UPI is a system that everybody in India uses. Let's try to decode how it works.
The core principle of UPI is public-key cryptography. We need a system where:
- UPI users can trust the bank
- Bank can trust UPI user
- Merchants (Shopkeeper) can trust the Bank
- Users can't deny they made transactions.
In public-key cryptography, a public/private key pair does all this work for us.
The private key is a secret and must be guarded well, so we need the next vital component.
The mobile phone. In UPI, the mobile phone is required to keep the private key safe. All mobile phones provide a secure API to store private keys and sign with them.
So how do Mobile phones, Public-key cryptography, and the trust system create UPI?
Banks have all the user details, but we need to connect users from all banks, so obviously we need a central server, which UPI provides. To connect all the banks it provides common APIs that banks implement.
Now that banks are connected to the UPI servers, the next step is user registration. Here comes the user's mobile phone with an app. The app is required to:
- Generate the public/private key pair
- Sign transactions to make payments
During registration, the phone's public key must be securely transferred to the UPI server. This is done with an SMS from the bank-registered SIM card.
Once your mobile's public key is transferred to the UPI server, you are registered in the UPI system.
Similarly, merchants register their public key with the UPI server.
This establishes the trust stated in the first tweet. The only one that can sign with the private key is the user, and that key never leaves the mobile phone. Public keys uniquely identify each user and are stored on the UPI server. Users can't deny they made a transaction, as nobody else can produce a signature that matches their linked public key.
Now comes making the payment.
With all user public keys on the UPI server, making a payment is a matter of both the merchant and the user signing a payment string.
When a merchant displays a payment QR code, it contains the merchant's payment address. Scanning it with the mobile phone transfers this address to the phone. This address and the payment amount are signed with the user's private key. The signed details are then transferred to the UPI server, which sends them to the bank securely using the bank's public key.
Banks now do the necessary account transfers as per the signed details.
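To make the registration and payment steps above concrete, here is an added example (not code from the thread, and not UPI's real protocol) written in Go with the standard library's Ed25519 signatures. The thread does not name a signature algorithm, so Ed25519 is an assumption; the payment-string layout, the nonce field, the in-memory registry standing in for the UPI server, and the sample addresses are all constructed for this illustration. The point it shows is the one the thread makes: once public keys are registered, the server can check that both the user and the merchant signed exactly the amount and addresses it received, and any alteration or an unregistered key fails verification.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Party is one participant (a user's phone or a merchant) holding a key pair.
// In real UPI the private key stays inside the phone's secure key store; in
// this illustration it simply lives in memory.
type Party struct {
	ID   string // hypothetical payment address, e.g. "alice@examplebank"
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewParty generates a fresh key pair, the step the app performs at registration.
func NewParty(id string) (*Party, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{ID: id, Pub: pub, priv: priv}, nil
}

// Sign produces the party's signature over msg with its private key.
func (p *Party) Sign(msg []byte) []byte { return ed25519.Sign(p.priv, msg) }

// Registry stands in for the UPI server's table of registered public keys.
type Registry struct{ keys map[string]ed25519.PublicKey }

func NewRegistry() *Registry { return &Registry{keys: map[string]ed25519.PublicKey{}} }

// Register stores a public key. The SMS-based transfer the thread describes is
// assumed to have already bound id to this key.
func (r *Registry) Register(id string, pub ed25519.PublicKey) { r.keys[id] = pub }

// PaymentString is the canonical message both sides sign. The field layout and
// the nonce are assumptions for this example, not the real UPI format.
func PaymentString(payer, payee string, amountPaise int64, nonce string) []byte {
	return []byte(fmt.Sprintf("pay|%s|%s|%d|%s", payer, payee, amountPaise, nonce))
}

// Payment is what the phone submits to the server.
type Payment struct {
	Payer, Payee string
	AmountPaise  int64
	Nonce        string
	UserSig      []byte
	MerchantSig  []byte
}

// BuildPayment has the user and the merchant each sign the same payment string.
func BuildPayment(user, merchant *Party, amountPaise int64, nonce string) Payment {
	msg := PaymentString(user.ID, merchant.ID, amountPaise, nonce)
	return Payment{
		Payer: user.ID, Payee: merchant.ID, AmountPaise: amountPaise, Nonce: nonce,
		UserSig: user.Sign(msg), MerchantSig: merchant.Sign(msg),
	}
}

// Verify is the server-side check: both addresses must be registered and both
// signatures must validate over the payment string as received. Any change to
// the amount or addresses after signing makes verification fail.
func (r *Registry) Verify(p Payment) error {
	userKey, ok := r.keys[p.Payer]
	if !ok {
		return errors.New("payer not registered")
	}
	merchantKey, ok := r.keys[p.Payee]
	if !ok {
		return errors.New("payee not registered")
	}
	msg := PaymentString(p.Payer, p.Payee, p.AmountPaise, p.Nonce)
	if !ed25519.Verify(userKey, msg, p.UserSig) {
		return errors.New("user signature invalid")
	}
	if !ed25519.Verify(merchantKey, msg, p.MerchantSig) {
		return errors.New("merchant signature invalid")
	}
	return nil
}

func main() {
	reg := NewRegistry()
	user, _ := NewParty("alice@examplebank")       // constructed sample address
	merchant, _ := NewParty("teashop@examplebank") // constructed sample address
	reg.Register(user.ID, user.Pub)
	reg.Register(merchant.ID, merchant.Pub)

	pay := BuildPayment(user, merchant, 12500, "txn-0001") // 125.00 rupees in paise
	fmt.Println("genuine payment:", reg.Verify(pay))

	tampered := pay
	tampered.AmountPaise = 1250000 // altered after signing: both signatures stop matching
	fmt.Println("tampered payment:", reg.Verify(tampered))
}
```

Verification recomputes the payment string from the fields the server actually received rather than trusting a string sent alongside, so the signature binds the payer, payee and amount together; that is what gives the non-repudiation the thread describes, since a second key pair generated under the same address is not the one the server registered and its signatures are rejected.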
That's UPI simplified.