Paper 2021/094
Reducing HSM Reliance in Payments through Proxy Re-Encryption
Sivanarayana Gaddam, Atul Luykx, Rohit Sinha, and Gaven Watson
Abstract
Credit and debit-card payments are typically authenticated with PINs. Once entered into a terminal, the PIN is sent as an encrypted \emph{PIN block} across a payments network to the destination bank, which decrypts and verifies the PIN block. Each node in the payments network routes the PIN block to the next node by decrypting the block with its own key, and then re-encrypting the PIN block with the next node's key; nodes establish shared secret keys with their neighbors to do so. This decrypt-then-encrypt operation over PIN blocks is known as \emph{PIN translation}, and it is currently performed in Hardware Security Modules (HSMs) to avoid possible PIN exposure. However, HSMs incur heavy acquisition and operational expenses. Introduced at EUROCRYPT'98, proxy re-encryption (PRE) is a cryptographic primitive which can re-encrypt without exposing sensitive data. We perform an extensive study of PRE as applied to PIN translation, and show through formalization, security analysis, and an implementation study that PRE is a practical alternative to HSMs. With PRE, we eliminate the need for HSMs during re-encryption of a PIN, thus greatly reducing the number of HSMs needed by each participant in the payments ecosystem. Along the way we conduct practice-oriented PRE research, with novel theoretical contributions to resolve issues in comparing so-called honest re-encryption to chosen-ciphertext PRE security, and a new efficient PRE scheme achieving a type of chosen-ciphertext security.
Metadata
- Available format(s)
- Category
- Applications
- Publication info
- Published elsewhere. Major revision. Usenix Security 2021
- Keywords
- Proxy Re-EncryptionPIN translationPaymentsKey Management
- Contact author(s)
- gawatson @ visa com
- History
- 2021-01-27: received
- Short URL
- https://ia.cr/2021/094
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2021/094, author = {Sivanarayana Gaddam and Atul Luykx and Rohit Sinha and Gaven Watson}, title = {Reducing {HSM} Reliance in Payments through Proxy Re-Encryption}, howpublished = {Cryptology {ePrint} Archive, Paper 2021/094}, year = {2021}, url = {https://eprint.iacr.org/2021/094} }