Author: Antonio José Socorro Marín
Year: 2025
*Copyright © 2025 Antonio José Socorro Marín
Note: The code and architecture presented here are for educational purposes only.
They illustrate how a Digital Receipt Protocol (DRP) could be designed with modern cryptography, wallet-controlled identity, and compliance alignment.
This is not a production-ready implementation.
🧩 1. Introduction
Today’s digital receipts suffer from fragmentation: merchants, issuers, acquirers, and card networks follow different schemas, formats, and privacy models.
A Digital Receipt Protocol (DRP) aims to introduce:
A unified,
Consent-driven,
End-to-end encrypted,
Verifiable,
User-controlled
standard for line-item receipt portability.
This article proposes a DRP Capsule architecture, including:
Derived identities
AES-GCM encryption
Ed25519 integrity protection
Strong alignment with NIST SP 800-171 Rev.3 and PCI DSS v4.0
A full Python reference implementation
🔐 2. Architectural Principles
2.1 Wallet-centric control
Users hold a long-term root secret.
From this, the wallet derives:
A pseudonymous identity for each merchant
A unique symmetric key for encrypting each receipt
This ensures unlinkability, privacy, and cryptographic isolation.
2.2 DRP Capsule Structure
A DRP Capsule consists of:
Header
Public metadata
No sensitive data
Integrity-protected
Ciphertext
AES-256-GCM encrypted claims
Signature
Ed25519 issuer signature over a deterministic digest
2.3 Regulatory Alignment
The implementation includes comments mapping cryptographic operations to:
NIST 800-171 Rev.3 controls:
SC-13 (Cryptographic Protection)
SC-28 (Data at Rest)
IA-5 (Authenticator/Secret Management)
AU-2/AU-3 (Auditability)
PCI DSS v4.0 controls:
Req.3 (Protect Stored PAN Data)
Req.4 (Encrypt Transmission)
Req.6.4.3 (Secure Crypto Design)
🧪 3. Full Python Implementation
(WITH NIST & PCI DSS COMMENTS — EDUCATIONAL ONLY)
🔽 Copy-and-paste ready code (complete)
-- coding: utf-8 --
"""
Digital Receipt Protocol (DRP) - Educational Reference Example
Author : Antonio José Socorro Marín
Year : 2025
Copyright (c) 2025, Antonio José Socorro Marín
This implementation is for EDUCATIONAL PURPOSES ONLY.
Compliance-oriented inline notes reference:
- NIST SP 800-171 Rev.3 (SC-13, SC-28, IA-5, AU-2, AU-3)
- PCI DSS v4.0 (Req.3, Req.4, Req.6.4.3)
Goal:
Demonstrate a DRP Capsule architecture using:
- Derived Identities
- AES-256-GCM
- Ed25519 issuer signatures """
---------------------------------------------------------------------------
Standard Libraries
---------------------------------------------------------------------------
from dataclasses import dataclass, asdict
from typing import List
import json
import base64
import os
import time
---------------------------------------------------------------------------
Cryptographic Primitives (NIST/PCI aligned)
---------------------------------------------------------------------------
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
AES-GCM -> NIST SC-13 (Cryptographic Protection)
AES-256 -> PCI DSS Req.4 (Strong Encryption)
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
Ed25519PrivateKey, Ed25519PublicKey
)
Ed25519 signatures -> NIST SC-16, PCI Req.6.4.3
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
HKDF -> NIST IA-5 (Secret Derivation), PCI Req.3.6
from cryptography.hazmat.primitives import hashes, serialization
---------------------------------------------------------------------------
Data Models
---------------------------------------------------------------------------
@dataclass
class LineItem:
"""Encrypted under AES-GCM. Sensitive transaction metadata."""
sku: str
description: str
quantity: int
unit_price: float
tax_rate: float
@dataclass
class ReceiptClaims:
"""
Encrypted receipt payload:
Must meet NIST SC-28 and PCI DSS Req.3 data-protection requirements.
"""
merchant_id: str
terminal_id: str
country_code: str
currency: str
total_amount: float
tax_amount: float
timestamp_utc: int
card_network: str
network_profile: str
pan_token: str # Tokenized PAN only — PCI DSS Req.3
auth_code: str
line_items: List[LineItem]
@dataclass
class DRPHeader:
"""Non-sensitive metadata that will be integrity-protected."""
drp_version: str
capsule_id: str
issuer_id: str
schema_id: str
country_code: str
@dataclass
class DRPCapsule:
"""
DRP Capsule = Header + Ciphertext + Signature
Signature meets NIST SC-16 & PCI DSS integrity requirements.
"""
header: DRPHeader
ciphertext: str
nonce: str
issuer_signature: str
---------------------------------------------------------------------------
Derived Identity Wallet
---------------------------------------------------------------------------
class DerivedIdentityWallet:
"""
Root secret → Derived keys & pseudonyms
Supports NIST IA-5 and privacy-by-design identity separation.
"""
def __init__(self, root_secret: bytes):
self._root_secret = root_secret
def derive_user_key(self, merchant_context: str) -> bytes:
"""AES-256 key derivation using HKDF."""
hkdf = HKDF(
algorithm=hashes.SHA256(),
length=32,
salt=None,
info=merchant_context.encode(),
)
return hkdf.derive(self._root_secret)
def derive_user_pseudonym(self, merchant_context: str) -> str:
"""Privacy-preserving pseudonymous ID."""
hkdf = HKDF(
algorithm=hashes.SHA256(),
length=32,
salt=None,
info=(merchant_context + "|pseudonym").encode(),
)
raw = hkdf.derive(self._root_secret)
digest = hashes.Hash(hashes.SHA256())
digest.update(raw)
return base64.urlsafe_b64encode(digest.finalize()).decode()
---------------------------------------------------------------------------
Crypto Utilities
---------------------------------------------------------------------------
def encrypt_receipt_claims(claims: ReceiptClaims, key: bytes):
"""AES-256-GCM encryption (NIST SC-13, PCI Req.3/4)."""
aesgcm = AESGCM(key)
data = json.dumps(asdict(claims), separators=(",", ":")).encode()
nonce = os.urandom(12) # PCI-compliant nonce entropy
ciphertext = aesgcm.encrypt(nonce, data, None)
return nonce, ciphertext
def generate_issuer_keypair() -> Ed25519PrivateKey:
"""Issuer keypair (NIST SC-12, PCI Req.3.6)."""
return Ed25519PrivateKey.generate()
def export_public_key_pem(pk: Ed25519PublicKey) -> str:
"""PEM export for distribution (PCI Req.3.6.1)."""
return pk.public_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PublicFormat.SubjectPublicKeyInfo,
).decode()
def sign_capsule_digest(priv: Ed25519PrivateKey, header, nonce_b64, ciphertext_b64):
"""Deterministic capsule digest signature."""
capsule = json.dumps(
{"header": asdict(header), "nonce": nonce_b64, "ciphertext": ciphertext_b64},
separators=(",", ":")
).encode()
h = hashes.Hash(hashes.SHA256())
h.update(capsule)
digest = h.finalize()
return priv.sign(digest)
def verify_drp_capsule(capsule: DRPCapsule, pub: Ed25519PublicKey):
"""Ed25519 verification (NIST SI-7, PCI DSS Req.10)."""
data = json.dumps(
{"header": asdict(capsule.header), "nonce": capsule.nonce,
"ciphertext": capsule.ciphertext},
separators=(",", ":"),
).encode()
h = hashes.Hash(hashes.SHA256())
h.update(data)
digest = h.finalize()
sig = base64.b64decode(capsule.issuer_signature)
try:
pub.verify(sig, digest)
return True
except Exception:
return False
def decrypt_drp_capsule(capsule: DRPCapsule, key: bytes) -> ReceiptClaims:
"""AES-GCM decryption (NIST SC-28, PCI Req.3.4)."""
aesgcm = AESGCM(key)
nonce = base64.b64decode(capsule.nonce)
ct = base64.b64decode(capsule.ciphertext)
data = aesgcm.decrypt(nonce, ct, None)
raw = json.loads(data.decode())
items = [LineItem(**it) for it in raw["line_items"]]
return ReceiptClaims(**{**raw, "line_items": items})
---------------------------------------------------------------------------
Issue Capsule
---------------------------------------------------------------------------
def issue_drp_capsule(claims, wallet, issuer_priv):
"""DRP Capsule issuance aligns with NIST SC-13 + PCI Req.4."""
ctx = f"{claims.merchant_id}|{claims.network_profile}"
key = wallet.derive_user_key(ctx)
nonce, ciphertext = encrypt_receipt_claims(claims, key)
nonce_b64 = base64.b64encode(nonce).decode()
ct_b64 = base64.b64encode(ciphertext).decode()
header = DRPHeader(
drp_version="1.0.0",
capsule_id=base64.b32encode(os.urandom(10)).decode().rstrip("="),
issuer_id=claims.merchant_id,
schema_id="DRP-RECEIPT-V1",
country_code=claims.country_code,
)
sig = sign_capsule_digest(issuer_priv, header, nonce_b64, ct_b64)
return DRPCapsule(
header=header,
ciphertext=ct_b64,
nonce=nonce_b64,
issuer_signature=base64.b64encode(sig).decode(),
)
---------------------------------------------------------------------------
Demo Example
---------------------------------------------------------------------------
if name == "main":
root = os.urandom(32)
wallet = DerivedIdentityWallet(root)
issuer_priv = generate_issuer_keypair()
issuer_pub = issuer_priv.public_key()
items = [
LineItem("SKU1", "Coffee 1kg", 1, 15.99, 0.07),
LineItem("SKU2", "Cup", 2, 8.50, 0.07),
]
subtotal = sum(i.unit_price * i.quantity for i in items)
tax = sum(i.unit_price * i.quantity * i.tax_rate for i in items)
claims = ReceiptClaims(
merchant_id="MRC-001",
terminal_id="POS-01",
country_code="US",
currency="USD",
total_amount=round(subtotal + tax, 2),
tax_amount=round(tax, 2),
timestamp_utc=int(time.time()),
card_network="VISA",
network_profile="VISA-US-2025",
pan_token="tok_visa_4242",
auth_code="AUTH123",
line_items=items,
)
capsule = issue_drp_capsule(claims, wallet, issuer_priv)
print("VALID SIGNATURE:", verify_drp_capsule(capsule, issuer_pub))
key = wallet.derive_user_key("MRC-001|VISA-US-2025")
recovered = decrypt_drp_capsule(capsule, key)
print(json.dumps(asdict(recovered), indent=2))
DIAGRAM 1 — DRP CAPSULE ARCHITECTURE
┌───────────────────────────────────────────────────────────────┐
│ DRP CAPSULE │
├───────────────────────────────────────────────────────────────┤
│ 1. HEADER (Public, Non-Sensitive Metadata) │
│ - drp_version │
│ - capsule_id │
│ - issuer_id │
│ - schema_id │
│ - country_code │
│ │
│ Integrity-protected via Ed25519 signature │
├───────────────────────────────────────────────────────────────┤
│ 2. ENCRYPTED CLAIMS (AES-256-GCM) │
│ - merchant_id │
│ - terminal_id │
│ - timestamp_utc │
│ - totals (amount, tax) │
│ - card_network / network_profile │
│ - tokenized PAN (DPAN) │
│ - authorization code │
│ - line items │
│ │
│ Confidentiality + Integrity (AEAD) │
├───────────────────────────────────────────────────────────────┤
│ 3. SIGNATURE (Ed25519) │
│ Signature over: SHA-256( canonical(header + nonce + ciphertext) )│
│ │
│ Issuer authentication & non-repudiation │
└───────────────────────────────────────────────────────────────┘
⭐ DIAGRAM 2 — DERIVED IDENTITY WALLET (KEY HIERARCHY)
USER WALLET (SECURE HARDWARE)
─────────────────────────────
Root Secret (32 bytes)
(Never leaves secure enclave)
│
▼
HKDF (merchant_context =
"merchant_id | network_profile")
│
┌─────────────────────────────┼─────────────────────────────┐
│ │ │
▼ ▼ ▼
Derived User Key Derived Pseudonym Derived Identifier (optional)
(AES-256 symmetric key) (privacy-preserving ID) (future DRP)
│ │
▼ ▼
Used for AES-GCM Encryption Used to avoid cross-merchant
of receipt claims correlation of identity
⭐ DIAGRAM 3 — ISSUANCE FLOW (MERCHANT → USER WALLET)
┌──────────────────────────────┐
│ Merchant / POS System │
└───────────────┬──────────────┘
│
│ 1. Build Receipt Claims (JSON)
▼
┌──────────────────────────────┐
│ Receipt Claims │
└───────────────┬──────────────┘
│
│ 2. Wallet Derives User Key (HKDF)
▼
user_wallet.derive_user_key()
│
▼
3. AES-256-GCM Encryption
│
▼
Ciphertext + GCM Nonce
│
▼
4. Construct DRP Header (non-sensitive)
│
▼
5. Sign Capsule Digest (Ed25519)
│
▼
┌──────────────────────────────┐
│ DRP CAPSULE │
└──────────────────────────────┘
⭐ DIAGRAM 4 — VERIFICATION & DECRYPTION FLOW
┌──────────────────────────────┐
│ DRP CAPSULE │
└──────────────┬───────────────┘
│ Contains:
│ - header
│ - nonce
│ - ciphertext
│ - signature
▼
1. Canonical JSON Representation
│
▼
2. Compute SHA-256 Digest
│
▼
3. Verify Ed25519 Signature
│
Is signature valid?
│
┌──────┴────────┐
│ │
Yes No
│ │
▼ ▼
- Wallet Derives Key Reject Capsule via HKDF │ ▼
- AES-GCM Decryption │ ▼
- Reconstruct Receipt Claims │ ▼ ┌──────────────────────────────┐ │ Decrypted Receipt (Plain) │ └──────────────────────────────┘
Top comments (0)