Using the Same PayWord Chains Associated with a Single Account from Multiple Mobile Devices

Customer awareness and interest in mobile payments are increasing. However, security and privacy risks remain major barriers to their adoption, with customers worrying about their personal data being hacked or intercepted. In this paper, we present the design of a secure scheme for mobile payments that can guarantee mutual nonrepudiation between the customer, merchant, and banker. A customer can use the proposed scheme to make a payment with the same PayWord chains of a single account from multiple devices.


Introduction
Smartphones are being increasingly used to replace keys, cameras, and televisions, and further convenience would result from their use as tools for making payments. A mobile payment has been defined as "any payment where a mobile device is used in order to initiate, activate, and/or confirm this payment" [1]. Although large-scale mobile payment systems are still under development, several mobile financial and mobile commerce applications (e.g., the Starbucks app, iTunes, and Google Wallet) are encouraging more users to take advantage of the convenience they afford in making mobile payments.
Mobile payment technology can provide benefits to both customers and merchants relative to traditional payment methods [2,3]. An electronic payment can be classified as either a macro-or micropayment depending on its amount. Macropayment schemes are used by most e-commerce websites, and they employ complex encryption techniques to conform with rigorous security requirements [4,5]. In contrast, micropayment schemes only need low-overhead hashing functions and are suitable for specific mobile commerce applications associated with low-value and high-volume purchases [6,7]. However, a major problem of micropayment schemes is implementing solutions that ensure authentica-tion, nonrepudiation, and privacy. The development of mobile payments is further limited by the current high startup costs and complicated configurations.
Rivest and Shamir proposed a scheme called PayWord in 1996 that offered a more efficient scheme for micropayments [7], and many subsequently developed efficient micropayment schemes are based on it [8][9][10][11][12]. Until now, PayWordbased micropayment schemes have used PayWord chains of a single account from one device. However, since customers often use more than one mobile device, in the present study, we considered the situation where multiple client devices need to access PayWord chains associated with a single account. For example, consider a customer who has both a smartphone and a tablet. He/she generates hash-chain coins with his/her smartphone and makes payments with them. The inability to use the tablet to pay using the remainder of the hash-chain coins is inconvenient for the customer. This situation motivated us to design a scheme whereby customers can register the hash-chain coins of a single account and pay with them from multiple devices.
The remainder of this paper is organized as follows: Section 2 gives an overview of related work and technologies, Section 3 presents the proposed scheme for mobile payments, Section 4 presents a security analysis, and conclusions about the work described in the paper are drawn in Section 5.

Related Work and Technologies
Many consumers now carry a smartphone more often than a wallet or purse. Moreover, it typically takes 5-6 hours for someone to realize he/she has lost a wallet, while only around 15 minutes typically passes before realizing that a smartphone is missing [13]. However, security and privacy risks are major barriers to the adoption of mobile payments, with customers worrying about their personal data being hacked or intercepted. Many people consider mobile transactions to be less secure than credit-and debit-card transactions, even though mobile payments can be equally secure or even more secure than traditional payment methods. When customers are offered a secure online payment environment that works via advanced mobile Web systems, they are freed from the burden of providing physical currency each time they want to make a mobile purchase or pay a bill online.
A survey performed by the Consumer Research Section of the Board of Governors of the Federal Reserve System revealed that more than half of customers believed that mobile contactless payments would become a major form of payment within the next 5 years, and more than onethird of the survey subjects indicated that they would use the method if it were made available [14]. Mobile payments are expected to become a mainstream payment method, with an Allied Market Research report projecting that their value will reach $12.06 trillion by 2027 [15].
Different types of mobile payments can be differentiated based on various characteristics, including the technology used and the transaction size, location, and funding mechanism [16]. The type of payment can be categorized into one of two types based on the underlying technology: proximity or remote payments. Proximity payments generally refer to contactless payments employing near-field communication [17][18][19], while remote payments are made via a mobile Web browser or a smartphone application, in which the smartphone is used as a device to authenticate personal information that is stored remotely. Such payments utilize services such as SMS (Short Message Service) to initiate or authorize a payment. The funding mechanisms for payments made in mobile payment systems have previously been differentiated into the following types: bank accounts, credit cards, and telecommunication company billing, or into an account, real-time, prepaid, postpaid, smart card, credit card, mobile POS, mobile wallets, and P2P payments [1,16,20,21].
The increasing interest in mobile payments and commerce is also increasing the importance of privacy and security to customers, which continue to constitute major obstacles to widespread adoption. The specific security issues identified have varied between surveys. Some customer reservations about mobile payments stem from fears of payment account information being intercepted, the threat of unauthorized parties accessing personally identifiable information, and the receipt of unsolicited promotional material [14,22]. A First Data mobile payments study found that more than half of the customers surveyed believed a smartphone pay-ment to be less secure than payments made in person or credits [23]. Regardless of the specific reasons for these security concerns and their validity, security issues must be addressed in order to achieve the mass adoption of mobile payments.

The Proposed Micropayment Scheme
We present a new novel micropayment scheme based on using the same PayWord chains of a single account from multiple devices [6] in order to address the problem where a customer wishes to use multiple devices for payments and all of the involved entities can store attestations. The proposed scheme involves the following entities: a customer (C), merchant (M), and banker (B), which have the following public and private key pairs: (pri(C), pub(C)), (pri(M), pub(M)), and (pri(B), pub(B)), respectively.
[O] pri(x) and [O] pub(x) are used to denote a digital signature and the encryption of data object O that is generated by the private and public keys of a subject x, and data objects within square brackets that are separated by commas are first connected and then have cryptographic operations performed on them. Let hðxÞ denotes a cryptographically strong hash function: calculating y = hðxÞ is easy, whereas calculating the inverse x = h -1 ðyÞ is infeasible. ID C and ID M represent the identities of C and M. The scheme comprises three phases: a registration phase, a transaction phase, and a redemption and remittance phase. Figure 1 shows the following steps and message exchanges involved in the registration phase:

Registration Phase.
(1) C sends CSR = ½ID C , IMEI pubðBÞ to B. Tell B the identity of C and the IMEI number of the device (2) B decrypts ½ID C , IMEI pubðBÞ using pri(B) and registers a customer account with ½ID C , IMEI, and then sends an ACK to C to indicate that the registration is successful (5) B sends ½E, F, e * 0 pubðCÞ to C. C decrypts this using pri(C) to obtain PayWord chains E-chain and F -chain, as well as e * 0 , which is used to verify E * -chain (6) B sends ½E * , e 0 , f 0 pubðMÞ to M. M decrypts this using pri(M) to obtain return-change chain E * . Note that the merchant should pay money for E * -chain 3.2. Transaction Phase. In the transaction phase, it could be that the customer is using electronic coins for the first time, or that the electronic coins have already been used previously. The following steps (depicted in Figure 2) are involved when a customer wants to make a payment with E-chain and F-chain of the electronic coins.
(1) M tells C the total payment amount. C sends a payment message ½e p ' , f q ' , e p ' +a , f q ' +b , a, b to M, where the numbers of coins obtained from E and F are "a" and "b," respectively, e p ' and f q ' represent the anchors of the last payment, and e p ' +a and f q ' +b represent the anchors of the most-recent payment (2) M receives the payment message ½e p ' , f q ' , e p ' +a , f q ' +b , a, b. Check whether E-chain and F-chain have been used before by e p and f q . If they have been used before, check whether or not anchors (e p ' and f q ' ) from C are the same as those of the last payment. If the anchors are not the same, send ½e p , f q to C, and C substitutes the anchors of E-chain and F-chain with e p and f q .
Step 1 is then performed again. If the anchors are the same, verify that e p is equal to h a ðe p ' +a Þ and f q is equal to h b ðf q ' +b Þ. M then substitutes anchors e p and f q with e p ' +q and f q ' +b to complete the payment (3) M sends a return-change message ½e * r , e * r+1 , ⋯, e * r+c to C. C verifies that e * r is equal to h c ðe * r+c Þ in order to accept the returned change ðe * r+1 , e * r+2 , ⋯ , e * r+c Þ. The return-change chain (E * -chain) could be used when E-chain-which is the same denomination of E * -chain-is used up. However, the merchant cannot use E * -chain to return change again 3.3. Redemption and Remittance Phase. In the described scheme, each PayWord chain has a duration scope. Merchant M may redeem the money from banker B after the expiration date or at the end of a certain period. The details of the message exchanges in the redemption and remittance phase illustrated in Figure 3 are as follows: (1) M sends ½ID C , ID M , e p+a , f q+b pubðBÞ to B

Wireless Communications and Mobile Computing
(3) B sends ½e p+a , f q+b pubðCÞ to C. C decrypts this using pri(C) to obtain anchors e p+a , and f q+b , and then verifies whether or not these two anchors are valid (4) M sends ½e p+a , f q+b pubðCÞ to C. C decrypts this using pri(C) to obtain anchors e p+a and f q+b , and then verifies whether or not these two anchors are valid. C checks if these anchors from B and C are the same or different

Security Analysis and Discussion
In this study, we made no assumption about the honesty of the customer, merchant, and banker. The main goal of the proposed scheme is to prevent the problems associated with counterfeiting and reusing PayWord chains. The required security and privacy features were implemented as follows: (1) Confidentiality and Authentication. The proposed scheme employs the SSL protocol to authenticate the server and to cryptographically protect the channel used for communication between the client and the server. The client must provide the username and password of the customer's account, as well as the IMEI number of the device to the authorization server. An attacker could potentially guess the account username and password. However, he/she cannot use the mobile device to obtain the IMEI number  anchor that is stored by the banker with the one that the merchant sends last to the customer when the banker deducts more money from the customer Theorem 1. The proposed scheme is secure even though attackers intercept the values of e p ' , f q ' , e p ' +a , and f q ' +b (see Figure 2) sent from a device.
Proof. Suppose that we have m various devices, and that the final payment anchors for each device are fe p i , f q i g, 1 ≤ i ≤ m. Obviously, the newly updated payment anchors fe p , f q g in merchant M are the newest and should be the largest anchors from the anchors fe p i , f q i g, 1 ≤ i ≤ m. Via the one way property of hash function, we can derive fe p , f q g from e p = h a ðe p i Þ and f q = h b ð f q i Þ, 1 ≤ i ≤ m. Thus, attackers do not have any additional information from the intercepted values fe p i , f q i , e p i +a , f q i +b g, 1 ≤ i ≤ m.
According to the above analysis and proof, we compared the proposed scheme with other two PayWord-based micropayment schemes [6,7] shown in Table 1.

Conclusion
This paper has presented a PayWord-based scheme for micropayments, in which a customer uses mobile devices to obtain PayWord chains as electronic coins. The proposed scheme not only includes authentication, confidentiality, and integrity but also guarantees mutual nonrepudiation between the customer, merchant, and banker. Moreover, we have shown that the proposed scheme allows the customer to make a payment with the same PayWord chains of a single account from multiple mobile devices.

Data Availability
No data were used to support this study.

Conflicts of Interest
The authors declare that they have no conflicts of interest.