1. Field of the Invention
The invention relates to electronic payment systems.
2. Description of the Related Art
Electronic payment systems are intended to provide an adequate means of payment for effecting transactions via open communication nets. Besides the degree of security and reliability, the cost of servicing, the rapidity of performing main operations, etc., an important characteristic of a payment system is the protection of the user's privacy. A user's privacy implies that nobody, not even the payment system operator, can control the user's purchases. One way of protecting privacy in electronic payment systems is to make purchases with digital data that confirm solvency but do not lead to the identification of the payer. Such data are sometimes called electronic cash. However, electronic cash, like any digital data, can easily be copied, so care must be taken to prevent multiple spending of electronic cash.
In certain payment systems, multiple spending is prevented by payer devices (S. Brands, Untraceable Off-Line Cash in Wallets with Observers, Advances in Cryptology CRYPTO '93, Springer-Verlag, pp. 302-318). For reliable prevention of multiple spending, such payer devices must be tamper-resistant, i.e., they must prevent unauthorized access to the data contained in the payer device. The deficiency of systems using this approach is that they are extremely unstable: penetration into one payer device can lead to disastrous effects for the entire system, because the data contained in the payer device allow one to spend arbitrary amounts of unpaid electronic cash. Known tamper resistance technologies are not sufficiently dependable to thwart such a risk.
Electronic payment systems which do not rely on tamper resistance of payer devices must ensure, in particular, that one cannot forge payment certificates, i.e., digital data confirming the payer's solvency. Forgery is prevented by cryptographic methods, namely, by the payment system operator's digital signature. Numerous examples of digital signatures are described in the books: B. Schneier, Applied Cryptography: Protocols, Algorithms, and Source Code in C, John Wiley & Sons, New York, 2nd edition, 1996 and A. J. Menezes, P. C. van Oorschot, S. A. Vanstone, Handbook of Applied Cryptography, CRC Press, 1997.
Electronic payment systems in which the impossibility of forgery of payment certificates is ensured by the payment system operator's digital signature can be classified into offline and online ones. In offline payment systems, the moment of receiving the money by a payee is the moment of successful verification by the payee of the payment certificates provided by the payer as a payment. An advantage of such systems is that the transfer of money from payers to payees can be performed without any third party. Here, to prevent the multiple spending of payment certificates, the payer's identifier is included in payment certificates in a concealed form, and the identifier of the payer having committed multiple spending can be disclosed. The deficiency of this method is that it does not prevent the multiple spending of payment certificates, and only allows one to detect such spending and to make a certain payer responsible for it. Thus, if the cheater is out of reach, then the payment system operator will incur losses. In addition, an honest payer's reputation can suffer if a cheater has gained information on his payment certificates and used such a certificate. Several offline payment systems are known. For example, a system of this type is described in the patent: T. Okamoto, K. Ohta, Electronic cash system, U.S. Pat. No. 5,224,162, 8 Jun. 1992.
In an online payment system, the payee turns to the payment system operator for verification of each payment. In this case, to prevent multiple spending the payment system operator stores information on the payment certificates used earlier, and if a payment is performed with the help of a certain payment certificate, the operator checks whether the certificate has already been used before.
Known in the prior art is a method for effecting payments (Untraceable electronic cash, U.S. Pat. No. 5,768,385, 16 Jun. 1998) in which the payer receives from the bank digital signatures of payment certificates, called electronic coins, which he can use both for exchange for new electronic coins, and for payment. Here, the bank does not know which of the two modes is used by the payer, which fact promotes untraceability of payments. Further, the multiple spending of electronic coins is prevented by the payee's online verification of the received electronic coins in the bank. However, the known method does not provide complete untraceability of a participant of the system if he is mostly a payer and not a payee, because the electronic coins given to such a participant and produced by the shop for exchange are evidence, generally speaking, that the participant made a payment to the shop.
Known in the prior art is a method for effecting payments (D. Chaum, Security Without Identification: Transaction Systems to Make Big Brother Obsolete, Communications of the ACM, vol. 28, no. 10, October 1985, pp. 1035-1038) which is the closest analog of the present invention and is chosen by the applicant as the prototype. In the known method, a client pays with payment certificates, called electronic coins, whose signatures he receives from the bank. Here, the collection of possible nominal values is fixed in advance, and for each possible nominal value of an electronic coin the bank creates a secret and a public money key. To obtain an electronic coin the payer chooses the number of the coin with the help of a random number generator, obtains a blind digital signature on the chosen number from the bank willing to credit the payer with the corresponding amount of money, and takes said digital signature as the signature of the payment certificate, which can also be called the payment certificate signature. During the payment, the payer transfers to the payee a collection of electronic coins, after which the payee verifies their validity and sends the received coins to the bank for depositing to his account. The bank verifies the validity of the electronic coins and credits the payee's account with the corresponding amount if the coins have not already been used. To control the coins already used, the bank stores the list of the numbers of used coins, the expiration dates contained in the numbers of the coins allowing the bank to delete old numbers from the list. The deficiencies of the known method are that the bank's reputation is not protected against dishonest clients, and a client's money is not protected against a dishonest bank, because a dishonest client having received the bank's refusal to acknowledge an already used certificate for the second time can accuse the bank of cheating.
In turn, a dishonest bank having received a certificate for verification may claim that the certificate has already been used before. In addition, the bank has to store information on each of the used certificates in databases with sufficiently fast access, which leads to a rapid growth of the bank's databases and to the necessity of employing expiration dates for certificates. Furthermore, in the known method the payment amount is an integral combination of nominal values of coins, which fact either limits the range of payments, or leads to the growth of the number of the coins used in payments, which also leads to the growth of the bank's databases and slows down the payments.
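The withdrawal, payment and online deposit steps of the known method described above can be sketched as follows. This is an added example, not code from the cited paper or from the applicant. It assumes an RSA blind signature over a SHA-256 hash of the coin number, a single nominal value of one unit, and a toy-sized key; the names Bank, withdraw, coin_hash and shop_accepts are hypothetical.

```python
import hashlib, math, secrets

# Toy RSA money key for one nominal value (constructed; far too small for real use).
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537                      # public money key
D = pow(E, -1, (P - 1) * (Q - 1))        # bank's secret money key

def coin_hash(number):
    # Assumption: the signed message is SHA-256(coin number) reduced mod N.
    digest = hashlib.sha256(number.to_bytes(16, "big")).digest()
    return int.from_bytes(digest, "big") % N

class Bank:
    """Online operator: signs blinded values, keeps the list of used coin numbers."""
    def __init__(self):
        self.used, self.accounts = set(), {}

    def sign_blinded(self, payer, blinded):
        # Debit the payer one unit; the bank never sees the coin number itself.
        self.accounts[payer] = self.accounts.get(payer, 0) - 1
        return pow(blinded, D, N)

    def deposit(self, payee, number, sig):
        if pow(sig, E, N) != coin_hash(number):
            return "invalid"
        if number in self.used:          # online multiple-spending check
            return "already used"
        self.used.add(number)
        self.accounts[payee] = self.accounts.get(payee, 0) + 1
        return "credited"

def withdraw(bank, payer):
    """Payer: choose a random coin number, blind it, unblind the bank's signature."""
    number = secrets.randbits(128)
    r = secrets.randbelow(N - 2) + 2     # blinding factor, must be invertible mod N
    while math.gcd(r, N) != 1:
        r = secrets.randbelow(N - 2) + 2
    blinded = coin_hash(number) * pow(r, E, N) % N   # the only value the bank sees
    sig = bank.sign_blinded(payer, blinded) * pow(r, -1, N) % N
    return number, sig, blinded

def shop_accepts(number, sig):
    """Payee-side validity check before forwarding the coin to the bank."""
    return pow(sig, E, N) == coin_hash(number)

if __name__ == "__main__":
    bank = Bank()
    n, s, _ = withdraw(bank, "payer")
    print(shop_accepts(n, s), bank.deposit("shop", n, s), bank.deposit("shop", n, s))
```

The "already used" verdict rests solely on the bank's own list, so neither party can prove its claim to a third party; this is the dispute problem the text attributes to the known method.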
Known in the prior art is an apparatus for effecting payments (T. Okamoto, K. Ohta, Method and apparatus for implementing electronic cash, U.S. Pat. No. 4,977,595, 11 December 1990), chosen by the applicant as the prototype.
The known apparatus for effecting payments consists of a payer device, a shop, and a bank, connected via telecommunication nets, the payer device having a means for replenishing the payer device by obtaining the blind money signature of the bank, and the bank having a means for producing the money signature. In addition, the shop contains a means for offline verification of payment certificates, and the bank contains means for exposure of a cheater if he multiple-spends the bank's obligation.
The deficiency of the known apparatus for effecting payments is that it does not prevent the multiple spending of payment certificates, and only allows one to detect such spending and to make a certain payer responsible for it. Another deficiency of the known apparatus for effecting payments is that it works slowly, which is caused by the large size of the data transmitted via communication nets.