Privacy-Preserving Payment Splitting

Saba Eskandarian 1 , Mihai Christodorescu and Payman Mohassel
  • 1 Stanford University,


Widely used payment splitting apps allow members of a group to keep track of debts between members by sending charges for expenses paid by one member on behalf of others. While offering a great deal of convenience, these apps gain access to sensitive data on users’ financial transactions. In this paper, we present a payment splitting app that hides all transaction data within a group from the service provider, provides privacy protections between users in a group, and provides integrity against malicious users or even a malicious server.

The core protocol proceeds in a series of rounds in which users either submit real data or cover traffic, and the server blindly updates balances, informs users of charges, and computes integrity checks on user-submitted data. Our protocol requires no cryptographic operations on the server, and after a group’s initial setup, the only cryptographic tool users need is AES.

We implement the payment splitting protocol as an Android app and the accompanying server. We find that, for realistic group sizes, it requires fewer than 50 milliseconds per round of computation on a user’s phone and the server requires fewer than 300 microseconds per round for each group, meaning that our protocol enjoys excellent performance and scalability properties.

If the inline PDF is not rendering correctly, you can download the PDF file here.

  • [1] Spark java framework,, 2018.

  • [2] Shweta Agrawal and Dan Boneh. Homomorphic macs: Mac-based integrity for network coding. In ACNS, 2009.

  • [3] Elli Androulaki, Ghassan Karame, Marc Roeschlin, Tobias Scherer, and Srdjan Capkun. Evaluating user privacy in bitcoin. In Financial Cryptography, 2013.

  • [4] Sebastian Angel and Srinath T. V. Setty. Unobservable communication over fully untrusted infrastructure. In OSDI, 2016.

  • [5] Foteini Baldimtsi, Melissa Chase, Georg Fuchsbauer, and Markulf Kohlweiss. Anonymous transferable e-cash. In PKC, 2015.

  • [6] Eli Ben-Sasson, Alessandro Chiesa, Christina Garman, Matthew Green, Ian Miers, Eran Tromer, and Madars Virza. Zerocash: Decentralized anonymous payments from bitcoin. In IEEE Symposium on Security and Privacy, 2014.

  • [7] Elette Boyle, Niv Gilboa, and Yuval Ishai. Function secret sharing: Improvements and extensions. In CCS, pages 1292–1303, 2016.

  • [8] Zvika Brakerski, Craig Gentry, and Vinod Vaikuntanathan. Fully homomorphic encryption without bootstrapping. IACR Cryptology ePrint Archive, 2011.

  • [9] Stefan Brands. Untraceable off-line cash in wallets with observers (extended abstract). In CRYPTO, 1993.

  • [10] Jan Camenisch. Group signature schemes and payment systems based on the discrete logarithm problem. PhD thesis, ETH Zurich, Zürich, Switzerland, 1998.

  • [11] Jan Camenisch, Susan Hohenberger, and Anna Lysyanskaya. Compact e-cash. In EUROCRYPT, 2005.

  • [12] Jan Camenisch, Susan Hohenberger, and Anna Lysyanskaya. Balancing accountability and privacy using e-cash (extended abstract). In SCN, 2006.

  • [13] Cardtronics. Health of cash study, u.s. edition, 2017.

  • [14] Agnes Hui Chan, Yair Frankel, and Yiannis Tsiounis. Easy come - easy go divisible cash. In EUROCRYPT, 1998.

  • [15] David Chaum. Blind signatures for untraceable payments. In CRYPTO, 1982.

  • [16] David Chaum. Blind signature system. In CRYPTO, 1983.

  • [17] David Chaum, Amos Fiat, and Moni Naor. Untraceable electronic cash. In CRYPTO, 1988.

  • [18] Henry Corrigan-Gibbs, Dan Boneh, and David Mazières. Riposte: An anonymous messaging system handling millions of users. In IEEE Symposium on Security and Privacy, 2015.

  • [19] Uriel Feige, Joe Kilian, and Moni Naor. A minimal model for secure computation (extended abstract). In STOC, pages 554–563, 1994.

  • [20] Craig Gentry. Fully homomorphic encryption using ideal lattices. In STOC, pages 169–178, 2009.

  • [21] Craig Gentry, Amit Sahai, and Brent Waters. Homomorphic encryption from learning with errors: Conceptually-simpler, asymptotically-faster, attribute-based. IACR Cryptology ePrint Archive, 2013.

  • [22] Niv Gilboa and Yuval Ishai. Distributed point functions and their applications. In Advances in Cryptology - EUROCRYPT 2014 - 33rd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Copenhagen, Denmark, May 11-15, 2014. Proceedings, pages 640–658, 2014.

  • [23] Oded Goldreich, Shafi Goldwasser, and Silvio Micali. On the cryptographic applications of random functions. In CRYPTO, 1984.

  • [24] Oded Goldreich, Silvio Micali, and Avi Wigderson. How to play any mental game or A completeness theorem for protocols with honest majority. In STOC, pages 218–229, 1987.

  • [25] Shai Halevi, Yehuda Lindell, and Benny Pinkas. Secure computation on the web: Computing without simultaneous interaction. In CRYPTO, 2011.

  • [26] Tom Elvis Jedusor. Mimblewimble, 2016.

  • [27] Robert Johnson, David Molnar, Dawn Xiaodong Song, and David A. Wagner. Homomorphic signature schemes. In CT-RSA, 2002.

  • [28] Seny Kamara, Payman Mohassel, and Mariana Raykova. Outsourcing multi-party computation. IACR Cryptology ePrint Archive, 2011.

  • [29] Seny Kamara, Payman Mohassel, and Ben Riva. Salus: a system for server-aided secure function evaluation. In CCS, 2012.

  • [30] Gregory Maxwell. Confidential transactions, 2015.

  • [31] Sarah Meiklejohn, Marjori Pomarole, Grant Jordan, Kirill Levchenko, Damon McCoy, Geoffrey M. Voelker, and Stefan Savage. A fistful of bitcoins: characterizing payments among men with no names. In IMC, 2013.

  • [32] Marcela S. Melara, Aaron Blankstein, Joseph Bonneau, Edward W. Felten, and Michael J. Freedman. CONIKS: bringing key transparency to end users. In USENIX Security, 2015.

  • [33] Satoshi Nakamoto. Bitcoin: A peer-to-peer electronic cash system, 2008.

  • [34] Neha Narula, Willy Vasquez, and Madars Virza. zkledger: Privacy-preserving auditing for distributed ledgers. In NSDI, 2018.

  • [35] Tatsuaki Okamoto and Kazuo Ohta. Disposable zero-knowledge authentications and their applications to un-traceable electronic cash. In CRYPTO, 1989.

  • [36] Torben P. Pedersen. Non-interactive and information-theoretic secure verifiable secret sharing. In CRYPTO, 1991.

  • [37] Anh Pham, Italo Dacosta, Bastien Jacot-Guillarmod, Kévin Huguenin, Taha Hajar, Florian Tramèr, Virgil D. Gligor, and Jean-Pierre Hubaux. Privateride: A privacy-enhanced ride-hailing service. PoPETs, 2017.

  • [38] Splitwise. Splitwise privacy policy, 2018.

  • [39] Nirvan Tyagi, Yossi Gilad, Derek Leung, Matei Zaharia, and Nickolai Zeldovich. Stadium: A distributed metadata-private messaging system. In SOSP, 2017.

  • [40] Karl Wüst, Kari Kostiainen, Vedran Capkun, and Srdjan Capkun. Prcash: Centrally-issued digital currency with privacy and regulation. IACR Cryptology ePrint Archive, 2018.

  • [41] Andrew Chi-Chih Yao. Protocols for secure computations (extended abstract). In 23rd Annual Symposium on Foundations of Computer Science, Chicago, Illinois, USA, 3-5 November 1982, pages 160–164, 1982.

  • [42] Andrew Chi-Chih Yao. How to generate and exchange secrets (extended abstract). In FOCS, pages 162–167, 1986.

  • [43] Ennan Zhai, David Isaac Wolinsky, Ruichuan Chen, Ewa Syta, Chao Teng, and Bryan Ford. Anonrep: Towards


Journal + Issues