DigiCash - Numbers That Are Money

The ultimate electronic payment system for any application


Copyright (c) 1994 by DigiCash bv.


Electronic Cash. . .

Electronic cash by DigiCash is a new concept in payment systems. It combines computerized convenience with security and privacy that improve on paper cash. It adds value to any service involving payment. And its versatility opens up a host of new markets and applications.

Electronic cash is not just a step on the way to tomorrow's payment system technology. It is that technology, and it's here now.

. . .by DigiCash.

DigiCash works with payment system and service providers in all phases of electronic cash innovation. We help you develop and refine the concept, and we see it through every step to final implementation. We're the experts.

We're the experts first of all because our technology is unique--and we invented it. But we're also world-class experts in our fields. The DigiCash team brings together top cryptographers and payment-system specialists with some of Europe's best software and hardware specialists. DigiCash is young but experienced, innovative but here to stay.

Our products have already proven successful. And we'd enjoy helping you find out how your firm can benefit.

Why Electronic Cash?

Versatility

Wherever value is exchanged, between business, government, customer, client, or citizen, electronic cash is the medium of choice. For computerized payments over the phone, the user needs only our special software. Road toll payments can be made from moving vehicles--in less time than it takes a car going 200 km/h to travel a single meter. And users can pay directly at a counter, kiosk, or phone booth with current smart-cards as the platform; with the pocket-size card readers we've developed, they can even make payments to each other.

Security

The security provided by electronic cash is unmatched in scope and cost-effectiveness. There's no need for an acquirer of value to contact a central system more than weekly, because the technology is secure against cheating and misuse even without on-line connections. Since electronic cash is digitally "signed" by the issuer, there's no room for dispute over payments, and no mutually trusted center is necessary. All parties need only select and protect their own hardware; our software does the rest.

Privacy

Electronic cash, unlike even paper cash, is unconditionally untraceable. The "blinding" carried out by the user's own device makes it impossible for anyone to link payment to payer. But users can prove unequivocally that they did or did not make a particular payment, without revealing anything more. Besides appealing to consumers, this level of privacy limits exposure to future data-privacy legislation and reduces record-keeping costs.

Electronic Cash Applications

Here are some of the opportunities for electronic cash applications we've been working on:

At the point of sale:

For telepayment:

In transportation:

How Electronic Cash Works

Electronic cash is based on the increasingly used cryptographic systems for "digital signatures" (see sidebar). One such system involves a pair of numeric keys that work like the halves of a codebook: messages encoded with one key decode with the other key. One key is made public, while the other is kept private. By supplying all users with its public key, a bank can allow them to decode any message encoded with its private key. If decoding by a user yields a meaningful message, the user can be sure that only the bank could have encoded it. These digital signatures are far more resistant to forgery than handwritten ones.

In the basic electronic cash system, the user's equipment generates a random number, which serves as the "note". His equipment then "blinds" the note using a random factor (see sidebar) and transmits it to a bank. In exchange for money debited from the user's account or otherwise supplied, the bank uses its private key to digitally sign the blinded note, and transmits the result back to the user. The user's equipment unblinds the note, which it later pays with. The payee checks that the note's digital signature is authentic and later sends the note on to the bank, who in turn checks the signature and credits the payee accordingly.

Security--For All Concerned

Neither the user nor the payee can counterfeit the bank's signature. But either can verify that the payment is valid, since each has the bank's public key; and the user can prove that he made the payment, since he can make available the blinding factor. But because the user's original note number was blinded when it was signed, the bank can't connect the signing with the payment. The bank is protected against forgery, the payee against the bank's refusal to honor a legitimate note, and the user against false accusations and invasion of privacy.

What prevents users from spending the same note twice? One obvious method is checking the bank's signatures on-line against a database of spent notes. For most systems, which handle high volumes of low- value payments, this is too expensive. We've found better solutions. Before accepting an off-line payment, the payee's equipment issues an unpredictable challenge to which the user's equipment must respond with some information about the note number. By itself, this information discloses nothing about the user. But if the user spends the note a second time, the information yielded by the next challenge gives away his identity when the note is ultimately deposited. For enhanced practical protection, smart cards can also be programmed to prevent double spending at the moment it is tried.

More Possibilities

We've devised a number of variations on these basic systems. For the bank to issue users with enough separate electronic "coins" of various denominations would be cumbersome in communication and storage. So would a system that required payees to return change. To sidestep such costs, we use an electronic "check"--a single number that contains multiple denomination terms sufficient for any transaction up to a prescribed limit, and to which the appropriate value is assigned at payment time. What's more, the values of the denomination terms can be made variable. In this way, users can receive interest on their unspent checks, the bank can receive interest on credit payments, and the same check can be spent in different currencies.

Just as the form of electronic cash itself can be varied, so can the hardware configurations needed to apply it. Rather than having their accounts debited at a Bank, users can insert hard currency into terminal equipment. The user's equipment can be an ordinary smart card, a public-key-capable smart card, or a personal computer. We've also developed a pocketable smart card "reader" with its own keypad, display, and infra-red link.

(Documentation and technical details for these and other options are available on request. Patents have been issued and are pending in most major markets.)

About Our Company

DigiCash is headquartered in Amsterdam, on the national research campus for exact sciences. This puts us next door to CWI (the national center for research in mathematics and computer science), several physics laboratories, a supercomputer center, and the University of Amsterdam computer science faculty. We're also close to several other young hi-tech companies.

Our location gives us capabilities beyond the ordinary. We draw on the skills of the CWI Cryptography Group, one of the acknowledged world centers of cryptographic expertise and invention. Our software designers, ACM European Programming Contest champions, enjoy the considerable resources available on campus. Likewise, our award-winning hardware designers find specialized support for in-house prototyping and testing.

And all these areas--cryptography, software, and electronics--are finely integrated. We have demonstrated performance in each phase of payment system development--from conception, through feasibility studies, bread-boards, and prototypes, to production management.

Before anything else, we're creative, innovative, and flexible, and we're growing fast. But we're also careful planners. We've taken care to give the company a base as solid as the reputation of our research team. That's because we want to drive the cutting edge of transaction system technology for many years to come.

How We Work With You

We like to develop solutions jointly right from the start. And, as we said before, we enjoy creating systems for new and challenging applications. So if you see possibilities for electronic cash in your firm's future, we invite you to explore those possibilities with us.


Digital Signatures

In the RSA public-key cryptosystem used for electronic cash, both encryption and decryption are done by raising the message--here, the note number--to a power that is the appropriate key. These exponentiations are done in a modular arithmetic system: one that saves only the result of division by a fixed number called a modulus. (This modulus needs to be quite large, usually at least 150 digits.)

When the system is set up, the key-making bank generates two large primes p and q. Their product pq will be the modulus of the exponentiations. The basis of the RSA system is the fact that

x^(p-1)(q-1) = 1 (mod pq)

(provided x is divisible neither by p nor by q, which possibility can safely be ignored).

Next, the keymaker chooses an e and d with

ed = 1 (mod (p-1)(q-1)),

where e will be its public key and d its private key. Consequently, anything encrypted with d can be decrypted with e:

(x^d)^e = x (mod pq).

The keymaker disseminates the public key e to all users, together with the modulus pq, while it of course never reveals p, q, or the private key d.


Blind Signatures

Suppose a user wants the bank's signature on x, but does not want the bank to find out what x is. This can be achieved with a blind signature protocol, as follows:

  1. The user chooses a blinding factor r independently and uniformly at random, and she presents the bank with xr^e (mod pq),where x is the note number to be signed.
  2. The bank signs it: (xr^e)^d = rx^d (mod pq).
  3. The user divides out the blinding factor: (rx^d)/r = x^d (mod pq).
  4. And finally, the user stores x^d, the signed note that she will pay with later. Since r is random, the bank cannot determine x, and thus cannot connect the signing with the subsequent payment.

For more information contact:

info@digicash.nl

tel +31 20 665 2611

fax +31 20 668 5486