Classifications

• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F21/60—Protecting data
  • G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
  • G06Q20/00—Payment architectures, schemes or protocols
  • G06Q20/02—Payment architectures, schemes or protocols involving a neutral party, e.g. certification authority, notary or trusted third party [TTP]
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
  • G06Q20/00—Payment architectures, schemes or protocols
  • G06Q20/04—Payment circuits
  • G06Q20/06—Private payment circuits, e.g. involving electronic currency used among participants of a common payment scheme
  • G06Q20/065—Private payment circuits, e.g. involving electronic currency used among participants of a common payment scheme using e-cash
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
  • G06Q20/00—Payment architectures, schemes or protocols
  • G06Q20/04—Payment circuits
  • G06Q20/06—Private payment circuits, e.g. involving electronic currency used among participants of a common payment scheme
  • G06Q20/065—Private payment circuits, e.g. involving electronic currency used among participants of a common payment scheme using e-cash
  • G06Q20/0655—Private payment circuits, e.g. involving electronic currency used among participants of a common payment scheme using e-cash e-cash managed centrally
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
  • G06Q20/00—Payment architectures, schemes or protocols
  • G06Q20/08—Payment architectures
  • G06Q20/10—Payment architectures specially adapted for electronic funds transfer [EFT] systems; specially adapted for home banking systems
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
  • G06Q20/00—Payment architectures, schemes or protocols
  • G06Q20/30—Payment architectures, schemes or protocols characterised by the use of specific devices or networks
  • G06Q20/32—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
  • G06Q20/327—Short range or proximity payments by means of M-devices
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
  • G06Q20/00—Payment architectures, schemes or protocols
  • G06Q20/30—Payment architectures, schemes or protocols characterised by the use of specific devices or networks
  • G06Q20/36—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes
  • G06Q20/367—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes involving electronic purses or money safes
  • G06Q20/3678—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes involving electronic purses or money safes e-cash details, e.g. blinded, divisible or detecting double spending
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
  • G06Q20/00—Payment architectures, schemes or protocols
  • G06Q20/38—Payment protocols; Details thereof
  • G06Q20/382—Payment protocols; Details thereof insuring higher security of transaction
  • G06Q20/3823—Payment protocols; Details thereof insuring higher security of transaction combining multiple encryption tools for a transaction
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
  • G06Q20/00—Payment architectures, schemes or protocols
  • G06Q20/38—Payment protocols; Details thereof
  • G06Q20/382—Payment protocols; Details thereof insuring higher security of transaction
  • G06Q20/3825—Use of electronic signatures
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
  • G06Q20/00—Payment architectures, schemes or protocols
  • G06Q20/38—Payment protocols; Details thereof
  • G06Q20/382—Payment protocols; Details thereof insuring higher security of transaction
  • G06Q20/3827—Use of message hashing
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
  • G06Q20/00—Payment architectures, schemes or protocols
  • G06Q20/38—Payment protocols; Details thereof
  • G06Q20/382—Payment protocols; Details thereof insuring higher security of transaction
  • G06Q20/3829—Payment protocols; Details thereof insuring higher security of transaction involving key management
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
  • G06Q2220/00—Business processing using cryptography

Definitions

• the invention relates to a method for the direct transmission of electronic coin data sets between terminals.
• the invention also relates to a payment system for exchanging monetary amounts and a currency system.
• the security of payment transactions and the associated payment transaction data means both protection of the confidentiality of the data exchanged; as well as protecting the integrity of the data exchanged; as well as protection of the availability of the exchanged data.
• WO 2016/200885 A1 describes a method for encrypting an amount made in a blockchain ledger, the verifiability of the transaction being retained.
• a concealment amount is added to an input value.
• an output value is generated and encrypted.
• Both the input value and the output value lie within a value range, with a sum of any two values within the range not exceeding a threshold value.
• the sum of the encrypted input value and the encrypted output value can be zero.
• Range tests so-called range proofs, are assigned to each of the input values and the output value. These range checks prove that the input value and output value fall within the range of values.
• Each public key can be signed with a ring signature based on a public key of a recipient in the transaction. This process requires blockchain technology that must be called after receiving a coin data record in order to validate the coin data record.
• the object of the present invention is to create a method and a system in which a payment transaction is designed to be secure but nevertheless simple.
• direct payment between devices such as tokens, smartphones, but also machines such as point-of-sale terminals or vending machines, should be created that is anonymous.
• the coin data records should be able to be used immediately after receipt in order to enable payment even without a connection to a DLT.
• Several coin data sets should be able to be combined with one another and / or divided as desired by the user in order to enable flexible exchange.
• the exchanged coin data sets should on the one hand be confidential to other system participants, but on the other hand allow every system participant to carry out basic monitoring tests, in particular the recognition of multiple dispensing attempts and the recognition of attempts to pay with non-existent amounts. In the future, it should be possible to do without cash (banknotes and analog coins), or at least analog coins.
• the verification of the modification should be able to be carried out safely without complex proof of corresponding validity (range proofs) in order to increase the degree of flexibility and thus user-friendliness.
• the object is achieved in particular by a method for the direct transmission of electronic coin data sets between terminals, with a first terminal at least one electronic coin data record, the at least one electronic coin data record having a monetary amount and a concealment amount, with the steps of: setting a masking mode from at least two masking modes, a first masking mode comprising: masking the electronic coin data record, preferably in the first terminal, by using a one-way function which is homomorphic, for example, to the electronic coin data record, preferably to its concealment amount, for obtaining a completely masked electronic coin data record and registering a masked electronic coin data record in a monitoring entity.
• a second masking mode comprises: masking the electronic coin data record, preferably in the first terminal, by applying the one-way function to the electronic coin data record and adding a coin data record element, preferably the monetary amount, of the electronic coin data record to obtain an incompletely masked electronic coin data record
• the added coin data record element is the monetary amount of the electronic coin data record.
• a masked electronic coin data record that is affected by the amount is obtained as the incompletely masked electronic coin data record.
• the monetary amount can be read out and interpreted.
• parts of the masked coin data set are also openly transmitted and registered.
• the payment process is still anonymous, although the amount transfers are transparent.
• a third masking mode comprises: masking the concealment amount of the electronic coin dataset, preferably in the first terminal, by applying cryptographic function to one of the dataset elements, preferably the concealment amount, of the electronic coin dataset and adding a coin dataset element, preferably the monetary amount, of the electronic one Coin data set for obtaining a quasi-masked electronic coin data set.
• the cryptographic function can be a cryptographic concealment function or a cryptographic masking function.
• a fourth masking mode comprises: dividing the monetary amount of the electronic coin dataset into a first monetary part and a second monetary part, the basis of the value being arbitrary; Replacing the monetary amount with the first monetary amount part in the electronic coin data record; Masking of the electronic coin data record, preferably in the first terminal, by applying the one-way function to the electronic one Coin data set and adding the second monetary amount part to obtain a partially masked electronic coin data set.
• the selection of the priority is made either on the basis of a default value specified throughout the process or on a random basis or in accordance with a choice of the terminal device.
• the added coin data record element can be a higher-value amount portion of the monetary amount of the electronic coin data record, which is partially divided into the higher-value and a lower-value portion of the amount, whereby an electronic coin data record which is only open to the amount with regard to the higher-value portion of the amount is obtained than the incompletely masked electronic coin data record.
• the higher-value portion of the amount can be read out and interpreted. This means that parts of the masked coin data set are also openly transmitted and registered. This means that the process remains anonymous, but the transferred monetary amounts can be tracked and registered at any time. The payment process is still anonymous, although the amount transfers are transparent.
• the incompletely masked electronic coin data record is then preferably masked only with regard to the lower value portion.
• the higher-value portion of the amount represents a portion of the monetary amount that is greater than the portion of the monetary amount that represents the lower-value portion of the amount.
• higher-value digits of a data element representing the monetary amount for example one or more “most-significant bits, MSB”, can be transmitted transparently. Remaining, low-order digits of the data element representing the monetary amount are masked.
• the step of registering is either registering the fully masked electronic coin data set (for the first masking mode) or the incompletely masked electronic coin data set (for the second masking mode) or the quasi-masked electronic coin data set (for the third masking mode) ) or the partially masked electronic coin data set in the monitoring instance (for the fourth masking mode).
• the setting or the selection of the masking mode can be permanently specified in the method, for example by the monitoring entity or a third party provider (wallet provider).
• a method would thus be provided in which the masking mode is permanently specified.
• the step of determining could take place by selecting the masking mode in the first terminal. This would provide an agile method in which the respective end device determines or selects the masking mode itself or provides a user of the end device with an option for selection.
• a parameter for defining the masking mode is specified by the monitoring entity or a service provider.
• the terminal then preferably selects the masking mode on the basis of this parameter.
• a terminal device is thus set up to decide on the basis of the parameter, depending on the situation, which masking module is selected or established.
• a parameter for specifying the masking mode could, for example, be a minimum computing power of the terminal or a maximum period of time for masking and registering the coin data record or a degree of secrecy for the coin data record.
• a different terminal device different from the first terminal device can thereby possibly select a different masking mode in order to adhere to the default parameter.
• the terminal device switches from one masking mode to another masking mode for an electronic coin data record.
• an incompletely masked coin data set can be connected to a partially masked coin data set after switching the incompletely masked coin data set or connecting it to a coin data set of monetary value 0 and thereby creating a partially masked electronic coin data set and then connecting two partially masked electronic coin data sets; For “toggling” or “connecting”, see the explanations given below with regard to modifying an electronic coin data set.
• An electronic coin record is an electronic record that is represented by coin record elements.
• it is an electronic data record which represents a monetary amount and is also known colloquially as “digital coin” or “electronic coin”, English “digital / electronic coin”.
• this monetary amount changes from a first terminal to another terminal.
• a monetary amount as a data record element is understood below to mean a digital amount that can be credited, for example, to an account of a financial institution, or against another means of payment can be exchanged.
• An electronic coin data record therefore represents cash in electronic form.
• the terminal device can have a large number of electronic coin data records; for example, the large number of coin data records can be stored in a data memory of the terminal device.
• the data memory then represents, for example, an electronic wallet.
• the data memory can be internal, external or virtual, for example.
• a “connection” can take place automatically, so that preferably only one (or a certain number of) electronic data records are in the terminal.
• the terminal can, for example, be a passive device, such as. B. a token, a mobile device such as a smartphone, a tablet computer, a computer, a server or a machine.
• a passive device such as. B. a token
• a mobile device such as a smartphone, a tablet computer, a computer, a server or a machine.
• An electronic coin data record for transferring monetary amounts differs significantly from an electronic data record for data exchange or data transfer, since, for example, a classic data transaction takes place on the basis of a question-answer principle or on intercommunication between the data transfer partners.
• An electronic coin data record is unique, unambiguous and is in the context of a security concept that can include signatures or encryptions, for example.
• an electronic coin data record contains all data that are required for a receiving entity with regard to verification, authentication and forwarding to other entities. Intercommunication between the end devices during the exchange is therefore basically not necessary with this type of data record.
• the electronic coin data record is preferably transmitted from the first terminal to a second terminal.
• an electronic coin dataset used for transmission between two terminals has a monetary amount as a dataset element representing a monetary value of the electronic coin dataset and a concealment amount as a dataset element, for example a random number.
• the electronic coin data record can have further data record elements, such as metadata, which, for example, represent the currency and the monetary amount.
• An electronic coin dataset is uniquely represented by these at least two dataset elements (monetary amount and obfuscation amount).
• An electronic coin dataset is uniquely represented by these at least two dataset elements (monetary amount and obfuscation amount).
• An electronic coin dataset is uniquely represented by these at least two dataset elements (monetary amount and obfuscation amount).
• anyone who has access to these at least two data record elements of a valid electronic coin data record can use this electronic coin data record for payment. Knowing these two data record elements (monetary amount and obfuscation amount) is therefore equivalent to owning digital money.
• This electronic coin data record is transmitted directly between two terminals.
• an electronic coin data record
• a corresponding masked electronic coin data record is assigned to each electronic coin data record.
• This masked electronic coin data record can be a completely masked electronic coin data record (first masking mode) or an incompletely masked electronic coin data record (second masking mode) or a quasi-masked electronic coin data record (third masking mode) or a partially masked electronic coin data record (fourth masking mode).
• a completely masked electronic coin data record (first masking mode) is a masked electronic coin data record, the entirety of which is masked by data record elements.
• the completely masked electronic coin data record does not include any unmasked data record element.
• No (unmasked) data record element of the electronic coin data record can be taken / read directly from the fully masked electronic coin data record.
• An incompletely masked electronic coin data record is a masked electronic coin data record in which at least one data record element is (also) contained unmasked. At least one (unmasked) data record element of the electronic coin data record can be taken directly from the incompletely masked electronic coin data record. The unmasked data record element can be added to a corresponding fully masked electronic coin data record in order to obtain the incompletely masked coin data record. In this preferred case, the data record element is then contained in unmasked form and in masked form in the incompletely masked coin data record.
• a quasi-masked electronic coin data record (third masking mode) is a masked electronic coin data record in which at least one data record element of the (unmasked) electronic coin data record is contained in cryptographically encrypted form.
• the quasi-masked electronic coin data record is applied by applying a cryptographic encryption function to at least one of the data record elements, preferably the concealment amount.
• the quasi-masked electronic coin data record also includes, in particular, at least one unmasked data record element, in particular the monetary amount.
• At least one (unmasked) data record element of the electronic coin data record can be taken directly from the quasi-masked electronic coin data record.
• the unmasked data record element can be added to the encrypted data record element in order to obtain the quasi-masked coin data record.
• a partially masked electronic coin data record (fourth masking mode) is a masked electronic coin data record in which at least one data record element and a first monetary amount part of the electronic coin data record is contained in cryptographically encrypted form.
• the partially masked electronic coin data record also includes an unmasked data record element, in particular the second monetary amount part.
• the first monetary amount part and the second monetary amount part were obtained by dividing the monetary amount of the electronic coin data record by place value, see further explanations on the value and the basis given below.
• the first monetary amount part obtained in this way replaces the monetary amount in the electronic coin data record for the masking step.
• the second monetary amount part is then added unmasked to the masked electronic coin data record. Accordingly, at least the second monetary amount part of the electronic coin data record can be taken directly from the partially masked electronic coin data record.
• masked electronic coin data record is always used below if a statement applies to both a fully masked electronic coin data record and an incompletely masked electronic coin data record, i.e. also to a quasi-masked electronic coin data record and a partially masked electronic coin data record.
• the masked electronic coin data record is unique and can be clearly assigned to an electronic coin data record, so there is a 1-to-1 relationship between the (non-masked) electronic coin data record and the masked electronic coin data record.
• the electronic coin data record is preferably masked by a computing unit of the terminal within the terminal which also has the at least one electronic coin data record. Alternatively, the masking can be carried out by a computing unit of the terminal which receives the electronic coin data record.
• the masked electronic coin data set is obtained by applying a one-way function, for example a homomorphic one-way function, for example a cryptographic function.
• This function is a one-way function, that is, a mathematical function which, in terms of complexity theory, is “easy” to calculate, but “difficult” to practically impossible to reverse.
• a one-way function is also referred to as a function for which no reversal has been practically carried out in a reasonable time and with reasonable effort is known.
• the calculation of a masked electronic coin data record from an electronic coin data record is thus comparable with or corresponds to the generation of a public key in an encryption method using a residual class group.
• a one-way function which operates on a group in which the discrete logarithm problem is difficult to solve, such as e.g. B. a cryptographic process analogous to an elliptical curve encryption, ECC for short, from a private key of a corresponding cryptography process.
• the reverse function i.e. the generation of an electronic coin data record from a masked electronic coin data record (or part of the electronic coin data record) is very time-consuming - equivalent to generating the private key from a public key in an encryption process using a residual class group.
• the respective operations on the corresponding mathematical group are to be understood in the mathematical sense, for example the group of points on an elliptical curve.
• the one-way function is homomorphic, that is to say a cryptographic method which has homomorphism properties.
• mathematical operations can be carried out with the masked electronic coin dataset, which can also be carried out in parallel on the (unmasked) electronic coin dataset and can therefore be reproduced.
• calculations with masked electronic coin data records can be reproduced in the monitoring instance without the corresponding (unmasked) electronic coin data records being known there. Therefore, certain calculations with electronic coin data sets, for example for modifying the (unmasked) electronic coin data set (e.g. splitting or combining), can also be verified in parallel with the associated masked electronic coin data sets, for example for validation checks or for monitoring the legality of the respective electronic coin data set .
• the homomorphism property therefore makes it possible to enter valid and invalid electronic coin data records on the basis of their masked electronic coin data records in a monitoring instance without knowledge of the electronic coin data records, even if these electronic coin data records are modified (divided, connected, switched). This ensures that no additional monetary amount has been created or that an identity of the terminal is recorded in the monitoring instance.
• Masking enables a high level of security without giving any insight into the monetary amount or the end device. This results in a two-tier payment system.
• there is the processing layer in which masked electronic data records are checked, and, on the other hand, there is the direct transaction layer, in which at least two terminals are transmitted electronic coin data records.
• the one-way function is a cryptographic encryption function.
• Applying the one-way function to the electronic coin data record also includes applying the one-way function to part of the electronic coin data record, in particular to the concealment amount, in one embodiment only to the concealment amount.
• the quasi-masked electronic coin data record is obtained using a cryptographic concealment function on a data record element (preferably the concealment amount) of the (unmasked) electronic coin data record.
• the data record element can be converted into a disguised data record element (secret element) using an obfuscation method.
• the amount of obfuscation can be used as a dynamic key for encryption.
• the obfuscation amount cannot be used as a key for decryption.
• an electronic coin data record When an electronic coin data record is transmitted from the first terminal to the second terminal, two terminals have knowledge of the electronic coin data record. In order to prevent the sending first terminal device from also using the electronic coin data record on another (third) terminal device for payment (so-called double spending), it is preferred to switch the transmitted electronic coin data record from the first terminal device to the second terminal device executed. Switching can preferably take place automatically when an electronic coin data record is received in the second terminal. In addition, it can also take place on request, for example a command from the first and / or second terminal. In addition, an electronic coin data record can also be divided into at least two coin partial data records (“split”). In addition, two electronic coin data sets can be combined to form one coin data set ("merge").
• Switching, splitting, and linking are various modifications to an electronic coin record. These modifications require the masked coin data set to be registered in a monitoring entity. This registration in the course of the modifications has the result that the electronic coin data set sent by the first terminal becomes invalid and is recognized as correspondingly invalid on a second dispensing attempt by the first terminal will. The coin data set to be registered by the second terminal becomes valid when it is registered in the monitoring entity.
• the concrete implementation of the individual modifications will be explained later.
• the switchover also takes place when an electronic coin data record has been modified, for example divided or linked to other electronic coin data records, in particular in order to be able to settle a monetary amount to be paid appropriately.
• the monitoring instance checks whether the (masked) electronic coin data set has a valid range.
• so-called “zero knowledge range proofs” are used as proof of range. Proof of the range enables, on the one hand, that a changed monetary amount (splitting, combining) is within a predefined range of valid monetary amounts and, on the other hand, that ownership of the monetary amounts to be changed is proven.
• This verification requires a not insignificant volume of data to be exchanged between the terminal and the monitoring entity and a computational effort. It is desirable that such verifications can be carried out in a significantly simplified manner.
• an improved masking of the at least one electronic coin data record is therefore provided in order to simplify the area verifications.
• a selection of a masking mode is made or a masking mode is established before the transferring step and / or before the registration step.
• the selection is made, for example, by a user of the first terminal via a corresponding menu control on the terminal.
• the selection is made, for example, on the basis of a system specification in the payment system or a system specification by a third party provider.
• the performance of the payment system can thus be optimally used, so that the effort involved in the verification check on the basis of a current registration request volume in the monitoring instance can be controlled by appropriate selection of the masking mode.
• the selection can also be made on the basis of a terminal property. For example, if one of the masking modes is not supported, a corresponding preselection can be made.
• a range check is created when registering in the monitoring instance. This also includes the Place value representation of the monetary amount on any basis, for example on base 2 (binary) or base 3 (ternary), etc.
• simplification shortening of the area verification if this option is not implemented in the system, in the monitoring instance or in the end device. This is followed by proof of the entire range of the monetary amount.
• the area verification simplification according to a fixed default value is mandatory in the system when modifying (switching, dividing, connecting) a coin data record.
• the shortening of the area verification is optionally provided with a fixed default value.
• the monitoring instance can determine whether a fully masked electronic coin data record or an incompletely masked electronic coin data record or a quasi-masked electronic coin data record or a partially masked electronic coin data record is to be generated and whether a change from one masking type to another masking type is to be made.
• the area verification shortening is optional with a variable default value.
• the user can specify within the permitted system specifications how much of the masked coin data record is to be disclosed.
• the variable default value can be changed again with every modification to the coin data record.
• the area detection is shortened in the fourth masking mode by applying a ring signature only to the first monetary amount that corresponds to a default value (system default or terminal selection).
• the decision as to the extent to which data elements are transmitted unmasked i.e. to what extent, for example, information about the electronic coin dataset is transparent or hidden for a monitoring instance, could be based on a decision by the terminals transmitting the respective coin datasets.
• the terms “completely masked coin data record” and “incompletely masked coin data record” are used.
• the completely masked coin data record is assigned an (unmasked) private electronic coin data record, which contains all data elements, in particular the monetary amount, hidden from the supervisory authority.
• the first masking mode should be selected for such private electronic coin data records.
• the incompletely masked coin data record is assigned an (unmasked) semi-private electronic coin data record which reveals at least one data element, for example the monetary amount, to the verification level (monitoring instance).
• the first or the second masking mode can be selected for such semi-private electronic coin data records.
• the partially masked coin data record is assigned an (unmasked) semi-private electronic coin data record which reveals the second monetary amount to the verification level (monitoring authority).
• the fourth masking mode can be selected for such semi-private electronic coin data records.
• a private electronic zero coin data record is used which has a monetary amount of zero but a concealment amount, that is to say does not represent an amount with monetary value.
• This private zero coin data record can be created at any time from a single existing private electronic coin data record with a splitting step. In this special splitting step, a first private coin part data record is generated which has the same monetary amount as the only private electronic coin data record present, and a second coin part data record is generated which is a zero electronic coin data record.
• This splitting to obtain the private electronic zero coin data set is carried out prior to the conversion of the semi-private electronic data set into the private electronic coin data set and is stored for later use.
• the monetary amount or a monetary amount part is transmitted unmasked.
• the corresponding masking modes are not limited to the unmasked transmission of the monetary amount (part); any other data record element (part) could alternatively or additionally be transmitted unmasked.
• the area verification is simplified to just two test steps, namely (1) whether the monetary amount added to the incompletely masked electronic coin data record belongs to this masked electronic coin data record and ( 2) whether the ownership of the modified (unmasked) electronic coin record is proven.
• the fourth mask mode only a shortened range detection needs to be checked.
• the adding step in the second, third or fourth masking mode is preferably a simple logical operation, for example an OR link.
• the further process steps are provided in the second terminal after the transfer: switching over the electronic coin data set with generation of an electronic coin data set to be switched in the terminal device from the electronic coin data set, a concealment amount for the electronic coin data set to be switched using the concealment amount of the electronic coin data set is generated in the second terminal; and the monetary amount of the electronic coin record is used as a monetary amount for the electronic coin record to be switched.
• a division of the electronic coin data set into a first electronic coin part data set and a second electronic coin part data set in the first terminal the monetary amount being divided into at least a first monetary amount and a second monetary amount.
• the following is provided: connecting a first and a second electronic coin data record to a connected electronic coin data record in the first terminal with the following steps: calculating a concealment amount for the electronic coin data record to be connected by forming the sum from the respective Obfuscation amounts of the first and second electronic coin records; and calculating the monetary amount for the electronic coin data set to be linked by forming the sum from the respective monetary amounts of the first and second electronic coin data sets.
• masking the electronic coin data set in the masking step of the first or second masking mode includes masking the coin data set to be switched over, the first and / or second coin part data set and / or the connected coin data set.
• a data record element for example the concealment amount of the respective electronic coin data record, is used as a dynamic private key, with which, however, no decryption is possible.
• the fully masked electronic coin data record or the incompletely masked electronic coin data record or the quasi-masked electronic coin data record or the partially masked electronic coin data record are sent to the monitoring entity to check the validity of the electronic coin data record by the monitoring entity. Checking the validity is explained in detail below.
• the method has the further method steps: generating a signature using the concealment amount of the electronic coin data set; Adding the signature to the masked electronic coin data set, in particular the incompletely masked electronic coin data set or the quasi-masked electronic coin data set, the fully masked electronic coin data set or the incompletely masked electronic coin data set or the quasi-masked electronic coin data set being registered with the signature in the monitoring instance.
• the registering step in the monitoring entity for the first, second and / or fourth masking mode comprises: receiving the incompletely masked electronic coin data set to be switched or the fully masked electronic coin data record to be switched or the partially masked electronic coin data record to be switched over in the monitoring entity; Checking the masked electronic coin data record for validity in the monitoring entity; Calculation of the difference from the incompletely masked coin data record to be switched over or the completely masked coin data record to be switched over or the partially masked electronic coin data record and the masked electronic one Coin data record and checking with the aid of a signature added to the incompletely masked electronic coin data record or the fully masked electronic coin data record, which signature was created by generating a public verification key; Checking a complete or abbreviated proof of area; and registering the masked electronic coin data set to be switched over in the monitoring instance if all checking steps are successful and a simplified area detection has been carried out, whereby the electronic coin data record to be switched over is
• the method comprises: receiving the quasi-masked electronic coin data set to be switched over in the monitoring instance; Checking the quasi-masked electronic coin data record for validity in the monitoring instance; Check whether the monetary amount of the electronic coin data set is equal to the monetary amount of the electronic coin data set to be switched over; Calculating the difference between the quasi-masked coin data set to be switched and the quasi-masked electronic coin data set; Checking using an added signature created by generating a public verification key; and registering the quasi-masked electronic coin data set to be switched over in the monitoring entity if all checking steps are successful, as a result of which the electronic coin data record to be switched over is considered valid.
• the registering step in the monitoring entity for the first, second and / or fourth masking mode comprises: receiving the incompletely masked electronic coin component data sets or the fully masked electronic coin component data sets or the partially masked electronic coin component data sets in the monitoring entity; Checking the masked electronic coin data set to be switched over for validity in the monitoring instance; Checking a ring signature added to the incompletely masked electronic coin part data records or the partially masked electronic coin part data records using the monetary amount of the electronic coin data record in the monitoring entity; Calculation of the difference from the sum of the fully masked electronic coin data sets or the sum of the incompletely masked electronic coin part data sets or the sum of the partially masked electronic coin part data sets and the masked coin data set to check whether the monetary amount of the electronic coin data set is equal to the sum of the first and second monetary amount of the the respective electronic coin part data records is to check whether the monetary amount of the electronic coin data record is equal to the monetary amount of the electronic coin data record is equal to the monetary amount
• the method comprises: receiving the incompletely masked electronic coin part data records in the monitoring entity; Checking the masked electronic coin data set to be switched over for validity in the monitoring instance; Checking a signature added to the incompletely masked electronic coin data record by generating a public verification key; Calculating the sum of the monetary values of the coin component records to check whether the monetary amount of the electronic coin record is equal to the sum of the first and second monetary amounts of the electronic coin component records; and registering the masked electronic coin component data sets in the monitoring entity if all checking steps are successful and a simplified range detection has been carried out, whereby the electronic coin component data sets are considered valid.
• the registering step in the monitoring entity for the first, second and / or fourth masking mode comprises: receiving the incompletely masked connected electronic coin data record or the completely masked connected electronic coin data record in the monitoring entity; Checking the masked first and second electronic coin data records for validity in the monitoring entity; Checking a first ring signature added to the incompletely masked electronic coin data record or the fully masked electronic coin data record using the first monetary amount of the first electronic coin data record in the monitoring instance; Checking a second ring signature added to the incompletely masked electronic coin data record or the completely masked electronic coin data record using the second monetary amount of the second electronic coin data record in the monitoring instance; Calculating the difference between the incompletely masked connected electronic coin data set or the fully masked connected electronic coin data set and the sum of the masked first electronic coin data set and the masked second electronic coin data set to check whether the monetary amount of the connected electronic coin data set is equal to the sum of the first and second is monetary amount
• the method comprises the registering step in the monitoring entity for the second and / or the third masking mode: receiving the incompletely masked connected electronic coin data record in the Supervisory authority; Checking the masked first and second electronic coin data records for validity in the monitoring entity; Checking a first signature added to the incompletely masked electronic coin data record by generating a first public verification key in the monitoring entity; Checking a second signature added to the incompletely masked electronic coin data record by generating a second public verification key in the monitoring entity; Calculating the difference between the monetary value of the coin data set to be valid and the sum of the monetary values of the first electronic coin data set to be connected and the second electronic coin data set; Registering the masked, connected electronic coin data set in the monitoring instance, if all checking steps are successful and a simplified range verification has been carried out, whereby the connected electronic coin data set is considered valid.
• the method preferably includes a step of creating a proof in the first terminal, the proof comprising information that the monetary amount of the electronic coin data record is positive and known to the creator of the proof, hereinafter also referred to as simplified area proof, with: splitting the electronic coin data set in the first terminal according to a fixed or variable default value, into a first electronic coin part data set and a second electronic coin part data set; dividing the second electronic coin part data set in places in the first terminal, a place value of the split second electronic coin part data set representing a place value of the second monetary amount of the electronic coin data set and the sum of all obfuscation amounts of the second electronic coin data set split up in places giving the obfuscation amount of the electronic coin data set Is arbitrary.
• the terminal Based on the division of the second electronic coin data set by value, the terminal creates a ring signature that is sent to the monitoring unit together with the partially masked electronic coin data set and checked there.
• the base of the priority is preferably two or three.
• Place value is a power of the basis of a place value system. So is a binary system, a place value system with the base 2, a temporary system is a place value system with the base 3 and a decimal system is a place value system with the base 10.
• the value of the base is not specified in order to allow the most flexible place value-based division for a simplified To enable verification testing.
• the division into places takes place on the basis of a default value.
• This default value specifies, for example, the point at which the monetary amount is to be divided. It then corresponds, for example, to a number of “least significant bits, LSB” if the significance has base 2. This number of LSB is then used as the second monetary part of the amount partially masked coin data set added. The remaining digits of the monetary amount form the first monetary amount part and replace the monetary amount for the masking step.
• this default value corresponds, for example, to a number of “most significant bits, MSB” if the value has base 2. This number of MSB is then added to the partially masked coin data set as a second monetary amount part. The remaining digits of the monetary amount form the first monetary amount part and replace the monetary amount for the masking step.
• this default value corresponds, for example, to a random number of bits if the place value has the base 2. This number of bits is then added to the partially masked coin data set as a second monetary amount part. The remaining digits of the monetary amount form the first monetary amount part and replace the monetary amount for the masking step.
• this default value corresponds, for example, to a specific selection of bits if the place value has base 2. This selection of bits is then added to the partially masked coin data set as a second monetary amount part. The remaining digits of the monetary amount form the first monetary amount part and replace the monetary amount for the masking step.
• the checks are preferably based on ring signatures, the parameters of which require the generation of random numbers and the derivation of scatter values (hash) in the end devices.
• a default value defined for verification can - as described above - be system-related parameters or the result of a negotiation between two system participants (end devices or monitoring instance).
• the prerequisite for selecting the third masking mode is that there is no need in the system to mask (hide) a data element, for example the monetary amount.
• This lack of necessity greatly simplifies the entire payment system and the process for the direct exchange of coin data sets between end devices.
• An electronic coin data set, as described above and comprising at least a monetary amount and a concealment amount as data elements, can then be assigned a quasi-masked electronic coin data set, which consists, for example, of the unmasked monetary amount and the encrypted concealment amount.
• the registration step in the monitoring instance for the third masking mode takes place with: receiving the quasi-masked electronic coin data set to be switched over in the monitoring instance; Checking the quasi-masked electronic coin data record for validity in the monitoring instance; Checking a signature added to the quasi-masked electronic coin data record using the encrypted concealment amount of the electronic coin data record in the monitoring instance; and registering the quasi-masked electronic coin data set to be switched over in the monitoring instance if the two checking steps are successful, as a result of which the electronic coin data record to be switched over is considered valid.
• the registration step in the monitoring instance for the third masking mode preferably takes place with: receiving the quasi-masked electronic coin part data sets in the monitoring instance; Checking the quasi-masked electronic coin data record for validity in the monitoring instance; Checking a signature added to the quasi-masked electronic coin data record using the masked obfuscation amount in the monitoring instance; Checking whether the monetary amount of the electronic coin data set is equal to the sum of the first and second monetary amount of the electronic coin part data sets; Registering the quasi-masked electronic coin component data sets in the monitoring instance if the three checking steps are successful, whereby the electronic coin component data sets are considered valid and the electronic coin data record to be divided is invalid.
• the registering step in the monitoring instance for the third masking mode takes place with: receiving the quasi-masked connected electronic coin data set in the monitoring instance; Checking the quasi-masked first and second electronic coin data sets for validity in the monitoring entity; Checking two signatures added to the quasi-masked connected electronic coin data records to be connected using the masked obfuscation amounts in the monitoring instance; Checking whether the monetary amount of the associated electronic coin record is equal to the sum of the first and second monetary amounts of the first and second electronic coin records; Registering the quasi-masked connected electronic coin data set in the monitoring instance, if the three checking steps are successful, whereby the linked electronic coin data set is considered valid and the two electronic coin data sets to be linked are invalid.
• the step of checking the quasi-masked coin data records in the switching, dividing, or connecting step takes place in accordance with the checking of the validity.
• a signature is preferably created for each quasi-masked electronic coin data record.
• the private signature key is preferably the (unmasked) concealment amount of the (unmasked) coin data set.
• the signature is preferably created over the quasi-masked electronic coin data record and the encrypted concealment amount of the quasi-masked electronic coin data record to be switched.
• the signature is preferably created using the quasi-masked electronic coin data set, the quasi-masked first electronic coin part data set and the quasi-masked second electronic coin part data set.
• the signature is preferably created using the quasi-masked first electronic coin data set, the quasi-masked second electronic coin data set and the quasi-masked connected electronic coin data set.
• a signature of the issuer is stored in the monitoring instance via the quasi-masked electronic coin data record.
• a quasi-masked electronic coin data record is deleted when the monitoring authority has checked the signature of an issuer authority.
• the signature generated in this method replaces any additional information that would otherwise be required to provide evidence of an area using the masked electronic coin data set to be divided or an area detection using the respective masked electronic coin part data sets.
• an asymmetrical cryptosystem is preferred, in which the terminal uses a secret signature key, hereinafter also referred to as private signature key or “private key”, to calculate a value for a data record.
• a secret signature key hereinafter also referred to as private signature key or “private key”
• This value enables anyone to use a public verification key, the public key, to check the authorship and integrity of the data record.
• the signature added in this method for the second and the third masking mode is, for example, a first signature and a private signature key for generating the first signature is the concealment amount of the corresponding electronic coin data record.
• the signature added in this method is, for example, a second signature and a private signature key for generating the second signature is formed from a difference between the concealment amount of the electronic coin data record and the concealment amount for the electronic coin data record to be switched.
• a public verification key for checking the first signature is preferably formed from a difference between the masked electronic coin data record and an application of the cryptographic encryption function to the monetary amount of the electronic coin data record.
• a public verification key for checking the second signature is preferably formed from a difference between the masked electronic coin data record to be switched and the masked electronic coin data record.
• the method preferably has the following further steps: switching over the transmitted electronic coin part data set; and / or connecting the transmitted electronic coin data record with a second electronic coin data record to form a further electronic coin data record, namely connected electronic coin data record.
• the electronic coin data record received from the first terminal results in a new electronic coin data record, preferably with the same monetary amount, the so-called electronic coin data record to be switched.
• the new electronic coin dataset is generated by the second terminal, preferably by using the monetary amount of the received electronic coin dataset as the monetary amount of the electronic coin dataset to be switched.
• a new concealment amount for example a random number, is generated.
• the new concealment amount is added, for example, to the concealment amount of the electronic coin data record obtained so that the sum of both concealment amounts (new and received) serves as the concealment amount of the electronic coin data record to be switched.
• the received electronic coin part data record and the electronic coin part data record After switching is preferred the received electronic coin part data record and the electronic coin part data record to be switched over masked in the terminal by applying the one-way function to the received electronic coin part data record and the electronic coin part data record to be switched over, in order to obtain a masked received electronic coin part data record and a masked electronic coin part data record to be switched over accordingly.
• Newly created obfuscation amounts must have a high entropy, since they are used as a glare factor for the corresponding masked electronic coin part data records.
• a random number generator is preferably used on the terminal for this purpose.
• the additional information preferably contains an area record for the masked electronic coin data record to be switched over and a region record for the masked electronic coin data record received.
• the area evidence is evidence that the monetary amount of the electronic coin data record is not negative, the electronic coin data record is validly created and / or the monetary amount and the concealment amount of the electronic coin data record are known to the creator of the area evidence.
• the area verification serves to provide this verification (s) without revealing the monetary value and / or the concealment amount of the masked electronic coin data record. These proofs of range are also called “zero knowledge range proofs”. Ring signatures are preferably used as area evidence. The switchover of the masked electronic coin data record is then registered in the remote monitoring entity.
• the switchover is thus secured by adding a new concealment amount to the concealment amount of the electronic coin data record obtained, as a result of which a concealment amount is obtained that only the second terminal device knows.
• newly created concealment amounts must have a high entropy, since they are used as a concealment factor for the corresponding masked electronic coin part data records.
• a random number generator is preferably used on the terminal for this purpose. This protection can be tracked in the monitoring instance.
• the method further comprises the following steps: masking the electronic coin part data set to be switched in the second terminal by applying the, for example, homomorphic one-way function to the electronic coin part data record to be switched over to obtain a masked electronic coin data record; and registering the masked electronic coin record with a remote supervisor.
• the steps described here do not have to be carried out in the order described. However, the sequence described here is a preferred embodiment.
• the step of registering is preferably carried out when the second terminal is connected to the monitoring entity. While the electronic coin data records are used for direct payment between two terminals, the masked coin data records are registered in the monitoring entity, which means that modifications to the masked electronic coin data records can be registered in the monitoring entity.
• a further electronic coin data set (connected electronic coin data set) is determined from a first and a second electronic coin part data set for connecting electronic coin part data sets.
• the concealment amount for the electronic coin data set to be linked is calculated by forming the sum from the respective concealment amounts of the first and the second electronic coin data set.
• the monetary amount for the connected electronic coin dataset is preferably calculated by forming the sum from the respective monetary amounts of the first and the second electronic coin dataset.
• the first electronic coin part data set, the second electronic coin part data set and the electronic coin data set to be connected are saved in the (first and / or second) terminal by applying the, for example, homomorphic one-way function to the first electronic coin part data set, the second electronic coin part data set and the to be connected electronic coin data record masked in order to obtain a masked first electronic coin part data record, a masked second electronic coin part data record, and a masked electronic coin data record to be connected accordingly. Furthermore, additional information that is required for registering the connection of the masked electronic coin data records in the remote monitoring entity is calculated in the terminal.
• the additional information preferably contains a range verification via the masked first electronic coin part data record and a range verification via the masked second electronic coin part data record.
• the area evidence is evidence that the monetary amount of the electronic coin data record is not negative, the electronic coin data record is validly created and / or the monetary amount and the concealment amount of the electronic coin data record are known to the creator of the area evidence.
• the area verification serves to provide this verification without revealing the monetary value and / or the concealment amount of the masked electronic coin data record.
• proofs of range are also called “zero knowledge range proofs”. Preference is given as proof of area Ring signatures used. The connection of the two masked electronic coin part data records is then registered in the remote monitoring entity.
• two electronic coin data sets or two electronic coin part data sets can be combined.
• the monetary amounts as well as the obfuscation amounts are added up.
• splitting the two original coin data records can also be validated when combining.
• the registering step comprises receiving the masked electronic coin part data set to be switched over in the monitoring instance, checking the masked electronic coin part data record to be switched over for validity; and the registration of the masked electronic coin data set to be switched over in the monitoring entity if the checking step is successful, whereby the electronic coin part data record to be switched over is considered checked.
• the checking step it is preferably determined whether the difference between the masked electronic coin data record and the masked electronic coin part data record to be switched is equal to a public verification key of the signature. This enables the validity of the coin part data set to be checked easily without the need for complex zero-knowledge verification. However, the zero-knowledge proof is still required to prove possession of the electronic coin data record (except in the third masking mode).
• a main distinguishing feature of this inventive concept compared to known solutions is that the monitoring instance only (i.e. exclusively) maintains knowledge of the masked electronic coin data records / coin part data records and a list of processing or changes to the masked electronic coin data record / coin part data record.
• the actual payment transactions with the (unmasked) coin data records / coin part data records are not registered in the monitoring instance and take place in a direct transaction layer directly between terminals.
• a two-layer payment system consisting of a direct payment transaction layer for the direct exchange of (unmasked) electronic coin data records and a monitoring layer, which can also be referred to as a “veiled electronic data record ledger”, is provided.
• the monitoring layer no payment transactions are recorded, only masked electronic coin data records and their processing for the purpose of verifying the validity of (unmasked) electronic coin data records. This guarantees the anonymity of the participants in the payment system.
• the monitoring instance provides information about valid and invalid electronic coin data records, for example a To avoid multiple issuance of the same electronic coin dataset or to verify the authenticity of the electronic coin dataset as validly issued electronic money.
• the terminal can therefore transmit electronic coin data records to another terminal in the direct payment transaction layer without a connection to the monitoring entity, in particular when the terminal is offline, that is to say there is no communication connection to the monitoring entity.
• the terminal device can have a security element in which the electronic coin data records are securely stored.
• a security element is preferably a special computer program product, in particular in the form of a secured runtime environment within an operating system of a terminal, English Trusted Execution Environments, TEE, stored on a data memory, for example a mobile terminal, a machine, preferably an ATM.
• the security element is designed, for example, as special hardware, in particular in the form of a secured hardware platform module, English Trusted Platform Module, TPM or as an embedded security module, eUICC, eSIM.
• the security element provides a trustworthy environment.
• the communication between two terminals can be wireless or wired, or, for example, also optically, preferably via QR code or barcode, and can be designed as a secure channel.
• the optical path can include, for example, the steps of generating an optical coding, in particular a 2D coding, preferably a QR code, and reading in the optical coding.
• the exchange of the electronic coin data record is thus secured, for example, by cryptographic keys, for example a session key negotiated for an electronic coin data record exchange or a symmetrical or asymmetrical key pair.
• the exchanged electronic coin data sets are protected from theft or manipulation.
• the security element level thus complements the security of established blockchain technology.
• the coin data records are transmitted as APDU commands.
• the coin data set is preferably stored in an (embedded) UICC as a security element and is managed there.
• An APDU is a combined command / data block of a connection protocol between the UICC and a device.
• the structure of the APDU is defined by the ISO-7816-4 standard.
• APDUs represent an information element of the application level (layer 7 of the OSI layer model).
• it is advantageous that the electronic coin data records can be transmitted in any format. This implies that it communicates on any channel, i.e. that it can be transmitted. They do not need to be saved in a specific format or in a specific program.
• a mobile telecommunication terminal for example a smartphone
• the terminal can also be a device such as a wearable, smart card, machine, tool, machine or container or vehicle.
• a terminal according to the invention is therefore either stationary or mobile.
• the terminal is preferably designed to use the Internet and / or other public or private networks.
• the terminal uses a suitable connection technology, for example Bluetooth, Lora, NFC and / or WiFi, and has at least one corresponding interface.
• the terminal can also be designed to be connected to the Internet and / or other networks by means of access to a cellular network.
• the first and / or second terminal in the method shown processes the received electronic coin data records in the presence or receipt of several electronic coin data records according to their monetary value. It can thus be provided that electronic coin data sets with a higher monetary value are processed before electronic coin data sets with a lower monetary value.
• the first and / or second terminal device can be designed to connect the electronic coin data record already in the second terminal device to the electronic coin data record already present in the second terminal device, depending on the attached information, for example a currency or denomination, and to carry out a connection step accordingly.
• the second terminal can also be designed to automatically carry out a switchover after receiving the electronic coin data record from the first terminal.
• further information is transmitted from the first terminal to the second terminal during transmission, for example a currency.
• this information can be included in the electronic coin data record.
• the method has the following further steps: masking the transmitted electronic coin data record in the second terminal by applying the, for example, homomorphic one-way function to the transmitted electronic coin data record; and sending the masked transmitted electronic coin data set to the remote monitoring entity for checking the validity of the transmitted electronic coin data set by the remote monitoring entity.
• the entire monetary amount is transferred to the second terminal as part of the electronic coin data record.
• the second terminal Before a payee accepts this electronic coin data record, he / she checks its validity if necessary.
• the second terminal generates the masked, transmitted electronic coin data record, sends it to the monitoring entity and in doing so asks the monitoring entity about the validity of the electronic coin data record.
• the monitoring instance now checks whether the masked, transmitted electronic coin data record is even present and whether it is still valid, i.e. has not already been used by another terminal, in order to avoid double spending.
• evidence is created in the second terminal.
• the evidence includes information about the correspondence of the monetary amount of the transmitted electronic coin dataset with the monetary amount of the electronic coin dataset to be switched.
• the proof preferably only includes information about the match, but not one of the monetary amounts.
• the electronic coin data records of the first and / or second terminal are preferably verified in or by the monitoring entity during the registration step.
• the check takes place as a function of the steps preceding the verification, for example whether a step of switching, connecting and / or dividing has taken place.
• the monitoring entity can, for example, check the validity of the (masked) transmitted and / or to be divided and / or first and second electronic coin data records. This makes it possible to determine whether the electronic coin records are being processed for the first time. If the (masked) electronic coin data sets are not valid (i.e. in particular if they are not present in the monitoring instance) the registration cannot be carried out successfully, for example because the terminal tries to issue an electronic coin data set several times.
• the registering step after the switching step has been carried out, comprises, for example, sending the switching command prepared by the terminal to the monitoring entity.
• the monitoring instance preferably notifies the result of executing the switchover command to the "commanding" terminal, i.e. which of the masked electronic coin data sets involved are valid after the switchover command has been executed.
• the monitoring entity is a remote entity.
• the establishment of a communication connection to the monitoring entity is provided for registering the electronic coin data record.
• the monitoring instance is designed as a superordinate instance.
• the monitoring instance is therefore not necessarily arranged in the level or in the layer of the terminals (direct transaction layer).
• the monitoring entity is preferably provided for managing and checking masked electronic coin data records and is arranged in an issuing layer, in which an issuing entity is also arranged, and / or a monitoring layer. It is conceivable that the monitoring instance also manages and checks transactions between terminals.
• the monitoring instance is preferably a decentrally controlled database, English Distributed Ledger Technology, DLT, in which the masked electronic coin data sets are registered with corresponding processing of the masked electronic coin data set.
• a validity status of the (masked) electronic coin data record can be derived from this.
• the validity of the (masked) electronic coin data records is preferably noted in and by the monitoring entity.
• the registration of the processing or the processing steps can also relate to the registration of test results and intermediate test results relating to the validity of an electronic coin data record. If processing is final, this is indicated, for example, by appropriate markings or a derived overall mark. Final processing then decides whether an electronic coin dataset is valid or invalid.
• This database is further preferably a non-public database, but can also be implemented as a public database.
• This database makes it possible to check coin data records for their validity in a simple manner and to prevent “double-spending”, ie multiple spending, without the payment transaction itself being registered or logged.
• the DLT describes a technology for networked computers that come to an agreement about the sequence of certain transactions and that these transactions update data. It corresponds to a decentralized management system or a decentralized database.
• the database can also be designed as a public database.
• the monitoring instance is a centrally managed database, for example in the form of a publicly accessible data memory or as a mixed form of central and decentralized database.
• the at least one initial electronic coin data record is preferably created exclusively by the issuer, whereby the divided electronic coin data records, in particular electronic coin data records can also be generated by a terminal. Creating and choosing a monetary amount also preferably includes choosing a concealment amount with high entropy.
• the issuing entity is a computing system which is preferably remote from the first and / or second terminal. After the creation of the new electronic coin data record, the new electronic coin data record is masked in the issuer instance by applying the, for example, homomorphic one-way function to the new electronic coin data record, in order to obtain a masked new electronic coin data record accordingly. Furthermore, additional information that is required for registering the creation of the masked new electronic coin data record in the remote monitoring entity is calculated in the issuer entity.
• This additional information is preferably proof that the (masked) new electronic coin data record originates from the issuer, for example by signing the masked new electronic coin data record.
• the issuer instance signs a masked electronic coin data record with its signature when generating the electronic coin data record.
• the signature of the issuing authority is stored in the monitoring authority for this purpose.
• the signature of the issuing entity is different from the signature generated by the first terminal.
• the issuer can deactivate an electronic coin data record that is in its possession (i.e. of which it knows the monetary amount and the concealment amount) by masking the electronic coin data record to be deactivated with the homomorphic one-way function, for example, and issuing a deactivation command for the Monitoring instance prepared.
• Part of the deactivation command is preferably, in addition to the masked electronic coin data record to be deactivated, also the proof that the deactivation step was initiated by the issuer, for example in the form of the signed, masked electronic coin data record to be deactivated. Area checks for the masked electronic coin data record to be deactivated could be contained as additional information in the deactivation command.
• the deactivation of the masked electronic coin data record is then registered in the remote monitoring entity. The deactivation step is triggered by the deactivation command.
• the creation and deactivation steps are preferably carried out in secure locations, in particular not in the end devices.
• the creation and deactivation steps are only carried out or initiated by the issuing entity. These steps preferably take place in a secure location, for example in a hardware and software architecture that was developed for processing sensitive data material in insecure networks. Deactivating the corresponding masked electronic coin data record has the effect that the corresponding masked electronic coin data record is no longer available for further processing, in particular transactions, since it is in and from the Monitor instance has been marked as invalid. However, in one embodiment it can be provided that the deactivated, masked electronic coin data record remains archived at the issuer.
• the deactivated, masked electronic coin data record is no longer valid can be identified, for example, with the aid of a flag or some other coding, or the deactivated, masked electronic coin data record can be destroyed and / or deleted. Of course, the deactivated, masked electronic coin data record can also be physically removed from the terminal.
• the method according to the invention enables various processing operations for the electronic coin data records and the corresponding masked electronic coin data records.
• Each of the processing operations (in particular creating, deactivating, splitting, connecting and switching) is registered in the monitoring instance and appended there in unchangeable form to the list of previous processing operations for the respective masked electronic coin data record.
• the registration is independent of the payment process between the terminals, both in terms of time and location (spatial).
• Processing in the direct transaction layer only affects the ownership structure and / or the assignment of the coin data records to terminals of the respective electronic coin data records.
• the respective processing in the monitoring instance is registered, for example, by means of corresponding list entries in a database which comprises a series of markings that must be carried out by the monitoring instance.
• One possible structure for a list entry includes, for example, column (s) for a previous coin data record, column (s) for a successor coin data record, a signature column for the issuer instance, a signature column for coin division processes and at least one marking column.
• a change in the status of the marking requires the approval of the monitoring authority and must then be saved unchangeably.
• a change is final if and only if the required markings have been validated by the monitoring instance, ie after the corresponding check, for example, have been changed from status "0" to status "1". If a test fails or takes too long, it is instead, for example, of the status changed to status "0". Further status values are conceivable and / or the status values mentioned here are interchangeable.
• the validity of the respective (masked) electronic coin data records from the status values of the markings is preferred summarized in each case in a column for each masked electronic coin data record that is involved in registering the processing.
• At least two, preferably three, or even all of the aforementioned markings can also be replaced by a single mark, which is set when all the tests have been successfully completed.
• the two columns for predecessor data records and successor data records can be combined into one each, in which all coin data records are listed together. In this way, more than two electronic coin data records could be managed per field entry, and thus, for example, a split into more than two coins could be implemented.
• a masked electronic coin data record is invalid if one of the following tests applies, i.e. if:
• the masked electronic coin record is not the successor to a valid masked electronic record unless it is signed by the issuer
• a payment system for exchanging monetary amounts is provided with a monitoring layer with a preferably decentrally controlled database, English Distributed Ledger Technology, DLT, in which masked electronic coin data records are stored; and a direct transaction layer with at least two terminals in which the method described above can be carried out; and / or an issuer entity for generating an electronic coin data record.
• the issuer instance can prove that the masked, generated electronic coin data record was generated by it, and that it is preferred the publisher can identify itself by signing and the monitoring authority can check the signature of the publisher.
• the payment system comprises an issuer instance for generating an electronic coin data record.
• the issuer entity can prove that the masked generated electronic coin data record was generated by it, the issuer entity can preferably identify itself through the signing and the monitoring entity can check the signature of the issuer entity.
• the payment system is preferably designed to carry out the above-mentioned method and / or at least one of the embodiment variants.
• Another aspect of the invention relates to a currency system comprising an issuer entity, a monitoring entity, a first terminal and a second terminal, the issuer entity being designed to create an electronic coin data record.
• the masked electronic coin data record is designed to be verifiably created by the issuing entity.
• the monitoring entity is designed to carry out a registration step as described in the above-mentioned method.
• the terminals i.e. at least the first and second terminals, are suitable for carrying out one of the above-mentioned methods for transmitting.
• only the issuer entity is authorized to initially create an electronic coin data record.
• Processing for example the step of connecting, dividing and / or switching, can and is preferably carried out by a terminal.
• the processing step of deactivation can preferably only be carried out by the issuing entity.
• only the issuer instance would be entitled to invalidate the electronic coin data record and / or the masked electronic coin data record.
• the monitoring instance and the issuing instance are preferably arranged in a server instance or are available as a computer program product on a server and / or a computer.
• An electronic coin data record can exist in a large number of different forms and can thus be exchanged via various communication channels, also referred to below as interfaces. This creates a very flexible exchange of electronic coin data records.
• the electronic coin data record can be displayed in the form of a file, for example.
• a file consists of related data that is stored on a data carrier, data storage medium or storage medium. Each file is initially a one-dimensional sequence of bits, which are usually interpreted in byte blocks. An application program (application) or an operating system itself interpret this bit or byte sequence, for example, as a text, an image or a sound recording.
• the file format used here can be different, for example it can be a pure text file that represents the electronic coin data record. In particular, the monetary amount and the blind signature are shown as a file.
• the electronic coin data record is, for example, a sequence of American Standard Code for Information Interchange, ASCII for short, characters.
• ASCII American Standard Code for Information Interchange
• the monetary amount and the blind signature are shown as this sequence.
• the electronic coin data record can also be converted from one form of representation to another form of representation in a device.
• the electronic coin data record can be received in the device as a QR code and output by the device as a file or character string.
• the form of representation of the electronic coin data records is preferably selected automatically, for example on the basis of recognized or negotiated transmission media and device components.
• the object is achieved by a device which is set up for the direct transmission of electronic coin data sets to another device.
• the device comprises means for accessing a data memory, at least one electronic coin data set being stored in the data memory; an interface at least for outputting the at least one electronic coin data record to the other device; and an arithmetic unit which is responsible for masking the electronic coin data record in the device by applying the, for example, homomorphic (encryption) one-way function to the electronic coin data record to obtain a masked electronic coin data record for registering the masked electronic coin data record in a monitoring entity; and is set up to output the electronic coin data record by means of the interface.
• a device is a previously described terminal or a previously described machine.
• the data memory is an internal data memory of the device.
• the electronic coin data records are stored here. This guarantees easy access to electronic coin data sets.
• the data memory is in particular an external data memory, also called online memory.
• the device only has one means of access to the externally and thus securely stored coin data sets.
• the electronic coin data sets are not lost. Since the possession of the (unmasked) electronic coin data records corresponds to the possession of the monetary amount, money can be stored more securely by using external data storage devices.
• the device preferably has an interface for communication by means of a customary Internet communication protocol, for example TCP, IP, UDP or HTTP.
• a customary Internet communication protocol for example TCP, IP, UDP or HTTP.
• the transmission can include communication via the cellular network.
• the device is set up to carry out the processing operations already described, in particular dividing, connecting and switching, on an electronic coin data record.
• the computing unit is set up to mask an electronic coin data record to be switched over as the electronic coin data record which the monitoring entity needs as a masked electronic coin data record for registering the switchover command or in the switchover step. In this way, an electronic coin data record can be switched over, as described above.
• the arithmetic unit is preferably set up to mask an electronic coin data set divided into a number of coin part data records in order to obtain a masked electronic coin data record and possibly masked electronic coin part data records which can be registered in the monitoring instance. In this way, an electronic coin data record can be split up - as described above.
• the computing unit is preferably set up to mask one of a first and a second electronic coin dataset to be linked as the electronic coin dataset in order to obtain a masked coin dataset to be linked as the masked electronic coin dataset that is registered in the monitoring instance.
• an electronic coin data record - as described above - can be linked.
• the interface for outputting the at least one electronic coin data record is an electronic display unit of the device which is set up to display the electronic coin data record and thereby (also) output the electronic coin data record in visual form.
• the electronic coin data record can then be exchanged between devices, for example in the form of an optoelectronically detectable code, an image, etc.
• the interface for outputting the at least one electronic coin data record is a protocol interface for wireless transmission of the electronic coin data record to the other device by means of a communication protocol for wireless communication.
• a communication protocol for wireless communication for wireless communication.
• near-field communication is provided, for example by means of the Bluetooth protocol or NFC protocol or IR protocol; alternatively or additionally, WL AN connections or mobile radio connections are conceivable.
• the electronic coin data set is then adapted and transmitted in accordance with the protocol properties.
• the interface for outputting the at least one electronic coin data record is a data interface for providing the electronic coin data record to the other device by means of an application.
• the electronic coin data set is transmitted by means of an application.
• This application then transmits the coin data set in a corresponding file format.
• a file format specific to electronic coin data sets can be used.
• the coin data set is transmitted as an ASCII character string or as a text message, e.g. SMS, MMS, instant messenger message (such as Threema or WhatsApp).
• the coin data record is transmitted as an APDU character string.
• a wallet application can also be provided.
• the exchanging devices preferably ensure that an exchange by means of the application is possible, that is to say that both devices have the application and are ready for exchange.
• the device also has an interface for receiving electronic coin data records.
• the interface for receiving the at least one electronic coin dataset is an electronic detection module of the device, set up to detect an electronic coin dataset presented in visual form.
• the acquisition module is then, for example, a camera or a barcode or QR code scanner.
• the interface for receiving the at least one electronic coin data record is a protocol interface for wirelessly receiving the electronic coin data record from another device by means of a Communication protocol for wireless communication.
• a Communication protocol for wireless communication for wireless communication.
• near-field communication is provided, for example using the Bluetooth protocol or NFC protocol or IR protocol.
• WLAN connections or cellular connections are conceivable.
• the interface for receiving the at least one electronic coin data record is a data interface for receiving the electronic coin data record from the other device by means of an application.
• This application then receives the coin data set in a corresponding file format.
• a file format specific to coin data sets can be used.
• the coin data set is transmitted as an ASCII character string or as a text message, for example SMS, MMS, Threema or WhatsApp.
• the coin data record is transmitted as an APDU character string.
• the transfer can take place using a wallet application.
• the interface for receiving the at least one electronic coin data record is also the interface for outputting the electronic coin data record, so that an interface is provided for both sending and receiving the coin data record.
• the device comprises at least one security element reading device, set up to read a security element; a random number generator; and / or a communication interface to a safe module and / or bank with authorized access to a bank account.
• the data memory is a shared data memory that can be accessed by at least one other device, each of the terminals having an application, this application being set up to communicate with the monitoring instance for the corresponding registration of electronic coin part data records.
• masked electronic coin data sets are held in the monitoring instance as a unique, corresponding public representation of the electronic coin data set.
• the knowledge or the possession of a masked electronic coin data record does not represent the possession of money. Rather, this is like checking the authenticity of the analog means of payment.
• the monitoring instance also contains markings about executed and planned processing of the masked electronic coin data record.
• a status of the respective masked electronic coin data record is derived from the markings relating to the processing, which indicates whether the corresponding (unmasked) electronic coin data record is valid, i.e. ready to pay. Therefore, a recipient of an electronic coin data record will first generate a masked electronic coin data record and have the monitoring entity authenticate the validity of the masked electronic coin data record.
• a great advantage of this inventive solution is that the digital money is distributed to terminals, dealers, banks and other users of the system, but no digital money or other metadata is stored in the monitoring instance - that is, a common instance.
• the proposed solution can be integrated into existing payment systems and infrastructures.
• a payment process can take place with banknotes and / or coins, but the change or change is available as an electronic coin data record.
• ATMs with a corresponding configuration, in particular with a suitable communication interface, and / or mobile terminals can be provided.
• An exchange of electronic coin data sets for banknotes or coins is also conceivable.
• the object is also achieved by a monitoring unit which is set up to receive a masked electronic coin data record and to register the masked electronic coin data record.
• the masked electronic coin data record is masked in a first masking mode or a second masking mode or a third masking mode or a fourth masking mode.
• the masked electronic coin data record is preferably masked in accordance with a masking step from the method described above.
• the monitoring unit is also set up for Registering a modification of a coin data set according to the method described above.
• FIG. 1 shows an embodiment of a payment system according to the invention
• FIG. 2 shows an exemplary embodiment of a monitoring instance
• FIG. 3 shows an embodiment of a payment system according to the invention for splitting and switching over electronic coin data sets
• FIG. 4 shows an embodiment of a payment system according to the invention for connecting electronic coin data sets
• FIG. 5 shows an exemplary embodiment of a process flow diagram of a method according to the invention and corresponding processing steps of a coin data set
• FIG. 6 shows an exemplary embodiment of a process flow diagram of a method according to the invention and corresponding processing steps of a coin data set
• FIG. 7 shows a further exemplary embodiment of a method flow diagram of a method according to the invention.
• FIG. 8 shows an embodiment of a device according to the invention
• FIG. 9 shows a further exemplary embodiment of a method flow diagram of a method according to the invention in accordance with the second masking mode
• FIG. 10 shows a schematic illustration of the method according to FIG. 9; 11 shows a further exemplary embodiment of a method flow diagram of a method according to the invention;
• FIG. 13 shows a process flow diagram of the method according to the invention shown in FIG. 12.
• Fig.l shows an embodiment of a payment system with terminals Ml and M2 according to the invention.
• the terminals M1 and M2 can also be devices.
• an electronic coin data record Ci is generated in an issuer instance 1, for example a central bank.
• a masked electronic coin data record Zi is generated for the electronic coin data record Ci and registered in a “veiled electronic data record ledger”.
• a ledger is understood to be a list, a directory, preferably a database structure.
• the electronic coin data record Ci is output to a first terminal Ml.
• This concealment amount n is linked to a monetary amount Ui and then forms an i-th electronic coin data record according to the invention:
• Ci ⁇ ,; r, ⁇ (1)
• a valid electronic coin data record can be used for payment.
• the owner of the two values Ui and r is therefore in possession of the digital money.
• the digital money is defined by a pair consisting of a valid electronic coin data record and a corresponding masked electronic coin data record Zi.
• the masked electronic coin data record Zi is obtained by applying a one-way function f (Ci) according to equation (2):
• the one-way function f (Ci) is homomorphic, for example.
• the masked electronic coin data record is, for example, a completely electronic masked coin data record, an incompletely masked electronic coin data record, a quasi-masked electronic one Coin data set or a partially masked electronic coin data set, as will be explained in more detail with reference to FIG. 12 and the following.
• This function f (Ci) is public, in particular for a fully masked electronic coin data record, an incompletely masked electronic coin data record and a partially masked electronic coin data record, i.e. every system participant can call up and use this function.
• This function f (Ci) is defined according to equation (3) or equation (3a), for example:
• H and G are generator points of a group G, in which the discrete logarithm problem is difficult, with the generators G and H, for which the discrete logarithm of the respective other base is unknown.
• G (equation (3), (3a)) and H (equation (3)) are each a generator point of an elliptical curve encryption, ECC, i.e. private keys of the ECC.
• ECC elliptical curve encryption
• Equation (3) is a “Pederson commitment for ECC” which ensures that the monetary amount Ui can be granted, ie “committed”, to a monitoring instance 2 without revealing it to the monitoring instance 2.
• the public and remote monitoring instance 2 is therefore only sent (disclosed) the masked coin data set Zi.
• Equation (3) through the entropy of the concealment amount n, enables a cryptographically strong Zi to be obtained even with a small value range for monetary amounts Ui. Consequently a simple brute force attack simply by estimating monetary amounts Ui is practically impossible.
• Equations (3) and (3a) use one-way functions, which means that the computation of Zi from Ci is easy because an efficient algorithm exists, whereas the computation of Ci from Zi is very difficult because there is no algorithm that can be solved in polynomial time exists.
• equation (3) is homomorphic for addition and subtraction, i.e. the following applies:
• the coin data set Ci can be divided according to equation (1) into:
• equation (9) for example, a “splitting” processing or a “splitting” processing step of a coin data set according to FIG. 3 can be checked in a simple manner without the monitoring instance 2 having knowledge of Ci, Q, C k .
• the condition of equation (9) is checked to validate split coin data sets Q and C k and invalidate coin data set Ci.
• Such a division of an electronic coin data set Ci is shown in FIG.
• electronic coin data records can also be put together (connected), see FIG. 4 and the explanations for this.
• a ring signature is preferably included for each bit
• Cij-aj H (9d) carried out, it being possible in one embodiment to carry out a ring signature only for certain bits.
• an electronic coin data set Ci is generated by the issuer instance 1 and a masked electronic coin data set Zi is calculated by the issuer instance 1 using equation (3) or equation (3a) and this is registered in the monitoring instance 2.
• the first terminal M1 then transmits, which can transmit the electronic coin data record Ci to a second terminal M2 or can carry out one of the processing steps (switching, connecting, splitting).
• the transmission takes place wirelessly via WLAN, NFC or Bluetooth, for example.
• the transmission can be additionally secured by cryptographic encryption methods, for example by negotiating a session key or using a PKI infrastructure.
• the transmitted electronic coin data record Ci is received as Ci * in the second terminal M2.
• the second terminal M2 When the electronic coin data set Ci * is received, the second terminal M2 is in possession of the digital money represented by the electronic coin data set Ci *. If both terminals trust each other, no further steps are necessary to end the process. However, the terminal M2 does not know whether the electronic coin data record Ci * is actually valid. In addition, the terminal M1 could also transmit the electronic coin data record Ci to a third terminal (not shown). In order to prevent this, further preferred steps are provided in the method.
• the masked, transmitted electronic coin data set Zi * is calculated in the second terminal M2 with the - public - one-way function from equation (3) or equation (3a).
• the masked transmitted electronic coin data set Zi * is then transmitted to the monitoring instance 2 and searched there. If there is a match with a registered and valid masked electronic coin data record, the second terminal M2 is shown the validity of the received coin data record Ci * and it applies that the received electronic coin data record Ci * is equal to the registered electronic coin data record Ci.
• the received electronic coin data record Ci * is still valid, i.e. that it has not already been used by another processing step or in another transaction and / or was subject to a further change.
• the electronic coin data record obtained is then preferably switched over.
• the sole knowledge of a masked electronic coin data set Zi does not entitle the holder to spend the digital money.
• the sole knowledge of the electronic coin data set Ci authorizes payment, i.e. to successfully carry out a transaction, in particular if the coin data set Ci is valid.
• the masked electronic coin data records Zi are registered in the monitoring instance 2, for example a public decentralized database. This registration first makes it possible to check the validity of the electronic coin data record, for example whether new monetary amounts have been created (illegally).
• a main differentiating feature compared to conventional solutions is that the masked electronic coin data sets Zi are stored in a monitoring layer 4 and all processing operations on the electronic coin data set Zi are registered there, whereas the actual transfer of the digital money in a (secret, i.e. one not known to the public) Direct transaction layer 3 takes place.
• the electronic coin data records can now be processed in the method according to the invention.
• the following table 1 lists the individual operations, with the specified command also executing a corresponding processing step:
• Table 1 shows that for each coin data record, each of the processing operations “Create”, “Deactivate”, “Split”, “Connect” and “Switch” different operations “Create signature”; “Create random number”; “Create Mask”; “Area checking” can be provided, each of the processing operations being registered in the monitoring instance 2 and appended there in unchangeable form to a list of previous processing operations for masked electronic coin data records Zi.
• the operations of processing “creating” and “deactivating” an electronic coin data set are only carried out in secure locations and / or only by selected entities, for example issuer entity 1, while the operations of all other processing operations can be carried out on terminals M1 to M3.
• the number of operations for the individual processing is marked in table 1 with "0", "1" or "2".
• the number “0” indicates that the terminal or issuer instance 1 does not have to carry out this operation for this processing of the electronic coin data record.
• the number “1” indicates that the terminal or issuer instance 1 must be able to carry out this operation once for this processing of the electronic coin data record.
• the number “2” indicates that the terminal or issuer instance 1 must be able to carry out this operation twice for this processing of the electronic coin data record.
• an area check is also carried out by the issuer instance 1 when creating and / or deleting.
• the following table 2 lists the operations required for the monitoring instance 2 for the individual processing operations:
• Table 2 Number of operations that can be carried out per processing of a coin data record in the monitoring instance
• Table 2 Other operations not listed in Table 2 may be required. Instead of the implementation mentioned, other implementations that imply other operations are conceivable. All operations of table 2 can be carried out in the monitoring instance 2, which as a trustworthy instance, for example as a decentralized server, in particular a distributed trusted server, ensures sufficient integrity of the electronic coin data records.
• Table 3 shows the components to be preferably installed for the system subscribers in the payment system of FIG. 1:
• Table 3 shows an overview of the components to be preferably used in each system subscriber, i.e. the issuer instance 1, a terminal Ml and the monitoring instance 2.
• the terminal Ml can be used as a wallet for electronic coin data records Ci, ie as an electronic purse, i.e. a data storage device for the terminal Ml, in which a large number of coin data sets Ci can be stored, be designed and implemented, for example, in the form of an application on a smartphone or IT system of a retailer, a commercial bank or another market participant and send or receive an electronic coin data set.
• the components in the terminal as shown in Table 3 are implemented as software. It is assumed that the monitoring instance 2 is based on a DLT and is operated by a number of trustworthy market participants.
• FIG. 2 shows an exemplary embodiment of a monitoring instance 2 from FIG. 1.
• FIG. 2 shows an exemplary database in the form of a table in which the masked electronic coin data sets Zi and, if applicable, their processing operations are registered.
• the monitoring instance 2 is preferably arranged locally remotely from the terminals M1 to M3 and is accommodated, for example, in a server architecture.
• Each processing operation for processing (creating, deactivating, splitting, connecting and switching) is registered in the monitoring instance 2 and is attached there in unchangeable form to a list of previous processing operations for masked electronic coin data records Zi.
• the other processing operations split, connecting, switching
• do not require any authorization by the issuing instance 1 or by the command initiator ( payer, for example the first terminal M1).
• the respective processing in the monitoring instance 2 is registered, for example, by means of corresponding list entries in the database according to FIG. 2.
• Each list entry has further markings 25 to 28 that document the intermediate results of the respective processing that must be carried out by the monitoring instance 2.
• the markings 25 to 28 are preferably used as an aid and are discarded by the monitoring entity after the commands have been completed. What remains are markings 29 to 32 about the validity of the (masked) electronic coin data records from columns 22a, 22b, 23a and / or 23b. These markings are in the state when a processing command is received, for example, and are set to the state “1” after all tests have been successfully completed and are set to the state “0” if at least one test has failed.
• a possible structure for a list entry of a coin data record includes, for example, two columns 22a, 22b for a previous coin data record (Ol, 02), two columns 23a, 23b for a successor coin data record (S1, S2), a signature column 24 for the issuer instance ( en) 1, and four marking columns 25 to 28.
• Each of the entries in columns 25 to 28 has three alternative states “1” or “0”.
• Column 25 indicates whether a validity check with regard to an electronic coin data record in column 22a / b was successful, with status “1” meaning that a validity check showed that the electronic coin data record in column 22a / b is valid and the status “0” indicates that a validity check showed that the electronic coin data record in column 22a / b is invalid and the status indicates that a validity check has not yet been completed.
• Column 26 shows whether the calculation of the masked electronic coin data record was successful, with status “1” meaning that a calculation was successful and status “0” indicates that calculation was unsuccessful and the status indicates that a validity check has not yet been completed.
• Column 28 indicates whether a signature of the electronic coin data record matches the signature in column 24, with the status “1” meaning that a validity check showed that the signature could be identified as that of the issuing authority and the status "0" indicates that a validity check showed that the signature could not be identified as that of the issuing authority and the status indicates that a validity check has not yet been completed.
• a change in the status of one of the markings requires approval by the monitoring instance 2 and must then be stored in the monitoring instance 2 in an unchangeable manner. Processing is final if and only if the required markings 25 to 28 have been validated by the monitoring instance 2, ie they have changed from status “0” to status “1” or status “1” after the corresponding test.
• the monitoring instance 2 searches for the last change that affects the masked electronic coin data set Z. It applies that the masked electronic coin data set Z is valid if and only if the masked electronic coin data set Z is listed for its last processing in one of the successor columns 23a, 23b and this last processing has the corresponding final marking 25 to 28. It also applies that the masked electronic coin data set Z is valid if and only if the masked electronic coin data set Z is listed for its last processing in one of the predecessor columns 22a, 22b and this last processing failed, i.e. at least one of the correspondingly requested States of the markings 25 to 28 is set to "0".
• the masked electronic coin data set Z is not valid for all other cases, for example if the masked electronic coin data set Z is not found in the monitoring instance 2 or if the last processing of the masked electronic coin data set Z is in one of the successor columns 23a , 23b is listed, but this last processing never became final or if the last processing of the masked electronic coin data set Z is in one of the preceding columns 22a, 22b and this last processing is final.
• the checks by the monitoring instance 2 to check whether processing is final are shown in columns 25 to 28:
• the status in column 25 indicates whether the masked electronic coin data record (s) according to predecessor columns 22a, 22b are valid are.
• the status in column 26 indicates whether the calculation of the masked electronic coin data record according to equation (10) is correct.
• the status in column 27 indicates whether the area evidence for the masked electronic coin data records Z could be checked successfully.
• the status in column 28 indicates whether the signature in column 24 of the masked electronic coin data record Z is a valid signature of the issuer instance 1.
• the status "0" in a column 25 to 28 indicates that the test was not successful.
• the status "1" in a column 25 to 28 indicates that the test was successful.
• the status in a column 25 to 28 indicates that no test has taken place.
• the states can also have a different value, as long as it is possible to clearly differentiate between success / failure of a test and it is clear whether a certain test was carried out. As an example, five different processing operations are defined, which are explained in detail here. Reference is made to the corresponding list entry in FIG. 2.
• One processing is, for example, “generating” an electronic coin data set Ci.
• the generation in the direct transaction layer 3 by the issuer instance 1 includes the selection of a monetary amount Ui and the creation of a concealment amount n, as has already been described with equation (1).
• no entries / markings are required in columns 22a, 22b, 23b and 25 to 27 during the “create” processing.
• the masked electronic coin data set Zi is registered in the successor column 23a. This registration is preferably carried out before the transmission to a terminal M1 to M3, in particular or already during generation by the issuing entity 1, in which case equation (3) or equation (3a) must be carried out in both cases.
• the masked electronic coin dataset Zi is signed by the issuer instance 1 when it is created; this signature is entered in column 24 to ensure that the electronic coin dataset Ci was actually created by an issuer instance 1, although other methods can also be used for this. If the signature of a received Zi matches the signature in column 24, the marking is set in column 28 (from “0” to “1”). The markings according to Columns 25 to 27 do not require a status change and can be ignored. The proof of area is not required because the monitoring instance 2 trusts that the issuing instance 1 does not issue any negative monetary amounts. In an alternative embodiment, however, it can be sent by the issuer instance 1 in the create command and checked by the monitoring instance 2.
• Processing is, for example, “deactivate”.
• the deactivation that is to say the destruction of money (DESTROY)
• DESTROY destruction of money
• the (masked) electronic coin data record to be deactivated can therefore no longer be processed further in the monitoring layer 4.
• the corresponding (unmasked) electronic coin data records Ci should also be deactivated in the direct transaction layer 3.
• the masked electronic coin data set Zi When deactivated, the masked electronic coin data set Zi must be checked to see whether the signature matches the signature according to column 24 in order to ensure that the electronic coin data set Ci was actually created by an issuer instance 1, although other means can be used for this check. If the signed Zi, which is sent with the deactivation command, can be confirmed as signed by the issuing instance 1 or confirmed as validly signed, the marker 28 is set (from “0” to “1”). The markings according to columns 26 to 27 do not require a status change and can be ignored. The markings according to columns 25 and 28 are set after appropriate testing. One processing is, for example, “splitting”.
• the division that is, the division of an electronic coin data set Zi into a number n, for example 2, of electronic coin part data sets Z j and Z k is initially carried out in the direct transaction layer 3, as shown in FIGS. 3, 5 to 7 and also FIGS 11 is shown, the monetary amounts U j and the concealment amount h being generated.
• V k and r k result from equations (7) and (8).
• the markings 25 to 27 are set, the previous column 22a is written with the electronic coin data set Zi, the next column 23a is written with Z j and the next column 23b is written with Z k .
• the status changes required in accordance with columns 25 to 27 are made after the corresponding check by the monitoring instance 2 and document the respective check result.
• the marking according to column 28 is ignored.
• a signature of the divided coin data set - masked with equation (3a) - can be entered
• One processing is, for example, “Connect”.
• the connection i.e. the merging of two electronic coin data sets Zi and Z j to form one electronic coin data set Z m, is initially carried out in the direct transaction layer 3, as shown in FIG. 4, the monetary amount u m and the concealment amount r m being calculated .
• the markings 25 to 27 are set, the previous column 22a is written with the electronic coin data set Zi, the previous column 22b is written with Z j and the next column 23b is written with Z m .
• the markings in columns 25 to 27 require status changes and monitoring instance 2 carries out the corresponding checks. Proof of area must be provided to show that no new money has been generated.
• the marking according to column 28 is ignored.
• a first signature and a second signature of the coin data records to be connected - masked with equation (3a) - can be entered.
• One processing is, for example, “toggle”. Switching is necessary if an electronic coin data record has been transmitted to another terminal and a renewed issue by the transmitting terminal (here Ml) is to be excluded.
• switching also called “switch”
• the electronic coin data record C k received from the first terminal Ml is exchanged for a new electronic coin data record Ci with the same monetary amount.
• the new electronic coin data record Ci is generated by the second terminal M2. This switching is necessary in order to invalidate (invalidate) the electronic coin data set C k received from the first terminal Ml, which avoids reissuing the same electronic coin data set C k .
• the first terminal Ml can forward this electronic coin data record C k to a third terminal M3, since the first terminal Ml is aware of the electronic coin data record C k. Switching takes place for example by adding a new obfuscation amount r add to the obfuscation amount r k of the obtained electronic coin record C k , thereby obtaining an obfuscation amount n which only the second terminal M2 knows. This can also take place in the monitoring instance 2.
• the “splitting” and “connecting” modifications to an electronic coin data record can also be delegated from a terminal M1 to another terminal M2, M3, for example if a communication link to the monitoring instance 2 is not available.
• Fig. 3 an embodiment of a payment system according to the invention for “splitting”, “connecting” and “switching” of electronic coin data sets C is shown.
• the first terminal Ml has received the coin data record Ci and would now like to carry out a payment transaction not with the entire monetary amount Ui, but only with a partial amount Vk.
• the coin data record Ci is divided. To do this, the monetary amount is first divided:
• Each of the received amounts U j , U k must be greater than 0, because negative monetary amounts are not permitted.
• masked coin data sets Z j and Z k are obtained from the coin data sets Q and C k according to equation (3) and registered in the monitoring instance 2.
• the markings in columns 25 to 27 require a status change and monitoring instance 2 carries out the corresponding checks. The marking according to column 28 is ignored.
• a coin part data set here C k
• C k a coin part data set
• a switchover operation is useful in order to exchange the electronic coin data record C k received from the first terminal M1 for a new electronic coin data record Ci with the same monetary amount.
• the new electronic coin data record Ci is generated by the second terminal M2.
• the monetary amount of the coin data set Ci is adopted and not changed, see equation (11).
• the coin data set Ci to be switched is masked by means of the equation (3) or the equation (3a) to obtain the masked coin data set Z ⁇ .
• a signature is generated over the monetary amount vu, the concealment amount r k and the masked coin data set Z (also referred to as R).
• the signature can be validated by recalculating the masking in the monitoring instance 4 in order to be able to prove the authenticity and the presence / possession of the coin data record C.
• Fig. 4 shows an embodiment of a payment system according to the invention for connecting electronic coin data sets.
• the two coin data sets Ci and Q are received in the second terminal M2.
• a new coin data set Z m is now obtained in that both the monetary amounts and the concealment amount of the two coin data sets Ci and Q are added.
• the obtained coin data set C m to be connected is masked by means of equation (3) or equation (3a) and the masked coin data set Z m is registered in the monitoring entity.
• a first signature is generated for the monetary amount Oi, the concealment amount r, and the masked coin data set Zi
• a second signature is generated for the monetary amount Vj, the concealment amount r, and the masked coin data set Z j generated.
• Both signatures can be validated by recalculating the masking in the monitoring instance 4 in order to be able to prove the authenticity and the presence / possession of the coin data record C.
• the first signature can also be linked to the second signature in order to form a common signature.
• FIGS. 5 to 7 are each an exemplary embodiment of a process flow diagram of a method 100 according to the invention.
• FIGS. 5 to 7 are explained jointly below.
• a coin data record is requested and provided by the issuer instance 1 to the first terminal M1 after the electronic coin data record has been created.
• a signed, masked electronic coin data record is sent to the monitoring instance 2 in step 103.
• the electronic coin data set Ci obtained is masked in accordance with equation (3) and as explained in FIG. 1.
• step 104 the masked electronic coin data set Zi is registered in the monitoring instance 2.
• Ml can switch the received electronic coin data record.
• the coin data record Ci is transmitted in the direct transaction layer 3 to the second terminal M2.
• a validity check with previous masking takes place, in which, if the case is good, the monitoring instance 2 confirms the validity of the coin data set Zi or Ci.
• a received coin data record C k is switched over (the received coin data record Ci could of course also be switched over) to a new coin data record Ci, whereby the coin data record C k becomes invalid and double dispensing is prevented.
• the monetary amount vu of the transferred coin data set C k is used as the “new” monetary amount Oi.
• the concealment amount n is created.
• the additional concealment amount r add is used to prove that no new money (in the form of a higher monetary amount) was generated by the second terminal M2. Then, among other things, the masked coin data set Zi to be switched is sent to the monitoring instance 2 and the switchover from C k to Ci is instructed.
• step 108 the appropriate test is performed in the monitoring entity 2.
• Z is k in the gaps 22a as shown in Table in Fig. Recorded 2 and in column 23b of the rewritten Münz Scheme Zi.
• Z k is (still) valid, i.e. whether the last processing of Z k is entered in one of the columns 23a / b (as proof that Z k was not further divided or deactivated or connected) and whether a check for the last processing failed .
• Ziin is entered in column 23b and the markings in columns 25, 26, 27 are initially set to “0”.
• step 109 two coin data sets C k and Ci are combined to form a new coin data set C m , as a result of which the coin data sets C k , Ci become invalid and double dispensing is prevented.
• the monetary amount u m is formed from the two monetary amounts U k and Ui.
• the concealment amount r m is formed from the two concealment amounts r k and n.
• the masked coin data set to be connected is obtained by means of equation (3) and this (together with other information) is sent to the monitoring instance 2 and the connection is requested as processing.
• step 109 ' the corresponding check is carried out in the monitoring instance 2.
• Z m is entered in column 23b according to the table in FIG. 2, which is also like a paraphrase.
• a check then takes place in the monitoring instance 2 as to whether Z k and Zi are (still) valid, that is whether the last processing of Z k or Zi is entered in one of the columns 23a / b (as evidence that Z k and Zi were not further divided or deactivated or connected) and whether a check for the last processing failed.
• the markings in columns 25, 26, 27 are initially set to "0".
• a check now takes place as to whether Z m is valid, in which case the check according to equations (16) and (17) can be used.
• the marking in column 25 is set to “1”, otherwise to “0”.
• step 110 ' the corresponding check takes place in the monitoring instance 2.
• Z j and Z k are entered in columns 23a / b according to the table in FIG.
• the monitoring instance 2 checks whether Zi is (still) valid, i.e. whether the last processing of Zi is entered in one of the columns 23a / b (as proof that Zi has not been further divided or deactivated or connected) and whether a check for the last processing failed.
• the markings in columns 25, 26, 27 are initially set to "0".
• a check now takes place as to whether Z j and Z k are valid, in which case the check according to equations (16) and (17) can be used. If the case is good, the marking in column 25 is set to "1".
• a check is now carried out, the calculation according to equation (10) shows that Zi is equal to Z k plus Z j and the marking in column 26 is set accordingly. It is also checked whether the areas are conclusive, then the marking in column 27 is set.
• a device Ml can store electronic coin data sets Ci in a data memory 10, 10 '.
• the electronic coin data sets Ci can be on the data memory 10 of the device Ml or be available in an external data memory 10 '. If an external data memory 10 'is used, the electronic coin data sets Ci could be stored in an online memory, for example a data memory 10' from a provider for digital purses.
• private data storage media for example network-attached storage, NAS could also be used in a private network.
• the electronic coin record Ci is shown as a printout on paper.
• the electronic coin data record can be represented by a QR code, an image of a QR code, or a file or a character string (ASCII).
• the device Ml has at least one interface 12 available as a communication channel for outputting the coin data set Ci.
• This interface 12 is, for example, an optical interface, for example for displaying the coin data set Ci on a display unit (display), or a printer for printing out the electronic coin data set Ci as a paper Expression.
• This interface 12 can also be a digital communication interface, for example for near-field communication, such as NFC, Bluetooth, or an Internet-compatible interface, such as TCP, IP, UDP, HTTP or access to a chip card as a security element.
• This interface 12 is, for example, a data interface so that the coin data set Ci is transmitted between devices via an application, for example an instant messenger service, or as a file or as a character string.
• the interface 12 or a further interface (not shown) of the device M1 is set up to interact with the monitoring instance 2 according to the description in FIGS. 1 to 6.
• the device M1 is preferably online capable for this purpose.
• the device Ml can also have an interface for receiving electronic coin data sets.
• This interface is set up to receive visually presented coin data sets, for example using a detection module such as a camera or scanner, or digitally presented coin data sets, received via NFC, Bluetooth, TCP, IP, UDP, HTTP or to receive coin data sets presented by means of an application.
• the device Ml also includes a computing unit 13 which can carry out the above-described method for masking coin data sets and the processing on coin data sets.
• the device M1 is online capable and can preferably recognize by means of a location recognition module 15 when it is connected to a WLAN.
• the location recognition module 15 recognizes when the device M1 is in predefined GPS coordinates including a defined radius and carries out the special functions in accordance with the location zone thus defined. This location zone can either be introduced manually into the device M1 or into the device M1 via other units / modules.
• the special functions that the device Ml performs when the location zone is recognized are, in particular, the transmission of electronic coin data sets from / to the external data memory 10 from / to a safe module 14 and, if necessary, the transmission of masked coin data sets Z to the monitoring instance 2, for example in the context of the above processing on a coin data record.
• all coin data records Ci are automatically linked to form a coin data record in the terminal M1 after receipt (see linking processing or linking step). That is, as soon as a new electronic coin data record is received, a connect or switch command is sent to the monitoring instance 2.
• the device Ml can also prepare electronic coin data sets in algorithmically determined denominations and in the Data memory 10, 10 'in reserve so that a payment process is possible even without a data connection to the monitoring instance 2.
• FIGS. 9 and 10 each show an exemplary embodiment of a method flow diagram of a method 200 according to the invention.
• FIGS. 9 and 10 are explained jointly below. The statements made previously from the method 100 and the individual method steps 101 to 110 also apply to this method 200, unless other statements are made here.
• a coin dataset is requested and provided by the issuer instance 1 to the first terminal M1 after the electronic coin dataset has been created, see also FIGS. 5 to 7.
• the first terminal M1 transmits the coin C to the second terminal in step 105 .
• the method steps 201 to 208 shown here are explained with reference to the second terminal M2, but could also be carried out in the first terminal M1.
• the first terminal Ml transmits the coin C k to the second terminal in step 105.
• a masking mode is selected.
• a switch is provided in order to exchange the electronic coin data record C k received from the first terminal Ml for a new electronic coin data record Ci with the same monetary amount.
• the new electronic coin data record Ci is generated by the second terminal M2.
• the monetary amount v /, - of the coin data set C k is adopted and is not changed to the new monetary amount, see equation (11).
• a new obfuscation amount r add is added to the obfuscation amount r k of the obtained electronic coin record C k , thereby obtaining an obfuscation amount n which only the second terminal M2 knows.
• the selection is made, for example, by a user of the first terminal Ml via a corresponding menu control on the terminal Ml.
• the selection is made, for example, on the basis of a system specification x in the payment system. For example, it is possible to optimally utilize the performance of the payment system so that the effort of the verification check (step 207) can be controlled on the basis of a current registration request volume in the monitoring instance 2 by appropriate selection of the masking mode.
• the selection can also be made on the basis of a terminal property, for example if one of the masking modes is not supported, a corresponding preselection can be made.
• step 201 the second masking mode is now selected in step 201 in accordance with FIG. 9. Then will in step 202 the electronic coin data set Ci is masked according to equation (3) in order to obtain the masked electronic coin data set Z ⁇ .
• step 203 a first signature with the concealment amount n is created as the signature key according to equation (17):
• step 203 a second signature is created with the difference between the concealment amounts n and n as a signature key according to equation (18):
• Switching (modifying) is preferably carried out before sending step 204.
• the corresponding incompletely masked electronic coin data set Zi sent to monitoring instance 2 in step 204 is sent together with at least also the unmasked data element from equation (19) and the second signature from equation (18) :
• a simplified area check can be carried out in the monitoring instance by selecting the second masking mode. This includes four tests.
• the first check is to check the validity of the incompletely masked coin data set to be switched. This is done in accordance with the type described above.
• the second check according to step 206 is used to verify the first signature.
• the public verification key of the first signature is created from the unmasked monetary amount V k, with:
• the third check according to step 207 serves to verify the second signature.
• the difference between the masked electronic coin data set Zi to be switched and the masked received coin data set Z k is formed:
• the second signature is checked with the public verification key generated in equation (23). If the third check is successful, it is proven that the difference between the monetary amounts V k results in zero and thus it is proven that no new / additional money was generated.
• the fourth check is then a very simple area check by the monitoring authority 2:
• the checking of the division (as modification) of a coin data set Ci takes place in a manner comparable to that of switching.
• the first terminal M1 transmits the coin Ci to the second terminal M2 in step 105, for example.
• step 201 the selection of the masking mode takes place.
• the second masking mode is now selected in step 201 in accordance with FIG. 9.
• step 202 the electronic coin data set Ci is divided according to equations (6) and (7) in order to obtain a first coin part data set Cj and a second coin part data set Ck.
• step 203 three separate first signatures are then created using the concealment amounts r h r and r k in accordance with equation (17).
• each of the monetary amounts v l v, V k is added to the corresponding first signature, for example logically ORed according to equation (19), so that the following three first signatures are obtained:
• the splitting (modification) is preferably carried out before the sending step 204.
• the corresponding incomplete masked electronic data sent to the monitoring instance 2 in step 204 Coin part data sets Z k Z j are sent together with the unmasked data elements from equations (19a), (19b), (19c): v k 11 sig (r k ); » 11 sig (r); » ⁇ 11 sig (h); Z j; Z k (25)
• a simplified area check can be carried out in the monitoring instance 2 by selecting the second masking mode. This also includes four tests.
• the first check is to check the validity of the incompletely masked coin data set to be switched. This is done in accordance with the type described above.
• the second check according to step 206 serves to verify the first signature above the concealment amount n of the undivided coin data set Ci.
• the second test is carried out according to equations (21) and (22). If the second check is successful, it is proven that the monetary amount v 1 belongs to the masked coin data set Zi and the second terminal M2 knows the concealment amount n.
• the fourth check is then a calculation of the respective public verification key to check the remaining first signatures with:
• step 201 the selection of the masking mode takes place.
• step 202 the linked electronic coin data set C m is formed in accordance with equations (6) and (7).
• step 203 the three separate first are then again formed according to equations (19a) to (19c)
• connection (modification) is preferably carried out before the sending step 204.
• the corresponding incomplete masked connected electronic coin data set Z m sent to the monitoring instance 2 in step 204 is used together with the unmasked data elements from equations (19a), (19b), (19c) sent: v k 11 sig (n); t>, ⁇ ⁇ sig (r,); u, ⁇ ⁇ sig (h); Z m (31)
• a simplified area check can be carried out in the monitoring instance 2 by selecting the second masking mode. This also includes four tests.
• the first check is to check the validity of the incompletely masked coin data set to be switched. This is done in accordance with the type described above.
• the second check serves to verify the first signature above the concealment amount n of the undivided coin data record Ci.
• the second test is carried out according to equations (21) and (22). If the second check is successful, it is proven that the monetary amount v 1 belongs to the masked coin data set Zi and the second terminal M2 knows the concealment amount r.
• the third check is carried out analogously to equation (26) and serves as proof that no additional money has been generated.
• FIG. 11 shows a further exemplary embodiment of a method flow diagram of a method 300 according to the invention.
• the method presented in FIG. 11 can be fully applied to any of the methods described above. It can be used for all three masking modes as part of the simplified verification test.
• the second terminal M2 is in possession of the electronic coin data set Ci, for example by transmission in step 105.
• the second terminal can now process the coin data set Ci according to one of the previously described modification steps, splitting, connecting, switching. To simplify a scope check for a monitor, the following steps are performed:
• the masked electronic coin data record is divided into:
• the default value x is predetermined, for example, due to the system or is obtained through negotiation between two participants in the payment system.
• the default value x as a payment system parameter can be fixed or variable, for example negotiated between terminals.
• the second masked coin part data set Z k is then:
• the second terminal M2 sends the monetary amount U k and the list of Z k, d from equation (34) for y ⁇ d ⁇ n to the monitoring entity 2 in step 302.
• the monitoring entity 2 checks in step 303 whether:
• the command is rejected. If the check fails, the command is rejected. If the test is successful, the monitoring authority 2 proves that there is a corresponding a d with “0” or “1” for each Z k, d, without the values being disclosed. A range check is successful if there is a value of "0" or "1" for each a d. A ring signature is used for this. With a ring signature, anyone can prove for two or more public keys that the corresponding private keys are known, namely:
• the terminal M2 then creates a second random number pound calculated:
• the terminal M2 sends the ring signature (eo, po, pi ⁇ to the monitoring entity 2 in step 308.
• Example 2 is not shown in the figures and shows an example in which the place value has any base, i.e., contrary to example 1, it has no base 2. Assuming equation (34) then applies:
• the concealment amount r is chosen with:
• the second masked coin part data set Z k is then:
• the verification check is then as follows.
• the second terminal M2 sends (in analogy to step 302) the monetary amount ui, and the list of Z k, d from equation (34) for y ⁇ d ⁇ n to the monitoring instance 2.
• the monitoring instance 2 checks (in analogy to step 303 ) according to equation (37).
• the monitoring authority 2 proves that there is a corresponding a d with “0 or n” in the range of “0 ⁇ n ⁇ b” for each Z k, d, without the values being disclosed.
• a range check is successful if each a d has a value of 0 ⁇ n ⁇ b.
• a ring signature is used for this. With a ring signature, anyone can prove for two or more public keys that one of the corresponding private keys is known, namely. Ring signatures are in MAXWELL et.al.
• FIGS. Figures 12 and 13 A further exemplary embodiment of a method 400 according to the invention is shown in FIGS. Figures 12 and 13 are described together. The statements made previously from method 100, 200 and 300 and the individual method steps also apply to this method 400, unless other statements are made here.
• a coin dataset is requested and provided by the issuer instance 1 to the first terminal M1 after the electronic coin dataset has been created, see also FIGS. 5 to 7.
• the electronic coin dataset Ci has, for example, the structure according to equation (1).
• the issuer instance 1 calculates for the electronic coin data record Ci a quasi-masked coin data record Zi according to equation (3a), which has the structure according to equation (63):
• G is - like G in equation (3) - a generator point of an elliptical curve encryption, ECC, - thus a private key of the ECC.
• the issuer instance 1 creates a signature according to equation (65) using a private signature key PKi of the issuer instance 1:
• a signed, quasi-masked electronic coin data record is sent to the monitoring instance 2 in step 103.
• the procedure for switching a coin data record C k is as follows.
• the first terminal M1 transmits the coin C k to the second terminal M2 in step 105.
• the method steps 401 to 407 shown here are explained with reference to the second terminal M2, but could also be carried out in the first terminal M1.
• step 401 which corresponds to step 201 of method 200, a masking mode is (optionally) selected.
• a switch is provided in order to exchange the electronic coin data record C k received from the first terminal Ml for a new electronic coin data record Ci with the same monetary amount.
• the new electronic coin data record Ci is generated by the second terminal M2.
• the selection according to step 401 is made, for example, by a user of the first terminal M1 via a corresponding menu control on the terminal M1.
• the selection is made, for example, on the basis of a system specification based on the default value x in the payment system. For example, it is possible to optimally utilize the performance of the payment system so that the effort of the verification check (see also step 207) can be controlled on the basis of a current registration request volume in the monitoring instance 2 by appropriate selection of the masking mode.
• the selection can also be made on the basis of a terminal property, for example if one of the masking modes is not supported, a corresponding preselection can be made.
• step 401 the third masking mode is now selected in step 401 in accordance with FIG. 12.
• step 402 the electronic coin data set C k is masked in accordance with equations (63), (64) in order to obtain the masked electronic coin data set Z k .
• equation (64) the amount of obfuscation is encoded with equation (64).
• step 403 a first signature is created according to equation (66):
• This first signature is generated using the quasi-masked electronic coin data set Z k created in step 402 and the encrypted concealment amount Ri created in step 402 with the concealment amount n as the signature key of the first signature.
• the switchover (as modification) is preferably carried out before the sending step 204.
• the quasi-masked electronic coin data set Zi sent to the monitoring instance 2 in step 404 is sent together with the signature generated in equation (66).
• a simplified area check can take place. This includes two exams.
• the first check according to step 405 is the checking of the validity of the quasi-masked coin data set to be switched. This is done in accordance with the type described above.
• the second check according to step 406 serves to verify the first signature.
• the encrypted concealment amount Ri of the quasi-masked coin data set Zial's public verification key of the first signature is used and it is checked whether the first signature transmitted in step 404 is valid according to equation (66). If both checks are successful, the coin data set ci is considered valid and a registration by the monitoring instance 2 takes place in step 407.
• the checking of the division (as modification) of a coin data set Ci takes place in a manner comparable to that of switching.
• the first terminal M1 transmits the coin Ci to the second terminal M2 in step 105, for example.
• step 401 the selection of the masking mode takes place.
• the third masking mode is now selected in step 401.
• the electronic coin data set Ci is divided according to equations (6) and (7) in order to obtain a first coin part data set Q and a second coin part data set C k .
• the concealment amounts n, r k , n are coded into Ri, R k and Ri using equation (64).
• step 403 a first signature is created according to equation (67):
• the division (modification) is preferably carried out before the sending step 404.
• the quasi-masked electronic coin part data sets Z k Z j sent to the monitoring instance 2 in step 404 are sent together with the first signature from equation (67):
• a simplified area check can now be carried out in the monitoring instance 2. This includes four tests.
• the first check is to check the validity of the incompletely masked coin data set to be switched. This is done in accordance with the type described above.
• the second check according to step 406 serves to verify the first signature.
• the encrypted concealment amount Ri of the quasi-masked coin data set Z is used as the public verification key of the first signature and a check is made to determine whether the first signature transmitted in step 404 is valid according to equation (67).
• the fourth check is then an area check in the monitoring instance 2 with:
• the quasi-masked coin data set Zi becomes invalid and the coin part data sets Z k and Zi are valid and the corresponding registers in the monitoring instance.
• step 401 The checking of the connection (as modification) of two coin data sets Ci and Q to form a connected coin data set C m takes place in a comparable manner.
• step 401 the selection of the masking mode takes place.
• the third masking mode is selected in step 401.
• step 403 a first signature is created according to equation (72):
• step 403 the first signature is signed again according to equation (72):
• connection (modification) is preferably carried out before the sending step 404.
• the quasi-masked electronic coin part data set Z m sent to the monitoring instance 2 in step 404 is sent together with the signature from equation (74):
• a simplified area check can now be carried out in the monitoring instance 2. This includes four tests.
• the first check is to check the validity of the incompletely masked coin data set to be switched. This is done in accordance with the type described above.
• the second check according to step 406 serves to verify the signature from equation (73) and the first signature from equation (72).
• the encrypted concealment amount Ri of the quasi-masked coin data set Zi is used as a public verification key and checked whether the signature (s) transmitted in step 404 according to equations (72) and (73) are valid.
• the third check according to equation (75) serves to prove that no additional money was generated with:
• the fourth check is then an area check in the monitoring instance 2 with:
• the deletion of a coin data record in the method 400 is not shown in FIGS.
• To delete the terminal sends a corresponding delete command to the
• Monitoring instance 2 the signature of the issuing instance 1 created according to equation (65) is checked and, if they match, it is invalidated in the monitoring instance 2.
• all elements described and / or drawn and / or claimed can be combined with one another as desired will.
• Uj Uj Divided monetary amount ui , monetary amount of an electr.
• Coin data set Um Monetary amount of an electr.

Landscapes

• Business, Economics & Management (AREA)
• Engineering & Computer Science (AREA)
• Accounting & Taxation (AREA)
• Theoretical Computer Science (AREA)
• Finance (AREA)
• Physics & Mathematics (AREA)
• General Physics & Mathematics (AREA)
• Strategic Management (AREA)
• General Business, Economics & Management (AREA)
• Computer Security & Cryptography (AREA)
• Computer Networks & Wireless Communication (AREA)
• General Health & Medical Sciences (AREA)
• Bioethics (AREA)
• Health & Medical Sciences (AREA)
• General Engineering & Computer Science (AREA)
• Computer Hardware Design (AREA)
• Software Systems (AREA)
• Development Economics (AREA)
• Economics (AREA)
• Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
• Control Of Vending Devices And Auxiliary Devices For Vending Devices (AREA)

Applications Claiming Priority (2)

Publications (1)

Family

ID=74732935

Family Applications (2)

Family Applications After (1)

Country Status (5)

Families Citing this family (5)

Family Cites Families (4)

• 2020
  • 2020-02-25 DE DE102020104906.4A patent/DE102020104906A1/de not_active Withdrawn
• 2021
  • 2021-02-24 US US17/802,246 patent/US20230093581A1/en active Pending
  • 2021-02-24 CN CN202180030576.0A patent/CN115427959A/zh active Pending
  • 2021-02-24 EP EP21707979.7A patent/EP4111349A1/de active Pending
  • 2021-02-24 WO PCT/EP2021/054544 patent/WO2021170646A1/de unknown
  • 2021-02-24 US US17/801,973 patent/US20230103038A1/en active Pending
  • 2021-02-24 WO PCT/EP2021/054543 patent/WO2021170645A1/de unknown
  • 2021-02-24 EP EP21707978.9A patent/EP4111348B1/de active Active

Also Published As

Similar Documents

Legal Events