EP-4738221-A1 - A SECURE WALLET HOSTING UNIT
Abstract
A secure wallet hosting unit (1), the secure wallet hosting unit (1) hosting monetary value token wallets (2, 3, 4) of different users and comprising: - a payment processor (20) configured for performing an exchange of an exchanged monetary value token (50) between a monetary value token wallet (2) of the secure wallet hosting unit (1) and another monetary value token wallet (7); and - a secured storage (30); wherein the hosted monetary value token wallets (2, 3, 4) respectively comprise at least one monetary value token (50) and a wallet identifier (11), wherein each monetary value token (50) comprises a secret token data element (12), and wherein the monetary value token wallets (2, 3, 4) are at least partly stored in the secured storage (30). In the present solution the secured storage (30) comprises multiple sub-units (31-34). The sub-units (31-34) respectively store a partial secret (51-54) of the secret token data element (12) of the monetary value token (50) and the sub-units (31-34) are configured to use their partial secrets (51-54) of the secret token data element (12) of the monetary value token (50) in a common digital signature creation process.
Inventors
- Abdelrahman, Mostafa
Assignees
- Giesecke+Devrient advance52 GmbH
Dates
- Publication Date: 2026-05-06
- Application Date: 2024-10-30
Claims (15)
- A secure wallet hosting unit (1), the secure wallet hosting unit (1) hosting monetary value token wallets (2, 3, 4) of different users and comprising:
  - a payment processor (20) configured for performing an exchange of an exchanged monetary value token (50) between a monetary value token wallet (2) of the secure wallet hosting unit (1) and another monetary value token wallet (7); and
  - a secured storage (30);
  wherein the hosted monetary value token wallets (2, 3, 4) respectively comprise at least one monetary value token (50) and a wallet identifier (11), wherein each monetary value token (50) comprises a secret token data element (12), and wherein the monetary value token wallets (2, 3, 4) are at least partly stored in the secured storage (30); characterized in that the secured storage (30) comprises multiple sub-units (31-34); the sub-units (31-34) respectively store a partial secret (51-54) of the secret token data element (12) of the monetary value token (50); and the sub-units (31-34) are configured to use their partial secrets (51-54) of the secret token data element (12) of the monetary value token (50) in a common digital signature creation process.
- The secure wallet hosting unit (1) of claim 1, characterized by further comprising a wallet storage (10), wherein the partial secrets (51-54) of the secret token data element (12) of the monetary value token (50) are stored in the secured storage (30) and a further token data element (15,16,17) of the monetary value token (50), preferably a value data element (16) of the monetary value token (50) and/or a token reference (17) of the monetary value token (50) and/or a storage reference (15) of the monetary value token (50) in the secured storage (30), is stored in the wallet storage (10).
- The secure wallet hosting unit (1) of one of the preceding claims, characterized in that the hosted monetary value token wallets (2, 3, 4) respectively comprise a wallet record (21), preferably in the wallet storage (10), including at least the wallet identifier (11) and one or more monetary value token records (23-25), preferably including the further token data element (15, 16, 17), and the wallet record (21) optionally including a further wallet data element (13, 14).
- The secure wallet hosting unit (1) of one of the preceding claims, characterized in that the common digital signature is created in the sub-units (51-54); and/or the common digital signature is a threshold signature and/or ECDSA signature.
- The secure wallet hosting unit (1) of one of the preceding claims, characterized in that the hosted monetary value token wallets (2, 3, 4) each comprise one or more storage references (15), wherein the storage references (15) identify the corresponding secret token data element (12) of the monetary value token (50) stored in the secured storage (30).
- The secure wallet hosting unit (1) of one of the preceding claims, characterized in that the secured storage (30) is configured to provide to the payment processor (20) the common digital signature and/or a token reference (17) of the monetary value token (50).
- The secure wallet hosting unit (1) of one of the preceding claims, characterized in that the payment processor (20) is configured to send the common digital signature to a token reference register (9) and/or to the other monetary value token wallet (7).
- The secure wallet hosting unit (1) of one of the preceding claims, characterized in that the sub-units (31-34) are configured to generate their partial secrets (51-54) of the secret token data element (12) of the monetary value token (50).
- The secure wallet hosting unit (1) of one of the preceding claims, characterized in that the secured storage (30) is configured to generate the partial secrets (51-54) of a secret token data element (12) of a monetary value token (50) from generated first partial secret summands of the secret token data element and received second secret summand of the secret token data element; and/or the secured storage (30) is configured to create a second secret summand of a secret token data element from partial secret summands and to provide the secret summand to the payment processor (20); and/or the secured storage (30) is configured to derive a token reference (17) of the monetary value token (50) from the secret token data element (12) of the monetary value token (50) and to provide the token reference (17) of the monetary value token (50) to the payment processor (20).
- The secure wallet hosting unit (1) of one of the preceding claims, characterized in that the payment processor (20) - preferably in a first transmission mode, more preferably in a first token sending mode - is configured to send to the other monetary value token wallet (7) a token reference (17) and/or a registration confirmation (49) of a token reference register (9); and/or the payment processor (20) - preferably in the first transmission mode - is configured to receive a token reference (17) or a token reference summand of a monetary value token to be sent.
- The secure wallet hosting unit (1) of one of the preceding claims, characterized in that the secured storage (30) is configured to
  - export a secret token data element (12) of a monetary value token (50) to be sent by the monetary value token wallet (2); and/or
  - import a secret token data element (12) of a monetary value token (50) received by the monetary value token wallet (2).
- The secure wallet hosting unit (1) of one of the preceding claims, characterized in that the payment processor (20), preferably in a second transmission mode, is configured to receive (150) the secret token data element (12) from the secured storage (30) and to send the secret token data element (12) in the exchange (160) of the monetary value token (50) between the monetary value token wallet (2) of the secure wallet hosting unit (1) and another monetary value token wallet (9).
- The secure wallet hosting unit (1) of one of the preceding claims, characterized in that the payment processor (20), preferably in a third or reception mode, is configured to receive (160) the secret token data element (12) from the other monetary value token wallet (9) and to provide the received secret token data element to the secured storage (30).
- The secure wallet hosting unit (1) of one of the preceding claims, characterized in that the secured storage (30) further comprises one or more of: a sub-unit coordinator (35), a summation unit (36) and a token secret import unit (37).
- A monetary value token transaction system comprising
  - one or more secure wallet hosting units (1) according to one of claims 1 to 14; and one or more of the following:
  - a token register, preferably a token reference register (9); and/or
  - a token issuer unit (8); and/or
  - multiple local monetary value token wallets (6, 7).
Description
The invention relates to a secure wallet hosting unit hosting monetary value token wallets of different users in a transaction system, wherein monetary value tokens of the transaction system are exchanged between monetary value token wallets comprising one or more monetary value tokens.

In monetary value token transaction systems, a monetary value token is typically transferred between secure wallets. For example, EP 3 671 514 B1, WO 2020/212331 A1, WO 2021/170646 A1, WO 2023/011758 A1 and WO 2023/011761 A1 disclose different aspects of such systems. In addition to the common secure wallet type of an independent hardware wallet, e.g. a smartcard, secure wallets can also be provided as hosted wallets on a hosting unit. For example, WO 2023/011758 A1 and WO 2023/046317 A1 disclose a secure wallet hosting unit, wherein the secure wallet hosting unit hosts monetary value token wallets for different users of the transaction system. WO 2023/011758 A1 discloses a secure wallet hosting unit including the features of the preamble of claim 1.

According to an object of the invention, a secure wallet hosting unit of a transaction system shall be provided which improves security, particularly preventing monetary value tokens from being stolen by attackers, preferably with remaining or increased transaction reliability and/or with remaining or decreased transaction time. The above-identified objectives are solved by the subject matter of the independent claims. Further advantageous embodiments are described in the dependent claims.

According to an aspect of the present invention, there is provided a secure wallet hosting unit, the secure wallet hosting unit hosting monetary value token wallets of different users and comprising: a payment processor configured for performing an exchange of an exchanged monetary value token between a monetary value token wallet of the secure wallet hosting unit and another monetary value token wallet; and a secured storage.
The hosted monetary value token wallets respectively comprise at least one monetary value token and a wallet identifier. Each monetary value token comprises a secret token data element. The monetary value token wallets are at least partly stored in the secured storage. The secured storage comprises multiple sub-units. The sub-units respectively store a partial secret of the secret token data element of the monetary value token. The sub-units are configured to use their partial secrets of the secret token data element of the monetary value token in a common digital signature creation process.

In contrast to merely storing the secret token data element in a secured storage and handing it out from the secured storage upon request, the secret token data element now not only remains within the secured storage but is further distributed over the sub-units. As a consequence, the security of the secret token data element can be significantly improved. It should further be noted that access to the common digital signature is less critical in terms of security than access to the secret token data element as a whole. Since multiple or all partial secrets are required to create the common digital signature, even access to a single partial secret would not be critical. Each sub-unit only stores a partial secret of the secret token data element. Typically, the partial secrets of the sub-units are mutually different. The secret token data element of the monetary value token of the hosted monetary value token wallet as such, however, is not stored in the secured storage. In particular, access to the secret token data element (as a whole), e.g. by an attacker or even by an authorized user of the secure wallet hosting unit, is prevented.
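The following is an added illustration of the mechanism described above; it is not code from the patent or from the applicant. It models the sub-units (31-34) as holders of additive partial secrets whose sum is the secret token data element, and shows a common signature being produced from the partial secrets without the secret ever being assembled in one place. The patent names threshold and ECDSA signatures; because threshold ECDSA needs a multi-party protocol that would not fit here, the example substitutes an n-of-n Schnorr-style aggregate signature over secp256k1 (an assumption of this example, not the patent's construction). Deriving the token reference as a hash of the aggregate public point is likewise an assumption made here for illustration. The key order uses a hypothetical partial-secret summand that each sub-unit generates locally.

```python
# Additive sharing of a token secret across storage sub-units, and an
# n-of-n distributed Schnorr-style signature built from the partial secrets.
# Added example; the Schnorr-style scheme and the hash-based token reference
# are assumptions of this example, not the patent's construction.
import hashlib
import secrets

# secp256k1 domain parameters (public, standard values).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(a, b):
    """Point addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, point)
        point = ec_add(point, point)
        k >>= 1
    return result


def point_bytes(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def challenge(R, Y, message):
    # Fiat-Shamir challenge binding nonce commitment, public key and message.
    h = hashlib.sha256(point_bytes(R) + point_bytes(Y) + message).digest()
    return int.from_bytes(h, "big") % N


class SubUnit:
    """One sub-unit of the secured storage: it holds only its own summand of
    the secret token data element and never discloses it."""

    def __init__(self):
        self._partial_secret = secrets.randbelow(N - 1) + 1  # s_i
        self._nonce = None

    def public_share(self):
        # s_i * G is safe to disclose; it lets a coordinator derive Y without s.
        return ec_mul(self._partial_secret, G)

    def commit_nonce(self):
        self._nonce = secrets.randbelow(N - 1) + 1  # k_i, one-time
        return ec_mul(self._nonce, G)

    def partial_signature(self, e):
        # z_i = k_i + e * s_i (mod N); alone it reveals nothing about s_i.
        z = (self._nonce + e * self._partial_secret) % N
        self._nonce = None
        return z


def aggregate_public_key(units):
    """Y = sum(s_i * G) = (sum s_i) * G; the whole secret is never assembled."""
    Y = None
    for u in units:
        Y = ec_add(Y, u.public_share())
    return Y


def token_reference(units):
    # Assumption of this example: the token reference is a hash of the
    # aggregate public point, so it is derivable without reconstructing s.
    return hashlib.sha256(point_bytes(aggregate_public_key(units))).hexdigest()


def common_signature(units, message):
    """Coordinator role: gather nonce commitments, derive the challenge,
    sum the partial signatures. All sub-units are required (n-of-n)."""
    R = None
    for u in units:
        R = ec_add(R, u.commit_nonce())
    e = challenge(R, aggregate_public_key(units), message)
    z = sum(u.partial_signature(e) for u in units) % N
    return (R, z)


def verify(Y, message, sig):
    R, z = sig
    e = challenge(R, Y, message)
    # z*G == R + e*Y  holds exactly when z == sum(k_i) + e * sum(s_i).
    return ec_mul(z, G) == ec_add(R, ec_mul(e, Y))


if __name__ == "__main__":
    units = [SubUnit() for _ in range(4)]  # sub-units 31-34
    Y = aggregate_public_key(units)
    msg = b"constructed sample: transfer token 50 to wallet 7"
    print("token reference:", token_reference(units))
    print("valid:", verify(Y, msg, common_signature(units, msg)))
    # Signing with only three of the four partial secrets does not verify.
    print("3-of-4 valid:", verify(Y, msg, common_signature(units[:3], msg)))
```

The security-relevant point is in `aggregate_public_key` and `common_signature`: the coordinator only ever sees `s_i * G` and `z_i`, never `s_i`, and a signature assembled from a subset of sub-units fails verification, which is the property the description relies on when it says that access to a single partial secret is not critical.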
The secure wallet hosting unit preferably further comprises a wallet storage, wherein the partial secrets of the secret token data element of the monetary value token are stored in the secured storage and a further token data element of the monetary value token is stored in the wallet storage. The one or more further token data elements of the monetary value token could for example be: a value data element of the monetary value token and/or a token reference of the monetary value token and/or a storage reference of the monetary value token in the secured storage. A value data element of the monetary value token typically is a number (> 0) which indicates the monetary value the token represents (in the transaction system). A token reference of the monetary value token may uniquely identify the token in the transaction system and/or in the token register, preferably being a token reference register. A storage reference of the monetary value token in the secured storage may uniquely identify the monetary value token (and/or the secret token data element of the monetary value token) in the secure wallet hosting unit, particularly in the secured storage. Accordingly, the storage reference is a reference for the secret token dat