An Improvement to the Set Protocol Based on Signcryption

Electronic commerce, as exemplified by the popularity of the Internet, is becoming more important along with fast progress in communications and information technology. The SET (Secure Electronic Transaction) protocol is a scheme designed to ensure that merchants and cardholders can conduct business over a public network. Although the SET protocol has some disadvantages, but still it is the most commonly used protocol in the Internet shopping. Signcryption is a cryptographic primitive which simultaneously provides both confidentiality and authenticity in a single logical step. Signcryption based on elliptic curves provides the same level of security using smaller keys compared to schemes based on the discrete logarithm problem over finite fields. This paper examines the benefits of using signcryption rather than signaturethen-encryption in the SET protocol. Using identity-based signcryption in the SET protocol reduces the number of encryption and decryption operations. Moreover, signcryption is less time consuming than signature-then-encryption.


INTRODUCTION
Mobile payment is the transaction of fiscal values by means of mobile phones or other handheld devices. According to one of the Gartner's report [1] the total mobile users in the world will reach 7.4 billion by 2015. With such a large number of people using mobile devices, it would be increasingly used not only for communication but also as a means of monetary transactions [2]. As mobile phones have become more and more powerful with multiple features, people would rather like to have their monetary transaction done with a mobile device rather than carrying currencies and notes in their pocket. Therefore the mobile security is considered to be a major issue for mobile payment that can be faced through sensitive payment. Actually, there are many research papers discussing businesses markets, payment processing and payment schemes [3,4], but in fact there are a few papers that deal with the construction of wireless payment schemes, involving protocols and security protection solutions [5,6,7].
Also, there are many existing mobile payment protocols, one of the most widely accepted mobile payment protocols the Secure Electronic Transaction protocol. Secure Electronic Transaction (SET) is a standard protocol for securing credit card transactions over insecure networks, specifically, the Internet. SET is a set of rules and regulations that enable users to perform financial transactions through existing payment system over insecure wireless network (internet) in much secure and reliable manner [8]. SET is an application to provide various security services as confidentiality, data integrity and authenticity for all electronic transactions over the internet.
The SET protocol makes use of cryptography in order to provide confidentiality and security, to ensure payment integrity, and to authenticate both the merchant and the cardholder. Security means that merchants are protected from purchases with an authorized payment card and denial of purchases. As for cardholders, security means that they are protected from merchant imposters or theft of their payment card numbers [9]. The SET protocol, developed by Visa and Master Card, is an open standard for encryption and security specification for credit card transactions over the Internet [10].
To guarantee unforegeability, integrity and confidentiality of communications, the traditional method is to digitally sign a message with the private key of the sender then encrypt the message and the signature with a randomly chosen key using a symmetric cipher. The random key is then encrypted using the public key of the receiver. The encrypted (message + signature) is then sent together with the encrypted symmetric key. The reverse process is run at the receiver. This scheme is known as signature-then-encryption. An alternative scheme called signcryption was proposed by Zheng to simultaneously sign and encrypt messages in a single logical step with a computational cost significantly lower than that required by the traditional signature-then-encryption approach [11].
This paper discusses the SET protocol and introduces the use of signcryption in this protocol seeking performance improvements. The rest of the paper is organized as follow. An overview of the basic SET protocol and its merits is introduced in Section 2. Then, a related scheme that improves the security of the basic SET is reviewed in Section 3. In Section 4, the proposed improvement to the SET protocol based signcryption is introduced. Finally, Section 5 concludes the paper.
• The payment gateway (merchant's Bank, acquirer). The payment gateway is a device operated by an acquirer. Sometimes, these two entities are treated as separate entities. • Issuer (cardholder's bank).
Before participating in the transaction, both the customer and the merchant must obtain a digital certificate for their public keys from a certifying authority (CA).

How it Works
Both customers and merchants must register with the CA first, before they can buy or sell over the Internet. Once registration is done, a customer and a merchant can participate in electronic transactions The protocol involves nine basic steps are described in [12,13], which are summarized below. The flow of information is depicted in Figure 1.
1. The customer browses the website of the merchant and chooses the product. 2. The merchant returns a form containing the list of items along with the total price and the order number. A copy of the digital certificate is also sent for authentication of the merchant. 3. The customer sends its signature of the order information and the payment information along with its digital certificate to the merchant. The digital certificate is to validate the customer's authenticity. The order information confirms that the customer will make the purchase, whereas the payment information is encrypted by the public key of the payment gateway which cannot be read by the merchant. 4. The merchant forwards the payment information to the merchant bank. 5. The merchant bank then forwards the information to the customer bank for authorization and payment. 6. The customer bank confirms authorization to the merchant bank and the merchant bank sends the authorization confirmation to the merchant. 7. The merchant completes the order and sends it to the customer. 8. The merchant captures the transaction from its bank. 9. The customer bank sends a notification to the customer that the payment has been processed. Electronic copy available at: https://ssrn.com/abstract=3677808

Merits of the SET Protocol
The SET protocol has the following merits [10,14]: 1. It provides the merchant with a protective means against online fraud. 2. As for the consumer, it guarantees the authenticity of the merchant so that credit card number will not be stolen. SET keeps more secrets for the consumer to improve the satisfaction of their on-line shopping experience. 3. It helps the bank and the credit card company to expand their service to a more broad space through the Internet and it lowers the probability of credit card on-line fraud. 4. It has defined an interface for all quarters of an online transaction so that a system can be built on the products made by the different manufacturers.

RELATED WORK
An improvement to the basic SET protocol has been developed by Zhang Boping, and Shang Shiyu [10] to achieve more secure electronic transactions. In the new payment model, an electronic transaction centre is introduced which has the following responsibilities: It acts as the region certifying authority, and it plays the role of the payment gateway, it ensures transaction data preservation, time-stamps transactions, and finally resolves disputes; that is, it acts as an arbitration centre.
The steps in the SET protocol have been modified as follows: 1. Customer C sends out procurement request to Merchant M. 2. Merchant M provides the inventory detail list to customer C.
3. Customer C agrees the quoted price, and then makes a purchase order. After the order is processed and digitally signed by the customer, the digital certificate is encrypted together with the digital signature of the order using the public key of the merchant M, then CM1 is sent to the merchant: .
Then, customer C produces symmetrical key K stochastically, which is used to encrypt PI': . The account information of customer C (PANIC name, credit card number and so on) and K are encrypted with the public key of the payment gateway P: , it then transmits them to the payment gateway P. 7. The payment gateway decrypts CAP4: and confirms whether it is sent by the transaction authentication center CA. PI is then decrypted by the payment gateway to confirm whether it is sent by customer C. K is obtained and used to decrypt PI'': . The public key of customer C is used to decrypt PI: . The payment gateway obtains PI and sends PI to the credit card companies through the safe financial network. 8. Credit card companies check customer C in their databases, confirm the account has enough money, and then deposit this deal into a blocked account. After that, the credit card company will inform the payment gateway and the money will have been already deducted through the financial network. 9. Payment gateway P issues the delivery notice to merchant M: 10. Merchant M decrypts Msg to confirm that it is sent by payment gateway: . Then, merchant M delivers goods to customer C.

THE PROPOSED SET PROTOCOL
In this section, the proposed is described in detail. It is an enhancement to the above described protocol [10]. Full specifications of the encryption and digital signing schemes are provided.

The Set-up Phase
The customer C, merchant M, payment gateway P submit their IDs to the certificate authority that generates the secret keys and computes the public keys for itself and the other three entities: customer, merchant and payment gateway. It then sends the secret keys through a secure channel and publishes the public keys.
• CA selects two large primes p and q where 1 − p q . An elliptic curve E is chosen with P is a generator point on the elliptic curve and a hash function and computes its public key .
• CA computes the customer secret key: and the customer public key: .
• CA computes the merchant secret key: and the merchant public key: .
• CA computes the payment gateway secret key: and the payment gateway public key: .

The Proposed SET Protocol
The SET protocol improvement is shown in Figure 2. The SET protocol steps will be detailed in what follows.
The merchant performs the signing process is as follows: to the certificate authority CA.
6. The certificate authority CA verifies that 3 CCA is sent by customer C, then makes sure that MC2 is sent by merchant M. The procedure carried out by the CA is given below.
Electronic copy available at: https://ssrn.com/abstract=3677808 The certificate authority CA performs the verification process to authenticate the customer: It accepts the signature if P u S Q C The payment gateway obtains PI and sends PI to the credit card companies through the safe financial network.
8. Credit card companies check customer C in their databases, confirm the account has enough money, and then deposit this deal into a blocked account. After that, the credit card company will inform the payment gateway and the money will have been already deducted through the financial network. 9. The payment gateway signs the delivery notice using its secret key P d and sends it to

Security Analysis
The security of the proposed SET protocol is based on the elliptic curve discrete logarithm problem (ECDLP) [15]. Up till now, the ECDLP is considered to be hard.
Definition 1: The Elliptic Curve Discrete Logarithm Problem (ECDLP) is defined as follows. Let G and Q be two points on an elliptic curve and G is of order n and n is a prime. The point , where n k < . Given these two points G and Q , find the discrete logarithm of Q to the base G; that is, k .
The proposed scheme possesses the following properties: 1. Unforgeability It is computationally infeasible for an adaptive attacker to masquerade as the signcrypter in creating a signcrypted text. Signcrypted text is generated using the sender's secret key. Thus, no one can generate a valid signcrypted text without knowing the sender's secret key. Also, the ciphertext and the signature are tightly coupled in the verification phase thus if an attacker attempts to forge a signcrypted text , the verification at the receiver will fail. Therefore, forgery attack is likely not to occur. For example in step 5 if an attacker wants to generate a signcrypted text, he does the following : * Generate random number w' The payment gateway unsigncrypts the message by recovering the key k' as follows: Without knowing the customer secret key, no attacker can generate a valid signcrypted text. Therefore, the proposed protocol achieves unforgeability.
2. Confidentiality It is computationally infeasible for an adaptive attacker to find out any secret information from a signcrypted text. The message is encrypted with a symmetric key cipher that is generated by the sender using the receiver's public key and only a valid receiver can recover the key using his secret key. Therefore, finding out any secret information from a signcrypted text is computationally infeasible. For example Electronic copy available at: https://ssrn.com/abstract=3677808 when the customer signcrypts the order information in step 3 and sends ) s , c , r ( If the attacker wants to derive the original message, he must be able to recover the randomly generated session key k. The secret key used to encrypt the message, k 1 , is part of the x-coordinate value of the point K. However, the extraction of the secret key k 1 is equivalent to solving the ECDLP. Assume that the attacker tries to compute point ) y , , he should derive the receiver's secret key m d , where P . d Q m m = , therefore to derive m d one needs to solve the ECDLP. Without knowing the secret key of the receiver, no attacker can recover the message encryption key. It is only the valid receiver with secret key m d who can recover the key and unsigncrypt the message.
3. Non-repudiation: It is computationally feasible for a judge to settle a dispute between the signcrypter and the recipient in an event where the signcrypter denies the fact that he is the sender of the signcrypted text to the recipient. If the sender denies sending the message, the receiver sends the recovered key K to a trusted third party who decrypts the message then hashes it with the key and checks if the claimed sender is the origin of the message or not.

Comparative Study
When comparing the proposed protocol with the protocol in [10], it is apparent that there is no need for the certificates in the proposed protocol because the customer, merchant and payment gateway send their IDs to the CA that generates the key pair for each entity. This way the key management procedure is simplified and the need for verifying CA signatures over digital certificates is eliminated. This reduces bandwidth requirements as well as the computational burden associated with the implementation of the SET protocol.
Moreover, the scheme in [10] uses signature-then-encryption to provide authentication and confidentiality. On the other hand, the proposed scheme uses signcryption and this further reduces the computational time. Table 1 shows the time abbreviations that will be used in the comparison table. Table 2 shows the comparison between the protocol in [10]; that is based on signature-thenencryption, and the proposed protocol; that is based on the signcryption. The comparison shows that the proposed protocol is more computationally efficient than that in [10]; where the former uses four signature operations, five signature verifications, two signcryption operations and two unsigncryption operations but the latter uses six signature operations, seven signature verifications, four encryption operations and four decryption operations. This means that the proposed protocol saves the time required for two encryption and decryption operations. Moreover, signcryption is less time consuming than signature-then-encryption. Symbol Operation T EC-mult time required for executing a multiplication operation on an elliptic curve E T EC-add time required for executing an addition operation on an elliptic curve E T mult time required for executing a modular multiplication in a finite field T h time required for executing one way hash function operation T enc time required by the system for executing an encryption operation T dec time required by the system for executing a decryption operation T sig time required by the system for executing a signing operation T verify time required by the system for executing the signature verification T si_cry time required by the system for executing a signcryption operation T unsi_cry time required by the system for executing an unsigncryption operation Table 2. The comparison of the proposed protocol with the protocol in [10] Step Protocol in [10] The Proposed protocol 3 1T sign +1T enc 1T si_cry 4 1T dec +1T sign +1T verify 1T unsi_cry +1T sig 5 1T verify +2T sign +2T enc 1T verify +1T si_cry +1T sign 6 2T verify +1T sign 2T verify +1T sign 7 2T verify +2T dec 1T unsi_cry +1T verify 9 1T sign 1T sign 10 1T verify 1T verify Total 6T sig + 7T verify +4T enc +4T dec 4T sig + 5T verify + 2T si_cry +2T unsi_cry Moreover, when the proposed protocol is compared with the protocol in [16], it is found that the protocol in [16] uses the basic SET protocol discussed in Section 2, but using signature-thenmultiple-encryption by the DES scheme. On the other hand, the proposed protocol uses the signcryption primitive that is fast and more secure than the protocol in [16].

Performance of the Proposed Protocol
The performance analysis of the proposed protocol is presented in Table 3, it provides the count of the computationally expensive operations involved in the protocol as a whole. In the proposed protocol, the customer performs 5 scalar point multiplications over an elliptic curve, 2 encryptions, 3 hash operations and 3 multiplications over a finite field. As for the merchant, it performs 5 scalar point multiplications and one addition operation over an elliptic curve. It also requires one hashing operation and 2 multiplications over a finite field. The payment gateway performs 5 scalar point multiplications and one addition operation over an elliptic curve. Additionally, it carries out one decryption operation, one hashing operation and 2 multiplications over a finite field. Finally, the certifying authority performs 5 scalar point multiplications over an elliptic curve, 2 encryption operations and one multiplication over a finite field. Table 3. The performance of the proposed protocol Step The proposed 3 1T EC-mult +1T enc +1T h +1T mult 4 4T EC-mult +1T dec +1T h +2T mult + 1T EC-add 5 3T EC-mult +1T enc +1T h +2T mult 6 5T EC-mult +1T mult 7 4T EC-mult +1T dec +1T h +1T mult +1T EC-add 9 1T EC-mult +1T mult 10 2T EC-mult Total 20T EC-mult +2T enc +2T dec +4T h +8T mult + 2T EC-add

6-CONCLUSION
This paper introduced an efficient secure electronic transaction (SET) protocol based on signcryption, which is more efficient than signature-then-encryption. The use of an identity-based infrastructure eliminates the need for digital certificates. This simplifies the key management process and reduces both the required bandwidth and the computational time associated with the SET protocol. The proposed protocol achieves various security requirements through the use of an efficient signcryption scheme. The signature part is unforgeable, and the message is only readable to its intended recipient achieving confidentiality.
The proposed protocol outperforms other schemes in literature and thus promotes its use in practical scenarios. It is superior to the protocol in [10] as it reduces the number of encryption and decryption operations required. Moreover, resorting to signcryption provides further savings in the computational time required by the proposed protocol. Moreover, the proposed protocol is also more efficient than the protocol in [16] that employs signature-then-multiple symmetric encryption using DES.