Efficient electronic money
First Claim
1. A method for performing an electronic cash transaction comprising the step oftransmitting via a communications link from a first electronic coin processing unit to a second electronic coin processing unit an electronic coin comprising a linkage of a public key of a party and a random element, said linkage being signed using a secret operation of a public key cryptographic system, wherein said public key has the form
where Pi is a public El Gamal Key of a party i, Si is a secret El Gamal Key of the party i which includes an identity Ii of the party i, and p and α
.sup.Si mod p
are publicly known numbers, andwherein said random element has the form u.tbd.α
r mod p, where r is a random number chosen by the party i.
10 Assignments
0 Petitions
Accused Products
Abstract
A unique electronic cash system protects the privacy of users in legitimate transactions while at the same time enabling the detection of a double spender of the same electronic coin. The electronic cash system takes advantage of a unique property of El Gamal signatures to achieve these results.
-
Citations
51 Claims
- 1. A method for performing an electronic cash transaction comprising the step of
transmitting via a communications link from a first electronic coin processing unit to a second electronic coin processing unit an electronic coin comprising a linkage of a public key of a party and a random element, said linkage being signed using a secret operation of a public key cryptographic system, wherein said public key has the form - space="preserve" listing-type="equation">P.sub.i =α
.sup.Si mod p
where Pi is a public El Gamal Key of a party i, Si is a secret El Gamal Key of the party i which includes an identity Ii of the party i, and p and α
are publicly known numbers, andwherein said random element has the form u.tbd.α
r mod p, where r is a random number chosen by the party i.- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- space="preserve" listing-type="equation">P.sub.i =α
-
17. A method for detecting the double spending of a particular electronic coin in an electronic coin system where each of the coins comprises a certified linkage of a public key of a user and a random element,
said method comprising the steps of a) storing in a memory a list of coins and El Gamal family signatures on messages obtained using the public keys and random elements in the coins, b) using an electronic processor, comparing said particular coin to the coins on the list, and c) if said particular coin and a coin on said list match, using a particular El Gamal family signature of said particular coin on a particular message and the El Gamal family signature and message of said coin on said list to identify a double spender.
-
20. A method for performing a payment using an electronic coin system comprising the steps of
a) transmitting an electronic coin from a money module belonging to user i to a money module belonging to user j, said electronic coin comprising a certified linkage of a public key Pi of the user i in which there is embedded the identity Ii of the user i and a random value u chosen by the user i, b) transmitting a message m from said money module of said user j to the money module of the user i, c) utilizing a processor in the money module of the user i, generating an El Gamal family signature s of the message m using Pi and u, d) transmitting the signature s to the money module of the party j, and e) verifying said signature s at the money module of the party j and storing the coin at a memory in the money module of the party j.
-
28. A method for processing an electronic coin at a bank station containing a processing unit and a memory comprising the steps of:
-
a) receiving at said bank station a particular electronic coin comprising a certified linkage of a public key Pi of a party i, and a random value u chosen by the party i, b) using said processing unit at said bank station, comparing said particular coin to a list of electronic coins maintained by said bank in said memory, and c) if said coin matches a coin in said list, using a message m and an El Gamal family signature s on the message m obtained using Pi and u of said particular coin, and an El Gamal family signature and corresponding message associated with said coin on said list to identify a double spender. - View Dependent Claims (29, 30, 31, 32)
-
- 33. A method for electronically withdrawing an electronic coin from a bank comprising the steps of
a) using a processor of a user, performing a blinding operation to blind a candidate linkage, which blinded candidate linkage includes a public key of the user and a random element, b) transmitting via a communication link from the user to the bank the identity of the user and the blinded candidate linkage, c) transmitting from the user to the bank an indication to said bank that the public key of the user has an identity of the user embedded therein without revealing the public key of the user to the bank, d) utilizing a processor at said bank, signing said blinded candidate linkage using a secret key of said bank and transmitting the signed blinded candidate linkage to said user, and e) at said user, generating a coin from the signed blinded candidate linkage, wherein said public key is of the form - space="preserve" listing-type="equation">P.sub.i .tbd.α
.sup.Si mod p,
where Si is a secret key of the user i and includes the identity Ii of the user i, α and
p are publicly known numbers and said random element is of the form u=α
r mod p where r is a random chosen number. - space="preserve" listing-type="equation">P.sub.i .tbd.α
-
34. A method for certifying a public key of a user of an electronic cash system comprising the steps of
a) utilizing an electronic processor of a user, performing a blinding operation on a candidate certificate to generate a blinded candidate certificate, said blinded candidate certificate including a public key of a user i of the form Pi .tbd.α -
Si mod p, where Si is a secret key of the user i containing an identity Ii of the user i, and α and
p are publicly known numbers,b) transmitting via a communication link, said blinded candidate certificate to a certificate authority, c) transmitting via said communication link an indication to said certificate authority that Pi contains Ii without revealing Pi to the certificate authority, d) utilizing a processor at said certificate authority, signing said blinded candidate certificate using a secret key of said certificate authority and transmitting the signed blinded candidate certificate to said user i, and e) at said user i, generating a certificate from said signed blinded candidate certificate. - View Dependent Claims (35)
-
Si mod p, where Si is a secret key of the user i containing an identity Ii of the user i, and α and
-
36. A method for refreshing a certificate of a public key of a user in an electronic cash system comprising the steps of:
-
(a) transmitting from a user i to a certificate authority an old certificate of an old public key Pi that includes an identity Ii of the user i, (b) at the user i, using an electronic processor, selecting a new public key Pi '"'"' including the identity Ii, and forming a blinded candidate refresh certificate including said new key Pi '"'"', (c) transmitting from said user i to said certificate authority said blinded candidate refresh certificate, (d) transmitting to said certificate authority an indication that Pi '"'"' contains the same Ii as Pi without revealing Pi to said certificate authority, (e) utilizing an electronic processor at said certificate authority, signing said blinded candidate refresh certificate using a secret key of the certificate authority and transmitting the signed blinded candidate refresh certificate to the user i, and (f) at said user i, generating a refresh certificate from said signed blinded candidate refresh certificate. - View Dependent Claims (37)
-
- 38. An electronic coin that can be transmitted via a communications link and stored in an electronic memory and comprising a certified linkage between a public key Pi of a party i and a random element chosen by the party i, the identity Ii of the party i being embedded in the discrete log of the public key and being exposed when there is double spending of the coin.
-
42. An electronic coin that can be transmitted via a communications link between a first electronic coin processing unit and a second electronic coin processing unit and comprising a certified linkage of a public key Pi .tbd.α
-
Si mod p of a user i, where Si is a secret key of the user i and includes the identity Ii of the user i and α and
p are public numbers, and a random element. - View Dependent Claims (43, 44)
-
Si mod p of a user i, where Si is a secret key of the user i and includes the identity Ii of the user i and α and
-
45. A public key cryptographic method comprising the steps of:
-
(a) selecting a cryptographic key for a user i, said cryptographic key containing specific predetermined information, (b) at a certificate authority, using an electronic processor, certifying that said cryptographic key contains said specific predetermined information, (c) transmitting via a communication link a certificate of said cryptographic key to said user i, and (d) utilizing said certified public key by said user i in a plurality of real time cryptographic transactions. - View Dependent Claims (46, 47, 48, 49)
-
-
50. An electronic money exchange transaction comprising the steps of
(a) transmitting an old electronic coin having a specific monetary value from a user j to a bank via a communications network, said user j having received said electronic coin from another user i, (b) verifying said coin using an electronic processor at said bank, (c) at said bank, using said electronic processor, generating a certified linkage of a public key of said user j and a random element known to said user j and transmitting said certified linkage to said user j via said communications network.
Specification