Contents lists available at ScienceDirect
Computer Standards & Interfaces
journal homepage: www.elsevier.com/locate/csi
A secure and privacy-preserving mobile wallet with outsourced verification
in cloud computing
Zhen Qin
a
, Jianfei Sun
a
, Abubaker Wahaballa
a
, Wentao Zheng
a
, Hu Xiong
b,
⁎
, Zhiguang Qin
a
a
University of Electronic Science and Technology of China, Chengdu 610051, China
b
State Key Laboratory of Cryptology, P.O. Box 5159, Beijing 100878, China
ARTICLE INFO
Keywords:
Mobile wallet
Digital signature
Secure computation outsourcing
Cloud computing
ABSTRACT
Mobile wallet, also known as mobile payment, is becoming one of the most frequently used approach to provide
payment services under financial regulation via mobile device and may redefine our lifestyle with the rapid
popularity of mobile Internet. In this paper, we address the security of the mobile wallet by providing a detailed
threat analysis and identifying some unique design requirements in terms of security and privacy protection for
mobile wallet. We then provide a novel approach to secure the mobile wallet and protect the privacy of the
mobile user by incorporating the digital signature and pseudo-identity techniques. In view of several advantages
of cloud computing, the computation task on the client side, which is usually featured with limited computation
resources, is outsourced to the untrusted cloud server securely. The performance of our approach is evaluated
via both theoretic analysis and experimental simulations. Also, the security analysis demonstrate that our
approach can achieve desirable security properties of mobile wallet.
1. Introduction
The growth of financial-services apps and the availability of mobile
device drives the growth of mobile payment services. As one of the
modern components of mobile payment services, mobile wallet (m-
Wallet) [1,2] provides a very convenient way to allow the clients to
conduct the payment via his/her mobile device from anywhere and
anytime. According to a recent report from Transparency Market
Research [3], the global mobile wallet market is expected to reach
USD 1,602.4 billion in 2018. The most famous mobile wallets including
Google Wallet, MasterPass and Apple Pay.
In view of the tremendous benefits provided by the mobile wallet
and the huge number of potential users (hundreds of millions world-
wide), it is obvious that mobile payment is likely to become the most
popular payment method in the near future. The wide adoption of
mobile devices, such as smart phone, iPAD and PDA, does not only
introduce huge business opportunities, but also raises daunting
security challenges due to the open-medium nature of wireless com-
munications and the limited resources of the mobile devices. So far,
limited attention has been paid to the security of mobile wallet.
Unfortunately, the mobile wallet would not be preferred by the public
without the guarantee of message authentication and privacy preser-
ving. First of all, it is essential to ensure that payment information
exchanged between the client and the merchant cannot be imperso-
nated or modified by any attacker. Otherwise, the forged payment
information may be fatal to the reputation of the mobile wallet. On the
other hand, the real identity of the malicious customer should be
disclosed by the system manager; but meanwhile the privacy of the
honest customer should be protected as far as possible. Despite these
concerns seem similar to those identified in other wireless networks,
the nature of mobile payment such as the size of the network and the
limited resources of the mobile devices make the problem very novel
and challenging. The purpose of this paper is to bring a first glance to
this challenge. As there is quite limited resources (e.g., computing
resource and battery power) for mobile devices, the traditional secret
methods can not be directly applied by the mobile devices in the
scenarios of mobile payment. There is unlimited resources for the cloud
computation, it has the ability of taking over the heavy computation
workload instead of resources-constraint mobile devices. However, the
cloud server can not be trusted. If the computation workload is directly
outsourced to the third party cloud services provider, it would cause the
privacy leakage of mobile wallet users. Thus, it is necessary to solve this
problem with the secure outsourcing computing.
Digital signature [4] is a promising approach to offer the authenti-
cation and non-repudiation of the payment information during the
mobile wallet. However, the digital signature in the traditional public
key cryptography [5] and identity-based cryptography [6] suffers from
the heavy cost of the certificate management and key escrow problem
http://dx.doi.org/10.1016/j.csi.2016.11.012
Received 14 March 2016; Received in revised form 3 November 2016; Accepted 25 November 2016
⁎
Corresponding author.
E-mail address: xionghu.uestc@gmail.com (H. Xiong).
Computer Standards & Interfaces 54 (2017) 55–60
Available online 26 November 2016
0920-5489/ © 2016 Elsevier B.V. All rights reserved.
MARK