity \({\mathsf{U}}\), within Keygen phase, private key of \({\mathsf{U}}\) is generated by KGC. First, user’s identity \({\mathsf{U}}\) is hashed as a public element \(u \leftarrow {{{\mathcal {H}}}}_1 ({\mathsf{U}}) \in {\mathbb {Z}}_r^{*}\). Then, KGC computes the user’s private keys as

    $$\begin{aligned} {\mathsf{sk_U}} \leftarrow ({\mathsf{sk_U^P}}, {\mathsf{sk_U^Q}})=([(s+u)^{-1}]P,[(s+u)^{-1}]Q) \end{aligned}$$

    where the inverses are taken modulo r. Anyone can compute the corresponding public keys using U and \({\mathsf{pk_{KGC}}}\) as

    $$\begin{aligned} {\mathsf{pk_U}}&\leftarrow \, ({\mathsf{pk_U^P}}, {\mathsf{pk_U^Q}}) \\&= \, ([s]P+[{{{\mathcal {H}}}}_1 ({\mathsf{U}})]P, [s]Q+[{{{\mathcal {H}}}}_1 ({\mathsf{U}})]Q) \\&= \, ([s]P+[u]P, [s]Q+[u]Q) \\&= \, ([s+u]P, [s+u]Q) \, . \end{aligned}$$
  • Signcrypt (\(\sigma _{\mathsf{UV}} \leftarrow {{{\mathcal {S}}}}({\mathsf{sk_{U}}},m,{\mathsf{V}})\)). To signcrypt a message \(m \in \{0,1\}^{*}\) to V, U generates a random integer \(x \leftarrow _{\$} {\mathbb {Z}}_r^{*}\) and computes:

    $$\begin{aligned} R&\leftarrow \, g^x \\ c&\leftarrow \, m \oplus {{{\mathcal {H}}}}_3(R) \\ h&\leftarrow \, {{{\mathcal {H}}}}_2(m,R) \\ S&\leftarrow \, [x+h]{\mathsf{sk_U^P}} \\ T&\leftarrow \, [x]{\mathsf{pk_V^P}} \end{aligned}$$

    The signcrypted message from U to V is

    $$\begin{aligned} \sigma _{\mathsf{UV}} \leftarrow (c,S,T). \end{aligned}$$
  • Unsigncrypt (\({{{\mathcal {V}}}}({\mathsf{sk_{V}}},\sigma _{\mathsf{UV}},{\mathsf{U}})\)). Given the signcrypted message \(\sigma _{\mathsf{UV}}\), Bob computes

    $$\begin{aligned} R&\leftarrow \, e(T,{\mathsf{sk_V^Q}}) \\ m&\leftarrow \, c \oplus {{{\mathcal {H}}}}_3(R) \\ h&\leftarrow \, {{{\mathcal {H}}}}_2(m,R) \\ W&\leftarrow \, e(S,{\mathsf{pk_U^Q}}) \, \end{aligned}$$

    and verifies that

    $$\begin{aligned} W \overset{?}{=}Rg^{h}\, . \end{aligned}$$

    If the verification holds, returns the message m, otherwise outputs an error \(\perp\).

Whenever the signer follows the scheme as specified, the following equalities, and hence correctness, hold as expected.

$$\begin{aligned} R&= \, e(T,{\mathsf{sk_V^Q}}) = e([x(s+v)]P, [(s+v)^{-1}]Q) \\&= \, e(P,Q)^x = g^{x}\, ,\\ W&= \, e(S,{\mathsf{pk_U^Q}}) = e([(x+h)(s+u)^{-1}]P, [s+u]Q) \\&= \,e(P,Q)^{x+h} = Rg^{h} \, . \end{aligned}$$

As can easily be seen, since the signature computation depends on R, a value that can only be computed by the legitimate receiver, the Unsigncrypt step is not publicly verifiable. However, if the legitimate receiver cooperates and shares \(\sigma _{\mathsf{UV}}\) and R, anyone can successfully run Unsigncrypt. Obviously, in this case this would also result in leaking the message itself.
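The following Python sketch is an added example, not code from the paper or from [4]. It runs Setup, Keygen, Signcrypt and Unsigncrypt in a toy bilinear model that is an assumption of this example: elements of \({\mathbb {G}}_1\) and \({\mathbb {G}}_2\) are stored as their scalars modulo r and \({\mathbb {G}}_T\) is a subgroup of \({\mathbb {Z}}_p^{*}\), so it offers no security and only checks the algebra, the \(\perp\) path, and the remark that a party given R can run the verification; all function and constant names are hypothetical.

```python
import hashlib, secrets

# Toy bilinear environment (an assumption of this example, NOT secure):
# [a]P in G1 and [b]Q in G2 are stored as the scalars a, b mod R, and G_T is
# the order-R subgroup of Z_PRIME^*. Discrete logs are exposed, so even the
# master secret is readable from pk_KGC; use it only to check the algebra.
PRIME = 2**89 - 1                       # Mersenne prime, G_T sits in Z_PRIME^*
R = 2931542417                          # group order r; prime factor of 2^44 + 1
G = pow(3, (PRIME - 1) // R, PRIME)     # g = e(P, Q)
assert (PRIME - 1) % R == 0 and G != 1

def pair(A, B):                         # e([a]P, [b]Q) = g^(ab)
    return pow(G, A * B % R, PRIME)

def _gt(x):                             # fixed-width encoding of a G_T element
    return x.to_bytes(12, "big")

def h1(ident):                          # H1: {0,1}* -> Z_r^*
    d = hashlib.sha256(b"H1" + ident.encode()).digest()
    return int.from_bytes(d, "big") % (R - 1) + 1

def h2(m, Rt):                          # H2: {0,1}* x G_T -> Z_r^*
    d = hashlib.sha256(b"H2" + _gt(Rt) + m).digest()
    return int.from_bytes(d, "big") % (R - 1) + 1

def h3(Rt, n):                          # H3: G_T -> n-byte mask
    return hashlib.shake_256(b"H3" + _gt(Rt)).digest(n)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def setup():
    s = secrets.randbelow(R - 1) + 1    # sk_KGC
    return s, s                         # pk_KGC = ([s]P, [s]Q), scalar form

def keygen(s, ident):                   # sk_U = [(s+u)^-1]P, [(s+u)^-1]Q
    if (s + h1(ident)) % R == 0:
        raise ValueError("s + u is not invertible mod r")
    return pow(s + h1(ident), -1, R)

def public_key(pk_kgc, ident):          # pk_U = [s]P + [u]P = [s+u]P
    return (pk_kgc + h1(ident)) % R

def signcrypt(sk_u, m, ident_v, pk_kgc):
    x = secrets.randbelow(R - 1) + 1
    Rt = pow(G, x, PRIME)               # R = g^x
    c = xor(m, h3(Rt, len(m)))          # c = m XOR H3(R)
    S = (x + h2(m, Rt)) * sk_u % R      # S = [x+h] sk_U^P
    T = x * public_key(pk_kgc, ident_v) % R   # T = [x] pk_V^P
    return c, S, T

def open_with_R(sigma, Rt, ident_u, pk_kgc):
    # Verification step; anyone holding R can run it (and learns m).
    c, S, _ = sigma
    m = xor(c, h3(Rt, len(c)))
    W = pair(S, public_key(pk_kgc, ident_u))
    ok = W == Rt * pow(G, h2(m, Rt), PRIME) % PRIME   # W ?= R * g^h
    return m if ok else None            # None stands for the error symbol

def unsigncrypt(sk_v, sigma, ident_u, pk_kgc):
    Rt = pair(sigma[2], sk_v)           # R = e(T, sk_V^Q), receiver only
    return open_with_R(sigma, Rt, ident_u, pk_kgc)

if __name__ == "__main__":
    s, pk = setup()
    sig = signcrypt(keygen(s, "U"), b"constructed e-check", "V", pk)
    print(unsigncrypt(keygen(s, "V"), sig, "U", pk))
```

Replacing the scalar model with a real Type-III pairing library changes only `pair`, the group encodings and the hash-to-group details; the control flow stays the same.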

Signcryption schemes naturally involve both encryption and signature procedures. Based on this, [21] stated two security notions separately, following the de facto security models by [5, 25] for public key encryption and by [18] for signature schemes.

Security model definitions for identity-based signcryption schemes are constructed in two parts, namely indistinguishability of identity-based signcryptions under chosen ciphertext attack (IND-IBSC-CCA) for encryption and existential signature-unforgeability under adaptive chosen message and ciphertext attacks (ESUF-IBSC-CMA), separately. Based on these definitions, [4] also shows that the given signcryption scheme satisfies both the IND-IBSC-CCA and ESUF-IBSC-CMA properties under the assumptions that the q-Bilinear Diffie-Hellman Inversion Problem and the q-Strong Diffie-Hellman Problem are intractable, respectively. [6] formalizes security definitions for multi-purpose signcryption schemes based on the message confidentiality, ciphertext unlinkability, ciphertext authentication, ciphertext anonymity, and signature non-repudiation properties. We now recall three of these definitions following the notations of [4, 6, 22], on which the eChb scheme’s security reductions will be built. For further details on security formalization, the reader may also refer to [6, 31].

Definition 5

(IND-IBSC-CCA) An identity-based signcryption scheme (IBSC) has the indistinguishability against adaptive chosen ciphertext attacks property (IND-IBSC-CCA) if no polynomially bounded adversary \({{{\mathcal {A}}}}\) has a non-negligible advantage in the following game.

  1. The challenger \({{{\mathcal {C}}}}\) runs the Setup algorithm with a security parameter \(\kappa\) and sends the public parameters pp to the adversary \({{{\mathcal {A}}}}\).

  2. Find phase: In this phase, \({{\mathcal {A}}}\) adaptively performs a polynomially bounded number of queries to the following oracles:

    • Keygen: given arbitrary identities, it returns the private keys associated with the given identities.

    • Signcrypt: given (U, V, m) as input with a pair of identities U, V (presumably the sender’s and receiver’s, respectively), and a plaintext m, it returns an encryption of the message m under the receiver’s identity V in the name of the sender’s identity U.

    • Unsigncrypt: given (\(\sigma\), U, V) as input with a pair of identities U, V and a ciphertext \(\sigma\), it generates the receiver’s private key \({\mathsf{sk_{V}}}\). If, under the private key \({\mathsf{sk_{V}}}\), \(\sigma\) decrypts into a valid message-signature pair for the sender’s identity U, it returns (m, (h, S)). Otherwise, it returns \(\perp\).

  3. \({{\mathcal {A}}}\) chooses two plaintexts \(m_0\), \(m_1\), and two identities U\(^{*}\), V\(^{*}\). She may not have queried the private key of V\(^{*}\) and she obtains \(c={\mathsf{Signcrypt}}(m_b, {\mathsf{sk_{U^{*}}}}, {\mathsf{V}}^{*})\) under system public parameters pp, for a random bit \(b \leftarrow _{\$} \{0,1\}\).

  4. Guess phase: \({{\mathcal {A}}}\) asks new queries as in the Find phase; however, she cannot submit c to the Unsigncrypt oracle for the target identity V\(^{*}\) or issue a key extraction request on V\(^{*}\).

  5. \({{\mathcal {A}}}\) outputs a bit \(b'\) and wins if \(b'=b\).

Then, adversary \({{{\mathcal {A}}}}\)’s advantage is defined to be

$$\begin{aligned} Adv({{{\mathcal {A}}}}) = \left| \text {Prob}(b' = b) - \frac{1}{2}\right| , \end{aligned}$$

hence an IBSC possesses the IND-IBSC-CCA property only if

$$\begin{aligned} Adv({{{\mathcal {A}}}}) = \left| \text {Prob}(b' = b) - \frac{1}{2}\right| \le {\mathsf{negl}}(\kappa ). \end{aligned}$$

Definition 6

(ESUF-IBSC-CMA) An identity-based signcryption scheme is said to be existentially signature-unforgeable for adaptive chosen messages and ciphertext attacks (ESUF-IBSC-CMA) if no polynomially bounded adversary has a non-negligible advantage in the following game.

  1. The challenger \({{\mathcal {C}}}\) runs the Setup algorithm with a security parameter \(\kappa\) and gives the public parameters pp to the adversary \({{\mathcal {A}}}\).

  2. \({{\mathcal {A}}}\) performs a polynomially bounded number of requests as in Definition 5.

  3. Finally, \({{\mathcal {A}}}\) constructs a triple \((\sigma ^{*}, {\mathsf{U}}^{*}, {\mathsf{V}}^{*})\) and wins the game

    • if the sender’s identity \({\mathsf{U}}^{*}\) was not corrupted and

    • if the result of Unsigncrypt oracle on \(\sigma ^{*}\) under the private key associated to \({\mathsf{V}}^{*}\) is a valid message-signature pair \((m^{*}, (h^{*},S^{*}))\) such that no Signcrypt query

      • involved \(m^{*}\), \({\mathsf{U}}^{*}\) and some receiver \({\mathsf{V}}'\) (possibly different from \({\mathsf{V}}^{*}\)) and

      • resulted in a ciphertext \(\sigma '\) whose decryption under the private key \({\mathsf{sk_{U}}}'\) is the alleged forgery

        $$\begin{aligned} (m^{*}, (h^{*},S^{*}), {\mathsf{U}}^{*}). \end{aligned}$$

Then adversary \({{{\mathcal {A}}}}\)’s advantage is

$$\begin{aligned} Adv({{{\mathcal {A}}}}) = |\text {Prob}({{{\mathcal {A}}}} \text { wins})|. \end{aligned}$$

thus an IBSC possesses the ESUF-IBSC-CMA property only if

$$\begin{aligned} Adv({{{\mathcal {A}}}}) = |\text {Prob}({{{\mathcal {A}}}} \text { wins})| \le {\mathsf{negl}}(\kappa ). \end{aligned}$$

Definition 7

(ANON-IBSC-CCA) An identity-based signcryption scheme is said to be ciphertext anonymous against adaptive chosen-ciphertext insider attacks, or (ANON-IBSC-CCA) secure, if no polynomially bounded adversary \({{{\mathcal {A}}}}\) has a non-negligible advantage in the following game.

  1. The challenger \({{{\mathcal {C}}}}\) runs the Setup algorithm with a security parameter \(\kappa\) and provides the public parameters pp to the adversary \({{{\mathcal {A}}}}\).

  2. Find phase: \({{\mathcal {A}}}\) performs a polynomially bounded number of requests as in Definition 5.

  3. \({{{\mathcal {A}}}}\) chooses two sender identities \({\mathsf{U}}_1,{\mathsf{U}}_2\) and two recipient identities \({\mathsf{V}}_1,{\mathsf{V}}_2\) along with a message m.

  4. \({{{\mathcal {C}}}}\) flips two random coins \(b_1,b_2 \in \{0,1\}\) and gives \(c={\mathsf{Signcrypt}}(m,{\mathsf{sk}}_{{\mathsf{U}}_{b_1}},{\mathsf{V}}_{b_2})\) to \({{{\mathcal {A}}}}\).

  5. Guess phase: \({{{\mathcal {A}}}}\) performs new queries as in the Find phase; however, she may not request key extraction on either \({\mathsf{V}}_{b_1}\) or \({\mathsf{V}}_{b_2}\) and cannot submit c to the Unsigncrypt oracle.

  6. Finally, \({{{\mathcal {A}}}}\) outputs \((b'_1,b'_2)\) and wins if \((b'_1,b'_2) = (b_1,b_2)\).

Then, adversary \({{{\mathcal {A}}}}\)’s advantage is defined to be

$$\begin{aligned} Adv({{{\mathcal {A}}}}) = \left| \text {Prob}((b'_1,b'_2) = (b_1,b_2)) - \frac{1}{4}\right| , \end{aligned}$$

similarly, an IBSC has the ANON-IBSC-CCA property only if

$$\begin{aligned} Adv({{{\mathcal {A}}}}) = \left| \text {Prob}((b'_1,b'_2) = (b_1,b_2)) - \frac{1}{4}\right| \le {\mathsf{negl}}(\kappa ). \end{aligned}$$

Cite this article

Sertkaya, I., Kalkar, O. A Privacy Enhanced Transferable Electronic Checkbook Scheme. Wireless Pers Commun 123, 2895–2921 (2022). https://doi.org/10.1007/s11277-021-09268-4
