Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright 1996 RSA Data Security, Inc. All rights reserved.Revised 1/1/96 PayWord and MicroMint: Two Simple MicroPayment Schemes Ronald L. Rivest (MIT)

Published byElijah Davis Modified over 9 years ago

Similar presentations

Presentation on theme: "Copyright 1996 RSA Data Security, Inc. All rights reserved.Revised 1/1/96 PayWord and MicroMint: Two Simple MicroPayment Schemes Ronald L. Rivest (MIT)"— Presentation transcript:

1 Copyright 1996 RSA Data Security, Inc. All rights reserved.Revised 1/1/96 PayWord and MicroMint: Two Simple MicroPayment Schemes Ronald L. Rivest (MIT) Adi Shamir (Weizmann)

2 Copyright 1996 RSA Data Security, Inc. All rights reserved.Revised 1/1/96 OutlineOutline Micropayments: Framework and Motivation Micropayments: Framework and Motivation PayWord: a credit-based scheme using chains of hash values (or paywords ): w 0 w 1 w 2 w 3... PayWord: a credit-based scheme using chains of hash values (or paywords ): w 0 w 1 w 2 w 3... MicroMint: digital coins as k -way hash function collisions: x 1 x 2 x 3 x 4 y MicroMint: digital coins as k -way hash function collisions: x 1 x 2 x 3 x 4 y Conclusions Conclusions

3 Copyright 1996 RSA Data Security, Inc. All rights reserved.Revised 1/1/96 MicropaymentsMicropayments Payment scheme for low-value transactions, such as 1¢ per web page access Payment scheme for low-value transactions, such as 1¢ per web page access Too small for credit-card “macropayments” (which may incur fee of 29 ¢ + 2%) Too small for credit-card “macropayments” (which may incur fee of 29 ¢ + 2%) Public-key crypto relatively expensive: RSA sign (private key)2 / sec RSA verify (public key)200 / sec Hash function20000 / sec Public-key crypto relatively expensive: RSA sign (private key)2 / sec RSA verify (public key)200 / sec Hash function20000 / sec

4 Copyright 1996 RSA Data Security, Inc. All rights reserved.Revised 1/1/96 MicropaymentsMicropayments Some advanced features, such as anonymity, are probably just too expensive to implement in a micropayment scheme. Some advanced features, such as anonymity, are probably just too expensive to implement in a micropayment scheme. With light-weight schemes, one must be pragmatic about fraud and abuse: the goal should be effective risk management, rather than total prevention. “Bad apples” can be detected and eliminated from the system. With light-weight schemes, one must be pragmatic about fraud and abuse: the goal should be effective risk management, rather than total prevention. “Bad apples” can be detected and eliminated from the system.

5 Copyright 1996 RSA Data Security, Inc. All rights reserved.Revised 1/1/96 MicropaymentsMicropayments Introduce Broker to intermediate and aggregate: Introduce Broker to intermediate and aggregate: Broker Vendor User 1. Obtain authorization or coins 2. Purchase information from vendor; pay. 3. Redeem payments Banks and Credit-card companies (Inner loop)

6 Copyright 1996 RSA Data Security, Inc. All rights reserved.Revised 1/1/96 Efficiency Goals Try to minimize use of public-key operations. Try to minimize use of public-key operations. Try to keep Broker “off-line” as much as possible. Try to keep Broker “off-line” as much as possible. Make inner loop (purchase/payment) efficient, especially for repeated small purchases. Make inner loop (purchase/payment) efficient, especially for repeated small purchases.

7 Copyright 1996 RSA Data Security, Inc. All rights reserved.Revised 1/1/96 PayWordPayWord

8 PayWord Chains w 0 w 1 w 2 w 3... w n w 0 w 1 w 2 w 3... w n Easy for User to create a chain of length, say, n = 1000 for a vendor using h = MD5, by starting with w n. Easy for User to create a chain of length, say, n = 1000 for a vendor using h = MD5, by starting with w n. User commits (signs with RSA) “root” w 0 over to Vendor. User commits (signs with RSA) “root” w 0 over to Vendor. User makes successive 1¢ payments by revealing “paywords” w 1, w 2,... in turn. User makes successive 1¢ payments by revealing “paywords” w 1, w 2,... in turn. Vendor redeems commitment, and last payword received, with Broker. Vendor redeems commitment, and last payword received, with Broker. hhhhh

9 Copyright 1996 RSA Data Security, Inc. All rights reserved.Revised 1/1/96 PayWord Certificate Broker gives User a signed “certificate” C U good for one month authorizing User to make PayWord chains. Broker is extending credit to User. Broker gives User a signed “certificate” C U good for one month authorizing User to make PayWord chains. Broker is extending credit to User. C U = {Broker, User, User’s IP Address, PK U, expiration-date, limits, etc.} SKB where PK U = User’s Public RSA Key. C U = {Broker, User, User’s IP Address, PK U, expiration-date, limits, etc.} SKB where PK U = User’s Public RSA Key. Certificate authorizes delivery of goods only to specified Internet address. Certificate authorizes delivery of goods only to specified Internet address.

10 Copyright 1996 RSA Data Security, Inc. All rights reserved.Revised 1/1/96 PayWord Commitment User commits root w 0 to Vendor by signing a commitment message M UV : M UV = {User, Vendor, w 0, C U, expiration-date } SKU User commits root w 0 to Vendor by signing a commitment message M UV : M UV = {User, Vendor, w 0, C U, expiration-date } SKU Commitment contains User’s certificate C U. Commitment contains User’s certificate C U. User commits to PayWord chain for, say, one day. User commits to PayWord chain for, say, one day. Note that Broker is not directly involved. Note that Broker is not directly involved.

11 Copyright 1996 RSA Data Security, Inc. All rights reserved.Revised 1/1/96 PayWordPayWord Basic PayWord information flow. Note that Broker is off-line except for issuing monthly certificate and final redemption. Basic PayWord information flow. Note that Broker is off-line except for issuing monthly certificate and final redemption. Broker Vendor User (1) Certificate C U (2) Goods (2) Commitment M UV, w 1 (first payment) w 2 (second payment)... w 20 (20th payment) (3) M UV, w 20

12 Copyright 1996 RSA Data Security, Inc. All rights reserved.Revised 1/1/96 PayWord Costs One signature by Broker / user / month ( C U ) One signature by Broker / user / month ( C U ) One signature by User / vendor / day ( M UV ) One signature by User / vendor / day ( M UV ) Two verifications by Vendor / user / day ( C U and M UV ) Two verifications by Vendor / user / day ( C U and M UV ) One verification by Broker / user / vendor /day (for M UV ) One verification by Broker / user / vendor /day (for M UV ) One hash function computation by each of User, Vendor, and Broker for each 1¢ payment. One hash function computation by each of User, Vendor, and Broker for each 1¢ payment.

13 Copyright 1996 RSA Data Security, Inc. All rights reserved.Revised 1/1/96 PayWord Extensions Can pay for a 5¢ item by revealing w 10 after w 5 (like revealing five paywords at once). Can pay for a 5¢ item by revealing w 10 after w 5 (like revealing five paywords at once). Can have several payword chains per commitment, with different values per payword in each chain: e.g. a chain of 1¢ paywords, a chain of 25¢ paywords, and a chain of 1$ paywords. Can have several payword chains per commitment, with different values per payword in each chain: e.g. a chain of 1¢ paywords, a chain of 25¢ paywords, and a chain of 1$ paywords.

14 Copyright 1996 RSA Data Security, Inc. All rights reserved.Revised 1/1/96 MicroMintMicroMint

15 MicroMintMicroMint A digital coin should be: A digital coin should be: Hard to produce [except by Broker] Hard to produce [except by Broker] Easy to verify [by anyone] Easy to verify [by anyone] Digital signatures “work,” but are relatively expensive. Digital signatures “work,” but are relatively expensive. MicroMint uses hash functions only (no public-key crypto). MicroMint uses hash functions only (no public-key crypto). Broker utilizes economy of scale to produce MicroMint coins cheaply (as with a regular mint). Broker utilizes economy of scale to produce MicroMint coins cheaply (as with a regular mint).

16 Copyright 1996 RSA Data Security, Inc. All rights reserved.Revised 1/1/96 Suppose hash function h : {0,1} 48 {0,1} 36 maps m = 48- bit strings to n = 36- bit strings. Suppose hash function h : {0,1} 48 {0,1} 36 maps m = 48- bit strings to n = 36- bit strings. A k-way collision is a k -tuple (x 1,x 2,...,x k ) of values such that h(x 1 ) = h(x 2 ) =... = h(x k ): A k-way collision is a k -tuple (x 1,x 2,...,x k ) of values such that h(x 1 ) = h(x 2 ) =... = h(x k ): A MicroMint coin is a k- way collision ( k=4). Verifying a coin is easy. A MicroMint coin is a k- way collision ( k=4). Verifying a coin is easy. MicroMint Coins x 1 x 2 x 3 x 4 y hhhh

17 Copyright 1996 RSA Data Security, Inc. All rights reserved.Revised 1/1/96 Minting Coins Producing coins is like tossing balls into 2 n bins; k balls in a bin makes one coin. Producing coins is like tossing balls into 2 n bins; k balls in a bin makes one coin. Producing first 2-way collision requires time 2 n/2 ; this is the “birthday paradox.” Producing first 2-way collision requires time 2 n/2 ; this is the “birthday paradox.” Producing first k- way collision requires time N k = 2 n(k-1)/k. (e.g. 2 27 for k=4, n = 36.) (It’s hard to forge even one coin.) Producing first k- way collision requires time N k = 2 n(k-1)/k. (e.g. 2 27 for k=4, n = 36.) (It’s hard to forge even one coin.) Time cN k yields c k coins; once threshold of N k is passed, coins are produced rapidly. (Mint has economy of scale). Time cN k yields c k coins; once threshold of N k is passed, coins are produced rapidly. (Mint has economy of scale).

18 Copyright 1996 RSA Data Security, Inc. All rights reserved.Revised 1/1/96 Flow of MicroMint Coins  Broker mints coins and sells them to User.  User spends coins with Vendor.  Vendor deposits coins back to Broker. Broker UserVendor 1. Purchase coins 2. Pay for goods 3. Redeem coins

19 Copyright 1996 RSA Data Security, Inc. All rights reserved.Revised 1/1/96 Security Concerns Forgery: Can an adversary forge MicroMint coins? (Economically?) Forgery: Can an adversary forge MicroMint coins? (Economically?) Double-spending: What if a user “double- spends” his MicroMint coins? Double-spending: What if a user “double- spends” his MicroMint coins? Vendor fraud: What if a vendor gives copies of coins received to an accomplice? Vendor fraud: What if a vendor gives copies of coins received to an accomplice? Framing: Can vendor “frame” user for double-spending, or user “frame” vendor for fraud? Framing: Can vendor “frame” user for double-spending, or user “frame” vendor for fraud?

20 Copyright 1996 RSA Data Security, Inc. All rights reserved.Revised 1/1/96 Protections against forgery Computational difficulty of minting coins. Computational difficulty of minting coins. Small-scale forgery not really a concern; large-scale forgers will get caught. Small-scale forgery not really a concern; large-scale forgers will get caught. Coins “expire” monthly. New hash function revealed each month, and old coins exchanged for newly minted ones. (Broker works during May to make coins good for June; forger only learns h June at beginning of June, and so starts out way behind.) Coins “expire” monthly. New hash function revealed each month, and old coins exchanged for newly minted ones. (Broker works during May to make coins good for June; forger only learns h June at beginning of June, and so starts out way behind.)

21 Copyright 1996 RSA Data Security, Inc. All rights reserved.Revised 1/1/96 Protection against double-spending There is no “anonymity” in MicroMint: the Broker keeps track of whom each coin was sold to, and notes when it is returned by vendor. There is no “anonymity” in MicroMint: the Broker keeps track of whom each coin was sold to, and notes when it is returned by vendor. Small-scale double-spending not a concern. Small-scale double-spending not a concern. A user whose coins are consistently double- spent (with many vendors) will be caught and black-listed; he will not be sold any more MicroMint coins. A user whose coins are consistently double- spent (with many vendors) will be caught and black-listed; he will not be sold any more MicroMint coins.

22 Copyright 1996 RSA Data Security, Inc. All rights reserved.Revised 1/1/96 Protection against vendor fraud Vendors who consistently redeem coins that are also redeemed by other vendors will be black-listed and refused further redemption service by the Broker. Vendors who consistently redeem coins that are also redeemed by other vendors will be black-listed and refused further redemption service by the Broker. Users can cooperate with Broker to identify bad vendors by identifying where coin was first spent. Users can cooperate with Broker to identify bad vendors by identifying where coin was first spent.

23 Copyright 1996 RSA Data Security, Inc. All rights reserved.Revised 1/1/96 Protection against framing It may be difficult for Broker to distinguish user double-spending from vendor fraud. It may be difficult for Broker to distinguish user double-spending from vendor fraud. Small-scale double-spending or fraud not a concern. Large-scale cheaters should be distinguishable by weight of evidence against them. Small-scale double-spending or fraud not a concern. Large-scale cheaters should be distinguishable by weight of evidence against them.

24 Copyright 1996 RSA Data Security, Inc. All rights reserved.Revised 1/1/96 Additional protection against forgery Coins may satisfy “hidden predicates” which are only announced if forgery is detected by Broker. Coins may satisfy “hidden predicates” which are only announced if forgery is detected by Broker. For example, legitimate coins may all satisfy condition that low-order bit of x i is equal to some complicated function of other bits. For example, legitimate coins may all satisfy condition that low-order bit of x i is equal to some complicated function of other bits. Forger’s coins will typically not pass this additional “verification condition”. Forger’s coins will typically not pass this additional “verification condition”. Broker can announce several such conditions (or even one each day of month). Broker can announce several such conditions (or even one each day of month).

25 Copyright 1996 RSA Data Security, Inc. All rights reserved.Revised 1/1/96 Related Micropayment Schemes Millicent (Manasse et al. / DEC) Millicent (Manasse et al. / DEC) “Scrip” for each vendor, broker on-line. “Scrip” for each vendor, broker on-line. NetBill (Tygar / CMU) NetBill (Tygar / CMU) Heavy use of public-key crypto. Heavy use of public-key crypto. NetCard (Anderson / Cambridge) NetCard (Anderson / Cambridge) Similar to PayWord, but bank signs commitments. Similar to PayWord, but bank signs commitments. CAFE (Pederson and IBM Zurich) CAFE (Pederson and IBM Zurich) Similar to PayWord, but not credit-based. Similar to PayWord, but not credit-based.

26 Copyright 1996 RSA Data Security, Inc. All rights reserved.Revised 1/1/96 ConclusionsConclusions We have presented two new micropayment schemes, PayWord and MicroMint, that minimize or eliminate public-key operations. We have presented two new micropayment schemes, PayWord and MicroMint, that minimize or eliminate public-key operations. PayWord/ MicroMint paper available from: http://theory.lcs.mit.edu/~rivest PayWord/ MicroMint paper available from: http://theory.lcs.mit.edu/~rivest

Download ppt "Copyright 1996 RSA Data Security, Inc. All rights reserved.Revised 1/1/96 PayWord and MicroMint: Two Simple MicroPayment Schemes Ronald L. Rivest (MIT)"

Similar presentations

Micropayments Revisited Ronald L. Rivest & Silvio Micali RSA Conference 2002 Seminar 89-957, CS Dept., Bar Ilan University By Sharon Haroni.

Micropayments Revisited Ronald L. Rivest & Silvio Micali RSA Conference 2002 Seminar , CS Dept., Bar Ilan University By Sharon Haroni.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
An Efficient, Secure & Delegable Micro-Payment System Vishwas Patil School of Technology and Computer.

An Efficient, Secure & Delegable Micro-Payment System Vishwas Patil School of Technology and Computer.
_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications1.

_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications1.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
PAYWORD, MICROMINT -TWO MICROPAYMENT SCHEMES PROJECT OF CS 265 SPRING, 2004 WRITTEN BY JIAN DAI.

PAYWORD, MICROMINT -TWO MICROPAYMENT SCHEMES PROJECT OF CS 265 SPRING, 2004 WRITTEN BY JIAN DAI.
Computer Science Dr. Peng NingCSC 774 Advanced Network Security1 Topic 3.2: Micro Payments.

Computer Science Dr. Peng NingCSC 774 Advanced Network Security1 Topic 3.2: Micro Payments.
Recoverable and Untraceable E-Cash Dr. Joseph K. Liu The Chinese University of HongKong.

Recoverable and Untraceable E-Cash Dr. Joseph K. Liu The Chinese University of HongKong.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Digital Cash Present By Kevin, Hiren, Amit, Kai. What is Digital Cash?  A payment message bearing a digital signature which functions as a medium of.

Digital Cash Present By Kevin, Hiren, Amit, Kai. What is Digital Cash?  A payment message bearing a digital signature which functions as a medium of.
20-763 ELECTRONIC PAYMENT SYSTEMS FALL 2002COPYRIGHT © 2002 MICHAEL I. SHAMOS Electronic Payment Systems 20-763 Lecture 11 Electronic Cash.

ELECTRONIC PAYMENT SYSTEMS FALL 2002COPYRIGHT © 2002 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 11 Electronic Cash.
Slide 1 Vitaly Shmatikov CS 378 Digital Cash. slide 2 Digital Cash: Properties uDigital “payment message” with properties of cash uUnforgeable Users cannot.

Slide 1 Vitaly Shmatikov CS 378 Digital Cash. slide 2 Digital Cash: Properties uDigital “payment message” with properties of cash uUnforgeable Users cannot.
Class 12 Anonymous Digital Currency CIS 755: Advanced Computer Security Spring 2014 Eugene Vasserman

Class 12 Anonymous Digital Currency CIS 755: Advanced Computer Security Spring 2014 Eugene Vasserman
Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.

Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.
Bitcoin Double Spending Attack Karame, Androulaki & Capkun Presented by Subhro Kar CSCE 715, Fall 2013.

Bitcoin Double Spending Attack Karame, Androulaki & Capkun Presented by Subhro Kar CSCE 715, Fall 2013.
Slide 1 Many slides from Vitaly Shmatikov, UT Austin Public-Key Infrastructure CNS F2006.

Slide 1 Many slides from Vitaly Shmatikov, UT Austin Public-Key Infrastructure CNS F2006.
Chapter 6 E-commerce Payment Systems

Chapter 6 E-commerce Payment Systems
ELECTRONIC PAYMENT SYSTEMS 20-763 SPRING 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Electronic Payment Systems 20-763 Lecture 9: Micropayments I.

ELECTRONIC PAYMENT SYSTEMS SPRING 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 9: Micropayments I.
Micro-Payment Protocols and Systems Speaker: Jerry Gao Ph.D. San Jose State University URL:

Micro-Payment Protocols and Systems Speaker: Jerry Gao Ph.D. San Jose State University URL:

Similar presentations

Ads by Google