Electronic money

    Although “ electronic money ” is far from a new term, it just so happened that they have not yet found wide practical application. Research in this direction has been ongoing since 1989, but it has still not been possible to develop an ideal system that meets all the requirements for it. And so, relatively recently, in the open publications appeared article (and here ), describing the idea of building new ones - " compact electronic money ". It seemed very interesting to us, and we would like to tell a little about it. In order not to burden the presentation with many technical details, we will try to briefly describe the device, system features and indicate the risks.

    What is it?

    Immediately, we note that electronic money is not a payment order - it is an impersonal means of payment , as well as paper money. They do not indicate the personal data of the owner or his account number, that is, nothing but the face value. They have their own value.

    In any electronic money, the atomic unit of payment is an electronic coin . It, like a paper bill, contains the serial number and EDS of the bank, certifying its authenticity. Also, a coin may contain some additional information, depending on the system. For example, a different denomination, if the system uses coins of various denominations. The "electronic weight" of the coin is 200 bytes.

    One of the features of this system is "compactness". Electronic coins are combined into small "wallets", for example, 100 coins. The wallet contains initialization values ​​for its hundreds of coins. And it weighs about 250 bytes. This allows not only to store coins more efficiently, but also to make payments: you can pay with a whole ("unopened") wallet instead of paying 100 coins in succession . The target device for storing electronic money of this system can be considered not only a PDA or communicator, but also smart cards.

    How it works.

    The user has a personal bank account.
    1. Having connected to the bank via the Internet or the terminal, the user authenticates to access the account and asks for the required amount.
    2. The user himself generates the necessary electronic wallets containing initialization values ​​for future serial numbers (for 100 coins), encrypts the wallets using the “ blind signature ” algorithm and sends them to the bank.
    3. The Bank makes sure that the wallet is correctly (legitimately) compiled.
    4. The bank cannot find out the initialization value of the wallet for serial numbers, but it can introduce an accident in it so that the user does not “pick up” serial numbers. After that, the bank signs the accepted wallet, certifying its authenticity, and sends it back to the user.
    From this moment, the user has cash in electronic form stored on the medium. It is worth noting that the wallet is “tied” to the user's private key, without knowing which it will not be possible to spend this money. The bank does not know what serial numbers went to the user.

    The seller , knowing only the public key of the bank, can independently verify the authenticity of electronic coins. Thus, the payment can be made without connecting to the bank. In each step of the payout protocol:
    1. The seller sends each time a different “ question ” (random number) to the buyer.
    2. Using this “ question ”, the seller’s public key, his private key, bank signature and the generated serial number, the buyer forms a coin from the wallet and sends it to the seller. Only now the coin is assigned its serial number and becomes open, which ensures the anonymity of the user.
    3. The seller makes sure that the coin was formed correctly, and if successful, accepts it.
    In fact, three lower-level protocols are used for efficiency: payment of 1 coin, payment of N coins and payment of an “unopened” wallet (100 coins). But they are identical. In the case of online settlement, the seller simply acts as a proxy, i.e. redirects coins to the bank and receives a notification of the result of their transfer.

    It is imperative that in these protocols the user does not forward his public key, i.e. the seller does not know anything about the identity of the buyer. Also, the accepted coins are “tied” to the seller’s private key, and only he can deposit them into his account:
    1. The seller sends the received electronic coins to the bank along with the corresponding “ questions ” (random numbers of payment protocols).
    2. The bank, making sure that the seller has not used this random number before, checks the coins in the same way as the seller did.
    3. Next, the bank scans the database for the presence of coins with the same serial number. If a coin is discovered, then ... due to the fact that the coins were formed in response to different "questions" - they have a different idea. It is guaranteed that if there was an illegal copying, the fact of re-paying with a used coin will allow the bank to identify the owner of this coin. Although, if a coin falls into the bank in a single copy, the bank will not know absolutely anything about who spent it, as well as the seller. This ensures complete anonymity for law-abiding users and the identification of fraudsters (those responsible for copying) is inevitable.

    System Features

    1. The compact storage of coins allows you to have enough cash with you for everyday expenses. Even on smart cards.
    2. At the same time, the possibility of online / offline payment is achieved , while cryptographic methods ensure complete anonymity of the system users.
    3. Even when interacting via open communication channels, the cash intercepted from the user or seller cannot be spent or deposited into one’s account without knowing the secret key.
    4. In the implementation on the PDA, the user controls the amount of money paid, unlike a credit card.
    5. Digital storage of cash allows you to make backup copies of electronic money in case of loss of media.
    6. Public-key cryptography requires significantly more computing resources and time-consuming hacking / counterfeiting compared to falsification of paper cash.


    It is clear that a bank account can always be blocked, thus, preventing the possibility of withdrawal from the account. But a more serious risk is anonymous copying and payment, being offline. Even worse, if an unknown person somehow takes possession of someone else's smart card with a PIN code. Such at the current stage of development of electronic money is the price paid for efficiency. Suggested solutions:
    1. Since the database of coins should not grow indefinitely, the need to add a time parameter to the wallet is obvious. Coins withdrawn from the account more than a year ago require updating or depositing back to the account, and coins withdrawn more than a month (another period chosen by the user) are not accepted back for offline payments. In an online payment, a bank in the database can, regardless of the past month, determine whether a copy of the coin was made or not, and accept it. And the attacker will have a strictly limited time period to take advantage of the situation.
    2. The risks for offline mode are quite difficult to calculate at the moment. Therefore, while it is expected that payments in this mode will be made in a limited segment of payments: public transport, newsstands, places of small cafes, etc.
    A small remark. The identification of the user who made the copy is not only a scam calculation mechanism, but also the basis for backing up cash. Suppose a user made a backup copy of the entire wallet of 600 coins, and then spent 47. Returning home after another mobile phone, the user will restore the same 600 coins. Obviously, 47 coins are superfluous. In subsequent payments, the bank will easily determine these copies and write them off from the user's account. Balance restored.

    For live experiments , we implemented a test prototype of such a payment system with the parameters of “ combat ” cryptography in order to take a look at it in the work. Paying out 4999 coins with a PDA via Bluetooth takes about 10 seconds .


    The system is not perfect, but already offers new functionality. Do you think anonymous electronic money is needed? Will this happen in the future? Or is everyday paper money more reliable for everyday payments? We would be grateful to hear your opinion.

    PS If the "multi-book" is excusable, and it will be interesting, then with pleasure we will cover the points of interest in detail ...

    Also popular now: