The present invention relates to an electronic cash system which implements the use of electronic cash through utilization of a telecommunication system or smart card by a bank who issues the electronic cash, a customer or user who uses the electronic cash and a shop who receives the electronic cash from the user and settles an account with the bank.
An electronic funds transfer through a telecommunication system is now coming into common use. In general, a certificate which is refundable (such as a draft or check) has a symbolic function of its own (which guarantees its possessor to the rights stated thereon). When handled in the telecommunication system, the certificate is in the form of digitized data, which can readily be copied for conversion into money a plurality of times. This problem is encountered as well in the implementation of electronic cash such as a prepaid card because it can also be copied many times for abuse such as refund or purchase in the possessor's name.
Another method for the implementation of such an electronic cash system is to settle accounts later through use of an electronic ID card (such as an electronic credit card or electronic check). This method differs in the manner or form of use (settlement of accounts) from the real cash system but can be regarded as one kind of application or embodiment of electronic cash. With the electronic credit card, the use of a digital signature as a substitute for a handwritten signature allows electronic processing of all pieces of data involved and hence permits the transfer of information for settlement of accounts through telecommunication circuits. However, the most crucial problem of this system is that the privacy of the user is not ever guaranteed--the same is true of the current credit cards and checks. That is, an organization which issues credit cards and settles accounts is capable of acquiring users' purchase records.
On the other hand, it has been proposed by D. Chaum ("Security without Identification: Transaction Systems to Make Big Brothers Obsolete," Comm. of ACM. 28, 10, pp. 1030-1044, 1985) that the above-noted problems inherent with the prior art system could be solved by a combination of a blind digital signature scheme and an on-line check for each transaction at a shop (that is, the shop inquires on-line of a management center about the double usage or abuse of the user's blind digital signature). From the viewpoints of the processing time (or user's waiting time), the communication cost, the on-line processing cost and database maintenance and management cost at the management center and so forth, the above-said inquiry from the shop to the management center for each transaction is feasible on a small scale but cannot be said to be practical. It is therefore preferable that the procedure between the user and the shop at the time of payment of electronic cash be executed off-line, just as a salesperson verifies the validity of ordinary or real cash by the senses of sight and touch and performs local (off-line) processing accordingly.
Taking the foregoing into account, the criteria describing the ideal electronic cash system are as follows:
(a) Independence: The security of electronic cash cannot depend on any condition. Then, the cash can be transferred through networks.
(b) Security: The ability to copy (reuse) and forge the cash must be prevented.
(c) Privacy (Untraceability): The privacy of the user should be protected. That is, the relationship between the user and his purchases must be untraceable by anyone.
(d) Off-line payment: When a user pays electronic cash to a shop, the procedure between the user and the shop should be executed in an off-line manner. That is, the shop does not need to be linked to the host in the user's payment procedure.
(e) Transferability: The cash can be transferred to other users.
(f) Dividability: One issued piece of cash worth value C (dollars) can be subdivided into many pieces such that each subdivided piece is worth any desired value less than C and the total value of all pieces is equivalent to C.
The last two criteria (e) and (f) are naturally called for from the viewpoint of the handiness of electronic cash. The dividability (f) is a relatively severe criterion that even the real cash system cannot satisfy. That is, it is impossible to subdivide a hundred-dollar bill into 10 pieces each worth $10. This is the reason why we must hold many bills and coins in our wallets. On the other hand, the current prepaid card systems feature this function and trade on the handiness based thereon but do not satisfy the criteria (a), (b) and (c).
Recently there have been proposed some electronic cash systems which satisfy criteria (a), (b), (c) and (d). Of them, a system by Chaum et al. (D. Chaum, A. Fiat and M. Naor, "Untraceable Electronic Cash," the Proc. of Crypto '88, pp. 319-327, 1988) satisfies these four criteria but fails to satisfy criteria (e) and (f). Moreover, this system involves communication and processing of an appreciably large amount of information between the bank and the user upon each issuance of electronic cash. A system by Okamoto and Ohta (U.S. Pat. No. 4,977,595) satisfies criterion (e) in addition to the four criteria (a) through (d) and satisfies criterion (f) to some extent.
In the foregoing Okamoto and Ohta system the user obtains a blind signature of the bank to user information V_i generated from secret information S_i containing the user's identification (ID) in a raw form and holds the signed user information as a license B_i. When the user wants the bank to issue electronic cash, he obtains the blind signature of the bank to a set of k/2 pieces of authentication information X_i produced from k/2 pieces of random information R_i and the license B_i, and uses the thus signed information as electronic cash C. When the user pays with the electronic cash at a shop, he shows the k/2 pieces of authentication information X_i, k/2 pieces of user information V_i, the license B_i, etc. to the shop together with the electronic cash C and executes an authentication with interactive proof property by which the user makes a response Y_i to an inquiry E_i from the shop. The security of this method is based on the difficulty in the calculation of the higher degree roots. In the event that the user has committed invalid double usage of the electronic cash (that is, when the user has used twice the user information V_i and the authentication information X_i of the same group), two sets of different inquiries E_i and responses Y_i with respect to the user information V_i and the authentication information X_i of the same group are reported to the bank; so that the secret information S_i of the user can be obtained from the two sets of inquiries and responses, and hence the user's ID contained in the raw form in the information S_i can be specified.
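The double-usage detection described above can be sketched as follows. This is an added example, not code or formulas from the patent: it assumes Guillou-Quisquater-style relations (V = S^L, X = R^L, Y = R·S^E mod N) as a stand-in for the higher-degree-root protocol, and the modulus, exponent, ID encoding and function names are constructed toy values.

```python
# Added illustration; all parameters below are constructed toy values.
N = 1009 * 1013   # toy modulus; a real bank keeps the factors secret and uses a large N
L = 65537         # public prime exponent: S is an L-th root of V modulo N (assumption)

def user_info(s):              # V = S^L mod N, public user information
    return pow(s, L, N)

def auth_info(r):              # X = R^L mod N, authentication information
    return pow(r, L, N)

def respond(s, r, e):          # Y = R * S^E mod N, answer to the shop's inquiry E
    return r * pow(s, e, N) % N

def shop_verify(v, x, e, y):   # off-line check at the shop: Y^L == X * V^E (mod N)
    return pow(y, L, N) == x * pow(v, e, N) % N

def extract_secret(v, e1, y1, e2, y2):
    """Bank side: recover S from two answers that reuse the same X (same R)."""
    d = e1 - e2
    if d % L == 0:
        raise ValueError("identical inquiries reveal nothing")
    ratio = y1 * pow(y2, -1, N) % N   # equals S^(E1-E2); the reused R cancels out
    b = pow(d % L, -1, L)             # b*d = 1 (mod L), possible because L is prime
    a = (1 - b * d) // L              # hence a*L + b*d == 1 exactly
    return pow(v, a, N) * pow(ratio, b, N) % N   # S^(a*L + b*d) = S

def demo():
    user_id = 421
    s = user_id * 1000 + 337          # constructed secret: raw ID followed by padding
    r = 777777                        # random value that the user wrongly reuses
    v, x = user_info(s), auth_info(r)
    e1, e2 = 12345, 54321             # inquiries issued by two different shops
    y1, y2 = respond(s, r, e1), respond(s, r, e2)
    both_accepted = shop_verify(v, x, e1, y1) and shop_verify(v, x, e2, y2)
    recovered = extract_secret(v, e1, y1, e2, y2)
    return both_accepted, recovered // 1000   # (payments valid, ID read from S)
```

A single (E, Y) pair leaves S hidden behind the unknown R; only the second answer for the same X lets the bank cancel R and read the ID.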
With the system proposed by Okamoto and Ohta, it is necessary that after issuance of the electronic cash C the k/2 pieces of authentication information X_i corresponding to k/2 pieces of random information R_i be stored on, for example, a smart card together with the license B_i. Assuming, for example, that the amounts of data necessary for one piece of authentication information X_i and the license B_i are each 64 bytes and k/2=20, then the above system requires as large a storage capacity as 64 × 21 bytes for only these pieces of information.
In the Okamoto-Ohta system, an electronic coupon ticket is also proposed, in which one piece of electronic cash can be subdivided into many pieces whose values are all equivalent. In this system, however, if the user pays for an article with cents, the store receives an enormous number of one-cent electronic coupon tickets from the user. For example, when the price of the article is $356.27, the store receives 35,627 electronic coupon tickets, where the data size of each ticket is several bytes. Thus the store receives about 200 megabytes of data for the transaction of just one article--this is utterly impractical.