Cryptanalysis of Some Electronic Checkbook Schemes

Isa Sertkaya

and Oznur Kalkar

MCS Labs & BCLabs, T

ITAK B

ILGEM UEKAE, PK. 74, 41470, Gebze, Kocaeli, Turkey

Keywords:

Electronic Checkbook, e-Checkbook, e-Check, Cryptanalysis, Security, Privacy.

Abstract:

Paper-based check is the second mostly used payment method. Accordingly, efforts are underway to improve

electronic checkbook (shortly, e-checkbook) systems which mimics the paper-based checkbook mechanism,

in line with social needs. Considering the cost of paper check procedures and the amount of money transferred

using checks, we believe that there should be a properly designed and provably secure e-checkbook scheme.

Analyzing the vulnerabilities of the existing systems, and ﬁguring out where they originate is the ﬁrst step

towards a secure e-checkbook mechanism. In this study, we show that the e-checkbook schemes denoted as

PEEC, CYLL, CCL, CWL and CCW fail to achieve their claimed security and susceptible to various types of

attacks including e-check forgery and manipulation. Particularly, we show that Pasupathinathan et al.’s PEEC

scheme does not satisfy the correctness, anonymous identity and payment unlinkability; Chen et al.’s CYLL

scheme is not secure against e-check manipulation and e-check forgery attacks; Chang et al.’s CCL scheme,

Chen et al.’s CWL scheme and Chang et al.’s CCW scheme are susceptible to e-check manipulation attack.

1 INTRODUCTION

Check-based payments constitute around 10 percent

of payments which corresponds to 16 billion checks

transferring 27 trillion USD in USA in 2016. Since

these checks are needed to be processed manually,

they require considerable amount of corporate re-

sources. For example, the average cost for a corpo-

ration to process a check is US$1.5 as stated by Chief

Executive of Hong Kong Monetary Authority, (Chan,

2015). As a direct conclusion, in 2016, processing the

16 billion checks in USA would cost around 24 billion

dollars. This 24 billion dollars, or a large portion of it

could be saved if e-checkbook was used.

A paper check is a payment form that draws

money from a checking account when deposited. The

payer ﬁrst gathers a checkbook which is a collection

of empty checks issued by the payer’s bank. When-

ever a payer wants to pay with a paper check, he/she

writes the name of the payee and the desired face

value (amount) on the check and signs it. After re-

ceiving a check, the payee presents the received check

to the bank and requests the deposit.

An electronic check, e-check for short, on the

other hand, is electronic version of a paper check.

Whenever a payer wants to make a payment using

https://orcid.org/0000-0002-4739-0515

https://orcid.org/0000-0002-7875-3892

e-check, she writes the payee and the face value in-

formation to the check and digitally signs it. Early e-

check proposals (Chaum et al., 1990b; Chaum et al.,

1990a; Brands, 1993; Chen, 2005) require e-check

issuance before each payment which is a drawback,

since it requires the payer to run a protocol jointly

with the bank before each payment. However, e-

checks can be bundled into an e-checkbook as in the

paper check system.

Up to our knowledge, there are seven e-checkbook

schemes (Pasupathinathan et al., 2005; Chen et al.,

2009; Chang et al., 2009; Chen et al., 2010; Chang

et al., 2016; Sertkaya and Kalkar, 2019; Sertkaya and

Kalkar, 2021), that do not require e-check issuance

before each payment. As we stated earlier, consid-

ering the cost of paper check clearing / settlement

processes and the volume of money transferred by

checks, there is a need for a properly designed and

provably secure e-checkbook scheme. Analyzing the

vulnerabilities of the existing systems and ﬁguring out

where they originate is the ﬁrst step towards a secure

e-checkbook mechanism.

Related Work. Chaum (Chaum et al., 1990b) intro-

duced the idea of electronic check and proposed an

ofﬂine e-check system. Some examples of other e-

check mechanisms are (Chaum et al., 1990a; Brands,

1993; Chen, 2005; Katz and Lindell, 2014). How-

ever, all of the aforementioned propositions needs the

Sertkaya, I. and Kalkar, O.

Cryptanalysis of Some Electronic Checkbook Schemes.

DOI: 10.5220/0010981900003120

In Proceedings of the 8th International Conference on Information Systems Security and Privacy (ICISSP 2022), pages 603-612

ISBN: 978-989-758-553-1; ISSN: 2184-4356

603

payer to interact with the issuer bank for each and

every check issuance, hence they do not fully sim-

ulate paper-based checkbook system. In this paper,

we mainly consider the e-checkbook solutions and fo-

cus on the mechanisms that simulate the paper-based

checkbook system.

In 2005, following FSTC e-check scheme (An-

derson, 1998) and Check 21 Act (Check 21 Act,

2003), Pasupathinathan et al. highlighted privacy is-

sues in e-check schemes, and proposed the ﬁrst e-

checkbook scheme PEEC, (Pasupathinathan et al.,

2005). In PEEC, at the end of the issuing phase,

the payer is given different Schnorr signatures (Katz

and Lindell, 2014) for each e-check by the issuing

bank. Following the e-check mechanism given in

(Chen, 2005), three e-checkbook schemes are pro-

posed. First, (Chen et al., 2009) modiﬁed the scheme

into an e-checkbook system where the e-checkbook

can be issued with only one signature of the issuer

bank. Next, (Chang et al., 2009) proposed another

version that enables e-checkbook issuance and mutu-

ally authenticated payment, but introduced time syn-

chronization issues. Lastly, (Chen et al., 2010) claims

to improve (Chang et al., 2009) computationally at

the cost of increasing number of protocol rounds in-

volving payer, payee and the issuer bank. (Chang

et al., 2016) gives another e-checkbook mechanism

based on elliptic curve cryptography. In the pursue

of designing secure e-checkbook scheme, the authors

proposed two e-checkbook schemes; (Sertkaya and

Kalkar, 2019) that satisﬁes mutual authentication of

the payer and the payee and more recently (Sertkaya

and Kalkar, 2021) that supports transferable e-checks

and satisﬁes anonymity property against eavesdrop-

per.

Our Contributions. In this study, we focus on

the security analysis of the previously proposed e-

checkbook schemes except (Sertkaya and Kalkar,

2019; Sertkaya and Kalkar, 2021).

More concretely, we show that PEEC does not sat-

isfy the correctness, anonymous identity and payment

unlinkability, CYLL is not secure against e-check ma-

nipulation and e-check forgery attacks, CCL is sus-

ceptible to e-check manipulation attack, CWL is vul-

nerable against e-check manipulation attack, CCW is

susceptible to e-check manipulation attack.

Organization. In Section 2, we deﬁne the e-

checkbook architecture and known attack types. We

analyze (Pasupathinathan et al., 2005), (Chen et al.,

2009), (Chang et al., 2009), (Chen et al., 2010), and

(Chang et al., 2016) in Sections 3, 4, 5, 6, and 7, re-

spectively. Finally, we discuss additional privacy con-

cerns and conclude the manuscript with Section 8.

2 DEFINITIONS AND SECURITY

NOTIONS

These entities involved in an e-checkbook have the

same roles as in the paper-check solutions.

• Payer is an entity who has a registered account

with the issuer bank, wants to get an e-checkbook,

and use e-checks to make payments to another en-

tity.

• Payee is an entity who received an e-check from

a Payer, wants to deposit this e-check to the

acquirer bank and waits for the corresponding

money transaction to be ﬁnalized.

• Issuer is the bank of the Payer who issues the e-

checkbook to its registered users. In case of an

e-check presentment Issuer also initiates the ac-

tual money transfer from the Payer’s account to

the Payee’s account.

• Acquirer is the bank who holds the Payee’s reg-

istered account and whenever a Payee presents an

e-check, Acquirer initiates inter-bank transactions

to ﬁnalize the actual money transfer.

For the sake of simplicity, we assume that the Is-

suer and the Acquirer banks are the same. We denote

the bank by B, the Payer by U, and the Payee by M.

An e-checkbook scheme consists of four phases;

namely Initializing, Issuing, Paying, and Depositing

phases.

• Initializing. Given a security parameter, system en-

vironment, public parameters, private and public

key pair for each entity are generated.

• Issuing. User U and the bank B create a valid e-

checkbook for U.

• Paying. Upon agreeing on the date and amount

with M, the payer U creates an e-check and sends

it to M.

• Depositing. Whenever a payee M receives an e-

check payment, she veriﬁes its authenticity and

forwards to the bank B. After completing the nec-

essary controls, B deducts the amount from U’s

account, transfers it to M’s account and informs

2.1 Attack Types

e-checkbook Forgery. A malicious entity collects e-

checkbooks issued by B for different users and

creates a valid e-checkbook belonging to another

user as if it is issued by B.

ICISSP 2022 - 8th International Conference on Information Systems Security and Privacy

604

e-check Forgery. A malicious entity collects e-

checks originating from U up to i

e-check and

creates (i + 1)

e-check belonging to U.

e-check Manipulation. An adversary collects e-

checks originating from U up to i

e-check, in-

tercepts (i + 1)

e-check, and manipulates (i +

e-check by combining parameters originating

from multiple checks.

Replay Attack. An adversary captures an e-check,

and re-sends as a valid e-check.

Double Spending Attack. A malicious payer spends

an e-check which is already spent.

E-check Linkability. Besides the payer, the payee

and the bank, an adversary deduces whether the

e-checks belong to a payer or a payee.

Core security requirements for an e-checkbook

scheme to avoid the mentioned attacks are correct-

ness, e-checkbook authentication, e-check authenti-

cation, e-check integrity, source authentication, and

e-check anonymity.

3 ANALYSIS OF PEEC SCHEME

PEEC scheme, proposed in (Pasupathinathan et al.,

2005), claims that it provides enhanced privacy by

allowing the payer to choose an anonymous identity

during a transaction which results in protection of

the payment details like payer’s account information

from merchants. We are going to show that PEEC

scheme does not satisfy the correctness, anonymous

identity and payment unlinkability properties.

3.1 PEEC Protocol

Initializing

1. B chooses a subgroup G

of prime order q of the

multiplicative group Z

∗

where prime p satisﬁes

p = γq + 1 for some speciﬁed integer γ and se-

lects generators g

, g

of G

. B ﬁxes a colli-

sion resistant hash function H (·), generates her

secret key x

←

and corresponding public

keys h = g

, h

= g

, h

= g

B publishes

system-wide public parameters

pp ← {p, q, H (·), g

, g

, h, h

, h

2. Each payer U initially registers with B for her ac-

count indexed with b

∈ Z

, generates her public

key U ← g

where x

←

such that g

PEEC scheme does not utilize g

, h, and h

, but we

still included here for siding with the original proposal.

3. Similarly, each payee registers with B and obtains

a certiﬁed public key M ← g

where x

←

Issuing

1. U sends her public key U to B.

2. B randomly selects t,k, k

, k

, . . . , k

∈

where r

being the number of e-checks in the e-checkbook.

3. B computes digital token Y ← Uy with y ← g

and signature σ

← Y x

+ k (mod q) for Y .

4. Next, B generates each e-check indexed by i with

1 ≤ i ≤ r, and signs them, i.e. ω

← H (Ug

)

and σ

← ω

+ k

(mod n).

5. For U’s e-check post-processing, B stores

(Y,U, (ω

, σ

)

1≤i≤r

, b

) in a database indexed by

Y .

6. B sends {t, y,Y,σ

, (ω

, σ

)

1≤i≤r

}

7. U veriﬁes each signatures separately and then

stores Ω

← (t, y,Y, σ

, (ω

, σ

)

1≤i≤r

) as her e-

checkbook.

Paying

Assume that U has already spent up to i − 1 e-checks

for some i < r, and is going to send i

e-check to M

upon his signed payment request with the date d, face

value a, and payee’s identity M.

1. U ﬁrst selects s, w ←

, computes anonymous

identity A ← Y

with A

← U

and A

← y

2. Next U prepares payment by computing o ←

H (d||M||a), v ← (x

t − ox

s)s and σ

←

st + w (mod q).

3. U sends ω

← {v, A, A

, A

, o, ω

, σ

,Y, σ

, σ

to M,

4. M veriﬁes the signatures σ

and σ

, and validates

= H (d||M||a), A

= A

and A

= A

Depositing

1. M chooses z ←

, creates the signature

← ox

+ z (mod n) and sends the tuple

{d, M, a, v, A, A

, A

, o, ω

,Y, σ

, σ

}

to B.

2. B ﬁrst validates o

= H (d||M||a) and then veriﬁes

the signatures σ

, σ

and σ

3. B retrieves U’s bank account number b

and his

original identity U, and e-check index i from the

database indexed by Y .

4. B veriﬁes the identity of U, if she has enough

funds in her account for clearance, and i

e-check

is not already spent.

PEEC authors omitted σ

, but it should be included

here, otherwise B has to keep records for it.

Cryptanalysis of Some Electronic Checkbook Schemes

605

5. Finally, if the veriﬁcation is successful and sufﬁ-

cient funds are available, B debits U’s account and

credits M’s account.

3.2 PEEC Scheme Flaws

Even though the authors claim that they use Schnorr’s

signature scheme, the scheme utilizes Schnorr’s iden-

tiﬁcation scheme, see (Pasupathinathan et al., 2005;

Katz and Lindell, 2014). In order to be able to suc-

cessfully perform signature veriﬁcation, each signa-

ture σ should be sent with masked ephemeral key val-

ues, see (Katz and Lindell, 2014, Construction 12.12

on p. 458). Assuming this signature veriﬁcation is

ﬁxed, the scheme still suffers from the following is-

sues.

• Correctness. Even if the payer and the payee hon-

estly follow the protocol, at the last step of Paying

phase, the necessary veriﬁcation of A

= A

that

should be pursued by the payee never holds since

t−ox

s)s

6= Y

. Hence, the payee always

rejects the payment.

• Anonymous identity. At the Issuing Phase, bank

sends t, y,Y together with the e-checks and the

signatures to the payer. Using these values, on

the contrary to the authors’ claims, one can eas-

ily construct payer’s public key U by computing

U ← Y y

−1

. Hence, PEEC scheme does not satisfy

anonymous identity for the payer.

• Payment unlinkability. At the Paying phase for

each e-check, the payer always includes the digi-

tal token and bank’s signature on the token (Y, σ

)

within the sent tuple. Hence, just by checking

these values, e-check payments of the same payer

will naturally be distinguished and linked.

4 ANALYSIS OF CYLL SCHEME

4.1 CYLL Protocol

The protocol assumes that B keeps user accounts as a

number b with 1 ≤ b ≤ k. w is deﬁned as the maximal

face value of an e-check, and r is the number of

e-checks in the e-checkbook.

Initializing

1. B chooses a one-way hash function H (·), gen-

erates two large primes p and q and computes

n = pq. B selects a public key e and computes

d such that e · d = 1 (mod φ(n)), keeps x

←

(p, q, d) as secret, and publishes public parame-

ters pp ← (n, e, H (·)).

Issuing

1. U ﬁrst generates four random numbers

, x

2. U computes

m ← H

)||H

)

and α ← H

(m) (mod n) and sends {α, r} to B.

3. B computes σ

← α

(mod n) and sends σ

to U.

4. U checks σ

(mod n) ≡ H

(m) (mod n) holds,

if so, stores Ω

= (m, σ

, r,x

, x

) as the e-

checkbook.

Paying

Assume that U has used i − 1 (i < r) e-checks and

wants to attach a face value a for the payee M with

account number b

to the e-check for the i

time.

1. U computes β

← H

), β

← H

w−a

), β

←

), β

← H

k−b

) and H

r−i

(m).

2. U sends the e-check ω

to M, where

= (a, b

, σ

, H

r−i

(m), r, i, β

, β

Depositing

1. M veriﬁes the signatures, i.e,

(mod n) ≡H

w−a

(β

)||H

(β

)||

k−b

(β

)||H

(β

)) (mod n)

and

(mod n) ≡ H

r−i

(m)) (mod n).

2. M sends ω

to B for double-spending check.

3. B ﬁrst veriﬁes the signatures as in Step 1.

4. B deducts the amount a from U’s bank account b

adds it into the M’s account b

, and informs M if

no spend records has been found.

4.2 Attacks on CYLL Scheme

• e-check Forgeability. T.-H. Chen et al. claim that

even if an attacker is in possession of a previ-

ously paid i

e-check ω

, she can not forge the

next e-check and CYLL scheme is secure against

“e-check forgeability attacks”, (see (Chen et al.,

2009, Section IV B.2 Unforgeability of e-check)).

Unfortunately, this is not true. Based on the same

assumption, we now show how an attacker A who

passively intercepts this payment or a malicious

payee who gets the payment can forge the next

e-check by following the steps given below.

ICISSP 2022 - 8th International Conference on Information Systems Security and Privacy

606

1. With the knowledge of w, a, b

, k; A computes

w−a

(β

), H

(β

), H

k−b

(β

), H

(β

2. Now, A can re-construct m as

m = H

w−a

(β

)||H

(β

)||H

k−b

(β

)||H

(β

)

= H

)||H

)

3. A computes H

(r−(i+1))

(m) which is necessary

for (i + 1)

e-check.

4. A sends (a, b

, σ

, H

(r−(i+1))

(m), r, (i + 1),

, β

), as the (i + 1)

e-check ω

i+1

B, pretending it is a payment from U to M.

5. B can assure the validity of this forged e-check

since the following hold:

(mod n) ≡ H

w−a

(β

)||H

(β

)||

k−b

(β

)||H

(β

)) (mod n),

(mod n) ≡ H

i+1

(r−(i+1))

(m)) (mod n) .

6. B deducts the amount a from U’s account b

adds it into the M’s account b

, and informs M

since no records have found.

This attack shows that an attacker who has the i

e-check is capable of forging the (i + 1)

e-check

to the same payee with the same amount. In fact

the attacker can forge all the remaining e-checks

to the same payee with the same amount.

• E-check Manipulation. Consider that in addition

to i

e-check, an attacker also has j

, j < i, e-

check with the face value greater than the i

check’s face value. Then by combining these,

the attacker can manipulate (i + 1)

e-check to

the payee in i

e-check with the face value in j

e-check. Hence, this scheme is also not secure

against e-check manipulation.

A secure version of CYLL scheme is given by the

authors in (Sertkaya and Kalkar, 2019).

5 ANALYSIS OF CCL SCHEME

Similar to (Chen et al., 2009), CCL scheme focuses

on converting W.-K Chen’s e-check scheme into an e-

checkbook scheme with mutual authentication. In or-

der to do that, this scheme uses a symmetric key cryp-

tosystem (E

key

(·), D

key

(·)), RSA-based digital signa-

tures, RSA-based blind signatures and timestamps,

(Chang et al., 2009).

5.1 CCL Protocol

This scheme is originally given in only two phases,

namely Registration and Paying, in order to be

consistent with other sections, here we split them

into Initializing, Issuing, Paying and Depositing phases.

Initializing

1. B chooses a one-way hash function H (·).

2. B generates two large primes p and q and com-

putes n = pq.

3. B selects a public key e and computes d such that

e · d = 1 (mod φ(n)),

4. B keeps x

← (p, q, d) as secret, and publishes

public parameters pp ← (n, e, H (·)).

Issuing

After U registers with the bank B by creating her

own public-private key pair (pk

, sk

) and sharing the

public key with the bank, where pk

= (n

, e

) and

= (p

, q

, d

), U and B follow the Issuing Phase.

1. U randomly chooses a secret integer x

2. U computes m = H (U||H

)) and α = H (m).

3. U sends {U, α} to B.

4. B veriﬁes the identity U. computes α

≡ H

(m)

(mod n), σ

≡ (α

)

(mod n) and sends {σ

, r}

to U.

5. U veriﬁes the integrity of the message by check-

ing whether (σ

)

(mod n) ≡ H

(m) (mod n)

or not. If it holds, U stores the e-checkbook

Ω

= (m, σ

, r).

Paying

Assume that U used i − 1 (i < r) e-checks and wants

to attach a face value a (a < w) for the payee M.

1. U randomly chooses two integers R and b, and

computes k ≡ R

b (mod n

), where pk

, n

) is the public key of the payee M.

2. U sends k to M.

3. M computes k

≡ k

≡ Rb

(mod n

), where

is the private key of M. Then, M sends k

to U.

4. U computes M ≡ k

−1

≡ b

(mod n

), C

≡

w−a

) ⊕ M and C

≡ E

(i||T ), where E

(·)

is a symmetric encryption with the secret key ck

shared between U and B, and T is the current time-

stamp.

should also be included in e-checkbook, since it will

be needed in each Paying phase.

Cryptanalysis of Some Electronic Checkbook Schemes

607

5. U checks if b ≡ M

(mod n

) holds. If

it is not valid, U terminates the transac-

tion; otherwise, U sends the e-check ω

←

(U, B, a, b, r, σ

, T ) to M.

Depositing

1. M veriﬁes the integrity of ω

= (U, M, a,

b, r,σ

, T ) by checking whether

(σ

)

≡ H

(H (U||H

⊕ b

))) (mod n)

holds. If the equation holds, M sends ω

to B for

double-spending control; otherwise, the check is

rejected.

2. B checks if ω

is already recorded in the database

as spent e-check. If it is so, B rejects the e-check;

otherwise, the phase continues.

3. B rejects the e-check if a is greater than the payer

U’s deposit in the bank; otherwise, the phase con-

tinues.

4. B records the message receiving time as time-

stamp T

. Then, B computes i||T = D

checks whether (T

− T ) is in acceptable valid

time interval. If it is not so, the e-check is rejected.

5. B veriﬁes the e-check by computing

(σ

)

≡ H

r−i

(m)) (mod n).

If it holds, B deducts the amount a from U’s ac-

count b

and adds it into M’s account b

5.2 Flaws of CCL Protocol

Here, we ﬁrst point out a few inconsistencies and then

we show that CCL scheme is not resistant against e-

check manipulation attack even if these inconsisten-

cies are corrected.

• First, please note that (Chang et al., 2009) states

that (U, B, a, b, r, σ

, T )-tuple is transmit-

ted as e-check, which should be in fact

(U, M, a, b, r, σ

, T ),

otherwise B can not know who the payee M is.

• Furthermore, at the Depositing phase, the authors

claim that B veriﬁes the e-check by computing

(σ

)

= H

r−i

(m)),

but B knows neither m nor H

r−i

(m). Therefore, U

should compute H

r−i

(m) and send the e-check

← (U, M, a, b, r, σ

, T, H

r−i

(m))

to M and M should send this tuple to B.

B did not receive H

r−i

(m), hence can not verify this

step, refer to next section.

• E-check Manipulation. Suppose an adversary A

has

= (U, M, a

, b

, r,σ

, T

, H

r−i

(m)),

for some i with i < r.

1. A tracks and captures U’s (i + 1)

e-check

(U, M

, a

i+1

, b

i+1

, j, σ

i+1

, H

j−(i+1)

(m))

and blocks this e-check transmission that is

meant to be a payment to a different payee M’.

2. A create the manipulated e-check ω

as if it is

U’s (i + 1)

e-check with the following tuple.

(U, M, a

, b

, r,σ

i+1

, T

i+1

, H

r−(i+1)

(m))

Note that r, σ

are constant for each e-check

that belongs to U, T

i+1

, H

r−(i+1)

(m) are known

from ω

i+1

, and M, a

, b

, are gathered from

3. Within an acceptable time frame, A sends ω

4. B records time-stamp T

, veriﬁes that ω

is not

already recorded and U has enough balance in

the registered account.

5. B decrypts C

i+1

and gets

(i + 1)||T

i+1

= D

((i + 1)||T

i+1

))

and checks time interval T

− T

i+1

is accept-

able.

6. B veriﬁes the signature by checking

(σ

)

≡ H

(i+1)

r−(i+1)

(m)) (mod n).

7. B deducts the amount a

from U’s account b

adds it into M’s account b

, and informs A.

Including the H

j−i

(m) value in each i

e-check

tuple prevents e-check forgery. In order to resist e-

check manipulation, payer should also compute C

= E

(i||a

||b

||M||T

) to bind the amount value a,

random value b, and payee identity M which results in

integrity assurance. However, even if these ﬁxes are

applied, the scheme would still fail to satisfy e-check

anonymity requirement.

6 ANALYSIS OF CWL SCHEME

C.-L. Chen et al. claim that CCL scheme has some

shortages such as time synchronizing issue and large

computation overhead, (Chen et al., 2010). CWL

scheme is proposed based on CCL and given in two

phases, namely Registration and Paying.

ICISSP 2022 - 8th International Conference on Information Systems Security and Privacy

608

6.1 CWL Protocol

In order to be consistent, here we again split the pro-

tocol into Initializing, Issuing, Paying and Depositing.

This scheme requires setting a maximum value W for

the e-checkbook at the issuance phase which is used

to make sure that the total face values of the e-checks

belonging to the same e-checkbook does not exceed

W .

Initializing

1. B chooses a one-way hash function H (·).

2. B generates two large primes p and q and com-

putes n = pq.

3. B selects a public key e and computes d such that

e · d = 1 (mod φ(n)),

4. B keeps x

← (p, q, d) as secret, and publishes

public parameters pp ← (n, e, H (·)).

Issuing

1. A payer registers with her identity U to a bank B,

and shares a symmetric key ck

for the symmetric

encryption scheme E over a secure channel.

2. B generates an identity CID

= H (U ⊕ d) with

some random value d, computes α = H (U ⊕

W ⊕ r), and creates an e-checkbook ω

←

{r,α, σ

CID

,W }.

3. B stores {U,CID

, ck

} and sends

(CID

, r,α, σ

CID

,W ) to U over a secure

channel.

Paying

1. U chooses R, b, N

, N

, computes k ≡ R

(b ⊕

) (mod n

) where (n

, pk

) being M’s RSA

public keys, and sends k to M for signing blindly.

2. M computes k

≡ k

(mod n

) and sends k

3. U computes M ≡ k

−1

= (b ⊕ N

)

(mod n

), C

= H (CID

⊕ a ⊕ M) and

= E

(r||a||N

) ⊕ σ

CID

4. U sends (C

, a, b, N

, N

,CID

, B) to M.

Depositing

1. M veriﬁes C

= H (CID

⊕ a ⊕ ((b ⊕ N

)

(mod n

)))) and sends (C

, a, N

,CID

) to B

over a secure channel.

2. B computes

( j, a, N

) ← D

⊕ (CID

(mod n

)))),

and checks if ( j, a, N

) is already stored in B’s

spent e-check database. If so B rejects e-check,

otherwise stores ( j, a, N

) as spent e-check.

3. B updates and assures remaining balance W

new

W − a ≥ 0, remaining unspent e-checks number

new

= r − 1 ≥ 0 and α

new

= H (CID

⊕W

new

⊕

new

) accordingly.

4. If all controls pass, B accepts the e-check,

deducts the amount a from U’s account, adds

it into M’s account, computes V

= (B ⊕ N

)

(mod n

), V

= (W

new

⊕r

new

⊕N

)

(mod n

)

for a random N

, and returns (V

) to M and

(α

new

, r

new

, N

) to U over a secure channel.

5. M veriﬁes V

(mod n

)

≡ (B ⊕ N

), computes

= H (V

(mod n

)) and sends V

to U.

6. U veriﬁes V

= H (W

new

⊕ r

new

⊕ N

and α

new

H (CID

⊕W

new

⊕ r

new

6.2 Flaws of CWL Scheme

The authors of CWL scheme claim that their scheme is

secure against e-check forgery attack, see (Chen et al.,

2010, Section 5.2: The forgery attack issue). The rea-

soning is based on the secrecy of ck

which is the

secret key of the symmetric-key encryption scheme E

shared between U and B.

As authors describe in (Chen et al., 2010); the reg-

istration phase, payee’s depositing request to B, and

B’s ﬁnal response are carried over a secure channel

while rest of the communications are transmitted over

an insecure channel. We now give an e-check manip-

ulation attack which is similar to the given in Section

5.2.

1. An adversary A keeps track of U’s transactions,

records the tuple (C

, a, b, N

, N

,CID

, B)

and blocks the e-check transmission that is meant

to be a payment from the payer U to a payee M.

2. A sends (CID

, N

, a,C

) to B as if it is a payment

for herself over a secure channel.

3. As the (CID

, N

, a,C

)-tuple is created by U, B

accepts the e-check, deducts the amount a from

U’s account, adds it into the A’s account, com-

putes

= (B ⊕ N

)

, V

= (W

new

⊕ r

new

⊕ N

)

and returns (V

) to A and (α

new

, r

new

, N

)

to U.

4. A computes V

= H (V

) and sends V

to U.

5. A can prove validity of the forged e-check by pre-

senting the tuple (C

, a, b

, N

,CID

, B),

where C

= H (CID

⊕a ⊕ (b

⊕N

)

) for some

randomly chosen b

, N

Cryptanalysis of Some Electronic Checkbook Schemes

609

In order to resist this attack, a payer U should com-

pute C

= E

(r||a||b||ID

||N

||H (C

)) ⊕ r

CID

and send (C

, a, b, N

, N

,CID

, B) to the payee

M. M should also include C

to the tuple she sends

to B after verifying

= H (CID

⊕ a ⊕ ((b ⊕ N

)

(mod n

))).

When B receives (C

, a, N

,CID

), computes

( j, a, b, ID

, N

, H (C

)) ←D

⊕

(CID

(mod n

)))

and checks if H (C

) = H (C

). Rest of the depositing

phase follows the same.

However, even if this ﬁx is applied, the scheme

does not fulﬁll the e-check anonymity requirement.

7 ANALYSIS OF CCW SCHEME

C.-L. Chang et al. proposed CCW e-checkbook

scheme that utilizes elliptic curve cryptography,

(Chang et al., 2016).

7.1 CCW Protocol

CCW scheme is proposed in two phases, namely Ini-

tialization and Paying. We split the protocol into

Initializing, Issuing, Paying and Depositing. In this

scheme, maximum amount w that can be spent with

an e-check needs to be determined at the issuance

phase.

Initializing

1. Let E

be an elliptic curve points group over a

ﬁnite ﬁeld of characteristic p and hQi ∈ E

be a

subgroup of order n.

2. Let h

and h

be one-way hash functions.

3. Bank B, the payer C and the payee M creates the

private keys by randomly selecting b, c, m ∈ Z

∗

and set public keys B

pub

= bQ, C

pub

= cQ and

pub

= mQ, respectively.

Issuing

1. A payer C registers with her identity ID

to a bank

2. C chooses k ∈ Z

∗

and computes K = kQ, both are

kept secret.

3. C sends (ID

, h

(wK)) to B for e-checkbook is-

suance.

4. B randomly chooses t

∈ Z

∗

, computes T

Q, sets r = x

(mod n) where x

is the x-

coordinate of the point T

and creates a virtual

identity V ID

= h

) ⊕ ID

5. B then simultaneously computes

e = h

(V ID

(wK)), s = t

−1

(e jQ) + rb) ,

= h

) ⊕ h



pub



where j is the number of e-checks in the e-

checkbook.

6. B sends (V ID

, (r,s), j, H

) as e-checkbook where

(r,s) being its signature on the e-checkbook.

7. Upon receiving the e-checkbook ω

, C com-

putes V ID

= H

⊕ h

(cB) ⊕ ID

and e =

(V ID

(wK)), veriﬁes the signature and

stores the e-checkbook as (V ID

, (r,s), j, e).

Paying

1. C randomly selects t

∈ Z

∗

and hashes h

) to a

point X ∈ E

2. C computes C



Q, X +t

pub



= (X

)

and sends C

to M.

3. M retrieves X by computing X = Y

− mX

, con-

verts X to h

) and hashes h

) = h

))

to a point Y ∈ E

4. By selecting a random t

∈ Z

∗

, M computes C

Q, (Y + t

)Q)) = (X

) and send C

the payee C.

5. Upon receiving C

, similarly C retrieves Y =

− h

and checks the validity with h

otherwise terminates.

6. If validity holds, C computes

F = (w − a)K +t

, H

= h



pub



⊕ i,

= h



pub



⊕ T

= aK = akQ

where a ≤ w is the amount, i is the number of e-

checkbook has been used, T

is the timestamp.

7. C sends (V ID

, ID

, a, j, (r, s), F, H

, H

, T

)

as the i-th e-check to the payee M.

Depositing

1. Upon receiving an e-check payment

(V ID

, ID

, a, j, (r, s), F, H

, H

, T

M ﬁrst retrieves (w−a)K = F −t

and by using

(w − a)K and H

, computes

, y

) ←(h

(V ID

((w − a)K + H

)) jQ)

Q + rB

pub

−1

2. Next, M veriﬁes r

= x

(mod n).

3. If the equation holds, the M sends

(V ID

, ID

, a, j, (r, s), F, H

, H

, T

) to the B.

ICISSP 2022 - 8th International Conference on Information Systems Security and Privacy

610

4. B retrieves C’s identity ID

from V ID

, veriﬁes

C’s account balance is enough for depositing.

5. B obtains i and T

by computing

i = H

⊕ h

(bC

pub

) and T

= H

⊕ h

(bC

pub

6. Then, B veriﬁes whether the timestamp T

within a legal time interval. If it is not, the e-check

is rejected; otherwise, the procedure continues.

7. Next, B computes

(e(( j − i)Q + iQ))Q + rB

pub

−1

= (x

, y

)

to determine whether the equation r

= x

(mod n)

holds or not.

8. If the equation holds, B deducts the amount a from

C’s account and adds it into M’s amount.

9. Finally B notiﬁes both C and M.

7.2 Flaws of CCW Scheme

Here, we give an e-check manipulation attack which

is similar to the given in Section 5.2. As already men-

tioned, at the payment phase, the payer ﬁrst authenti-

cates the payee and then sends the following tuple as

the i-th e-check to the payee.

(VID

, ID

, a, j, (r, s), F, H

, H

, T

where VID

is the payer’s virtual identity, ID

is ID of

the bank, a is the amount, (a ≤ w, w max. amount), j

is maximum number of e-checks in the e-checkbook,

(r,s) is bank’s signature on payer’s e-checkbook,T

timestamp,

F := (w − a)K +t

, H

:= h

(cB

pub

) ⊕ i,

:= h

(cB

pub

) ⊕ T

, H

:= aK = akQ.

As it can be noticed easily, changing the amount

value a requires changing F and H

values. By com-

puting

= zH

= zaK, and

= F − (z − 1)H

= (w − a)K +t

− (z − 1)aK

= (w − za)K +t

one can manipulate the e-check tuple as

(VID

, ID

, za, j, (r, s), F

, H

, T

), for

any a < za ≤ w. As a result, instead of a, the amount

za will be deducted from the payers account.

In fact, in a similar way, the e-check index i value

can also be altered by letting H

= H

⊕ l such that

i < i + l ≤ j.

In any e-checkbook scheme, integrity of the e-

check index, amount and payee information should be

satisﬁed. In this scheme, unfortunately, none of them

is assured.

8 CONCLUSION

Although the volume of money transferred by checks

is high, surprisingly there is not much mechanisms

aim to transform the checkbook systems into fully

digitalized e-checkbook systems. In this work,

we analyzed security of the previously proposed e-

checkbook schemes (Pasupathinathan et al., 2005;

Chen et al., 2009; Chang et al., 2009; Chen et al.,

2010; Chang et al., 2016) and showed that these

propositions do not satisfy their claimed security by

presenting practical attacks on each of them. These

e-check forgery and/or e-check manipulation attacks

can be evaded by assuring integrity and authenticity

of the e-check index, the amount and the payee. Even

if the corrections given in respective sections are ap-

plied, these schemes would still suffer efﬁciency and

privacy-wise since they do not possess appropriate

privacy preserving cryptographic building blocks for

payment unlinkability and anonymity.

REFERENCES

Anderson, M. M. (1998). The Electronic Check Architec-

ture. Technical report, Financial Services Technology

Consortium.

Brands, S. (1993). An Efﬁcient Off-line Electronic

Cash System Based On The Representation Problem.

Technical report, Centrum Wiskunde & Informatica

(CWI).

Chan, N. (2015). e-Cheque: A new era of payments in Hong

Kong.

Chang, C.-C., Chang, S.-C., and Lee, J.-S. (2009). An on-

line electronic check system with mutual authentica-

tion. Computers & Electrical Engineering, 35(5):757

– 763.

Chang, C.-C., Chang, S.-C., and Wu, Y.-C. (2016). Novel

electronic check mechanism using elliptic curve cryp-

tosystem. Journal of Computers, 27(3):111–122.

Chaum, D., den Boer, B., van Heyst, E., Mjølsnes, S.,

and Steenbeek, A. (1990a). Efﬁcient ofﬂine elec-

tronic checks. In EUROCRYPT ’89, pages 294–301.

Springer.

Chaum, D., Fiat, A., and Naor, M. (1990b). Untraceable

electronic cash. In CRYPTO’ 88, pages 319–327.

Springer.

Check 21 Act (2003). The Check Clearing for the 21st Cen-

tury Act (Check 21).

Chen, C.-L., Wu, C.-H., and Lin, W.-C. (2010). Improv-

ing an on-line electronic check system with mutual

authentication. In AIT 2010.

Chen, T.-H., Yeh, S.-C., Liao, K.-C., and Lee, W.-B.

(2009). A practical and efﬁcient electronic checkbook.

Journal of Organizational Computing and Electronic

Commerce, 19(4):285–293.

Cryptanalysis of Some Electronic Checkbook Schemes

611

Chen, W.-K. (2005). Efﬁcient on-line electronic checks.

Applied Mathematics and Computation, 162(3):1259

– 1263.

Katz, J. and Lindell, Y. (2014). Introduction to Modern

Cryptography. Chapman & Hall/CRC, 2nd edition.

Pasupathinathan, V., Pieprzyk, J., and Wang, H. (2005). Pri-

vacy enhanced electronic cheque system. In 7th IEEE

International Conference on E-Commerce Technology

(CEC’05), pages 431–434.

Sertkaya, I. and Kalkar, O. (2019). An efﬁcient electronic

checkbook scheme with mutual authentication. Suley-

man Demirel University Journal of Natural and Ap-

plied Sciences, pages 590 – 596.

Sertkaya, I. and Kalkar, O. (2021). A privacy enhanced

transferable electronic checkbook scheme. Wireless

Personal Communications, pages 1–27.

ICISSP 2022 - 8th International Conference on Information Systems Security and Privacy

612