1. Field of the Invention
The present invention relates to a digital payment transaction system.
2. Related Art
With the growth and commercialisation of the Internet, there has been an increasing need for technologies to allow payments to be made on-line. For transactions of relatively high financial value this need is adequately met, for example, by systems using electronic cheques issued by a trusted party such as a bank. Such electronic cheques are typically validated by a signature which is encrypted using a public key algorithm. There is however a significant computational overhead associated with the use of such algorithms. Therefore, just as in real life a cheque is unlikely to be acceptable for a purchase of small value because of the associated transaction costs, so also in electronic commerce, electronic cheques are not suitable for payments of low value.
A number of proposals have been made for alternative transaction systems suitable for making the so-called xe2x80x9cmicropaymentsxe2x80x9d required by low-value transactions. One promising approach uses a chain of hash functions to generate a series of digital payment tokens from a secret random or pseudo-random number. A series of digital payment tokens which is generated in this way is known as a coin stick. The hash function is a transformation which takes a variable size input m and returns a fixed length string h which is termed the hash value. When used for cryptographic purposes, such as the payment system of the present invention, the hash function is chosen to be a one-way function: that is to say, given a hash value h it is computationally infeasible to work out the input value m.
According to a first aspect of the present invention, there is provided a method of operating a digital payment transaction system comprising
a) at a first party, (xe2x80x9cthe brokerxe2x80x9d) generating a digitially encoded secret number
b) storing at the first party the secret number
c) communicating to a second party (xe2x80x9cthe userxe2x80x9d) the digitally encoded secret number, or a number derived therefrom
d) generating a hash chain of values which are derived from the secret number
e) communicating digitally encoded values from the hash chain from the second party to a third party (xe2x80x9cthe vendorxe2x80x9d) in payment, which third party is selected from a multiplicity of potential vendors.
The first aspect of the present invention provides for the first time a method of using a coin stick between three or more parties. This greatly increases the flexibility in operation of the transaction system, and makes it suitable, for example, for use in on-line trading with a multiplicity of vendors.
In operation, the user may be issued with the secret random number by a bank. This forms the beginning of the hash chain. The user then uses a publically known hash function to operate on the serial number to produce a first hash value, and then operates on the first hash value with the hash function to produce a second hash value, and so on. The process is repeated a set number of times, say ten times, to produce a number of hash values corresponding to a number of units, each having a predetermined value. To transfer a payment, for example to a vendor who operates an on-line service, the user communicates to the vendor the value at the end of the hash chain, that is in this example the result of the tenth hash operation. The vendor validates this value by returning it to the issuing bank. Using the hash function, the bank checks that the value is that expected for the tenth hash value generated from the relevant random secret number. The bank confirms to the vendor the validity of the value. Then if the user wants to transfer, for example, three units of value, it communicates to the vendor the hash value three steps back along the hash chain, that is, in this example, the result of the seventh of operation of the hash function. The vendor is now able to validate this hash value without further communication with the bank, simply by operating on the transferred hash value with the hash function. The one-way nature of the hash function ensures that the vendor, despite knowing the value at the end of the chain, is not able to generate values preceding those which have been transferred by the user.
According to a second aspect of the present invention, there is provided a method of operating a digital payment transaction system comprising
a) at a first party, (xe2x80x9cthe brokerxe2x80x9d) generating a secret number
b) storing at the first party the secret number
c) generating at the first party a first hash chain of values which are derived from the secret number by successive operations of a hash function
d) communicating to a second party (xe2x80x9cthe userxe2x80x9d) a digitally encoded value from the chain of hash values
e) generating at the second party a second hash chain of values which are derived from the value communicated by the first party in step (d)
f) communicating digitally encoded values from the said second hash chain to a third party (xe2x80x9cthe vendorxe2x80x9d) in payment
g) subsequently communicating to the second party from the first party a value in the said hash chain which precedes the value originally communicated in step (d).
This aspect of the present invention provides a transaction system in which, despite the one-way nature of the hash function, value can be transferred to the user of an existing coin stick, as well as value being transferred from the user. This makes it possible, for example, for a vendor to make a refund to the user, without it being necessary for the user to have a merchant relationship with a bank. Alternatively this capability can be used to top up a coin stick following further payment to the bank by the user without incurring the processing and communication overheads which would be associated with the generation of a new coin stick. The value potentially available to the user is effectively determined by the difference between two values held as two pointers, one at the party that issues the coin stick (termed xe2x80x9cthe brokerxe2x80x9d) and one at the user, rather than being determined by a single pointer which corresponds simply to the number of unspent values in the hash chain. The value actually available at any instant corresponds to the difference between the highest pointer held by the user and the highest sofar revealed to a vendor. To refund value to the user, the vendor agrees with the broker to forgo its right to some of the value it has revealed to the broker, the broker moves its pointer, which corresponds to the value revealed to the user back down the hash chain, and issues to the user a value which precedes the hash value which was originally communicated in step (d). This results in there being additional units of value which are available to the user for payment to the vendor.
Preferably the payment transaction system is a pre-paid system in which, in step (d), the value from the hash chain is issued in return for payment by the second party to the first party.
Preferably at least two of the first, second and third parties are all located remotely from each other, and digitally encoded hash values are communicated between the parties via a communications network which links the parties. Preferably the communications network uses Internet protocols.
As discussed in the introduction above, the present invention particularly addresses the needs of on-line trading, for example over the Internet. As a result of the reduced communication overheads which it offers, its use is particularly advantageous in this context. The invention is not however limited to use in this way and might also be used, for example, in transactions carried out with a payment card and an electronic terminal which reads the payment card.
According to a third aspect of the present invention there is provided a payment server for use in a digital payment transaction system, comprising:
a) means for generating a secret number;
b) a store for storing the secret number;
c) means for generating a chain of hash values from the secret number by successive operations of a hash function;
d) means for issuing to a user a value from the said chain of hash values; and
e) means responsive to a request from the user or from another party for issuing to the user another value from the said hash chain of values which precedes the value originally issued in step (d).
According to a fourth aspect of the present invention there is provided a method of operating a digital payment transaction system including issuing to a user a plurality of different hash chains corresponding to different monetary denominations. This aspect may advantageously be combined with the method of one or more of the other aspects of the invention, but may also be used independently of those other aspects.
According to a fifth aspect of the present invention, there is provided a method of operating a digital payment transaction system comprising
a) at a first party, (xe2x80x9cthe brokerxe2x80x9d) generating a digitially encoded secret number
b) storing at the first party the secret number
c) communicating to a second party (xe2x80x9cthe userxe2x80x9d) the digitally encoded secret number, or a number derived therefrom
d) generating a hash chain of values which are derived from the secret number
e) communicating digitally encoded values from the hash chain from the second party to a third party (xe2x80x9cthe vendorxe2x80x9d) in payment, which third party is selected from a multiplicity of potential vendors;
f) subsequently selecting another one of the multiplicity of potential vendors and communicating one or more further values from the hash chain generated in step (d) to the said other one of the multiplicity of potential vendors.
This aspect of the invention may be combined with the preceding aspects, but may also be used independently of them. It enhances the flexibility in use of the coin sticks by allowing the user to switch between different vendors. It is particularly preferred that when the switch between users takes place, that the responsibility for alerting the broker should lie with the new vendor.
Preferably the number of potential vendors available for selection is greater than or equal to 500, and more preferably is greater than or equal to 1000.
Another significant feature of the present invention is its scalabilty to large scale systems with many vendors.