DIGICASH - NUMBERS THAT ARE MONEY
The ultimate electronic payment system for any application
_________________________________________________________________
Copyright (c) 1994 by DigiCash bv.
_________________________________________________________________
Electronic Cash. . .
Electronic cash by DigiCash is a new concept in payment systems. It
combines computerized convenience with security and privacy that
improve on paper cash. It adds value to any service involving payment.
And its versatility opens up a host of new markets and applications.
Electronic cash is not just a step on the way to tomorrow's payment
system technology. It is that technology, and it's here now.
. . .by DigiCash.
DigiCash works with payment system and service providers in all phases
of electronic cash innovation. We help you develop and refine the
concept, and we see it through every step to final implementation.
We're the experts.
We're the experts first of all because our technology is unique--and
we invented it. But we're also world-class experts in our fields. The
DigiCash team brings together top cryptographers and payment-system
specialists with some of Europe's best software and hardware
specialists. DigiCash is young but experienced, innovative but here to
stay.
Our products have already proven successful. And we'd enjoy helping
you find out how your firm can benefit.
Why Electronic Cash?
VERSATILITY
Wherever value is exchanged, between business, government, customer,
client, or citizen, electronic cash is the medium of choice. For
computerized payments over the phone, the user needs only our special
software. Road toll payments can be made from moving vehicles--in less
time than it takes a car going 200 km/h to travel a single meter. And
users can pay directly at a counter, kiosk, or phone booth with
current smart-cards as the platform; with the pocket-size card readers
we've developed, they can even make payments to each other.
SECURITY
The security provided by electronic cash is unmatched in scope and
cost-effectiveness. There's no need for an acquirer of value to
contact a central system more than weekly, because the technology is
secure against cheating and misuse even without on-line connections.
Since electronic cash is digitally "signed" by the issuer, there's no
room for dispute over payments, and no mutually trusted center is
necessary. All parties need only select and protect their own
hardware; our software does the rest.
PRIVACY
Electronic cash, unlike even paper cash, is unconditionally
untraceable. The "blinding" carried out by the user's own device makes
it impossible for anyone to link payment to payer. But users can prove
unequivocally that they did or did not make a particular payment,
without revealing anything more. Besides appealing to consumers, this
level of privacy limits exposure to future data-privacy legislation
and reduces record-keeping costs.
Electronic Cash Applications
Here are some of the opportunities for electronic cash applications
we've been working on:
At the point of sale:
* prepaid cards
* credit cards
* vending
For telepayment:
* phone cards
* teleshopping and telebanking
* conditional access to services
In transportation:
* automatic toll collection
* parking systems
* public transit
How Electronic Cash Works
Electronic cash is based on the increasingly used cryptographic
systems for "digital signatures" (see sidebar). One such system
involves a pair of numeric keys that work like the halves of a
codebook: messages encoded with one key decode with the other key. One
key is made public, while the other is kept private. By supplying all
users with its public key, a bank can allow them to decode any message
encoded with its private key. If decoding by a user yields a
meaningful message, the user can be sure that only the bank could have
encoded it. These digital signatures are far more resistant to forgery
than handwritten ones.
In the basic electronic cash system, the user's equipment generates a
random number, which serves as the "note". His equipment then "blinds"
the note using a random factor (see sidebar) and transmits it to a
bank. In exchange for money debited from the user's account or
otherwise supplied, the bank uses its private key to digitally sign
the blinded note, and transmits the result back to the user. The
user's equipment unblinds the note, which it later pays with. The
payee checks that the note's digital signature is authentic and later
sends the note on to the bank, who in turn checks the signature and
credits the payee accordingly.
Security--For All Concerned
Neither the user nor the payee can counterfeit the bank's signature.
But either can verify that the payment is valid, since each has the
bank's public key; and the user can prove that he made the payment,
since he can make available the blinding factor. But because the
user's original note number was blinded when it was signed, the bank
can't connect the signing with the payment. The bank is protected
against forgery, the payee against the bank's refusal to honor a
legitimate note, and the user against false accusations and invasion
of privacy.
What prevents users from spending the same note twice? One obvious
method is checking the bank's signatures on-line against a database of
spent notes. For most systems, which handle high volumes of low-value
payments, this is too expensive. We've found better solutions. Before
accepting an off-line payment, the payee's equipment issues an
unpredictable challenge to which the user's equipment must respond
with some information about the note number. By itself, this
information discloses nothing about the user. But if the user spends
the note a second time, the information yielded by the next challenge
gives away his identity when the note is ultimately deposited. For
enhanced practical protection, smart cards can also be programmed to
prevent double spending at the moment it is tried.
More Possibilities
We've devised a number of variations on these basic systems. For the
bank to issue users with enough separate electronic "coins" of various
denominations would be cumbersome in communication and storage. So
would a system that required payees to return change. To sidestep such
costs, we use an electronic "check"--a single number that contains
multiple denomination terms sufficient for any transaction up to a
prescribed limit, and to which the appropriate value is assigned at
payment time. What's more, the values of the denomination terms can be
made variable. In this way, users can receive interest on their
unspent checks, the bank can receive interest on credit payments, and
the same check can be spent in different currencies.
Just as the form of electronic cash itself can be varied, so can the
hardware configurations needed to apply it. Rather than having their
accounts debited at a bank, users can insert hard currency into
terminal equipment. The user's equipment can be an ordinary smart
card, a public-key-capable smart card, or a personal computer. We've
also developed a pocketable smart card "reader" with its own keypad,
display, and infra-red link.
(Documentation and technical details for these and other options are
available on request. Patents have been issued and are pending in
most major markets.)
About Our Company
DigiCash is headquartered in Amsterdam, on the national research
campus for exact sciences. This puts us next door to CWI (the national
center for research in mathematics and computer science), several
physics laboratories, a supercomputer center, and the University of
Amsterdam computer science faculty. We're also close to several other
young hi-tech companies.
Our location gives us capabilities beyond the ordinary. We draw on the
skills of the CWI Cryptography Group, one of the acknowledged world
centers of cryptographic expertise and invention. Our software
designers, ACM European Programming Contest champions, enjoy the
considerable resources available on campus. Likewise, our
award-winning hardware designers find specialized support for in-house
prototyping and testing.
And all these areas--cryptography, software, and electronics--are
finely integrated. We have demonstrated performance in each phase of
payment system development--from conception, through feasibility
studies, bread-boards, and prototypes, to production management.
Before anything else, we're creative, innovative, and flexible, and
we're growing fast. But we're also careful planners. We've taken care
to give the company a base as solid as the reputation of our research
team. That's because we want to drive the cutting edge of transaction
system technology for many years to come.
How We Work With You
We like to develop solutions jointly right from the start. And, as we
said before, we enjoy creating systems for new and challenging
applications. So if you see possibilities for electronic cash in your
firm's future, we invite you to explore those possibilities with us.
_________________________________________________________________
Digital Signatures
In the RSA public-key cryptosystem used for electronic cash, both
encryption and decryption are done by raising the message--here, the
note number--to a power that is the appropriate key. These
exponentiations are done in a modular arithmetic system: one that
saves only the result of division by a fixed number called a modulus.
(This modulus needs to be quite large, usually at least 150 digits.)
When the system is set up, the key-making bank generates two large
primes p and q. Their product pq will be the modulus of the
exponentiations. The basis of the RSA system is the fact that
x^((p-1)(q-1)) = 1 (mod pq)
(provided x is divisible neither by p nor by q, which
possibility can safely be ignored).
Next, the keymaker chooses an e and d with
ed = 1 (mod (p-1)(q-1)),
where e will be its public key and d its private key.
Consequently, anything encrypted with d can be decrypted with e:
(x^d)^e = x (mod pq).
The keymaker disseminates the public key e to all users, together
with the modulus pq, while it of course never reveals p, q, or
the private key d.
_________________________________________________________________
Blind Signatures
Suppose a user wants the bank's signature on x, but does not want
the bank to find out what x is. This can be achieved with a blind
signature protocol, as follows:
1. The user chooses a blinding factor r independently and uniformly
at random, and she presents the bank with xr^e (mod pq),
where x is the note number to be signed.
2. The bank signs it: (xr^e)^d = rx^d (mod pq).
3. The user divides out the blinding factor: (rx^d)/r = x^d
(mod pq).
4. And finally, the user stores x^d, the signed note that she
will pay with later. Since r is random, the bank cannot
determine x, and thus cannot connect the signing with the
subsequent payment.
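
The withdrawal, payment and deposit flow from "How Electronic Cash Works",
carried through with the sidebar's formulas, as an added Python example that
is not DigiCash code. The primes, the exponent 65537, and the names blind,
bank_sign, unblind, verify and Bank are assumptions made for illustration;
the modulus is far smaller than the 150 digits the sidebar calls for.

```python
import math
import secrets

# Constructed toy key (assumption): two well-known Mersenne primes.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q                              # public modulus pq
E = 65537                              # public key e
D = pow(E, -1, (P - 1) * (Q - 1))      # private key d: ed = 1 (mod (p-1)(q-1))

def blind(x, n=N, e=E):
    """User: return (x * r^e mod n, r) for a random invertible r."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:        # r must be invertible to divide it out
            return (x * pow(r, e, n)) % n, r

def bank_sign(blinded, d=D, n=N):
    """Bank: (x * r^e)^d = r * x^d (mod n); it never sees x itself."""
    return pow(blinded, d, n)

def unblind(signed_blinded, r, n=N):
    """User: (r * x^d) / r = x^d (mod n), division as a modular inverse."""
    return (signed_blinded * pow(r, -1, n)) % n

def verify(x, sig, e=E, n=N):
    """Payee or bank: (x^d)^e must give back x."""
    return pow(sig, e, n) == x % n

class Bank:
    """On-line double-spend check: a database of spent note numbers."""
    def __init__(self):
        self.spent = set()

    def deposit(self, x, sig):
        if not verify(x, sig) or x in self.spent:
            return False               # forged signature or note already spent
        self.spent.add(x)
        return True

def demo():
    x = secrets.randbelow(N - 2) + 2   # the random note number
    blinded, r = blind(x)              # withdrawal: bank sees only `blinded`
    sig = unblind(bank_sign(blinded), r)
    bank = Bank()
    return verify(x, sig), bank.deposit(x, sig), bank.deposit(x, sig)

if __name__ == "__main__":
    print(demo())
```

The example signs the raw note number exactly as the sidebar writes it; the
"meaningful message" condition in the main text is what a real note format
has to supply, and it is not modelled here.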
_________________________________________________________________
For more information contact:
info@digicash.nl
tel +31 20 665 2611
fax +31 20 668 5486
_________________________________________________________________