Untraceable and Anonymous Mobile Payment Scheme Based on Near Field Communication

With the development of mobile communications, M-commerce has become increasingly popular in recent years. However, most M-commerce schemes ignore user anonymity during online transactions. As a result, user transactions may easily be traced by shops, banks or Internet Service Providers (ISPs). To deal with this problem, we introduce a new anonymous mobile payment scheme in this paper. Our new scheme has the following features: (1) Password-based authentication: users are authenticated by a low-entropy password; (2) Convenience: the new scheme is designed for near field communication (NFC)-enabled devices and is compatible with EuroPay, MasterCard and Visa (EMV-compatible); (3) Efficiency: users do not need to have their own public/private key pairs and confidentiality is achieved via symmetric-key cryptography; (4) Anonymity: users use virtual accounts in the online shopping processes, thereby preventing attackers from obtaining user information even if the transaction is eavesdropped; (5) Untraceability: no one (even the bank, Trusted Service Manager (TSM), or the shop) can trace a transaction and link the real identity with the buyer of a transaction; (6) Confidentiality and authenticity: every transaction message is either encrypted or signed by the sender, so our new scheme provides confidentiality and authenticity. We also present the performance and the security comparison of our scheme with other schemes. The results show that our scheme is applicable and has the most remarkable features among the existing schemes.


Introduction
Mobile commerce (M-commerce) [1][2][3][4] has come into the limelight in recent years thanks to the universality of smartphones and the rapid development of wireless and mobile communication technologies. With M-commerce, a user can perform online activities from an internet-enabled mobile device such as a smartphone or a tablet. Possible online activities include online shopping, online auctions, online payments, etc.
M-commerce is convenient and attractive to both users and merchants. For users, M-commerce is convenient and simple compared to traditional transactions. From a merchant's viewpoint, it brings possible customers from all over the world. Furthermore, merchants can collect customer behaviors via transactions and can perform statistical analysis to infer the consumption preferences of users. The analysis helps a merchant to send subsequent information that may be attractive to users in the future to push up sales.

Related Works
Due to the importance of M-commerce, many online payment schemes have been proposed [1,5-10]. Some of them are designed to increase performance and some are designed to enhance the security or privacy of transactions. For example, Toorani et al. [11] proposed a secure short message service payment protocol. The scheme allows users to pay the bill by the short message service (SMS). However, some weaknesses have been found, including a replay attack and an SMS message forging attack. Molloy et al. [12] proposed a payment protocol using a virtual credit card instead of a real card. In addition, the virtual credit card can be generated as many times as a user wishes. On the other hand, to provide user anonymity and unlinkability, Martínez-Peláez et al. [13] proposed a micropayment protocol based on anonymous electronic cash. To increase the performance of online payment protocols, Kungpisdan et al. [9] proposed an account-based online payment protocol. The protocol adopted symmetric-key cryptography instead of public-key cryptography for achieving confidentiality. Compared to many schemes using public-key cryptography, the scheme achieves low computation during transactions. Liao [14] proposed a cross-domain anonymous online payment scheme which allows users to make purchases at different merchants in mobile communication with user anonymity. On the other hand, near field communication (NFC) [15][16][17] has come into the limelight in recent years and has become increasingly popular. For this reason, NFC-enabled mobile payment protocols have been proposed [18][19][20][21] in which credit card information is combined into NFC-enabled mobile devices. The NFC chip embedded in a smartphone switches to card simulation mode to simulate a credit card when an online transaction proceeds and the information inside the (simulated) card is requested. In this way the card information is transmitted securely via the NFC standard protocol to the merchant or to the card issuer for authentication. In practice, Apple [22], Microsoft [23], and Google Inc. [24] have each introduced their own idea to replace the traditional credit card by a virtual credit card. In addition, the cards are stored in NFC-enabled smartphones. By using the smartphone, mobile payments and online transactions can proceed very efficiently and conveniently. For this reason, the IT industry and many researchers have continuously focused on such a promising technology to improve its security and performance and/or to add new features to it [25][26][27][28][29]. For example, Pasquet et al. [28] proposed an infrastructure to test the security of the simulated credit card in the NFC-enabled smartphone. Pailles et al. [27] focus on the protection of private data in user accounts. Mainetti et al. [26] proposed a protocol for message exchange between the NFC-enabled smartphone and the Point of Sale (PoS) terminal using a peer-to-peer method. The advantage of the scheme in [26] is that the transaction confirmation message can be stored and customized by the merchant. Finally, Urien and Piramuthu [29] assume that a user's NFC-enabled smartphone may be untrustworthy and, instead of using the built-in security element in NFC-enabled smartphones, they proposed a cloud security element to achieve the goal. Moreover, their scheme follows the EMV standard and can execute the EMV credit card protocol. Their concept is similar to the Host Card Emulation [25] technique.

Motivation
Anonymity is an important issue for mobile payment and online transactions from customers' viewpoints. Generally speaking, the identity of a user is required to be presented to its counterparty, who may be a card issuer, a merchant, or a Trusted Service Manager (TSM), during the process of an online payment. The identity presented here is used for authentication. However, this may leak information on who the card holder is and/or by whom and where the goods or items have been bought, and from which merchant. Furthermore, with this information, an impersonation attack may be launched to forge an invalid transaction. To deal with this problem, Luo et al. [30] in 2016 proposed an NFC-based mobile payment protocol with user anonymity. However, we found that their scheme has some security issues and may not be functional in practice. For example, they use the same private key for digital-signature signing and for ciphertext decryption. Unlinkability is also a problem. It is difficult to achieve according to the definition of unlinkability. Furthermore, Lee et al. [31] also mentioned that Luo et al.'s idea suffers from the symmetric-key leakage problem. Although Lee et al. [31] introduced their remedy, the new scheme is designed for pre-paid systems but not for credit card applications. In addition, the new scheme is not EMV-compatible.

Our Contributions
In this paper, we are going to introduce a new NFC-based mobile payment protocol. The new scheme has the following features:

• Password-based authentication: Password-based authentication does not require expensive infrastructure compared to digital-signature and biometrics-based authentication. In addition, it is convenient for users since users can use a low-entropy and easy-to-remember password to establish a high-entropy session key. Consequently, in our protocol, we assume that a user of our scheme possesses no high-entropy secret key and no public/private key pair in advance. What the user has in advance is only a low-entropy password (pw) shared with a bank (card issuer). The pw will then be used for user authentication and for securing communication.

• Efficiency: Users of our scheme do not need to have their own public/private key pairs and confidentiality is achieved via symmetric-key cryptography.

• Anonymity: A user's virtual account is set up and registered via the bank. Except for the bank, no one else will know the actual identity of the user even when eavesdropping occurs during the transactions.

• Untraceability: No one (even the bank, TSM or the shop) can trace a transaction and link the real identity with the buyer of a transaction.

• Confidentiality and Authenticity: Every communication for transactions is either encrypted by a session key from Diffie-Hellman key exchange [35] or by a pre-shared key between a bank and TSM.

Paper Organization
The paper is organized as follows: Section 2 presents some preliminaries required for our construction as well as Luo et al.'s scheme. The model and our new NFC-based anonymous mobile payment protocol are provided in Section 3. We provide the security of our protocol in Section 4 and the conclusion is given in Section 5.

Preliminaries and Luo et al.'s Scheme Revisited
This section reviews some cryptographic primitives and definitions required for our construction. We will also review Luo et al.'s work and discuss the security flaws of their scheme.

Security Assumptions
Definition 1. Discrete Logarithm (DL) Problem: $G$ is a cyclic group with prime order $p$ and $g$ is a primitive root of $G$. The DL problem to the base $g$ means the following problem: given $g, h \in G$, find an integer $x$ such that $h = g^x \bmod p$.
The DL problem is believed to be difficult and to be the hard direction of a one-way function. Based on the DL problem, the Computational Diffie-Hellman Assumption can be defined as follows:
Definition 2. Computational Diffie-Hellman (CDH) Problem: $G$ is a cyclic group of prime order $p$ and $g$ is a primitive root of $G$. The CDH assumption says that given $(g, g^a, g^b)$ for $a, b \in \mathbb{Z}_p^*$ picked randomly, there exists no polynomial-time algorithm to find an element $C \in G$ such that $C = g^{ab} \bmod p$ with non-negligible probability.
The CDH problem is also believed to be difficult and, based on the problem, any two entities can generate $C = g^{ab} \bmod p$ as their session key, which is called the Diffie-Hellman (key-exchange)-based key [35].

Luo et al.'s Scheme Revisited
We first review Luo et al.'s protocol (UAPS for short) in this subsection and discuss the security flaws of their scheme. There are four entities in UAPS: a secure element (SE) embedded in a smartphone, a user, a card issuer (i.e., the bank) and a virtual credit card issuer (i.e., the TSM). In addition, the protocol consists of four stages: registration stage, anonymous virtual bank account generation stage, anonymous transaction account generation and issuing of virtual credit card stages. Details are described as follows:

Registration Stage
In this phase, each entity must generate its own identity $ID$ and an asymmetric key pair $(PK_{ID}, SK_{ID})$ with a certificate issued by a Certificate Authority (CA). At the beginning, a user with identity $ID_U$ must open a bank account and register his NFC-enabled smartphone with the bank. The bank then generates a shared key $K_{B,U}$ between the bank and the user and returns it to the user.

Anonymous Virtual Bank Account Generation Stage
At this stage, the user with identity $ID_U$ requests the bank to establish a virtual account $AID_i$ for him/her. The SE in the user's NFC-enabled smartphone will generate a public/private key pair $(PK_{AID_i}, SK_{AID_i})$, and then uses the private key $SK_{AID_i}$ to sign the public key $PK_{AID_i}$. Then it delivers the signature to the bank. After authenticating the identity of the user, the bank will issue the corresponding certificate of $AID_i$ to the user. Figure 1 shows the communication flow and the detailed descriptions are listed as follows:
1. The user sends $ID_U \| E_{K_{B,U}}(ID_U \| N_1 \| Sign_{SK_U}(ID_U \| N_1))$ to the bank. Here $N_1$ is a nonce, $Sign_{SK_U}(M)$ denotes the signature on message $M$ signed by the signing key $SK_U$, and $E_K(M)$ denotes the ciphertext of message $M$ encrypted by the key $K$.
Here $AID_i\_ExpTime$ is the expiry time of $AID_i$ and $AID_i\_Limit$ is the credit limit of $AID_i$.
7. The user sends the ciphertext to the SE. The SE retrieves the shared key $K_{AID_i,B}$ and the certificate $CERT_B^{AID_i}$.

Anonymous Transaction Account Generation Stage
After registering with the bank, the user then needs to register its (virtual) identity with the TSM to get the virtual credit card. The virtual credit card will be used in the actual transactions. The user will establish a pre-stored credit account in the TSM and the credit limit for this account can be decided by the user itself. This account will be linked to the virtual account $AID_i$ in the bank for spending via mobile payment. On the other hand, for security of the payment, the user generates $BINFO$ (i.e., payment information), which is composed of the virtual account $AID_i$, the account expiry date $AID_i\_ExpTime$, the account limit $AID_i\_Limit$, and the session key $K_{AID_i,B}$. The message is signed by the signing key $SK_{AID_i}$, and then sent to the bank via the TSM. Besides, the user will encrypt the payment message by the session key $K_{TID_i,TSM}$, and then sign the ciphertext by $SK_{TID_i}$. The signature as well as $TSMINFO$ are then sent to the TSM. The TSM decrypts it and then encrypts the content by using the bank's public key $PK_B$. The TSM signs the ciphertext to generate $TSMBINFO$. The TSM transmits $BINFO$ and $TSMBINFO$ to the bank. The bank can retrieve $BINFO$ and $TSMBINFO$. After comparing the information between $BINFO$ and $TSMBINFO$, the bank authenticates the identities and returns the credit information of the virtual account to the TSM. Figure 2 shows the communication flow and the details are described as follows:
1. The user generates a virtual transaction account $TID_i$ and a key pair $(PK_{TID_i}, SK_{TID_i})$. He/she then signs $PK_{TID_i}$ with $SK_{TID_i}$ and encrypts it with $PK_{TSM}$. Then the user sends the ciphertext $E_{PK_{TSM}}(Sign_{SK_{TID_i}}(TID_i \| PK_{TID_i} \| Timestamp))$ to the TSM.
2. After decrypting the message, the TSM establishes a session key $K_{TID_i,TSM}$ and returns $TID_i \| E_{PK_{TID_i}}(TID_i \| K_{TID_i,TSM})$ to the user.
3. The user requests identifiers $SID$, $AID_i$, $ID_B$ and nonce $N_1$ from the SE.
4. The SE generates the payment message $BINFO$ and sends it with $N_1$ to the user. Here $BINFO =$
5. The user generates the transaction message $TSMINFO = Sign_{SK_{TID_i}}(E_{K_{TID_i,TSM}}(SID \| AID_i \| ID_{TSM} \| ID_B \| N_2 \| AID_i\_ExpTime \| AID_i\_Limit))$ and encrypts $BINFO$, $TSMINFO$ and $N_1$ with $PK_{TID_i}$. That is, the user sends $Sign_{SK_{TID_i}}(TID_i \| E_{PK_{TID_i}}(TID_i \| TSMINFO \| BINFO \| N_2))$ to the TSM.
6. After decrypting $TSMINFO$, the TSM will generate the authentication message $TSMBINFO = Sign_{SK_{TSM}}(E_{PK_B}(SID))$ and send $E_{PK_B}(ID_B \| AID_i \| BINFO \| SID \| ID_{TSM} \| TSMBINFO)$ to the bank for confirmation.
7. The bank uses its corresponding keys to decrypt the ciphertext. The bank then compares $BINFO$ with $TSMBINFO$. The bank accepts the message if they are identical. In this case, the bank will send the credit information of $AID_i$ to the TSM.
8. After receiving the returned message, the TSM verifies that $TID_i$ is authorized to access the service and the TSM will send $TID_i \| E_{K_{TID_i,TSM}}(Status \| TID_i\_ExpTime \| TID_i\_Limit)$ to the user.

Issuing of Virtual Credit Card Stage
During this phase, the user can apply to the TSM for a virtual credit card. The TSM will issue a virtual credit card with a shorter expiry date and a lower credit limit. Besides, the credit card complies with the EMV standard and is stored in the SE. A user can repeat this stage to get a new virtual credit card when the expiry date is approaching or the remaining limit is exhausted. Figure 3 shows the communication flow and the detailed steps are listed below:
1. The user sends a request to the SE with anonymous transaction identifier $TID_i$.
, and sends the encrypted message $E_{K_{TID_i,TSM}}(TID_i\text{-}CreditINFO \| CERT_{TSM}^{TID_i})$ to the user.
5. After receiving the message, the user decrypts the ciphertext and stores the corresponding certificate and the new credit card information in the SE.
6. The remaining process just follows the EMV standard.

Comments on Luo et al.'s Scheme
As mentioned at the beginning, this scheme focuses on the topic of user anonymity. However, it suffers from several problems. Lee et al. [31] pointed out that the scheme leaks the symmetric key shared between the SE and the bank. It means an adversary may attack the mobile device to find sensitive information in the SE. The adversary may also impersonate the mobile phone owner and make mobile payments on behalf of the real user.
Besides, this protocol uses the same key pair for encryption/decryption and for (digital) signature signing/verification. This kind of mixed use of the same key is not recommended since it may cause some unexpected security flaws. For example, if the same key is used for both the RSA encryption scheme and the RSA digital-signature scheme, then an attacker may eavesdrop on some ciphertexts sent from others to the user, and then the attacker may cheat the sender to encrypt the ciphertexts (for any reason the user may believe). As a result, the attacker will get the plaintexts corresponding to the ciphertexts. This attack can happen because the same key pair is used for signature and for encryption, and this kind of mixed use should be avoided.
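Why one RSA key pair must not serve both decryption and signing, as an added example that is not code from the paper or from Luo et al.: with textbook RSA (no padding, which is an assumption of this sketch) signing and decryption are the same private-key exponentiation, so a signature over a ciphertext is its plaintext, while a separate signing key reveals nothing. The primes, exponents and function names are constructed toy values.

```python
def rsa_keypair(p: int, q: int, e: int):
    """Textbook RSA key pair from two primes (toy sizes, no padding)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def encrypt(pub, m: int) -> int:
    n, e = pub
    return pow(m, e, n)


def decrypt(priv, c: int) -> int:
    n, d = priv
    return pow(c, d, n)


def sign(priv, m: int) -> int:
    # Same exponentiation as decrypt(): this identity is the whole problem.
    n, d = priv
    return pow(m, d, n)


def verify(pub, m: int, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == m % n


def shared_key_case(m: int):
    """One key pair for both roles: signing a ciphertext returns the plaintext."""
    pub, priv = rsa_keypair(61, 53, 17)
    c = encrypt(pub, m)            # ciphertext addressed to the key owner
    sig = sign(priv, c)            # owner signs what looks like an opaque value
    return sig == m, verify(pub, c, sig)


def separate_keys_case(m: int):
    """Distinct encryption and signing key pairs: the signature leaks nothing."""
    enc_pub, enc_priv = rsa_keypair(61, 53, 17)
    sig_pub, sig_priv = rsa_keypair(89, 97, 5)
    c = encrypt(enc_pub, m)
    sig = sign(sig_priv, c)
    return sig == m, verify(sig_pub, c, sig), decrypt(enc_priv, c) == m


if __name__ == "__main__":
    print("shared key   (leaks, verifies):", shared_key_case(65))
    print("separate keys (leaks, verifies, decrypts):", separate_keys_case(65))
```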

Proposed Scheme
In this section, we introduce a new untraceable NFC-based anonymous mobile payment protocol to overcome the security weaknesses of Luo et al.'s scheme. There are three types of entities in our new scheme: a user, a bank and a TSM.

• A user is a customer who applies for a virtual account and a virtual transaction account for privacy protection reasons. With the accounts he/she can pay using his NFC-enabled smartphone via our mobile payment protocol in an anonymous and untraceable manner.

• A bank is a card issuer who generates a virtual account and issues the corresponding virtual card for users.

• TSM is a very important entity in the NFC payment ecosystem. TSM is assumed to be the trusted third party who sets up technical connections and business agreements with mobile network operators, or other entities controlling the SE on smartphones.

In addition, our scheme consists of four stages, (
1 lists the notations we will use in our protocol. Figure 4 shows the communication flow of our new scheme.
Signature of entity a on the message m
$x \| y$: Concatenation of messages x and y
$TS$: Time stamp

Initialization
This is the stage for initial setting. At first, assume every single entity (i.e., user $U$, TSM, Bank) has its own identifier (i.e., $ID_U$, $ID_{TSM}$, $ID_B$) at the beginning.
• The user $U$ is assumed to have a physical bank account and a password $pw$ shared with the bank (for authentication). The $pw$ is assumed to be low-entropy (i.e., not as secure as a high-entropy secret key) so it can be kept secret very easily (e.g., stored in the SE of a smartphone or just kept in mind without memorizing it anywhere).
On the other hand, both the TSM and the bank are organizations possessing high levels of computing power, so it is reasonable to assume that they can have public-key cryptosystem key pairs $(PK, SK)$. Furthermore, we assume that their keys are Discrete-Logarithm-based (DL-based) keys (ref. Definition 1). The public-key cryptosystems are mainly used for authentication and for Diffie-Hellman-based key exchange (ref. Definition 2). There are many candidates for such (DL-based) public-key cryptosystems, such as the Digital Signature Standard (DSS), Schnorr signature and/or ElGamal signature. On the other hand, confidentiality is achieved via symmetric-key cryptography such as AES or RC4.
• TSM has its own public/private key pair $(PK_{TSM}, SK_{TSM})$. More precisely, $PK_{TSM} = (y_{TSM}, g_{TSM}, p_{TSM}, q_{TSM})$ where $p_{TSM}$ is a large prime, $g_{TSM}$ is a generator of a multiplicative group $G = \langle g_{TSM} \rangle$ of order $q_{TSM}$ and $y_{TSM} = g_{TSM}^{x_{TSM}} \bmod p_{TSM}$. $SK_{TSM} = x_{TSM} \in \mathbb{Z}^*_{q_{TSM}}$. In addition, TSM holds a high-entropy secret key $PSK_{B,TSM}$ shared with the bank.
• The same as TSM, the bank has its own public/private key pair $(PK_B, SK_B)$. More precisely, $PK_B = (y_B, g_B, p_B, q_B)$ where $p_B$ is a large prime, $g_B$ is a generator of a multiplicative group $G = \langle g_B \rangle$ of order $q_B$ and $y_B = g_B^{x_B} \bmod p_B$. $SK_B = x_B \in \mathbb{Z}^*_{q_B}$. In addition, the bank holds a high-entropy secret key $PSK_{B,TSM}$ shared with TSM.
In short, at the end of the stage, a user with identity $ID_U$ has $pw$; TSM with identity $ID_{TSM}$ has a symmetric key $PSK_{B,TSM}$ and a DL-based public/private key pair $(PK_{TSM}, SK_{TSM})$; the bank with identity $ID_B$ has a symmetric key $PSK_{B,TSM}$, a DL-based public/private key pair $(PK_B, SK_B)$ and a $pw$ as the one shared with $ID_U$. All those keys are generated in advance before the start of our protocol.

Virtual Account Application
This stage is to authenticate the user via $pw$. It then aims to create a virtual account identifier $AID_U$ and register it with the bank. The bank will record that together with the user identity $ID_U$. Some information for later communication between $U$ and TSM, such as a ticket $Ticket_{B,TSM}$, will be sent back to the user side. The detailed description is as follows:
1. $U \rightarrow Bank$: $(ID_U, VA\text{-}request, T, C)$
This step is to apply for registration and to inform the bank about which TSM the user will communicate with in the next stage. The user does the following steps:
• Pick $x \leftarrow \mathbb{Z}^*_{q_B}$, use $pw$ and the bank's public key $PK_B = (y_B, g_B, p_B, q_B)$ to compute $T = g_B^{x} y_B^{pw} \bmod p_B$.
• Pick $r \leftarrow \mathbb{Z}^*_{q_{TSM}}$, use TSM's public key $PK_{TSM} = (y_{TSM}, g_{TSM}, p_{TSM}, q_{TSM})$ and compute $R = g_{TSM}^{r} \bmod p_{TSM}$.
• Create a virtual account identifier $AID_U$, compute $k' = y_B^{x} \bmod p_B$, $k = H(ID_U \| ID_B \| k' \| T)$ and $h_{va} = H(VA\text{-}request \| ID_U \| ID_{TSM} \| AID_U \| T \| R \| N_1 \| TS_1)$ where $N_1$ is a nonce and $TS_1$ is a time stamp.
• Send $(ID_U, VA\text{-}request, T, C)$ to the bank as the request for virtual account registration.

Bank →
In this stage, the bank authenticates the user via $pw$, generates a virtual credit card and a ticket for $AID_U$. The ticket is generated for later communication between the user and the TSM. The detailed steps of the bank are described as follows:
• Check the identity $ID_U$ against its member list and find the corresponding password $pw$. Reject and terminate if $ID_U$ is not in the list.
3. $U$: After receiving the returned information from the bank, the user $U$ does the following computations:
• Decrypt $C_B$, check the time stamp $TS_1$ and the correctness of $N_1 + 1$.
• Store $AID_U$, $AID_U\_Extime$, $AID_U\_Limit$ and $Ticket_{B,TSM}$ securely.
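The password-blinded key agreement of this stage, worked through for both sides as an added example that is not code from the paper. Assumptions: a toy group (p = 2039, q = 1019, g = 4) shared by bank and TSM, SHA-256 as H with length-prefixed concatenation, the password mapped to an exponent by byte value, and the hashed fields handed to the bank directly instead of inside the ciphertext C; the bank's unblinding step follows from the definition of T.

```python
import hashlib
import hmac
import secrets

# Toy DL group constructed for this example (far too small for real use):
# p = 2q + 1 with p, q prime; g = 4 generates the subgroup of order q.
P, Q, G = 2039, 1019, 4


def H(*parts) -> bytes:
    """H(a || b || ...), each part length-prefixed so the encoding is unambiguous."""
    h = hashlib.sha256()
    for part in parts:
        data = part if isinstance(part, bytes) else str(part).encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return h.digest()


def pw_exponent(pw: str) -> int:
    """Assumed encoding of the low-entropy password as an exponent modulo q."""
    return int.from_bytes(pw.encode(), "big") % Q


def keygen():
    """DL key pair: private x in [1, q-1], public y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def user_va_request(pw, y_b, ids, aid_u, n1, ts1):
    """User side of step 1: blind g^x with y_B^pw and derive the session key k."""
    id_u, id_b, id_tsm = ids
    x = secrets.randbelow(Q - 1) + 1
    r = secrets.randbelow(Q - 1) + 1
    T = pow(G, x, P) * pow(y_b, pw_exponent(pw), P) % P   # T = g^x * y_B^pw mod p
    R = pow(G, r, P)                                       # R = g^r mod p
    k_prime = pow(y_b, x, P)                               # k' = y_B^x mod p
    k = H(id_u, id_b, k_prime, T)
    h_va = H("VA-request", id_u, id_tsm, aid_u, T, R, n1, ts1)
    fields = {"aid_u": aid_u, "R": R, "n1": n1, "ts1": ts1, "h_va": h_va}
    return T, fields, k


def bank_va_process(pw, x_b, y_b, ids, T, fields, now, max_skew=300):
    """Bank side: strip the password blinding, derive k, check h_va and TS_1."""
    id_u, id_b, id_tsm = ids
    blind = pow(y_b, pw_exponent(pw), P)
    g_x = T * pow(blind, -1, P) % P          # T / y_B^pw = g^x
    k_prime = pow(g_x, x_b, P)               # (g^x)^{x_B} = y_B^x = k'
    k = H(id_u, id_b, k_prime, T)
    expected = H("VA-request", id_u, id_tsm, fields["aid_u"], T,
                 fields["R"], fields["n1"], fields["ts1"])
    fresh = abs(now - fields["ts1"]) <= max_skew
    return k, fresh and hmac.compare_digest(expected, fields["h_va"])


def demo():
    """Returns (keys match, request accepted, wrong-pw key matches, stale accepted)."""
    ids = ("ID_U", "ID_B", "ID_TSM")         # constructed identifiers
    x_b, y_b = keygen()
    T, fields, k_user = user_va_request("1234", y_b, ids, "AID-0001", n1=77, ts1=1_000)
    k_bank, ok = bank_va_process("1234", x_b, y_b, ids, T, fields, now=1_010)
    k_wrong, _ = bank_va_process("1235", x_b, y_b, ids, T, fields, now=1_010)
    _, stale = bank_va_process("1234", x_b, y_b, ids, T, fields, now=9_999)
    return k_user == k_bank, ok, k_user == k_wrong, stale


if __name__ == "__main__":
    print(demo())
```

In the scheme itself the fields travel inside C under the key k, so a bank record holding a different password yields a different k and the request cannot be decrypted; the example compares the derived keys directly to show the same effect.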

Virtual Transaction Account Application and Virtual Credit Card Issuance
This stage is to create a virtual transaction account $TID_U$ of $U$ and to register $TID_U$ with the TSM. Based on the account $TID_U$, TSM will issue a virtual credit card for $U$ without knowing the real identity of $U$ (i.e., TSM only knows $AID_U$ alternatively). For the virtual credit card, TSM will generate the corresponding expiry time and limit of the card for $TID_U$, and then TSM will send the virtual credit card, the expiry time and account balance back to the user. The detailed steps are listed as follows:
1. $ID_U \rightarrow ID_{TSM}$: $(ID_B, Ticket_{B,TSM}, C_{TSM})$
The user does the following steps:
• Compute the session key $k_{U,TSM} = H(ID_U \| ID_{TSM} \| k_{TSM} \| R)$ where $k_{TSM} = y_{TSM}^{r} \bmod p_{TSM}$ and $r \in \mathbb{Z}^*_{q_{TSM}}$ is the random number picked at step (1) of the previous stage.
• Generate a virtual transaction account $TID_U$ and compute $h_{vta} = H(VTA\text{-}request \| AID_U \| TID_U \| ID_B \| Ticket_{B,TSM})$.
• Use $k_{U,TSM}$ and generate the ciphertext $C_{TSM} = E_{k_{U,TSM}}(VTA\text{-}request \| AID_U \| TID_U \| h_{vta})$.
Note: The VTA-request is the request to register $U$'s virtual transaction account $TID_U$ with TSM.
2. $ID_{TSM}$: $(K_{U,TSM}, ID_B, AID_U, TID_U)$
TSM does the following steps after receiving the information from $U$.
• Decrypt $Ticket_{B,TSM}$ using the symmetric key $K_{B,TSM}$ shared with the bank in advance. Accept the ticket $Ticket_{B,TSM}$ if the signature from the bank is correct and the ticket is valid by checking the time stamp $TS$
The user does the following steps:

Conclusions
In this paper, we investigate the scheme introduced by Luo et al. in Computers and Electrical Engineering in 2016. We found some security flaws and weaknesses in the scheme. In addition, we introduce a new EMV-compatible NFC-based anonymous payment scheme. The important feature of the new scheme is that the user needs only a low-entropy password shared with a bank in advance instead of a high-entropy secret key or a cumbersome public/private key pair. The new scheme provides many privacy-preserving properties such as anonymity and untraceability and is suitable for mobile payments of users.

Figure 1. Anonymous Virtual Bank Account Generation Phase.

Figure 3. Issuing of Virtual Credit Card Phase.

Figure 4. Communication Flow of the Proposed Scheme.

2 and the lifetime. Do the following steps if $Ticket_{B,TSM}$ is accepted.
• Compute $k_{U,TSM} = H(ID_U \| ID_{TSM} \| k_{TSM} \| R)$ where $k_{TSM} = R^{SK_{TSM}} \bmod p_{TSM}$ and then decrypt $C_{TSM}$ by the key $k_{U,TSM}$.
• Accept the VTA-request if $AID_U$ in $C_{TSM}$ is the same as that in $Ticket_{B,TSM}$ and $h_{vta}$ is correct.
3. $ID_{TSM} \rightarrow ID_U$: $(TSM\_Info)$
TSM does the following steps:
• Generate a virtual credit card and the corresponding information $Credit\_Info$ for $TID_U$.
• Determine the corresponding expiry time, $TID_U\_Extime$, and credit balance, $TID_U\_Limit$, where $TID_U\_Extime \le AID_U\_Extime$ and $TID_U\_Limit \le AID_U\_Limit$.
• Generate the ciphertext $TSM\_Info = E_{K_{U,TSM}}(ID_{TSM} \| AID_U \| TID_U \| TID_U\_Extime \| TID_U\_Limit \| Credit\_Info \| TS_3 \| Sig_{SK_{TSM}}(M))$ where $M$ includes the whole message in the ciphertext $TSM\_Info$ excluding the signature.
• Return the ciphertext $TSM\_Info$ to the user $U$.
2. The bank decrypts the message with the shared key and verifies the signature. If it passes, the bank generates a virtual account $AID_i$ and a nonce $N_2$. The bank then sends $ID_B \| E_{K_{B,U}}(ID_U \| AID_i \| N_2)$ back to the user.
3. The user receives $AID_i$ and stores $ID_U \| AID_i \| N_2$ in the SE.
4. The SE generates a key pair $(PK_{AID_i}, SK_{AID_i})$ corresponding to $AID_i$. $SK_{AID_i}$ is stored in the SE and the SE returns $PK_{AID_i} \| Sig_{SK_{AID_i}}(ID_U \| AID_i \| PK_{AID_i} \| N_2)$ to the user.
5. The user sends $ID_U \| E_{K_{B,U}}(Sig_{SK_U}(ID_U \| AID_i \| N_2 \| Sig_{SK_{AID_i}}(ID_U \| AID_i \| PK_{AID_i} \| N_2)))$ to the bank.
6. The bank decrypts the message and gets $PK_{AID_i}$. It will then create a certificate $CERT_B$
2. The SE generates a new public/private key pair $(PK_{TID_i}, SK_{TID_i})$ corresponding to $TID_i$ and sends $Sign_{SK_{TID_i}}(AID_i \| TID_i \| N_1 \| N_2) \| N_1$ to the user.
3. The user sends the encrypted message $E_{K_{TID_i,TSM}}(Sign_{SK_{TID_i}}(AID_i \| TID_i \| N_1 \| N_2) \| N_1)$ by key $K_{TID_i,TSM}$ to the TSM.
4. After receiving the request, the TSM will issue a new virtual credit card $TID_i\text{-}CreditINFO$ and generate a new certificate $CERT_{TSM}^{TID_i}$
Virtual Transaction Account Application and Virtual Credit Card Issuance; (4) Virtual Credit Card and/or Virtual Transaction Account Updating. The details are described as follows and Table
and check the time stamp $TS_1$. Accept the VA-request if $h'_{va} = h_{va}$ and $TS_1$ is valid.
• Record $(ID_U, AID_U)$ in its database, and determine the expiry time (i.e., $AID_U\_ExTime$) and the credit limit (i.e., $AID_U\_Limit$) of the credit card to be issued to $AID_U$.
• Use the symmetric key $K_{B,TSM}$ corresponding to $ID_{TSM}$ and generate $Ticket_{B,TSM} = E_{K_{B,TSM}}(ID_B \| AID_U \| AID_U\_Extime \| AID_U\_Limit \| R \| TS_2 \| Lifetime \| Sig_{SK_B}(ID_B \| AID_U \| AID_U\_Extime \| AID_U\_Limit \| R \| TS_2 \| Lifetime))$. Here $Sig_{SK_B}(M)$ is the signature of the bank on the message $M$.
• Generate a ciphertext by the session key $k$ and get $C_B = E_k(ID_U \| AID_U \| AID_U\_Extime \| AID_U\_Limit \| N_1 + 1 \| Ticket_{B,TSM} \| TS_1)$.
• Return $ID_B$ and $C_B$ to the user.

Table 3. Comparison of Features.