DigiCash - Numbers That Are Money
The ultimate electronic payment system for any application
Copyright (c) 1994 by DigiCash bv.
Electronic Cash. . .
Electronic cash by DigiCash is a new concept in payment systems. It
combines computerized convenience with security and privacy that
improve on paper cash. It adds value to any service involving payment.
And its versatility opens up a host of new markets and applications.
Electronic cash is not just a step on the way to tomorrow's payment
system technology. It is that technology, and it's here now.
. . .by DigiCash.
DigiCash works with payment system and service providers in all phases
of electronic cash innovation. We help you develop and refine the
concept, and we see it through every step to final implementation.
We're the experts.
We're the experts first of all because our technology is unique--and we
invented it. But we're also world-class experts in our fields. The
DigiCash team brings together top cryptographers and payment-system
specialists with some of Europe's best software and hardware
specialists. DigiCash is young but experienced, innovative but here
Our products have already proven successful. And we'd enjoy helping
you find out how your firm can benefit.
Why Electronic Cash?
Wherever value is exchanged, between business, government, customer,
client, or citizen, electronic cash is the medium of choice. For
computerized payments over the phone, the user needs only our special
software. Road toll payments can be made from moving vehicles--in less
time than it takes a car going 200 km/h to travel a single meter. And
users can pay directly at a counter, kiosk, or phone booth with
current smart-cards as the platform; with the pocket-size card readers
we've developed, they can even make payments to each other.
The security provided by electronic cash is unmatched in scope and
cost-effectiveness. There's no need for an acquirer of value to
contact a central system more than weekly, because the technology is
secure against cheating and misuse even without on-line connections.
Since electronic cash is digitally "signed" by the issuer, there's no
room for dispute over payments, and no mutually trusted center is
necessary. All parties need only select and protect their own
hardware; our software does the rest.
Electronic cash, unlike even paper cash, is unconditionally
untraceable. The "blinding" carried out by the user's own device
makes it impossible for anyone to link payment to payer. But users can
prove unequivocally that they did or did not make a particular
payment, without revealing anything more. Besides appealing to
consumers, this level of privacy limits exposure to future
data-privacy legislation and reduces record-keeping costs.
Electronic Cash Applications
Here are some of the opportunities for electronic cash applications
we've been working on:
At the point of sale:
- prepaid cards
- credit cards
- phone cards
- teleshopping and telebanking
- conditional access to services
- automatic toll collection
- parking systems
- public transit
How Electronic Cash Works
Electronic cash is based on the increasingly used cryptographic
systems for "digital signatures" (see sidebar). One such system
involves a pair of numeric keys that work like the halves of a
codebook: messages encoded with one key decode with the other key.
One key is made public, while the other is kept private. By supplying
all users with its public key, a bank can allow them to decode any
message encoded with its private key. If decoding by a user yields a
meaningful message, the user can be sure that only the bank could
have encoded it. These digital signatures are far more resistant to
forgery than handwritten ones.
In the basic electronic cash system, the user's equipment generates a
random number, which serves as the "note". His equipment then
"blinds" the note using a random factor (see sidebar) and transmits it
to a bank. In exchange for money debited from the user's account or
otherwise supplied, the bank uses its private key to digitally sign
the blinded note, and transmits the result back to the user. The
user's equipment unblinds the note, which it later pays with. The
payee checks that the note's digital signature is authentic and later
sends the note on to the bank, who in turn checks the signature and
credits the payee accordingly.
Security--For All Concerned
Neither the user nor the payee can counterfeit the bank's signature.
But either can verify that the payment is valid, since each has the
bank's public key; and the user can prove that he made the payment,
since he can make available the blinding factor. But because the
user's original note number was blinded when it was signed, the bank
can't connect the signing with the payment. The bank is protected
against forgery, the payee against the bank's refusal to honor a
legitimate note, and the user against false accusations and invasion
What prevents users from spending the same note twice? One obvious
method is checking the bank's signatures on-line against a database
of spent notes. For most systems, which handle high volumes of low-
value payments, this is too expensive. We've found better solutions.
Before accepting an off-line payment, the payee's equipment issues an
unpredictable challenge to which the user's equipment must respond
with some information about the note number. By itself, this
information discloses nothing about the user. But if the user spends
the note a second time, the information yielded by the next challenge
gives away his identity when the note is ultimately deposited. For
enhanced practical protection, smart cards can also be programmed to
prevent double spending at the moment it is tried.
We've devised a number of variations on these basic systems. For the
bank to issue users with enough separate electronic "coins" of
various denominations would be cumbersome in communication and
storage. So would a system that required payees to return change. To
sidestep such costs, we use an electronic "check"--a single number
that contains multiple denomination terms sufficient for any
transaction up to a prescribed limit, and to which the appropriate
value is assigned at payment time. What's more, the values of the
denomination terms can be made variable. In this way, users can
receive interest on their unspent checks, the bank can receive
interest on credit payments, and the same check can be spent in
Just as the form of electronic cash itself can be varied, so can the
hardware configurations needed to apply it. Rather than having their
accounts debited at a Bank, users can insert hard currency into
terminal equipment. The user's equipment can be an ordinary smart
card, a public-key-capable smart card, or a personal computer. We've
also developed a pocketable smart card "reader" with its own keypad,
display, and infra-red link.
(Documentation and technical details for these and other options
are available on request. Patents have been issued and are pending in
most major markets.)
About Our Company
DigiCash is headquartered in Amsterdam, on the national research
campus for exact sciences. This puts us next door to CWI (the
national center for research in mathematics and computer science),
several physics laboratories, a supercomputer center, and the
University of Amsterdam computer science faculty. We're also close to
several other young hi-tech companies.
Our location gives us capabilities beyond the ordinary. We draw on the
skills of the CWI Cryptography Group, one of the acknowledged world
centers of cryptographic expertise and invention. Our software
designers, ACM European Programming Contest champions, enjoy the
considerable resources available on campus. Likewise, our
award-winning hardware designers find specialized support for in-house
prototyping and testing.
And all these areas--cryptography, software, and electronics--are finely
integrated. We have demonstrated performance in each phase of payment
system development--from conception, through feasibility studies,
bread-boards, and prototypes, to production management.
Before anything else, we're creative, innovative, and flexible, and
we're growing fast. But we're also careful planners. We've taken care
to give the company a base as solid as the reputation of our research
team. That's because we want to drive the cutting edge of transaction
system technology for many years to come.
How We Work With You
We like to develop solutions jointly right from the start. And, as we
said before, we enjoy creating systems for new and challenging
applications. So if you see possibilities for electronic cash in your
firm's future, we invite you to explore those possibilities with
In the RSA public-key cryptosystem used for electronic cash, both
encryption and decryption are done by raising the message--here, the
note number--to a power that is the appropriate key. These
exponentiations are done in a modular arithmetic system: one that
saves only the result of division by a fixed number called a modulus.
(This modulus needs to be quite large, usually at least 150
When the system is set up, the key-making bank generates two large
primes p and q. Their product pq will be the
modulus of the exponentiations. The basis of the RSA system is the
x^(p-1)(q-1) = 1 (mod pq)
(provided x is divisible neither by p nor by q,
which possibility can safely be ignored).
Next, the keymaker chooses an e and d with
ed = 1 (mod (p-1)(q-1)),
where e will be its public key and d its private key.
Consequently, anything encrypted with d can be decrypted with
(x^d)^e = x (mod pq).
The keymaker disseminates the public key e to all users,
together with the modulus pq, while it of course never reveals
p, q, or the private key d.
Suppose a user wants the bank's signature on x, but does not
want the bank to find out what x is. This can be achieved with
a blind signature protocol, as follows:
- The user chooses a blinding factor r independently and
uniformly at random, and she presents the bank with
xr^e (mod pq),where x is the note number
to be signed.
- The bank signs it: (xr^e)^d =
rx^d (mod pq).
- The user divides out the blinding factor:
(rx^d)/r = x^d (mod pq).
- And finally, the user stores x^d, the signed note
that she will pay with later. Since r is random, the bank
cannot determine x, and thus cannot connect the signing with
the subsequent payment.
For more information contact:
tel +31 20 665 2611
fax +31 20 668 5486