Designing a Secure Digital Receipt Protocol (DRP) with Derived Identities, AES-GCM & Ed25519 Signatures
Published: (December 4, 2025 at 12:43 AM EST)
3 min read
Source: Dev.to
Source: Dev.to
Introduction
Today’s digital receipts suffer from fragmentation: merchants, issuers, acquirers, and card networks follow different schemas, formats, and privacy models.
A Digital Receipt Protocol (DRP) aims to introduce a unified, consent‑driven, end‑to‑end encrypted, verifiable, user‑controlled standard for line‑item receipt portability.
This article proposes a DRP Capsule architecture, including:
- Derived identities
- AES‑GCM encryption
- Ed25519 integrity protection
- Strong alignment with NIST SP 800‑171 Rev.3 and PCI DSS v4.0
- A full Python reference implementation
Architectural Principles
- Users hold a long‑term root secret.
- A pseudonymous identity is created for each merchant.
- A unique symmetric key encrypts each receipt.
These measures ensure unlinkability, privacy, and cryptographic isolation.
DRP Capsule Structure
A DRP Capsule consists of:
- Header – public metadata, no sensitive data, integrity‑protected.
- Ciphertext – AES‑256‑GCM encrypted claims.
- Signature – Ed25519 issuer signature over a deterministic digest.
Regulatory Alignment
The implementation includes comments mapping cryptographic operations to:
-
NIST 800‑171 Rev.3 controls
- SC‑13 (Cryptographic Protection)
- SC‑28 (Data at Rest)
- IA‑5 (Authenticator/Secret Management)
- AU‑2 / AU‑3 (Auditability)
-
PCI DSS v4.0 controls
- Req.3 (Protect Stored PAN Data)
- Req.4 (Encrypt Transmission)
- Req.6.4.3 (Secure Crypto Design)
Full Python Implementation
"""
This implementation is for EDUCATIONAL PURPOSES ONLY.
Compliance-oriented inline notes reference:
NIST SP 800-171 Rev.3 (SC-13, SC-28, IA-5, AU-2, AU-3)
PCI DSS v4.0 (Req.3, Req.4, Req.6.4.3)
Goal:
Derived Identities
AES-256-GCM
Ed25519 issuer signatures
"""
from dataclasses import dataclass, asdict
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.hazmat.primitives import hashes, serialization
@dataclass
class DerivedIdentityWallet:
def __init__(self, root_secret: bytes):
self._root_secret = root_secret
def derive_user_key(self, merchant_context: str) -> bytes:
"""AES-256 key derivation using HKDF."""
hkdf = HKDF(
algorithm=hashes.SHA256(),
length=32,
salt=None,
info=merchant_context.encode(),
)
return hkdf.derive(self._root_secret)
def derive_user_pseudonym(self, merchant_context: str) -> str:
"""Privacy-preserving pseudonymous ID."""
hkdf = HKDF(
algorithm=hashes.SHA256(),
length=32,
salt=None,
info=(merchant_context + "|pseudonym").encode(),
)
raw = hkdf.derive(self._root_secret)
digest = hashes.Hash(hashes.SHA256())
digest.update(raw)
return base64.urlsafe_b64encode(digest.finalize()).decode()
def encrypt_receipt_claims(claims: ReceiptClaims, key: bytes):
...
def generate_issuer_keypair() -> Ed25519PrivateKey:
...
def export_public_key_pem(pk: Ed25519PublicKey) -> str:
...
def sign_capsule_digest(priv: Ed25519PrivateKey, header, nonce_b64, ciphertext_b64):
h = hashes.Hash(hashes.SHA256())
h.update(capsule)
digest = h.finalize()
return priv.sign(digest)
def verify_drp_capsule(capsule: DRPCapsule, pub: Ed25519PublicKey):
h = hashes.Hash(hashes.SHA256())
h.update(data)
digest = h.finalize()
sig = base64.b64decode(capsule.issuer_signature)
try:
pub.verify(sig, digest)
return True
except Exception:
return False
def decrypt_drp_capsule(capsule: DRPCapsule, key: bytes) -> ReceiptClaims:
items = [LineItem(**it) for it in raw["line_items"]]
return ReceiptClaims(**{**raw, "line_items": items})
def issue_drp_capsule(claims, wallet, issuer_priv):
nonce, ciphertext = encrypt_receipt_claims(claims, key)
nonce_b64 = base64.b64encode(nonce).decode()
ct_b64 = base64.b64encode(ciphertext).decode()
header = DRPHeader(
drp_version="1.0.0",
capsule_id=base64.b32encode(os.urandom(10)).decode().rstrip("="),
issuer_id=claims.merchant_id,
schema_id="DRP-RECEIPT-V1",
country_code=claims.country_code,
)
sig = sign_capsule_digest(issuer_priv, header, nonce_b64, ct_b64)
return DRPCapsule(
header=header,
ciphertext=ct_b64,
nonce=nonce_b64,
issuer_signature=base64.b64encode(sig).decode(),
)
if __name__ == "__main__":
issuer_priv = generate_issuer_keypair()
issuer_pub = issuer_priv.public_key()
items = [
LineItem("SKU1", "Coffee 1kg", 1, 15.99, 0.07),
LineItem("SKU2", "Cup", 2, 8.50, 0.07),
]
subtotal = sum(i.unit_price * i.quantity for i in items)
tax = sum(i.unit_price * i.quantity * i.tax_rate for i in items)
claims = ReceiptClaims(
merchant_id="MRC-001",
terminal_id="POS-01",
country_code="US",
currency="USD",
total_amount=round(subtotal + tax, 2),
tax_amount=round(tax, 2),
timestamp_utc=int(time.time()),
card_network="VISA",
network_profile="VISA-US-2025",
pan_token="tok_visa_4242",
auth_code="AUTH123",
line_items=items,
)
capsule = issue_drp_capsule(claims, wallet, issuer_priv)
print("VALID SIGNATURE:", verify_drp_capsule(capsule, issuer_pub))
key = wallet.derive_user_key("MRC-001|VISA-US-2025")
recovered = decrypt_drp_capsule(capsule, key)
print(json.dumps(asdict(recovered), indent=2))Diagrams
Diagram 1 – DRP Capsule Architecture
Integrity-protected via Ed25519 signature
│
Confidentiality + Integrity (AEAD)
│
Issuer authentication & non-repudiationDiagram 2 – Derived Identity Wallet (Key Hierarchy)
Root Secret (32 bytes)
(Never leaves secure enclave)
│
▼
HKDF (merchant_context = "merchant_id | network_profile")
│
├─ Derived User Key
├─ Derived Pseudonym
└─ Derived Identifier (optional)Diagram 3 – Issuance Flow (Merchant → User Wallet)
(illustrative flow, not shown in code)
Diagram 4 – Verification & Decryption Flow
Wallet Derives Key via HKDF
│
▼
AES‑GCM Decryption
│
▼
Reconstruct Receipt Claims
│
▼
Decrypted Receipt (Plain)