EP4179487A1

EP4179487A1 - Method, participating unit, transaction register, and payment system for managing transaction data sets

Info

Publication number: EP4179487A1
Application number: EP21739315.6A
Authority: EP
Inventors: Daniel Albert; Raoul-Thomas HERBORG
Original assignee: Giesecke and Devrient Advance52 GmbH
Current assignee: Giesecke and Devrient Advance52 GmbH
Priority date: 2020-07-08
Filing date: 2021-06-30
Publication date: 2023-05-17
Also published as: US20230259899A1; WO2022008322A1; DE102020004121A1; CA3184856A1; CN116057554A

Abstract

The invention relates to a method in a first participating unit, preferably a first security element, having an electronic coin data set which is registered in a coin register of a payment system. The method has the steps of: generating a transaction data set relating to the transmission of the electronic coin data set to a second participating unit, preferably a second security element, or relating to a modification of the electronic coin data set, said modification to be registered on the coin register; encrypting the generated transaction data set using a cryptographic key, wherein the cryptographic key is composed of at least two cryptographic sub-keys, preferably at least three cryptographic sub-keys, of different respective remote entities; and initiating a communication connection to a transaction register of the payment system in order to transmit the encrypted transaction data set to the transaction register. The invention additionally relates to a participating unit, to a method in a transaction register, to a transaction register, and to a payment system.

Description

PROCEDURE SUBSCRIBER UNIT· TRANSACTION REGISTER AND PAYMENT SYSTEM FOR ADMINISTRATION OF TRANSACTION RECORDS

TECHNICAL FIELD OF THE INVENTION

The invention relates to a method in a first subscriber unit, a method in a transaction register, a subscriber unit, a transaction register and a payment system for managing transaction data records when transmitting electronic coin data records.

BACKGROUND OF THE INVENTION Protection of privacy is an important value for society, especially when it comes to very sensitive data such as payment information. Security of payment transactions and the associated payment transaction data means protecting the confidentiality of the data exchanged; as well as protection of the integrity of the exchanged data; as well as protection of the availability of the exchanged data.

For electronic coin datasets, it must be possible to prove basic control functions, in particular (1) the detection of multiple issue procedures, also known as double spending, and (2) the detection of uncovered payments. In case (1) someone tries to spend the same coin data record several times and in case (2) someone tries to spend a coin data record although he/she has no credit (anymore).

In order to illustrate case (1), a payment system is shown in FIG. 1a and FIG. In the case of direct transmission between the terminals M, no central instance of the payment system, for example a coin register 2, is required. In FIG. 1a, a terminal M1 divides a coin data set C _a in order to obtain a partial coin data set C _b . The terminal Ml passes on the coin data set C _b in an unauthorized manner to the terminal M2 and M3 at the same time.

In the payment system of FIG. 1a, terminal M2 passes on coin data set C _b and receives coin data set C B , which is then forwarded directly to terminal M4. The terminal M4 forwards the coin data record C _c directly to the terminal M6. The terminal M6 forwards the coin data record C _c directly to the terminal M8. The unsuspecting participant with terminal M3 forwards the partial coin data set C _b directly to terminal M5. The terminal M3 is the Münzdatensatz C _b to the terminal M5 directly on. The terminal M5 gives Münzdatensatz C _b to the terminal M7 spur. Both coin data sets C _b and C _c thus frequently change hands without a coin register 2 of the payment system finding out about this.

If - as shown in Fig. Lb - the terminal M7 can register the coin data set C _b in a coin register 2 of the payment system (= switch over or switch), the Coin record C _b invalid (represented by crossing out the coin record) and one coin record C _d valid. If the terminal M8 now also _{wants to register the coin data record C c} as the coin data record C _e with the coin register 2, the coin register 2 determines that the coin data record C _{b is} already invalid. Ml's attack is only now being discovered. As a result, the coin register 2 accepts neither the coin data set C _c nor the coin data set C _e.

In addition, the risk of manipulation(s) being carried out on the electronic coin data set increases due to the large number of transactions in an electronic coin data set and also due to the increasing service life.

In the future, it should be possible to do without cash (banknotes and analogue coins) or at least without analogue coins.

In certain circumstances, it may be desirable to limit privacy following due process, for example where criminal activity is suspected. So far, the payment system has protected the privacy of the participants.

It is therefore the object of the present invention to create a method and a system in which a payment transaction between participants in a payment system is designed to be secure but nevertheless simple. In particular, direct and anonymous payment between subscriber units, such as devices, tokens, smartphones, security elements, but also machines, point-of-sale terminals or vending machines should be created. It should be possible for the participant (=user) to combine and/or divide several coin data sets as desired in order to enable flexible exchange (transfer). The exchanged coin records should be confidential to other system participants, but allow each system participant to perform basic checks on the coin record, namely (1) detecting multiple dispensing attempts; (2) recognizing attempts to pay with non-existent monetary amounts; and (3) recognizing return criteria for already dispensed coin records, such as that a coin record should expire.

In particular, it should be possible to de-anonymize transactions upon official request, for example to enable criminal prosecution.

SUMMARY OF THE INVENTION

The tasks are solved with the features of the independent patent claims. Further advantageous configurations are described in the dependent patent claims.

The object is achieved in particular by a method in a first subscriber unit, preferably a first security element, having an electronic coin data set in a coin register of a payment system is registered. The method has the following method steps: generating a transaction data record relating to a transmission of the electronic coin data record to a second subscriber unit, preferably a second security element, or relating to a modification of the electronic coin data record to be registered in the coin register; Encrypting the generated transaction data record with a cryptographic key, the cryptographic key being composed of at least two cryptographic part keys, preferably at least three cryptographic part keys, each from different remote entities; and initiating a communication connection setup to a trade repository to send the encrypted transaction record to the trade repository.

In certain circumstances, it may be desirable to limit privacy following due process, for example where criminal activity is suspected. The method according to the invention grants access to confidential information to a defined (specific) group of people, in particular enforcement authorities in criminal prosecution, in order to prevent or prosecute crimes. In order to gain access, i.e. to be able to decrypt encrypted transaction data sets, several (at least two) partial keys from different remote entities are required. This ensures the confidentiality and data integrity of the payment system.

In the following description, the communication process with transaction data records (=send) is conceptually separated from the communication process with coin data records (transmit).

An electronic coin data record is in particular an electronic data record that represents a monetary (=monetary) amount and is colloquially referred to as a “digital coin” or “electronic coin”. In the method, this monetary amount can change from a first terminal to another terminal. In the following, a monetary amount is understood to mean a digital amount that can be credited to an account at a financial institution, for example, or exchanged for another means of payment. An electronic coin record thus represents cash in electronic form.

An electronic coin data record for transferring monetary amounts differs significantly from the electronic data record, for example the transaction data record, for data exchange or data transfer, since, for example, a classic data transaction is based on a question-and-answer principle or on intercommunication between the data transfer partners, for example the subscriber unit and the trade repository. An electronic coin data record, on the other hand, is unique, unambiguous and stands in the context of a security concept which, for example, uses masks, signatures or may include encryption. In principle, an electronic coin data record contains all the data that is required for a receiving entity with regard to verification, authentication and forwarding to other entities. Intercommunication between the terminals when exchanging data is therefore generally not necessary with this type of data set.

In contrast to copying electronic data records, i.e. duplicating digital data, a valid electronic coin data record may only exist once in the payment system. This system requirement must be observed in particular when transferring electronic coin data sets.

In order to design a transmission protocol securely, the electronic coin data records are managed by the respective subscriber units, for example by security elements integrated there, and also transmitted by them. In a preferred embodiment, the security element is incorporated into the subscriber unit ready for operation. In this case, the subscriber unit can contain an application through which a user (=subscriber) controls a payment process and in this payment process accesses electronic coin data records of the security element.

The subscriber unit can be, for example, a mobile terminal such as a smartphone, a tablet computer, a computer, a server or a machine. The electronic coin data record is transmitted from the (first) security element of a first subscriber unit to the (second) security element of another subscriber unit, for example. In this case, a subscriber unit-to-subscriber unit transmission path can be set up, via which, for example, a secure channel is set up between the two security elements, via which the electronic coin data record is then transmitted. An application entered (installed) ready for operation on the subscriber unit can initiate and control the transmission of the coin data record by using input and/or output means of the respective subscriber unit. For example, amounts of electronic coin data records can be displayed and the transmission process can be monitored.

According to the invention, a transaction data record is generated by the first subscriber unit, ie the subscriber unit sending the (at least one) coin data record. The transaction data record includes the information that is required in order to be able to clearly identify the transmission of the coin data record between two subscriber units of the payment system in the totality of the transmissions (payment transactions). The transaction data record includes in particular the subscriber units participating in the transmission and information regarding the coin data record to be transmitted. With a (decrypted) transaction data record, the transmission of the electronic coin data record can be clearly reconstructed. In a preferred embodiment, the transaction data record has at least one identifier or address of the first subscriber unit (=transmitter), ie data with which this security element can be uniquely identified in the payment system. In addition, the transaction data record has at least one identifier or address of a second subscriber unit (=recipient), ie data with which this security element can be uniquely identified in the payment system. In addition, the transaction data record has a monetary value of the electronic coin data record.

In a further preferred refinement, the transaction data record has a transaction number. This transaction number is, for example, a random number generated before the generation step. A random number generator of the subscriber unit or of the security element is preferably used for this purpose. Alternatively or additionally, the transaction number is an identification number of the transaction that is unique for transmission from the first subscriber unit. In addition, the transaction number can identify the transaction in the payment system.

In a further preferred embodiment, the transaction data record also has a masked electronic coin data record corresponding to the electronic coin data record to be transmitted, preferably instead of the monetary amount of the electronic coin data record or instead of the electronic coin data record. The masking will be explained later. The non-inclusion of the electronic coin data record enables the retention of two system requirements, namely that the electronic coin data record only exists once in the system and (and is not a copy in the transaction data record), and secondly, the possession of the electronic coin data record entitles to payment, i.e. a still non-encrypted transaction data set (possibly after transmission to the second subscriber unit) or a decrypted transaction data set would potentially contain coin data sets that could be used for payment transactions, thereby increasing the risk of fraud.

In a further preferred embodiment, the transaction data record has a transaction time. For this purpose, a time stamp is generated and added to the transaction data record. The time stamp is preferably unique throughout the payment system.

The transaction record may contain additional data such as location of transaction (GPS). However, it preferably consists of the data mentioned.

In a preferred refinement, the first subscriber unit adds a transaction time to the encrypted transaction data record (in plain text), for example as metadata. This transaction time can be in the trade repository as an input parameter for calculating a deletion time of the encrypted transaction data record. So For example, as part of data retention, the encrypted transaction data record could be automatically deleted from the trade repository after a set storage time, for example X months or Y years, has expired. This is advantageous in the event that the transaction data record is not sent to the transaction register until much later after the transmission of the coin data record, in order not to extend the storage (possibly in an illegal manner).

An identifier or the identifiers of the transaction data record could also be added in plain text as further metadata.

In a further preferred refinement, the transaction data record has an acknowledgment of receipt from the second subscriber unit. The acknowledgment of receipt serves as proof or acknowledgment of proper receipt of the electronic coin data set in the second subscriber unit, and possession of the acknowledgment of receipt in the first subscriber unit proves proper transmission of the electronic coin data set.

First of all, this transaction record contradicts the requirement of anonymity for the payment system. For this reason, the transaction record is encrypted in a subsequent step. The transaction record is preferably encrypted immediately after it is created, more preferably the creation and the encryption occur as an atomic operation. Encryption is done with a cryptographic key. This means that the transaction data set cannot be viewed by an uninvolved third party and its content is hidden from this uninvolved third party. This ensures that an attack on the subscriber identity module to spy out unencrypted transaction data is unsuccessful.

This cryptographic key is composed of at least two partial keys. Each subkey comes from a (single) remote entity. The remote instances are independent of each other. A remote entity has knowledge and possession of only a (own) part of the key. In particular, a remote entity is unaware of and does not possess a partial key of another remote entity. The assembly of the cryptographic key also includes deriving a public key part of a PKI key infrastructure to be used for encryption, which may have been generated using an assembled private key part.

By remote entity is meant here that this entity is not a local entity of a subscriber unit. The remote entity is preferably not the coin register of the payment system, not the transaction register of the payment system and not the monitoring register of the payment system, so that anonymity and neutrality are maintained in the payment system, an independence that the register instances of the payment system cannot decrypt the encrypted transaction data record or cannot contribute a partial key for decryption.

This allows the transaction data record to be stored in encrypted form in a trustworthy location, the transaction repository. As a result of a court ruling, this encrypted transaction record can be decrypted by authorized parties as the remote entities. These authorized parties could be, for example, a law enforcement agency, a notary public, the Department of Justice, a central bank, a payment processing authority, a court of law, or others.

In a preferred embodiment, the cryptographic partial keys are each from a law enforcement agency; a notary authority; a Department of Justice entity; a central issuing authority of the payment system; or a commercial bank instance of the payment system.

In a preferred embodiment, the cryptographic key for encrypting the transaction data record is a public key part of an asymmetric

Key infrastructure (Public Key Infrastructure, PKI for short), the corresponding private key part for decrypting the encrypted transaction data record by an addition operation or a bitwise XOR operation from all cryptographic parts of the various remote entities is composed.

Key infrastructure (PKI), wherein the corresponding private key part for decrypting the encrypted transaction record is composed of a predefined number of cryptographic sub-keys from different remote entities, the predefined number being less than the total number of the different remote entities that have a sub-key.

All remote entities only have a partial key of the decryption key, i.e. all remote entities or a subset of the remote entities are always required to jointly decrypt the encrypted transaction data record. This improves security against misuse, as multiple instances are required to perform data access, which represents significant overhead in an attack scenario.

The partial keys are combined into a common (private) decryption key. This combining is done in the trade repository, for example. Alternatively the combining occurs in the first subscriber unit. This combining is done, for example, by addition or by bit-by-bit XOR operation, which no remote entity can obtain for itself merely by knowing the partial key(s). This shared (private) decryption key is then used to decrypt the encrypted transaction record.

The corresponding public key portion of this shared private decryption key is used in the first subscriber unit to encrypt the generated transaction record. This public key part can be sent from the trade repository to the subscriber unit and received there. However, the public key is preferably stored in the subscriber unit, in particular stored in advance, more preferably stored in a change-protected manner.

In an alternative embodiment, the cryptographic key for encryption is a symmetric key, with the corresponding private key part for decrypting the transaction data record being composed of at least two cryptographic partial keys by an addition operation or a bitwise XOR operation.

This key concept guarantees that no remote entity could bypass all others to decrypt data on its own. In one embodiment, threshold cryptography is applied to allow that not all remote entities are required to contribute their partial key, but that a subset of the entities is sufficient to compose the decryption key. The rule here is that at least the number of the subset must contribute its respective partial key. If the subset is smaller than a predefined minimum number of remote instances, decryption is not possible.

In a less preferred alternative embodiment, all remote entities (all authorized parties) have a complete set of decryption keys for decrypting the encrypted transaction record. Each remote entity then has a security element, for example a smart card, a TSM, an eUICC, in whose data memory all partial keys are stored. Each of these remote instances is then technically capable of decrypting the encrypted transaction dataset on its own, for example as soon as access to it has been authenticated by a trustworthy body, for example a court authority after a decision has been issued. This access will only be granted by the trusted entity (the trade repository) if that authority(ies) can provide a legally binding document reflecting a court decision in this regard. This refinement has the advantage that in urgent cases an analysis of possibly relevant transaction data records could be carried out more quickly with fewer remote entities involved. In an alternative embodiment, all remote entities generate their own PKI key pair consisting of a private key part and a public key part. The public key parts of the respective key pairs are provided and/or received by the first subscriber unit. The first subscriber unit encrypts the generated transaction record with a first public key portion of a first remote entity to obtain a first partially-encrypted transaction record. This first encrypted transaction record is encrypted by the first subscriber unit with a public key portion of a second remote entity to obtain a second encrypted transaction record. Preferably, this second encrypted transaction record is encrypted by the first subscriber unit with a public key portion of a third remote entity to obtain a third encrypted transaction record. The number and/or the order in which the public key parts of the respective remote entity are used is specified throughout the payment system, for example, in order to simplify subsequent decryption in the transaction register using the corresponding private key parts of the remote entities. Alternatively, at least the order, and in one embodiment also the number, of the use of the public keys of the respective instance is varied and decryption in the trade repository is carried out using "trial &error", i.e. a heuristic method in which a decryption order and key selection is sought/tried for as long as until the desired decryption takes place in order to better secure the process.

The encryption methods described here are transparent in order to ensure user acceptance.

In the subsequent step of the method, a communication link to a transaction register of the payment system is initiated in order to send the encrypted transaction data record to the transaction register. This will attempt to send the transaction record to the trade repository. A standard communication protocol, such as TCP/IP or mobile radio communication, can be used in this case. In the case of a security element, for example, a proactive command is sent to the subscriber unit.

Initiating represents an attempt to establish a connection or an initiation of establishing a connection, the termination of which is also a scenario of the method according to the invention. Initiating may also include the subscriber unit not attempting to establish a connection knowing that a connection to the trade repository is not possible, for example upon detecting an offline status of the first subscriber unit, such as "no reception" or "airplane mode" or "no credit". . Then the knowledge of the impossible connection to the trade repository, equated to initiating, for example, by previously querying or checking existing communication options.

Initiating also includes reading out a memory content of a first

Security element by the first subscriber unit and the sending of the read content by the first subscriber unit.

Initiating also includes reading out a memory content of a first

security element by the trade register and receiving the content read out in the T ransaktionsregister ster.

The transaction register of the payment system is used to archive the encrypted transaction data record. This encrypted transaction data record can be decrypted there, in particular after an official request, using composite (combined) partial keys from the remote authorities and can then be viewed by the requesting authority (court authority, etc.). An inspection for control verification purposes in each transmission of an electronic coin data record in the payment system and/or each modification to be registered or each registered modification of an electronic coin data record in the payment system is thus possible, but technically feasible only under very strict conditions.

The governmental request, such as a court order, includes a subscriber unit identifier and requests all transactions of that identifier within a specified time period or point in time. The metadata of the transaction data record then simplifies the answering of this request at the trade repository.

The trade repository can be a non-public database of the payment system, for example. The encrypted transaction records are stored in this database for possible later verification. The transaction register is designed, for example, as a centrally managed database in the form of a data store or service server of the payment system.

In a preferred embodiment, the first security element is installed ready for operation in the first subscriber unit. This ensures that the transaction data records are generated and encrypted and, if necessary, also sent without manipulation. In one embodiment, the transaction data record is created in the security element and then encrypted by the subscriber unit. A security element is a technical resource-limited facility. A security element is, for example, a special computer program product, in particular in the form of a secure runtime environment within an operating system of a terminal, English Trusted Execution Environments, TEE, or eSIM software, stored on a data memory, for example a subscriber unit, such as (mobile) terminal, a machine or an ATM. Alternatively or additionally, the security element is designed, for example, as special hardware, in particular in the form of a secure hardware platform module, English Trusted Platform Module, TPM or as a chip card or an embedded security module, eUICC, eSIM. The security element provides a trustworthy environment and thus has a higher level of trust than a terminal device in which the security element is possibly integrated ready for operation.

Transmission of an electronic coin record is preferably between two security elements to create a trusted environment. The logical transmission of the electronic coin data record is direct, whereas a physical transmission may involve one or more intermediary entities, for example one or more subscriber units for preparing the operational readiness of the security element(s) and/or a remote data storage service in which a wallet application with electronic Coin records are physically stored.

Security elements can transfer electronic coin data sets among themselves and then continue to use them directly - without checking the register - especially if the payment system requires that electronic coin data sets of security elements are to be regarded as valid per se.

One or more electronic coin data records can be stored securely in a subscriber unit or a security element, for example a large number of electronic coin data records can be stored securely in a data memory exclusively assigned to a subscriber unit or a security element. The data memory then represents an electronic purse application, for example. This data memory can, for example, be internal, external or virtual to the security element.

The first security element could also have received electronic coin data records from less trustworthy units, such as subscriber units, ie end device or machine, for example via an import/export function of the security element. Electronic coin records obtained in this way that are not obtained directly from another security element are considered less trustworthy. It could be a requirement of the payment system to have to check such electronic coin data sets for validity using the coin register or by an action (modification) by the receiving one Security element to transfer the electronic coin data record to the receiving security element before it can be passed on.

Transmission of the electronic coin data set between the first and the second security element can be integrated in a transmission protocol between two subscriber units and/or integrated in a secure channel between two applications of the respective subscriber unit. In addition, the transmission can include an Internet data connection to an external data store, for example an online store.

The electronic coin data record (to be transferred or modified) is registered in a coin register of the payment system. Thus, for example, the establishment of a communication link to the coin register is provided for registering the electronic coin data record. This communication link does not necessarily have to be present during the transmission process (payment process). The coin register is preferably provided for the administration and checking of masked electronic coin data sets. The coin register can also manage and check other (non-payment) transactions between subscriber units.

The coin register is a database in which masked electronic coin records are registered with corresponding processing of the masked electronic coin record. The masking will be explained later. In a preferred embodiment, a validity status of the (masked) electronic coin data set can be derived from this. The validity of the (masked) electronic coin data records is preferably noted in and by the coin register. Modifications, such as switching, dividing or combining, to the individual electronic coin data records are registered in the coin register. Modifications requested or carried out or to be carried out preferably also cause the above-described generation of a transaction data record, which is stored in encrypted form in the transaction register. In this way, the trade register is also used to archive modifications to a coin data set. This information in the payment system, which is possibly redundant to the information from the coin register or the monitoring register, increases the stability and security of the payment system.

In one embodiment of the payment system, the registration of the processing or the processing steps for a respective modification can also relate to the registration of test results and intermediate test results relating to the validity of an electronic coin data record, in particular the determination of test values and counter values of corresponding coin data records. If processing is final, this is indicated, for example, by corresponding markings or a derived total marking in the coin register. One final processing then decides whether an electronic coin record is valid or invalid.

In a preferred embodiment of the payment system, test results and intermediate test results relating to a respective modification or a transmission process between subscriber units or their security elements and relating to the validity (in particular for display) of an electronic coin data record are registered, in particular the determination of test values and counter values of corresponding electronic coin data records not in the coin register of the payment system, but in a monitoring register of the payment system.

In a preferred embodiment of the payment system, the monitoring register is set up to store anonymized and/or pseudonymized transaction data records in order to enable the transactions to be monitored during ongoing operation of the payment system. The monitoring register is a separate instance of the same payment system from the coin register. By dividing the coin register and monitoring register within a payment system, the coin register can be designed to be less complex and depict a simple validity check, while the correctness of transmission processes, any required de-anonymization of a subscriber unit and/or the checking of count values or check values of electronic Coin records are done. In addition, due to the division, the coin register contains (less or) no confidential or security-critical data. A communication--particularly by subscriber units--with the coin register can thus take place without (or only with weak--group keys/shared keys/...) authentication.

Both the coin register and the monitoring register can be decentralized public databases, for example. This database makes it easy to check electronic coin data records for their validity and to prevent "double spending", i.e. multiple issues, without the transmission itself being registered or logged. The database, for example a distributed ledger technology, DLT, describes a technique for networked computers that come to an agreement about the sequence of certain transactions and that these transactions update data. It corresponds to a decentralized management system or a decentralized database.

Alternatively, the coin register is a centrally managed database, for example in the form of a publicly accessible data store or as a hybrid of a central and decentralized database. For example, the coin register and the monitoring register are designed as a service server of the payment system. In a preferred embodiment, the first subscriber unit sends the encrypted transaction data record to the transaction register. In this case, after initiating, communication between the subscriber unit and trade repository could be successfully established and the encrypted transaction data record sent successfully. As a result, the first subscriber unit can locally delete the transaction record to save storage space.

In a preferred embodiment, the encrypted transaction data record is sent to the transaction register in a cryptographically secure manner for transport. In this case, for example, mutual authentication between subscriber unit and trade register is used. A key exchange is either negotiated in advance as a session key or issued in advance. This additional transport security prevents an attacker from learning that a transaction record is now being transmitted. This increases security when transferring the transaction data records.

In a preferred embodiment, the encrypted transaction data record is stored in the first subscriber unit if the establishment of a communication connection (after initiation) to the transaction register or the sending of the encrypted transaction data record fails. The storage can be an intermediate storage as long as the encrypted transaction record has not yet been successfully sent to the trade repository. The saved encrypted transaction data record is used for a necessary repetition (RETRY) of sending in the event of connection errors or authentication problems and then does not have to be recreated and encrypted.

In a preferred embodiment, the encrypted transaction data record is sent from the first security element to the transaction register as soon as the communication connection with the transaction register has been successfully established. Successful connection establishment means, for example, that communication of data is made possible via an established communication channel, ie the communication channel between the trade register and the subscriber unit has been established. This keeps the trade repository up to date with regard to completed/planned transfers and recent transactions are promptly archived in the trade repository. Sending is also prioritized in the event that no connection to the transaction register was available at the time the coin data record was transmitted, and the subscriber unit or its security element is required to promptly send the encrypted transaction data record to the transaction register if a (recognized) available communication connection is available. In a preferred embodiment, the electronic coin data set is transmitted from the first subscriber unit to the second subscriber unit. The transmission takes place, for example, immediately before the generating step, so that the transaction data record relates to a coin data record to be transmitted. For example, the transfer occurs immediately after the generate step but before the encrypt step, so the transfer could be part of the atomic operation described above and only the entire chain of generate-transfer-encrypt can be performed. This avoids differences between the generated transaction data record and the actually transmitted coin data record. The transmission takes place, for example, immediately after the encryption step and before the initiating step, so that the transaction data record relates to a coin data record to be transmitted. The transmission takes place, for example, immediately after the initiating step, so that the transaction data record relates to a coin data record that has already been transmitted

In order to transfer the electronic coin data record to the second subscriber unit, there is not necessarily a network data connection to the other instances of the payment system. In order to design a transmission protocol securely, the electronic coin data sets are managed, for example, by security elements within the respective subscriber units and are also transmitted by them. In an (offline) transmission environment, it is important that transmission errors or transmission conflicts can be resolved without intermediary central instances of a payment system, for example the coin register or the monitoring register. A transmission protocol can ensure that a transmission process (payment process), even though it is executed asynchronously, can be trusted by checking for the presence of a received message and using security elements. A two-stage transmission (sending, then deletion) is preferably to be ensured so that amounts of money are not destroyed nor are they duplicated in the active state.

In a preferred embodiment, the generated transaction data record is stored in the first subscriber unit, preferably in a non-volatile manner. The storage can be an intermediate storage as long as the electronic coin data set has not yet been successfully transmitted to the second subscriber unit. The storage takes place locally. In the event of an error in the transmission, the transaction record can be used to repeat the transmission process between the subscriber units. In this case, no changes need to be made to the coin data record or the transaction data record itself. The stored transaction data record is used for a necessary repetition (RETRY) of the transmission in the event of connection errors or authentication problems during transmission.

Additionally or alternatively, the stored transaction data set is used for reversal (ROLLBACK) if the transmission of the coin data set failed. The method thus provides both a settlement method and a repetition method in order to Transmission error case in which the transmission of the coin data set was not completed, the transaction can be reversed or repeated.

In this way, the transmission is completely terminated or completely undone in the event of a recurrence.

In a preferred embodiment, in the event of a transmission error, the electronic coin data record is sent again using the stored transaction data record. It is assumed that the transmission of the electronic coin data set has failed, but the transmission process is to be completed. The transmission of the electronic coin record is promptly repeated. The electronic coin data record to be resent corresponds to the electronic coin data record during the transmission of which a transmission error occurred. No changes are therefore required to the coin data record for resending. In one embodiment, a further transaction data record is generated for logging purposes

A transmission error case is assumed, for example, if an acknowledgment of receipt was not received in the first security element within a predefined period of time. For this purpose, a timer is started, for example; the timer is preferably started during the transmission step of the electronic coin data set.

Alternatively or additionally, the case of a transmission error can be indicated by an error message from the first or the second security element. The error case is thus explicitly displayed.

The transmission error case can also be assumed by a detected connection fault (connectivity failure). The error case is thus indicated implicitly.

The transmission error case can also occur due to failed authentication (authentication failure).

The transmission error can also occur when a terminal device (device shutdown) in which one of the security elements is installed ready for operation is switched off, or when the transmission range is exceeded (exceeded distance) due to a movement of a participant.

The transmission error can also occur due to an internal error in the first or second security element, in an application of the terminal device, or in the respective terminal device, for example due to a storage error or a lack of storage space. In a preferred embodiment, the first security element queries the second security element at predefined periodic time intervals and actively requests an acknowledgment of receipt, alternatively also when a time value of a timer has been exceeded.

In a preferred embodiment, after the transfer step, a successful transfer is indicated in the first subscriber unit. A user display can be updated or the monetary amount can be deleted from a list of available monetary amounts. A participant (user) in the payment system is visualized by this display that the transmission process was successful. In addition or as an alternative, an available monetary amount is updated, in particular reduced in accordance with the transmitted monetary amount.

In a preferred embodiment, the electronic coin data record is evaluated as an input parameter of an application of the first subscriber unit in the display step. The transaction data of this electronic coin data record thus actively controls the transmission process, regardless of an application that is executable in the first subscriber unit. Changes to the electronic coin data set are visualized for a user by the application on the first subscriber unit, and the user accordingly receives prompt feedback on the validity/status of the electronic coin data set to be/are transmitted.

In a preferred embodiment, the transmission step is only carried out when a checking step shows that a check value for a number of transmissions to the second subscriber unit or to one or more other subscriber units failed to establish a communication connection to the transaction register or failed to send the encrypted transaction data record to the trade repository is below or equal to a predefined threshold. The number of transmissions of coin data sets from the first subscriber unit is thus limited to a maximum value if the respective transaction data sets have not been or could not be sent to the transaction register in the meantime. This forces the first subscriber unit to always check whether a threshold value, for example 100, more preferably 50, more preferably 10 transmissions, ideally 5 transmissions, has been reached.

In a preferred refinement, if a predefined threshold value is exceeded, a check value must be passed for a number of transmissions to the second subscriber unit or to one or more further subscriber units if the transmission failed

Establishment of a communication connection to the trade repository or failed sending of the encrypted transaction data record to the trade repository encrypted transaction record and/or a stored transaction record to the transaction register prior to the transmission of the electronic coin record. The number of transmissions of coin data sets from the first subscriber unit is thus limited to a maximum value if the respective transaction data sets have not been or could not be sent to the transaction register in the meantime. This forces the first subscriber unit to send the encrypted transaction records. A transfer of coin data sets is prevented until the transaction data sets have been sent successfully. The threshold value is, for example, 100, more preferably 50, more preferably 10 transmissions, ideally 5 transmissions.

In a preferred embodiment, a test value is incremented in the first subscriber unit if the electronic coin data record was successfully transmitted and the communication connection to the transaction register failed or the encrypted transaction data record was not sent to the transaction register. In this way, the test value to be checked is always up-to-date in relation to transmitted coin data sets whose corresponding transaction data set has not yet been sent from the subscriber unit to the transaction register.

In a preferred embodiment, the method has the further steps: masking the electronic coin data set by applying a homomorphic one-way function to the electronic coin data set to obtain a masked electronic coin data set and registering the masked electronic coin data set in a coin register of the payment system, the registration preferably for switching , splitting or joining masked electronic coin records. In this way, modifications to the coin data record are tracked and documented in the coin register, without anonymity being removed in the payment system. The masking will be explained later.

The task is also solved by a previously described subscriber unit. The subscriber unit has a computing unit that is set up to execute the method described here. The subscriber unit also has means for accessing a data memory, with at least one electronic coin data record being stored in the data memory. The subscriber unit also has an interface that is set up to set up a communication link to a trade register in order to send an encrypted transaction data record to the trade register.

The object is also achieved by a method in a transaction register for storing encrypted transaction data records of a payment system with the method steps: receiving an encrypted transaction data record from a first subscriber unit, the received encrypted transaction data record being replaced by the previously procedure described was generated and encrypted; and storing the encrypted transaction data set in a memory area of the transaction register.

The object is also achieved by a method for storing encrypted transaction data records of a payment system with the method steps: generating, from a first subscriber unit, a transaction data record with regard to a transmission of the electronic coin data record to a second subscriber unit, preferably a second security element, or with regard to a coin register registering modification of the electronic coin record; Encryption, from the first subscriber unit, of the transaction data record generated with a cryptographic key, the cryptographic key being composed of at least two partial cryptographic keys, preferably at least three partial cryptographic keys, each from different remote entities, sending the encrypted transaction data record to a transaction register; Receiving an encrypted transaction data set, the received encrypted transaction data set being generated and encrypted in particular by the method described above; and storing the encrypted transaction data set in a memory area of the transaction register.

In a preferred embodiment, the filing in the trade repository is limited to a predefined period of time. This period begins, for example, at the time the encrypted transaction data record is received in the trade repository or is started by a transaction time that is attached to the encrypted transaction data record as metadata. This period is, for example, a legal requirement, ie a minimum or maximum period of time for storing the transaction data records, for example as part of data retention, for example X months or Y years.

In a preferred embodiment, the method includes the further step of decrypting the encrypted transaction data record with a cryptographic key, the key for decrypting the encrypted transaction data record being composed of at least two cryptographic partial keys of respective different remote entities in the transaction register.

In a preferred embodiment, the assembling takes place by means of an addition operation or a bitwise XOR operation.

In a preferred embodiment, the cryptographic key for decrypting the encrypted transaction data record is from a predefined number of cryptographic subkeys of different remote entities, where the predefined number is less than the total number of the different entities.

In a preferred embodiment, the decryption only takes place upon external request. This request may be the result of an investigation to verify that a transaction actually took place.

In a preferred embodiment, the transaction register has a hardware security module, HSM for short, with the hardware security module being a secure key memory in which different generations of the partial keys of the respective remote instances are stored. In this way, partial keys of individual remote instances can be renewed or exchanged without the encrypted transaction data records stored up to that point having to be re-encrypted or even having to remain undecrypted in the transaction register. The key generations are preferably tracked by an HSM of the transaction register.

In a preferred embodiment, the transaction register has a hardware security module against which the various instances authenticate themselves before decrypting the stored encrypted transaction data record. The HSM can therefore fulfill various functions, it is primarily a secure key store and a secure processing unit. The HSM module can contain, for example, different key generations of the partial keys, with the remote entities authenticating themselves to the HSM in order to enable decryption with all generations.

In a preferred refinement, after the encrypted transaction data record has been received by the first subscriber unit, the encrypted transaction data record is re-encrypted. This means that the encrypted transaction data is always re-encrypted (i.e. decrypted and re-encrypted) when it is received, thus avoiding transaction data records being stored in different encrypted formats in the transaction register. This simplifies the administration of the encrypted transaction data records in the trade repository.

Alternatively, after receiving an updated partial key from one of the entities, the encrypted transaction record is re-encrypted. This prevents transaction data records from being stored in different encrypted formats in the transaction register when the key of an instance is changed.

In a preferred embodiment, after receiving the encrypted transaction data record from the first subscriber unit, the encrypted Transaction record decrypted and an identifier of a (first and / or second) subscriber unit replaced by a pseudonym in the transaction record to obtain a decrypted pseudonymised transaction record. In one embodiment of the method, the storage of the received encrypted transaction data sets is unaffected by this.

In a preferred embodiment, an identifier of a subscriber unit (for example subscriber ID of a terminal device) is uniquely assigned to a natural person in the payment system. This person assignment is carried out, for example, by an issuing entity of the payment system or a bank entity of the payment system and possibly also managed there. This personal assignment can also be managed by a service entity, for example an entity that provides a purse application for the terminal device or that provides online access to a cloud purse. This assignment of person to identifier is only carried out by the respective instance after the person has been successfully identified, for example by presenting an official identification document such as an identity card or passport.

In a preferred embodiment, after receiving the encrypted transaction data record from the first subscriber unit, the encrypted transaction data record is decrypted and a monetary amount of an electronic coin data record is replaced by one or more amount categories in the transaction data record in order to obtain a decrypted amount-categorized transaction data record. An amount category is, for example, an amount range (from-to) in which the monetary amount of the coin data record lies. For example, an amount category is a rounded amount value of the monetary amount, either rounded up or down. In one embodiment of the method, the storage of the received encrypted transaction data sets is unaffected by this.

In a preferred embodiment, the decrypted, pseudonymised or decrypted amount-categorized transaction data record is sent to a monitoring register of the payment system and stored there. In this way, anonymized or pseudonymised transaction data records can be stored in the monitoring register, thereby enabling transactions to be monitored during ongoing operations

With the creation of pseudonymised transaction data records, an anonymity level for the respective transaction data record is changed. The pseudonymised transaction data record is always more anonymous than the (non-pseudonymised) transaction data record. With this higher level of anonymity, the pseudonymised transaction data record can also be stored unencrypted in the register instances (coin register, monitoring register, transaction register) - as required by the payment system - and used for further validity checks in the payment system. This could result in cases of fraud or manipulation in the payment system can be better detected by the payment system itself, an official request (judicial decision) may then not be necessary.

An anonymity level of a record reflects a degree of anonymity of the (coin or transaction) record, i.e. a possibility of assigning a constant identity, such as subscriber identifier, ID number, natural person, etc., to a record. A distinction is preferably made between several stages, for example 3 stages, in the method: completely anonymous (stage 1), pseudonymously (stage 2) or non-anonymously (stage 3). The aim of the payment system is to transfer monetary amounts anonymously (level 1), i.e. it should not be possible for a participant in the payment system - based on analogue cash - to deduce the constant identity of the participant based on a received coin data set. On the other hand, for criminal prosecution it is important to be able to unequivocally assign a constant identity to a coin data record. Therefore, the generated transaction data records are not anonymous (level 3), they are therefore clearly assigned to a constant identity, for example a subscriber ID, which can lead to a person attribution to a natural person.

A mixed form is a pseudonym (level 2). This is the temporary or permanent association of a derived identity with a record. The derivation is generated, for example, in a trusted entity such as an audit register.

A subscriber identifier in the encrypted transaction data record preferably has level 3 anonymity, so that decrypting the transaction data record shows the constant subscriber identifier.

A monetary amount in the encrypted transaction data record preferably has level 3 anonymity, so that decrypting the transaction data record shows the exact amount.

In a preferred embodiment, the anonymity level of a subscriber identifier in the transaction data record is different from an anonymity level of an amount category, so that mixed forms (different gradations) can be present in a pseudonymised transaction data record.

The task is also solved by a transaction register for a payment system. The trade repository has a processing unit that is set up to execute the method of the method described above in a trade repository. The transaction register also has means for accessing a data memory, with at least one encrypted transaction data record being stored in the data memory. The trade repository also has an interface that is set up for communication with a subscriber unit to receive an encrypted transaction record from the subscriber unit.

The system preferably has means for carrying out the generating step and the encrypting step of the method described above. The encrypted transaction record can be sent to a trade repository.

In a preferred embodiment, the transaction register also has: a hardware security module, set up for the secure storage of partial keys of different generations; and decrypting encrypted transaction records.

In a preferred embodiment, the HSM of the trade repository is set up to decrypt encrypted transaction data records; replacing a subscriber unit identifier with a pseudonym in the transaction record to obtain a decrypted pseudonymised transaction record.

In a preferred embodiment, the HSM of the trade repository is set up to decrypt encrypted transaction data records and to replace a monetary amount of an electronic coin data record with an amount category in the transaction data record in order to obtain a decrypted amount-categorized transaction data record.

In a preferred embodiment, the interface is set up to send the decrypted pseudonymised transaction data record or the decrypted amount-categorized transaction data record to a monitoring register of the payment system.

The object is also achieved by a payment system having at least one subscriber unit as described above, the subscriber unit being set up to carry out the method described above in a first subscriber unit; and a transaction repository as described above, wherein the transaction repository is set up in a transaction repository for performing the method described above.

In a preferred embodiment, the payment system also has an issuing entity that is designed to create an electronic coin data record for the payment system; and/or a coin register configured to register a masked electronic coin data record, the registering being preferential for switching, splitting or connecting masked electronic coin data records; and/or a monitoring register arranged to receive a pseudonymised masked electronic coin record from the subscriber unit or to receive a decrypted one pseudonymised or decrypted amount-categorized transaction data record from the trade repository.

The payment system is preferably also set up to manage electronic coin data sets from other issuing entities and/or monetary amounts as book money.

In an advantageous embodiment, the electronic coin data set has a monetary amount, ie a date that represents a monetary value of the electronic coin data set, and an obfuscation amount, for example a random number. In addition, the electronic coin data record can have further metadata, for example which currency the monetary amount represents. An electronic coin data record is uniquely represented by these at least two pieces of data (monetary amount, concealment amount). Anyone who has access to this data of an electronic coin record can use this electronic coin record for payment. Knowing these two pieces of data (monetary amount, concealment amount) is therefore equivalent to owning the digital money. This electronic coin record can be directly transmitted between two subscriber units. In one embodiment of the invention, only the transmission of the monetary amount and the obfuscation amount is necessary for exchanging digital money. In one embodiment, a status (active, inactive) of the electronic coin data record is also added to the coin data record, so that this then consists of three pieces of data (monetary amount, concealment amount, status). Alternatively, the status of a coin data record is not appended to the coin data record and is only managed in the security element itself and/or the coin register.

In a preferred embodiment, a corresponding masked electronic coin data record is assigned to each electronic coin data record in the respective method. Knowledge of a masked electronic coin record does not authorize spending the digital money represented by the electronic coin record. This represents a key difference between the masked Electronic Coin Records and the (non-masked) Electronic Coin Records. A Masked Electronic Coin Record is unique and also unique to an Electronic Coin Record, so there is a 1-to-1 relationship between a Masked Electronic Coin Record and a (non-masked) electronic coin record. The electronic coin data set is preferably masked by a processing unit of the subscriber unit. The subscriber unit has at least one electronic coin record. Alternatively, the masking can be performed by a processing unit of a subscriber unit receiving the electronic coin data set.

This masked electronic coin record is obtained by applying a one-way homomorphic function, specifically a cryptographic homomorphic function. This Function is a one-way function, i.e. a mathematical function that is “easily” calculable in terms of complexity theory, but is “difficult” to practically impossible to reverse. Here, a one-way function is also referred to as a function for which no reversal that can be carried out in practice within a reasonable time and with reasonable effort is known to date. Thus, the calculation of a masked electronic coin data set from an electronic coin data set is comparable to the generation of a public key in an encryption method using a residual class group. Preferably, a one-way function is used that operates on a group where the discrete logarithm problem is difficult to solve, such as B. a cryptographic method analogous to an elliptic curve encryption, ECC for short, from a private key of a corresponding cryptographic method. The reverse function, ie the generation of an electronic coin data record from a masked electronic coin data record, is very time-consuming—equivalent to generating the private key from a public key in an encryption method using a residual class group. Whenever sums and differences or other mathematical operations are discussed in the present document, the respective operations on the corresponding mathematical group are to be understood in the mathematical sense, for example the group of points on an elliptic curve.

The one-way function is homomorphic, i.e. a cryptographic method that has homomorphic properties. Mathematical operations can thus be carried out with the masked electronic coin data record, which can also be carried out in parallel on the (non-masked) electronic coin data record and can therefore be reproduced. With the help of the homomorphic one-way function, calculations with masked electronic coin data records in the coin register and/or the monitoring register can be reproduced without the corresponding (non-masked) electronic coin data records being known there. Therefore, certain calculations with electronic coin data sets, for example for processing the (non-masked) electronic coin data set (e.g. splitting or connecting), can also be verified in parallel with the associated masked electronic coin data sets in the coin register, for example for validation checks (= validity). In addition, the monitoring of the legality of the respective electronic coin dataset can be verified in the monitoring register. The homomorphic properties apply at least to addition and subtraction operations, so that switching (=switch), dividing (=split) or combining (=connecting) electronic coin data sets can also be done using the appropriately masked electronic coin data sets in the coin register or by checking whether returning (deleting) or converting the electronic coin data record is recorded in the monitoring register and by requesting subscriber units or their security elements and/or by the coin register and/or by the monitoring register can be understood without gaining knowledge of the monetary amount and the subscriber unit carrying out the transaction.

The homomorphic property thus makes it possible to keep a record of valid and invalid electronic coin records based on their masked electronic coin records in a coin register and a monitoring register without knowledge of the electronic coin records even if these electronic coin records are processed (split, merged, switched) or transmitted directly, i.e. an action is carried out with these electronic coin data sets. It is always ensured that no additional monetary amount was created or that an identity of the subscriber units or their security elements is recorded in the coin register or the monitoring register. Masking allows for a high level of security without giving any insight into the monetary amount or subscriber unit.

When an electronic coin data set is transmitted directly from the first subscriber unit to a second subscriber unit, two subscriber units simultaneously have knowledge of the electronic coin data set to be transmitted. It is important to prevent the sending first subscriber unit from also using the electronic coin data record for payment at another (third) subscriber unit (so-called double spending). Before the transmission, a status of the electronic coin data record can be set to inactive status in order to invalidate the electronic coin data record, then it is sent (as the first step of the transmission) to the second subscriber unit and, if there is an acknowledgment of receipt from the second subscriber unit, it is deleted of the electronic coin record in the first subscriber unit (as the second step of the transmission). A confirmation of erasure from the first subscriber unit may be sent to the coin register or the second subscriber unit to indicate a successful erasure (performed in the first subscriber unit) of the electronic coin record.

In addition, the transmitted electronic coin data record can be switched from the first subscriber unit to a second subscriber unit (=switch). The switching can preferably take place automatically upon receipt of the confirmation of deletion of an electronic coin data record in the second subscriber unit. In addition, it can also be done on request, for example by a command from the first subscriber unit and/or the second subscriber unit. In addition, an electronic coin data record can also be divided into at least two electronic partial coin data records (“split”). In addition, two electronic coin datasets can be combined into one electronic coin dataset (“merge”). Switching, splitting and connecting are various modifications to an electronic coin record, i.e. actions with the electronic coin record. These modifications require the masked coin data set to be registered in the coin register of the payment system. The concrete implementation of the individual modifications will be explained later.

Switching also takes place when an electronic coin dataset is changed, for example split up or connected to other electronic coin datasets, in particular in order to be able to settle a monetary amount to be paid appropriately.

This pseudonymization is explained in more detail below: The transmission of electronic coin data records in the payment system is anonymous unless the anonymity is to be explicitly canceled by additional measures. It could be a requirement in the payment system to remove anonymity depending on a value for monetary amounts. In other words: A typical requirement in the payment system could be to anonymously send monetary amounts below a certain limit. If this limit is exceeded, the transmission in the system is de-anonymized.

In a preferred embodiment, the method comprises the further steps of: masking the electronic coin data set by applying a homomorphic one-way function to the electronic coin data set to obtain a masked electronic coin data set; associating the masked electronic coin record with a pseudonym to obtain a pseudonymized masked electronic coin record; and sending the pseudonymized masked electronic coin record to a monitoring register of the payment system. Modifications to the electronic coin data record are thus tracked in the coin register and documented in the monitoring register under a pseudonym, without anonymity in the payment system being removed. The monitoring register can thus identify the outgoing transactions at the subscriber unit even if it knows the affiliation of the pseudonym and the subscriber unit.

In the method according to the invention mentioned above, the pseudonymized masked electronic coin data record is preferably included in the transaction data record in the generation step by the first subscriber unit, more preferably instead of the masked electronic coin data record, and thus sent in encrypted form to the transaction register. A later decryption reveals the pseudonym under which the transaction took place.

This procedure represents an alternative to the above-described provision of the pseudonymised transaction data of the trade repository and could be used in parallel or in addition to this procedure in the monitoring register. The selection of The respective pseudonymisation procedure can be set flexibly in the payment system and adapted to the actual requirements of the payment system, for example to the processing power of the trade repository or the monitoring register or a transmission capacity in the payment system.

Since a digital payment transaction (the transmission of electronic coin data records) of a large amount of money could also be divided into several digital payment transactions of smaller amounts of money, each of which can be below the limit value, the limit value must be subscriber unit-specific and/or time-dependent. Due to the non-transparent multiple (direct) transmission of a coin data record between a large number of different subscriber units, this requirement for deanonymization, also known as re-identification, is not aimed at individual transmissions (transactions) between two subscriber units, but usually relates to the total of all transactions within a certain unit of time (duration) received and/or sent by a subscriber unit. A mechanism is therefore provided for determining the sum of all monetary amounts sent or received by a subscriber unit within a given unit of time. For this purpose, a method is described which enables the anonymity of a transmitting subscriber unit to be revoked if a limit value per unit of time is exceeded.

In order to enable such a mechanism for deanonymization, pseudonymization is carried out in a preferred embodiment of the method. For this purpose, a linking step is carried out before the masking step in order to link a pseudonym of the first subscriber unit with the electronic coin data record. The pseudonym is preferably subscriber unit specific. A pseudonym is any type of disguised identity that makes it possible to draw conclusions about the subscriber unit and the transactions carried out with it without merely knowing the electronic coin data record.

The subscriber unit must perform a modification (split, switch, connect) for each received coin record in order to associate the pseudonym with the coin record. The registration in the coin register associated with each modification (for the validation of the modification) is sufficient in order to be able to unambiguously assign all coin data record transactions that were carried out with the subscriber unit to this subscriber unit on the basis of the linked pseudonym. A monitoring register can identify the incoming transactions at the subscriber unit if it knows the affiliation of the pseudonym and the subscriber unit. Thus, modifications to the electronic coin record are linked to a pseudonym stored on the subscriber unit. This pseudonym can either be permanent or only valid for a certain period of time.

Thus, the difference between an anonymous masked electronic coin record and a pseudonymized masked electronic coin record lies in the identifiability of the subscriber unit by the surveillance register when using the pseudonym. An anonymous masked electronic coin record does not contain any information about its origin, so it cannot be linked to a subscriber unit. In contrast, a pseudonymized masked electronic coin record has an association with a pseudonym of the subscriber unit, so that the subscriber unit that sent the pseudonymized masked electronic coin record to the monitoring register can be identified via the linked pseudonym.

The mechanism described is sufficient to determine whether the sum of the monetary amounts of all transactions in a subscriber unit is below a limit value, preferably within a specific time unit. If it is recognized that the limit value is exceeded by a desired modification, the monitoring register could promptly prevent such a modification by blocking or rejecting the registration of the corresponding electronic coin data set in the coin register. Alternatively or additionally, the subscriber unit could be informed that the modification (and thus the transaction) would only be carried out if the subscriber unit de-anonymizes itself, e.g. discloses personal access data, before the modification is registered and the electronic coin record is validated, thereby completing the transaction would be accepted.

In a preferred embodiment of the pseudonymization, the number of area confirmations or area verifications that the monitoring register requests from the first subscriber unit is reduced by sending the pseudonymized masked electronic coin data record instead of an anonymous masked electronic coin data record.

The monitoring register, the coin register and/or the first subscriber unit can process the masked electronic coin records in an anonymous or in a pseudonymous mode. In an anonymous mode, the monitoring register requests necessary and other (catch up) area proofs or area confirmations. In the pseudonymous mode, the monitoring register does not request at least one of the other area verifications or area confirmations, but checks for the pseudonym whether a (catch-up) criterion is met. An electronic coin record can already be treated as valid if the necessary checks have been carried out. Only when the (catch-up) criterion has been met will Area credentials or cumulative area credentials (or acknowledgment) requested from subscriber unit. For example, a period of time or a number of masked electronic coin data sets can be used as (catch-up) criteria for the pseudonym.

In a further preferred refinement of the pseudonymization, the first subscriber unit receives a request for a sum area confirmation or a sum area proof from the monitoring register and sends the requested sum area confirmation or the requested sum area proof to the monitoring register.

In an alternative embodiment, the first subscriber unit generates an unsolicited summary area confirmation or an unsolicited summary area proof, and sends the unsolicited summary area confirmation or the requested summary area proof to the monitoring register.

A sum range confirmation or a sum range proof is information from the subscriber unit about a sum of monetary amounts of a plurality of electronic coin data sets, preferably electronic coin data sets transmitted directly between subscriber units. This total information is compared in the monitoring register with an area information. If the specified range is exceeded, the electronic coin data records are de-anonymized in order to be able to secure and control the transfer of large monetary amounts.

For this purpose, the first subscriber unit preferably forms a sum of monetary amounts from a number of electronic coin data records, confirming with the sum range confirmation that the sum formed is within a range. The sum range confirmation is understood in the monitoring register as an indication of the subscriber unit and the subscriber unit is classified as trustworthy.

In an alternative embodiment of the pseudonymization, the first subscriber unit creates a sum range verification for a number of electronic coin data sets that can be checked by the monitoring register. The total range is then checked by the monitoring register and there is a confirmation that the total is in range (or not). The proof of total area is preferably also part of the transaction data record for the trade repository.

In a preferred embodiment of the pseudonymization, the multiple electronic coin data records only include selected electronic coin data records. Thus the Sum area confirmation or the sum area proof is not carried out for all electronic coin data sets of the subscriber units, but only for a specific selection. In one embodiment, the selection relates only to electronic coin data sets sent from pseudonymised, masked electronic coin data sets. In an alternative refinement of the pseudonymization, only electronic coin data records are affected by sent anonymous masked electronic coin data records or sent pseudonymized masked electronic coin data records. In an alternative refinement of pseudonymization, only electronic coin data records are affected by anonymous masked electronic coin data records sent, pseudonymised masked electronic coin data records sent and/or masked electronic coin data records not sent to the monitoring register. In a preferred embodiment of the pseudonymization, the several electronic coin data records are selected as a selection criterion after a preselected period of time. A day, a week or even a much shorter period can be selected as the period.

This selection is preferably masked and then sent to the trade repository in encrypted form as part of the transaction record.

In an alternative or additional embodiment of the pseudonymization, a list in the first subscriber unit or in the monitoring register is to be used as a selection criterion, based on which list the electronic coin data records are selected.

This list is preferably masked and then sent to the trade repository in encrypted form as part of the transaction record.

In a preferred embodiment of the pseudonymization, the monitoring register requests area confirmations or area verifications from subscriber units as part of a sum check. Preferably, the anonymous masked electronic coin record monitoring register employs a first sum checking mode. Preferably, for pseudonymised masked electronic coin records, the monitoring register applies a second sum checking mode.

In a preferred embodiment of the pseudonymization, the monitoring register checks a proof of area for each modified electronic coin data set received.

In a preferred embodiment of the pseudonymization, the monitoring register regularly or quasi-randomly requests area confirmations or area verifications from subscriber units. This takes place, for example, in the first sum check mode. In an alternative or additional embodiment of the pseudonymization, the monitoring register only requests an area confirmation or an area verification from the subscriber unit once a number of coin data sets have been received for a pseudonym. This takes place, for example, in the second sum check mode. This number is preferably dependent on subscriber unit type and/or coin denomination range. This means that the area proofs or area confirmations can be flexibly tailored to a specific user situation and thus increase the security of the payment system.

In principle, it is sufficient to identify the outgoing transactions or the incoming transactions, so that in one embodiment the masking of the electronic coin data record and linking the masked electronic coin data record in the second subscriber unit with a pseudonym of the second subscriber unit in the second subscriber unit and sending the pseudonymized masked electronic coin data record to the surveillance register is not carried out.

These identified outbound transactions are preferably sent to the trade repository in encrypted form as part of the transaction record.

The linking step of pseudonymizing is preferably performed by signing the respective masked electronic coin data record in the second subscriber unit with a private signature key of the second subscriber unit to obtain a signed masked electronic coin data record as a pseudonymized masked electronic coin data record or as a pseudonymized masked electronic coin data record transmitted.

Signing is done with a private signature key of the subscriber unit. This signature key is preferably subscriber-unit-specific, i.e. knowing the verification key, it can be traced who last modified (switched, divided, connected) the coin data record. The signed masked electronic coin record is registered in the audit register.

In the method according to the invention mentioned above, the signed, masked electronic coin data record is preferably included in the transaction data record in the generation step by the first subscriber unit, more preferably instead of the masked electronic coin data record, and is thus sent to the transaction register in encrypted form. Subsequent decryption then reveals the signature under which the transaction took place.

To generate a signature is therefore preferred an asymmetric cryptosystem in which the subscriber unit using a secret signature key, here as a private Signature key or "private key", calculates a value for a data set. This value enables anyone to check the authorship and integrity of the data set using a public verification key, the "public key".

The step of registering preferably involves checking the signature in the monitoring register, with the monitoring register having the public verification key of the signature for this purpose. The signature can now be checked by the monitoring register, in that a public verification key for the signature is known there.

The public verification key for checking the signature is preferably known only to the surveillance register, which means that the method remains anonymous to the subscriber units among themselves.

The coin register preferably registers any modification, i.e. switching, splitting and/or connecting together with the signature of the subscriber unit. In this way, the coin register and/or the monitoring register can monitor and determine the sum of monetary amounts for all transactions of a subscriber unit. The signature is, for example, part of the transaction data record and is sent to the trade repository either in encrypted form or in plain text and stored (archived) there.

The signature is preferably valid within a specific time unit, the specific time unit preferably being one day. In this way, the transaction volume (= sum of the monetary amounts for transactions) per subscriber unit can be checked for this specific time unit.

Each subscriber unit therefore has an asymmetric key pair in order to sign each modification with the private signature key. The public key is known to the surveillance registry (and also to the coin registry). Thus, the audit trail can link each transaction to the subscriber unit as the sender or recipient of the coin record.

The mechanism described is sufficient to record (measure) whether the sum of all monetary amounts per subscriber unit (=transactions) is within a limit value per time unit, for example a daily limit value.

The recognition of return criteria for coin data records that have already been issued, for example that a coin data record should expire, is explained below: The electronic coin data sets are issued by a central issuing authority, each electronic coin data set additionally having a test value. The check value is incremented when the electronic coin data set is transmitted directly between two subscriber units, or the check value is invariant in the case of an action (modification) carried out by subscriber units with the electronic coin data set. The method includes the following step: determining by the subscriber unit based on the check value of an electronic coin data record whether this electronic coin data record is displayed by the subscriber unit at the payment system or determining by the subscriber unit based on the check value of the electronic coin data record whether the electronic coin data record to the central issuing authority is returned. Thus, in a preferred embodiment for the recognition of return criteria, it is also determined on the basis of the above-mentioned test value for transaction data records that have not been sent or based on a further test value whether the electronic coin data record is displayed by the first subscriber unit in the payment system, in particular a coin register, and/or whether the electronic coin data record is returned to the central issuing authority.

Each test value of the electronic coin data record is used in the method to enable or improve a control function in the payment system. Each verification value is preferably a data element of the electronic coin record readable by the subscriber unit or a data element in the subscriber unit and its value can be determined by the subscriber unit. The check value for the return criteria is coupled to an electronic coin record.

In a first embodiment, the test value for the return criteria is incremented (=incrementally increased) when the electronic coin data record is transmitted directly between two subscriber units. The incrementing is either incremented by a sending subscriber unit immediately before the coin data record is sent to a receiving terminal. Or the incrementing occurs in a receiving subscriber unit immediately after receipt of the coin record. Thus, the number of direct transmissions between subscriber units is recorded for each coin record.

In a second embodiment (as an alternative to the first) the test value is invariant in the event of an action (invariant to action) carried out by subscriber units with the electronic coin data record. Action-invariant means that the test value remains unchanged during an action with the coin data set. The action-invariant test value is not specific to the electronic coin data set but is group-specific and therefore applies to a number of different coin data sets in order to maintain anonymity and prevent coin data set tracking. Any modification to the coin data record carried out by a terminal device, ie in particular switching, dividing, combining, as will be described later, is considered an action with a coin data record. In addition, an action means each transmission of the coin data record, for example to a (different) subscriber unit or also to an instance in the payment system. In addition, an action means redeeming the coin data set to credit a monetary amount of the coin data set or changing the currency system. These actions are performed by subscriber units and do not change the check value.

The subscriber unit uses the test value of the electronic coin data record to determine whether this electronic coin data record is displayed (=reported) to the payment system. For example, when the number of transmissions between subscriber units exceeds a predefined threshold, the electronic coin record is indicated to the payment system. In an exemplary embodiment of the method, the display corresponds to the sending of a switching command to a coin register of the payment system in order to cause the coin data set to be switched there to the subscriber unit sending the coin data set. In an alternative exemplary embodiment of the method, the display causes the coin data record to be marked in a monitoring register of the payment system. The check value and/or the coin data record can, but does not have to, be transmitted to the payment system for the purpose of display. The return of the electronic coin record by the subscriber unit entails either redeeming a monetary amount associated with the electronic coin record or issuing a new electronic coin record of an identical monetary amount.

The return of the electronic coin data set by the subscriber unit can trigger a resetting or deletion of all entries in the monitoring register in the payment system relating to the electronic coin data set. In this way, digital traces of the electronic coin data record are deleted and the anonymity of the procedure is secured.

Alternatively, the subscriber unit uses the check value of the electronic coin record to determine whether to return the electronic coin record to the central issuing authority. A criterion for the return of an electronic coin data record can thus be defined with the test value. In this way, electronic coin data sets can expire, for example due to their lifetime or the number of actions carried out with the coin data set, in order to increase the security of the payment system.

In a preferred embodiment, the electronic coin data set is sent to the central issuing authority as a result of the notification from the payment system (the monitoring register). returned. By displaying this in the payment system, it is thus determined in the payment system whether the coin data set is to be returned. In this embodiment, the determination as to whether a return must take place is carried out in the payment system instead of in the subscriber unit. The result of the determination is communicated to the subscriber unit and the subscriber unit is requested by the payment system to return the electronic coin data set.

In a preferred embodiment, the payment system (the monitoring register) requests the modification of the electronic coin data record as a result of the display. Modifying, for example splitting, combining or switching, requires the electronic coin data set to be registered in the payment system. In many configurations of the digital currency system, a return to the issuing authority is not necessary and sometimes also not sensible. This is especially true when the coin record was modified rapidly promptly after it was issued. In this embodiment, the coin record is not returned, but is considered returned.

In a preferred embodiment, a counter value in the payment system (the monitoring register) relating to this electronic coin data record is determined as a result of the display by the payment system using the check value of the electronic coin data record. The check value of the coin data record is preferably transmitted from the subscriber unit to the payment system (the monitoring register). The counter value is not part of the coin data set. The counter value is preferably managed in the payment system. The counter value is preferably incremented with each action (modification, transmission, redemption) relating to the electronic coin data set. The counter value is preferably increased with different weighting for different actions. This makes it possible to better control the return according to different actions. The check value is thus provided in the coin data record as a data element which is incremented in particular with each direct transmission between subscriber units. The counter value in the payment system includes the check value, for example by adding the previous counter value to the check value.

In a preferred embodiment, each electronic coin data record has a first check value and a second check value. The first check value is then correspondingly incremented when the electronic coin data record is transmitted directly between two subscriber units, the first check value of the electronic coin data record being used to determine whether the electronic coin data record is displayed by the subscriber unit in the payment system. Based on at least the second check value of the electronic coin data set, it is determined whether the electronic coin data set is returned to the central issuing authority. Thus, a display check value is provided separately from a return check value in the coin record. The second check value is preferably invariant in an action performed by subscriber units with the electronic coin data set, the second check value preferably being at least one value from the following list: return date of the electronic coin data set; issue date of the electronic coin record; electronic coin record registration date; and electronic coin record identification value. The action-invariant test value is not specific to the electronic coin data set but is group-specific and therefore applies to a number of different coin data sets in order to maintain anonymity and prevent coin data set tracking. The second action-invariant check value is not individual for the electronic coin data record, but applies to a number of different coin data records (group ID) in order to maintain anonymity and prevent coin data record tracking.

In an advantageous embodiment, the second check value is variable and includes the first check value to determine whether the electronic coin record is returned. A sum could be formed and this sum could be compared with a predefined threshold value. For example, the number of direct transmissions could be a return criterion, so that no infrastructure for evaluating the coin data sets with regard to the return of the coin data sets would have to be provided in the payment system, ie simpler and more secure management would be possible while creating the control functions.

In an advantageous embodiment, the exceeding of a threshold value of the check value of the electronic coin data record is determined by a first terminal device and an action with this electronic coin data record, in particular the direct transmission of this electronic coin data record from the first terminal device to a second terminal device, is only carried out if in first terminal it has been determined that no other electronic coin data set is present in the first terminal. This ensures that a payment transaction between two terminals can still be carried out and completed with the coin data set despite a large number of direct transmissions of this coin data set between terminals due to a lack of alternative coin data sets in the terminal.

In an advantageous embodiment, the exceeding of a blocking threshold value of the test value of the electronic coin data set is determined by a first subscriber unit and an action with this electronic coin data set, in particular the direct transmission of this electronic coin data set from the first subscriber unit to a second subscriber unit, is blocked, regardless of this whether or not there is another electronic coin record in the first subscriber unit. A threshold value is thus defined which, when it is reached, completely prevents (blocks) direct forwarding (transmission) between subscriber units. For example, this one could Coin data are stored in a secure storage area, also only a return process but no action process of the subscriber unit has access.

The imminent blocking can be detected in advance by the subscriber unit and a user of the subscriber unit can be informed in order to prevent the blocking of the coin data set by immediately returning the coin data set. Additionally or alternatively, the subscriber unit may return the electronic coin record upon detecting that the blocking threshold has been exceeded.

The threshold value of the check value is preferably lower than the blocking threshold value of the check value. The blocking threshold can be a multiple of the threshold in order not to block the coin record too early. The threshold value is ten, for example, or five, for example, or 3, for example. The blocking threshold value is correspondingly 30, or, for example, 15, or, for example, 10.

In a preferred embodiment, the issuer entity queries test values of coin data sets at predefined periodic intervals or in a specifically controlled manner and automatically requests an electronic coin data set back if a test value of the electronic coin data set is exceeded.

In a preferred embodiment of the return method, the monitoring register of the payment system determines a counter value in the monitoring register relating to the electronic coin data set using the test value of the electronic coin data set. If the counter value exceeds a threshold value, the electronic coin data record is returned (directly or indirectly) to the central issuing authority. In this case, preferably only masked coin data records are managed in the monitoring register. The issuer instance or the payment system requests the corresponding coin data set from the subscriber unit or provides corresponding information from the payment system to the subscriber unit for (direct) return. The counter value is preferably increased with each action on the electronic coin data set, the counter value preferably being increased with different weighting for different actions. Reference is made to the above-mentioned advantages of such a method.

In a preferred embodiment of the return method, when an action is carried out with the electronic coin data set by the monitoring register, the check value of the electronic coin data set is reset by the payment system. This simplifies the procedure since the subscriber unit does not have to be adjusted to the sum of all permitted actions, but only to the sum of consecutively permitted direct transmissions. In a preferred embodiment, when combining (=connecting) electronic coin part data records into a combined electronic coin data record, the payment system determines the highest test value of the electronic coin part data records and this highest test value is adopted as the test value of the combined electronic coin data record.

In a preferred embodiment, when electronic coin part data records are combined into a combined electronic coin data record, the monitoring register determines a new test value from the sum of all test values of the electronic coin part data records divided by the product of the number of coin part data records with a constant correction value, this new test value being the test value of the combined electronic coin dataset is adopted, the correction value being greater than or equal to 1 and the correction value preferably depending on a maximum deviation of the individual test values of the electronic coin part datasets or on a maximum test value of one of the electronic coin part datasets, with the correction value being more preferably less than or equal to 2. The correction value is constant throughout the system.

In a preferred embodiment, the electronic coin data record is returned from the monitoring register to the issuing entity when the terminal device initiates the redemption of a monetary amount of the electronic coin data record to an account in the payment system and/or when the subscriber unit exchanges the monetary amount of the electronic coin data record for a requests another currency system of the payment system.

An electronic coin record can be split in a subscriber unit and this split is then registered in the coin register. This has the advantage that an owner of the at least one electronic coin data record is not forced to always transfer the entire monetary amount at once, but rather to form and transfer corresponding partial monetary amounts. The monetary value can be divided symmetrically or asymmetrically without restrictions as long as all electronic coin data subsets have a positive monetary amount that is smaller than the monetary amount of the electronic coin data set from which it is split and the sum of the electronic coin subdata sets is equal to the electronic coin subdata set to be split. Alternatively or additionally, fixed denominations can be used. The division into partial amounts is arbitrary. For example, the splitting triggers the execution of the method described above for generating and encrypting a transaction record, and the masked split electronic coin split record may be part of a transaction record for the trade repository. The method preferably has the following further steps: switching over the transmitted electronic coin part data record; and/or merging the transmitted electronic coin record with a second electronic coin record to form a (new) linked electronic coin record.

When switching over, the partial electronic coin data set received from the first subscriber unit results in a new electronic coin data set, preferably with the same monetary amount, the so-called electronic coin data set to be switched over. The new electronic coin data set is generated by the second subscriber unit, preferably by using the monetary amount of the received electronic coin data set as the monetary amount of the electronic coin data set to be switched. A new concealment amount, for example a random number, is thereby generated. For example, the new obfuscation amount is added to the obfuscation amount of the received electronic coin record so that the sum of both obfuscation amounts (new and received) serves as the obfuscation amount of the electronic coin record to be switched. After switching, the electronic coin part data set received and the electronic coin part data set to be switched over are preferably masked in the subscriber unit by applying the homomorphic one-way function to the electronic coin part data set received and the electronic coin part data set to be switched over, respectively, in order to obtain a masked electronic coin part data set received and a masked electronic coin part data set to be switched over . The switching triggers, for example, the execution of the method described above for generating and encrypting a transaction record and the masked electronic coin part record to be switched can be part of a transaction record for the trade register.

The switching is thus secured by adding a new spoof amount to the spoof amount of the received electronic coin record, thereby obtaining a spoof amount that only the second subscriber unit knows. Newly created obfuscation amounts must have high entropy since they are used as the blinding factor for the corresponding masked electronic coin part records. A random number generator on the security element is preferably used for this purpose. This safeguard can be tracked in the coin register.

As part of the switching, additional information that is required to register the switching of the masked electronic coin data set in the coin register is preferably calculated in the subscriber unit. Preferably, the additional information includes a range verification of the masked electronic coin record to be switched and a range verification of the masked received electronic coin record. The proof of area is proof that the monetary amount of the electronic coin data set is not negative, the electronic coin data set is valid and/or the monetary amount and the concealed amount of the electronic coin data set are known to the creator of the proof of area. In particular, the area credential serves to provide such credential(s) without revealing the monetary amount and/or the concealment amount of the masked electronic coin record. These range proofs are also called "zero knowledge range proofs". Ring signatures are preferably used as area verification. The changeover of the masked electronic coin data set is then registered in the remote coin register. For example, registration triggers the execution of the method described above for generating and encrypting a transaction record, and the masked electronic coin part record to be switched may be part of a transaction record for the transaction register.

The registering step is preferably performed when the second subscriber unit is connected to the coin register. While the electronic coin records are used for direct payment between two subscriber units, the masked coin records can be registered with a pseudonym in the coin register. The registration triggers, for example, the execution of the method described above for generating and encrypting a transaction record and the pseudonymized masked electronic coin part record to be switched can be part of a transaction record for the transaction record.

In a further preferred embodiment of the method, a further electronic coin data record (connected electronic coin data record) is determined from a first and a second electronic coin part data record for connecting electronic coin part data records. The concealment amount for the electronic coin data set to be connected is calculated by forming the sum of the respective concealment amounts of the first and the second electronic coin data set. Furthermore, the monetary amount for the associated electronic coin data record is preferably calculated by forming the sum of the respective monetary amounts of the first and the second electronic coin data record.

After the connection, the first electronic coin part data record, the second electronic coin part data record, and the electronic coin data record to be connected in the (first and/or second) subscriber unit are created by applying the homomorphic one-way function to the first electronic coin part data record, the second electronic coin part data record, and the to connecting electronic coin data set masked to correspondingly a masked first electronic coin part data set, a masked second electronic coin part data set, and a masked electronic coin data set to be connected receive. Furthermore, additional information needed to register the linking of the masked electronic coin records in the remote coin register is computed in the subscriber unit. Preferably, the additional information includes area evidence of the masked first electronic coin part record and area evidence of the masked second electronic coin part record. The proof of area is proof that the monetary amount of the electronic coin data record is not negative, the electronic coin data record was validly created and/or the monetary amount and the concealed amount of the electronic coin data record are known to the creator of the area proof. In particular, area verification serves to provide such verification(s) without revealing the monetary value and/or the amount of obfuscation of the masked electronic coin record. These range proofs are also called "zero knowledge range proofs". Ring signatures are preferably used as area verification. The connection of the two masked electronic coin part data sets is then registered in the remote coin register. For example, registration triggers the execution of the method described above for generating and encrypting a transaction record, and the masked linked electronic coin part record may be part of a transaction record for the transaction repository.

With the step of connecting, two electronic coin data records or two electronic coin part data records can be combined. The monetary amounts as well as the concealment amounts are added up. As with splitting, the validity of the two original coin data records can also be carried out when connecting.

In a preferred embodiment, the registering step comprises receiving the masked electronic coin part data set to be switched over in the coin register, checking the masked electronic coin part data set to be switched over for validity; and registering the masked electronic coin part record to be switched in the coin register if the verifying step is successful, whereby the electronic coin part record to be switched is deemed to be verified.

This results, for example, in an at least three-tier payment system. In a first layer (direct transaction layer), electronic coin data records are transmitted directly between individual subscriber units or their security elements. In a second layer (testing layer), masked electronic coin data sets are registered and checked in a coin register and a monitoring register. In the second layer, preferably no payment transactions are recorded, only masked electronic coin data records, their status, possibly test values, signatures and modifications for the purpose of verifying the validity of (non-masked) electronic coin data records. This ensures the anonymity of the participants in the payment system. The second layer provides information about valid and invalid electronic coin data sets, for example to avoid multiple issuance of the same electronic coin data set or to verify the authenticity of the electronic coin data set as validly issued electronic money or to record the sum of monetary amounts per security element in order to compare this sum with a limit value and prohibit or permit modification accordingly. The second layer may use a counter value of an electronic coin record to determine whether the electronic coin record has expired and is to be returned, or modified appropriately so that it is deemed to be returned. In a third layer (archiving layer), encrypted transaction data records are stored in a transaction repository and decrypted on official request as shown above in order to be checked.

In addition, the payment system also includes, for example, an issuer entity that generates electronic coin data sets (creation) and requests them again (deletion). When issuing an electronic coin data record from the issuer entity to a subscriber unit, a masked electronic coin data record can also be issued by the issuer entity to the coin register and/or the monitoring register of the payment system for registering the electronic coin data record.

In the present case, a subscriber unit can have a security element or itself be a security element in which the electronic coin data record is securely stored. An application that controls or at least initiates parts of the transmission process can be installed ready for operation on the subscriber unit.

Electronic coin data records can be transmitted with the aid of terminal devices as subscriber units, which are logically and/or physically connected to the security elements.

The communication between two subscriber units, possibly with the respective security elements, can be wireless or wired, or e.g. also optically, preferably via QR code or barcode, and can be designed as a secure channel, for example between applications of the subscriber units. The optical path can include, for example, the steps of generating an optical code, in particular a 2D code, preferably a QR code, and reading in the optical code.

The transmission of the electronic coin data record is secured, for example, by cryptographic keys, for example a session key negotiated for an electronic coin data record exchange or a symmetric or asymmetric key pair. By communicating between subscriber units, for example via their security elements, the exchanged electronic coin records are protected from theft or tampering. The level of security elements thus complements the security of established blockchain technology.

In a preferred embodiment, the coin data records are transmitted as APDU commands. For this purpose, the coin data record is preferably stored in an (embedded) UICC as a security element and is managed there. An APDU is a combined command/data block of a connection protocol between the UICC and a terminal. The structure of the APDU is defined by the ISO-7816-4 standard. APDUs represent an information element of the application layer (layer 7 of the OSI layer model).

In addition, it is advantageous that the electronic coin data sets can be transmitted in any format. This implies that it communicates, i.e. can be transmitted, on any channel. They do not have to be saved in a fixed format or in a specific program.

In particular, a mobile telecommunications terminal, for example a smartphone, is regarded as a subscriber unit. Alternatively or additionally, the subscriber unit can also be a device such as a wearable, smart card, machine, tool, vending machine or even a container or vehicle. A subscriber unit is thus either stationary or mobile. The subscriber unit is preferably designed to use the Internet and/or other public or private networks. For this purpose, the subscriber unit uses a suitable connection technology, for example Bluetooth, LoRa, NFC and/or WiFi, and has at least one corresponding interface. The subscriber unit can also be designed to be connected to the Internet and/or other networks by means of access to a mobile radio network.

For example, two subscriber units set up a local wireless communication connection via the protocol of which the transmission between the two security elements located therein is then introduced.

In one embodiment, it can be provided that the first and/or second security element processes the received electronic coin data records in the presence or receipt of a plurality of electronic coin data records according to their monetary value. Provision can thus be made for electronic coin data records with a higher monetary value to be processed before electronic coin data records with a lower monetary value. In one embodiment, the subscriber unit can be designed, after receiving an electronic coin data record, to connect this to the electronic coin data record already present in the subscriber unit depending on attached information, for example a currency or denomination, and to carry out a corresponding step of connecting. Furthermore, the subscriber unit can also be designed to automatically carry out a switchover after receipt of the electronic coin data set.

In one embodiment, further information, in particular metadata, is transmitted during the transmission from the first subscriber unit or first security element to the second subscriber unit or second security element, for example a currency. In one embodiment, this information can be included in the electronic coin data set.

The procedures are not limited to one currency. For example, the payment system can be set up to manage different currencies from different publishers. The payment system is set up, for example, to convert (=change) an electronic coin data record in a first currency into an electronic coin data record in a different currency. This switching is also a modification of the electronic coin record. With the change, the original coin record becomes invalid and is deemed returned. Flexible payment with different currencies is therefore possible and user-friendliness is increased.

The methods also allow the electronic coin data record to be converted into book money, ie, for example, the monetary amount can be redeemed in an account held by the participant in the payment system. This repositioning is also a modification. Upon redemption, the electronic coin record becomes invalid and is deemed to have been returned.

The at least one initial electronic coin data record is preferably created exclusively by the issuer entity, with the divided electronic coin data records, in particular electronic partial coin data records, also being able to be generated by a subscriber unit. Creating and choosing a monetary amount preferably also includes choosing a high entropy obfuscation amount. The publishing entity is a computing system, which is preferably remote from the first and/or second subscriber unit. After creating the new electronic coin record, the new electronic coin record is masked in the issuer instance by applying the homomorphic one-way function to the new electronic coin record to obtain a masked new electronic coin record accordingly. Furthermore, additional information needed to register the creation of the masked new electronic coin record in the remote coin register is calculated in the issuer entity. are preferred this further information is proof that the (masked) new electronic coin data set originates from the issuing authority, for example by signing the masked new electronic coin data set. In one embodiment, it can be provided that the issuing entity signs a masked electronic coin data record with its signature when the electronic coin data record is generated. The signature of the issuing authority is stored in the coin register. The signature of the issuing authority is different from the signature generated by a subscriber unit or a security element.

The issuer entity can preferably deactivate an electronic coin data record that is in its possession (i.e. of which it knows the monetary amount and the obfuscation amount) by masking the masked electronic coin data record to be deactivated with the homomorphic one-way function and a deactivate command for the coin register prepared. In addition to the masked electronic coin data set to be deactivated, a part of the deactivation command is preferably also the proof that the deactivation step was initiated by the issuing authority, for example in the form of the signed masked electronic coin data set to be deactivated. As additional information, range checks for the masked electronic coin record to be deactivated could be included in the deactivate command. Disabling may be the result of a return. The deactivation of the masked electronic coin data set is then registered in the remote coin register. The deactivation step is triggered with the deactivation command.

The create and deactivate steps preferably take place in secure locations, especially not in the subscriber units. In a preferred embodiment, the steps of creation and deactivation are carried out or initiated only by the publishing entity. These steps preferably take place in a secure location, for example in a hardware and software architecture that was developed for processing sensitive data material in insecure networks. The deactivation of the corresponding masked electronic coin data set has the effect that the corresponding masked electronic coin data set is no longer available for further processing, in particular transactions. However, in one embodiment it can be provided that the deactivated, masked electronic coin data record remains in the archives of the issuing authority. The fact that the deactivated masked electronic coin data set is no longer valid or returned can be identified, for example, using a flag or another coding, or the deactivated masked electronic coin data set can be destroyed and/or deleted. The deactivated electronic coin record is also physically removed from the subscriber unit or security element. Various processing operations (modifications) for the electronic coin data sets and the corresponding masked electronic coin data sets are made possible by the method according to the invention. Each of the processing operations (in particular creating, deactivating, dividing, connecting and switching over) is registered in the coin register and appended there in unchangeable form to the list of previous processing operations for the respective masked electronic coin data set. Each of the processing operations initiates the process of creating and encrypting a transaction record, for example. The registration is independent of the payment process between the subscriber units, both in terms of time and place (spatial). The processing operations "Create" and "Deactivate" (=return), which affect the existence of the monetary amount itself, i.e. the creation and destruction up to the destruction of money, require additional approval, for example in the form of a signature, by the issuing authority in order to be registered (i.e. logged) in the coin register. The remaining processing operations (dividing, connecting, switching), of which the dividing and connecting can also be delegated from one subscriber unit to another subscriber unit, do not require authorization by the issuing authority or by the command initiator (= payer, e.g. subscriber unit or security element ).

Processing in the direct transaction layer only affects the ownership and/or the assignment of the coin data records to subscriber units of the respective electronic coin data records. A registration of the respective processing in the coin register or the monitoring register is implemented, for example, by corresponding list entries in a database that includes a series of markings that must be carried out by the coin register. A possible structure for a list entry includes, for example, column (s) for a predecessor coin data set, column (s) for a successor coin data set, a signature column for the issuer instance, a signature column for the sending and / or receiving security element, a Signature column for coin division operations and at least one marking column. A change (modification) is final when and the required markings have been validated by the coin register or the monitoring register, ie after the corresponding check, for example, they have changed from status "0" to status "1". If a check fails or takes too long, it is instead changed from status to status "0", for example. Other status values are conceivable and/or the status values mentioned here are interchangeable. The statuses regarding the modifications are independent of the status during the transfer process (inactive/active). The validity of the respective (masked) electronic coin data sets from the status values of the markings are summarized in one column for each masked electronic coin data set involved in registering the processing. In a further exemplary embodiment, at least two, preferably three or even all of the aforesaid flags can also be replaced by a single flag which is then set if all tests have been successfully completed. Furthermore, the two columns for predecessor data sets and successor data sets can each be combined into one in which all coin data sets are listed together. As a result, more than two electronic coin data sets could then also be managed per field entry, and thus, for example, a split into more than two coin data sets could be implemented.

The checks by the surveillance register to check whether a processing is definitive are already described above and are in particular:

Are the masked electronic coin records of the predecessor column(s) valid?

- Does a monitoring result in the correct test value?

Are the area verifications successful for the masked electronic coin records?

Is the signature of the masked electronic coin record a valid signature of the issuing authority?

- Does the sending/receiving subscriber unit (pseudonym) exceed a limit for a maximum permissible monetary amount, particularly per unit of time? Is the Coin Record Inactive due to Transferring between Subscriber Units?

It is also preferred that a masked electronic coin data set is invalid if one of the following checks applies, i.e. if:

(1) the masked electronic coin record is not registered in the coin register;

(2) the last processing of the masked electronic coin record indicates that it has predecessor coin records, but this last processing is not final; or

(3) the last processing of the masked electronic coin record indicates that it has successor coin records and that last processing is final;

(4) the masked electronic coin record is not the successor of a valid masked electronic record unless signed by the issuing authority;

(5) the monetary amount of the masked electronic coin data record means that a limit value for a maximum permissible monetary amount, in particular per unit of time, is exceeded and the required deanonymization is rejected by the corresponding subscriber unit;

(6) An active status for a security element is entered in the coin register, but another subscriber unit requests an action (switch, combine, split) under indication of ownership.

The payment system is preferably designed to carry out the above-mentioned method and/or at least one of the embodiment variants. A further aspect relates to a currency system comprising an issuer entity, a coin register layer, a first security element and a second security element, the issuer entity being designed to create an electronic coin data record. The masked electronic coin data set is designed to be demonstrably created by the issuing authority. The verification layer is designed to perform a registration step as set forth in the above method. The security elements, ie at least the first and second security element, are preferably suitable for carrying out one of the above-mentioned methods (i) for transmission and (ii) for generating + encrypting + initiating.

In a preferred embodiment of the currency system, only the issuing entity is authorized to initially create an electronic coin data record and finally withdraw it. Processing, for example the step of connecting, splitting and/or switching, can and preferably is performed by a subscriber unit. The deactivation processing step can preferably only be carried out by the publishing entity.

The coin register, the monitoring register and the issuer entity are preferably arranged in a common server entity or are present as a computer program product on a server and/or a computer.

The transaction register is preferably arranged in a server instance that is different from the common server instance or is present there as a computer program product.

An electronic coin data record can be present in a large number of different forms and can therefore be exchanged via different communication channels, also referred to below as interfaces. This creates a very flexible exchange of electronic coin data sets.

The electronic coin data set can be presented in the form of a file, for example. A file consists of data that is related in terms of content and is stored on a data carrier, data storage device or storage medium. Each file is initially a one-dimensional sequence of bits, which are usually interpreted in groups of bytes. An application program or an operating system of the security element and/or the terminal interprets this bit or byte sequence as text, an image or a sound recording, for example. The file format used can be different, for example it can be a pure text file that represents the electronic coin data set. In particular, the monetary amount and the blind signature are mapped as a file. The electronic coin data record is, for example, a sequence of American Standard Code for Information Interchange, or ASCII for short, characters. In particular, the monetary amount and the blind signature are shown as this sequence.

The electronic coin record can also be converted from one representation form to another representation form in a subscriber unit. For example, the electronic coin data record can be received as a QR code in a subscriber unit and can be output from the subscriber unit as a file or character string.

These different forms of representation of one and the same electronic coin data record enable a very flexible exchange between subscriber units or security elements or end devices of different technical equipment using different transmission media (air, paper, wired) and taking into account the technical design of a subscriber unit. The selection of the form of representation of the electronic coin data records is preferably made automatically, for example on the basis of recognized or negotiated transmission media and device components. In addition, a user of a subscriber unit can also select the form of representation for exchanging (=transmitting) an electronic coin data set.

In a simple case, the data store is an internal data store of the subscriber unit. The electronic coin data sets are stored here. This ensures easy access to electronic coin data sets.

The data memory is in particular an external data memory, also called online memory. Thus, the security element or the subscriber unit has only one means of access to the electronic coin data records that are stored externally and thus securely. In particular, if the security element or subscriber unit is lost or if the security element or subscriber unit malfunctions, the electronic coin data sets are not lost. Since owning the (unmasked) electronic coin records is equivalent to owning the monetary amount, using external data storage allows money to be stored and managed more securely.

If the coin register is a remote entity, the subscriber unit preferably has an interface for communication using a standard Internet communication protocol, for example TCP, IP, UDP or HTTP. The transmission may include communication over the cellular network. In a preferred embodiment, the interface for issuing (=sending) the at least one electronic coin data set is a protocol interface for wirelessly sending the electronic coin data set to the other security element via a subscriber unit using a communication protocol for wireless communication. In this case, in particular, near-field communication is provided, for example by means of a Bluetooth protocol or NFC protocol or IR protocol; WL AN connections or mobile phone connections are conceivable as an alternative or in addition. The electronic coin data set is then adapted according to the protocol properties or integrated into the protocol and transmitted.

In a preferred embodiment, the interface for issuing the at least one electronic coin data record is a data interface for providing the electronic coin data record to the other subscriber unit using an application. In contrast to the protocol interface, the electronic coin data set is transmitted here using an application. This application then transfers the electronic coin data record in an appropriate file format. A file format specific to electronic coin records can be used. In the simplest form, the coin data record is transmitted as an ASCII character string or as a text message, for example SMS, MMS, instant messenger (such as Threema or WhatsApp). In an alternative form, the coin record is transmitted as an APDU character string. A purse application can also be provided. In this case, the exchanging subscriber units preferably ensure that an exchange using the application is possible, ie that both subscriber units have the application and are ready to exchange.

In a preferred embodiment, the subscriber unit also has an interface for receiving electronic coin data records.

In a preferred embodiment, the interface for receiving the at least one electronic coin data record is an electronic detection module of the security element or terminal device, set up to detect an electronic coin data record presented in visual form. The detection module is then, for example, a camera or a barcode or QR code scanner.

In a preferred embodiment, the interface for receiving the at least one electronic coin dataset is a protocol interface for wirelessly receiving the electronic coin dataset from another security element or end device using a communication protocol for wireless communication. In particular, near-field communication is provided, for example by means of a Bluetooth protocol or NFC protocol or IR protocol. Alternatively or additionally, WLAN connections or mobile radio connections are conceivable. In a preferred embodiment, the interface for receiving the at least one electronic coin data record is a data interface for receiving the electronic coin data record from the other subscriber unit using an application. This application then receives the coin data set in a corresponding file format. A file format specific to coin records can be used. In the simplest form, the coin data record is transmitted as an ASCII character string or as a text message, such as SMS, MMS, Threema or WhatsApp. In an alternative form, the coin record is transmitted as an APDU character string. In addition, the transfer can take place using a wallet application.

In a preferred embodiment, the subscriber unit comprises at least one security element reader, set up to read a security element; a random number generator; and/or a communication interface to a vault module and/or bank institution with access to a bank account to be authorized.

In a preferred embodiment, the data memory is a shared data memory that at least one other subscriber unit can access, each of which has an application, with this application being set up to communicate with the coin register for corresponding registration of electronic coin part data sets.

A solution is therefore proposed here that issues digital money in the form of electronic coin data sets, which is based on the use of conventional (analog) banknotes and/or coins. The digital money is represented here by electronic coin data sets. As with (analogue) banknotes, these electronic coin records will also be usable for all forms of payments, including peer-to-peer payments and/or POS payments. Knowing all the components (in particular the monetary amount and the obfuscation amount) of a valid electronic coin dataset is tantamount to owning (owning) the digital money. It is therefore advisable to treat these valid electronic coin data records confidentially, i.e. to store them in a security element/safe module (of an end device) and process them there, for example. In order to decide on the authenticity of an electronic coin data set and to prevent double payments, masked electronic coin data sets are kept in the coin register as a unique, corresponding public representation of the electronic coin data set. Knowing or possessing a masked electronic coin record does not constitute possession of money. Rather, it is like verifying the authenticity of the analog currency.

The coin register also contains, for example, markings about executed and planned processing of the masked electronic coin data set. From the markers to the A status of the respective masked electronic coin data record is derived from processing, which indicates whether the corresponding (non-masked) electronic coin data record is valid, ie ready for payment. Therefore, a receiver of an electronic coin data record will first generate a masked electronic coin data record and have the validity of the masked electronic coin data record authenticated by the coin register. A great advantage of this solution according to the invention is that the digital money is distributed to terminals, dealers, banks and other users of the system, but no digital money or other metadata is stored in the coin register or the monitoring register - ie shared entities.

The proposed solution can be integrated into existing payment systems and infrastructures. In particular, there can be a combination of analog payment transactions with banknotes and coins and digital payment transactions according to the present solution. Thus, a payment process can take place with banknotes and/or coins, but the change or change is available as an electronic coin data set. For example, ATMs with an appropriate configuration, in particular with a suitable communication interface, and/or mobile terminals can be provided for the transaction. Furthermore, an exchange of the electronic coin data record for banknotes or coins is conceivable.

The steps of creating, switching, splitting, connecting and deactivating (returning) listed here are each triggered by a corresponding create, switching, splitting, connecting or deactivating command (return commands).

BRIEF SUMMARY OF THE FIGURES The invention and further embodiments and advantages of the invention are explained in more detail below with reference to figures, with the figures merely describing exemplary embodiments of the invention. Identical components in the figures are provided with the same reference symbols. The figures are not to be regarded as true to scale; individual elements of the figures may be exaggerated in size or exaggeratedly simplified.

Show it:

Fig.la,b an embodiment of a payment system according to the prior art;

2 shows an embodiment of a payment system according to the invention;

3 shows an exemplary embodiment of a method flow chart of a method according to the invention in a subscriber unit; 4 shows an exemplary embodiment of a method flow chart of a method according to the invention in a transaction register;

5 shows an exemplary embodiment of an encryption and decryption of a transaction data record;

FIG. 6 shows a further development of the exemplary embodiment of a payment system from FIG. 2;

Fig. 7 shows an alternative development of the embodiment of a payment system

Figure 2;

8 shows an embodiment of a coin register and monitoring register;

9 illustrates one embodiment of a system in accordance with the invention for splitting and switching and direct transmission of electronic coin records;

10 shows an embodiment of a payment system according to the invention for connecting electronic coin data sets;

11 shows an exemplary embodiment of a method flow chart of a method according to the invention and corresponding processing steps of a

coin record;

12 shows an exemplary embodiment of a method flow chart of a method according to the invention and corresponding processing steps of a

coin record;

13 shows an exemplary embodiment of a security element according to the invention;

14 shows a payment system according to the invention;

15 shows an exemplary embodiment of a sequence of payment processes according to the invention with monitoring of the monetary amounts per subscriber unit; and

16 shows an exemplary embodiment of a sequence of an area confirmation according to the invention. FIGURE DESCRIPTION

1a and 1b show an exemplary embodiment of a payment system according to the prior art. These Fig.la and Fig.lb have already been described in the introduction to the description. It is repeatedly pointed out that a terminal M8 _{would like to register the coin data record C c} as the coin data record C _e in the coin register 2 and the coin register 2 determines that the coin data record C _{b is} already invalid. As a result, the coin register 2 accepts neither the supposedly valid coin data set C _c nor the coin data set C _{e to be switched over} .

The problem can occur when, for example, an attacker with terminal Ml is a further Münzdatensatz C _b (pirated) at two terminals M2 and M3 directly. As soon as one of the two participants with the terminal M2 registers the coin data record in the coin register 2 (so-called coin conversion), the coin data record C _b becomes invalid. Instead, an unsuspecting subscriber with terminal M3 forwards the coin data set C _b directly to terminal M5 without having it registered. Only terminal M7 breaks through the direct transmission chain and shows the coin data set C _b in coin register 2. At the same time, the subscriber with terminal M2 divides the coin data set C _b into coin data sets C _c and C _x and _{forwards C c} directly to terminal M4. Terminal M4 forwards the coin data set C _c directly to terminal M6. Terminal M6 forwards the coin data record C _c directly to terminal M8. Only when coin data record C _{c is registered} in coin register 2 can the invalidity of coin data record C _b and, as a result, double spending be recognized. An attack (double issuing of an electronic coin data record) by M1 is therefore only discovered late in the prior art and a large number of direct transmissions were carried out in an unauthorized manner. In addition, due to the large number of transactions in an electronic coin data set and also due to the increasing service life, the risk that manipulation(s) have been carried out on the electronic coin data set increases.

In a payment system, when a certain lifespan or total number of actions on/with the coin data set is exceeded, the coin data set should expire, i.e. on the one hand the number of direct transmissions of coin data sets should be limited and on the other hand it should be possible to trace who caused the attack if an attack is detected (Here terminal Ml) has carried out. To secure evidence, a method/system is described below in which transaction data from subscriber units (terminals or security elements) are archived in a remote transaction register and can be checked in the event of an official decision.

For this purpose, the payment system according to the invention comprises at least two, preferably a large number of subscriber units TEs, which are also referred to or illustrated below as security elements SEx or terminal devices Mx, and a transaction register. The payment system can use it In addition, for example, at least one issuing authority 1, one or more commercial banks, one (or more) central coin register 2, which registers the coin data sets and checks and logs the modifications to the coin data set. Further examples of payment systems according to the invention are shown in Figs. 6, 7, 14 and 16.

2 shows an exemplary embodiment of a payment system BZ according to the invention. The payment system BZ includes at least two security elements SEI and SE2. The SEI and SE2 can be placed ready for operation in respective terminals M1 and M2 and logically or physically connected to the respective terminal M1 and M2. In addition, a transaction register 4 of the payment system BZ is shown.

In the payment system of FIG. 2 there is also an issuer entity 1, for example a central bank, which generates the electronic coin data record C in addition to the person assignment 7. A masked electronic coin data set Z is generated for the electronic coin data set C and registered 104 in a coin register 2 of the payment system. In step 104, the masked electronic coin data record Z is output to the coin register 2, for example, by the issuing entity 1 directly or via the first terminal M1. The masked electronic coin data set Z is alternatively generated by the first terminal M1 (or second terminal M2) and sent to the coin register 2 in step 104.

When a transmission 105 of an electronic coin data set C is planned or has already been carried out, as will be described in detail below, a transaction data set TDS is generated in the first terminal M1. The transaction data record TDS has a subscriber ID of the sending terminal device Ml, a subscriber ID of the receiving terminal device M2, optionally a transaction number, optionally a monetary amount of the coin data record, optionally a masked coin data record Z corresponding to the electronic coin data record C (masking is explained later ) and optionally a transaction time. Each subscriber ID of a terminal device is assigned to a natural person throughout the pay system. This assignment of persons 7 is carried out and also managed here, for example, by an editorial authority. This assignment 7 is only carried out after the person has been successfully identified by presenting an identity card or passport. This assignment 7 can be changed at the request of the person, for example when changing the subscriber unit or adding another subscriber unit.

After the transaction data record TDS has been generated, it is encrypted by the first terminal M1 using a cryptographic key. This cryptographic key is, for example, a public key part of a corresponding composite private key part. This private key part is composed of three partial keys 8a, 8b, 8c, the partial keys 8a, 8b, 8c being added or XORed, for example. This combination of the partial keys 8a, 8b, 8c takes place either in the first terminal M1 or in the transaction register 4. This combination of the partial keys 8a, 8b, 8c is, for example, secret throughout the system. Knowing or possessing only one partial key 8a, 8b, 8c does not allow the transaction data record TDS to be decrypted. FIG. 5 shows an embodiment for encrypting and decrypting a transaction data record TDS.

In FIG. 2, the encrypted transaction data record TDS is sent from the first terminal M1 to the transaction register 4 and stored there. The time of sending is preferably closely linked to the transmission 105 of the electronic coin data record, so that the transaction register 4 is always up to date on the transactions carried out in the payment system BZ.

In the event of suspected fraud, an official decision, for example a court decision, could be ordered to decrypt the encrypted transaction data set TDS in order to uncover and analyze the transaction recorded therewith (the transmission 105). By means of the official decision, all stored transactions would then be queried, for example, at the transaction register 4 for a terminal M (using the identifier) over a specific point in time or a specific period of time. In addition, other attributes of the transaction data, such as the monetary value of the coin data sets, the respective transaction partners, etc., could be queried.

As a result of the court decision, the transaction data can be decrypted by a plurality of remote entities as authorized parties generating (or providing) a decryption key by combining their partial keys. The remote entities are, for example, law enforcement agencies, notaries, the Ministry of Justice, a central bank or others.

All remote entities (authorized parties) only have partial keys 8a, 8b, 8c of the decryption key. All members or a minimum number n of m remote entities are required to jointly decrypt the transaction data record TDS. From a technical point of view, the individual sub-keys 8a, 8b, 8c of the various remote entities are assembled into a common private key part by addition or by bit-by-bit XOR linking. This private key part (which corresponds to the corresponding public key part of the encryption) is then used to decrypt the transaction data record TDS. This concept guarantees that no remote entity alone can decrypt the TDS transaction record and thus bypass other entities. If the concept does not depend on the availability of all m remote instances should be, threshold cryptography could be applied to use a subset n of these subkeys 8a, 8b, 8c. This subset n then defines the minimum number of partial keys 8a, 8b, 8c to be combined.

The payment system shown in FIG. 2 has a three-layer structure. In a first layer, the issuing authority 1, for example a central bank, is responsible for money creation and destruction, as will be explained later. Commercial banks (not shown) can store coin data sets C, for example in vault modules that are designed as highly secure modules, for example as HSMs. Distributes money to users and sends or receives money to/from the central bank.

The coin register 2 and the transaction register 4 are provided in a second layer. This layer serves to check the coin data sets C, in particular the validity and authenticity of the coin data sets C in circulation, and checks whether coin data sets C have been issued twice. In order to set up a law enforcement system, the trade register 4 is provided. It is also conceivable to decouple this transaction register 4 from the payment system BZ in order to follow the principle of "separation of concerns". For the sake of simplicity, the trade register 4 is subsequently assigned to the second layer of the payment system BZ. The Trade Repository 4, as a trusted authority, is responsible for protecting people's privacy in regular situations and disclosing encrypted transaction records TDS when required by court decisions. This can be used to check that no irregular transactions or money operations are taking place, in particular that no (new) money is being created or destroyed illegally. The Trade Repository 4 is an extension for use cases in law enforcement, with the aim of uncovering suspicious transaction data. The trade repository 4 stores encrypted data records about transactions that are (must) be reported by the participants involved and forwards them to the authorities according to due process. The transaction data records TDS are stored in encrypted form in the transaction register 4 . This ensures that due process must be followed and no one can access this sensitive transaction data at will. In addition, a re-encryption unit can be deployed in the trade repository, which re-encrypts the TDS so that a law enforcement agency only has access to officially approved data. Metadata such as transaction time and participant ID are used to provide the requested data. The transcoding unit can access and decrypt all data.

The third layer is a direct transaction layer 3 in which all participants, ie consumers, dealers, etc., participate equally via their subscriber units TE in order to exchange electronic coin data records C. Each subscriber unit TE can have a wallet application have to manage coin records C. The coin data records C can be stored locally in the subscriber unit TE or they are stored in an online memory (=cloud memory) and the subscriber unit TE can manage them remotely. In the case of an offline scenario, in which a transmission 105 takes place without control entities or register entities 2, 4, 6 of the payment system BZ, subscriber units TE can directly (directly) interact with other subscriber units TE. The actual data transfer for a coin record may involve other intervening entities. This offline design of the payment system BZ makes it necessary for the coin data records C to be kept in certified areas, for example a purse application, ideally within security elements SE, for example smart cards or an eSim environment, in order to obtain trustworthiness in the payment system BZ.

In order to generate an electronic coin data record C, the following method is proposed.

The transmission 105 takes place, for example, wirelessly via WLAN, NFC or Bluetooth, ie preferably locally. The transmission 105 can be additionally protected by cryptographic encryption methods, for example by negotiating a session key or by using a PKI infrastructure. The transmission 105 can also take place using an online data memory, from which the electronic coin data set C is transmitted to the TE2 (M2, SE2).

In the transmission step 105, for example, a secure channel is set up between the SEI and the SE2, within the framework of which both SEs authenticate one another. The transmission path between SEI and SE2 is not necessarily direct, but can be an Internet or near-field communication path with entities connected in between (end devices, routers, switches, applications). By using SEs as a secure environment instead of terminals ME as TEs, a higher level of trust is generated, ie trustworthiness in the payment system BZ is increased. A timer is optionally started at the same time as the eMD C is sent or immediately before or after it. Before that, the eMD C can be invalidated and then no longer used by the SEI for actions (as described below). The eMD C is thus blocked in the payment system BZ due to a transmission process 105 that has already been initiated (and has not yet ended). This prevents double spending. Invalidating allows for easy handling during the transfer process 105.

If the eMD C is properly received in the SE2, the SE2 generates an acknowledgment of receipt and sends it back to the SEI. The acknowledgment of receipt from the SE2 can be sent as a deletion request, because the eMD C can (may) only be validated and used in the SE2 after the eMD C has been deleted in the SEI. Optionally, deleting the eMD C are displayed by the SEI. In this case, for example, an amount display of the SEI (or a terminal ME1 in which the SEI is logically located) is updated. For example, the monetary amount of the eMD C is subtracted from an amount of the SEI available for payment transactions. A deletion confirmation can be sent from the SEI to the SE2. This serves as an acknowledgment that the eMD C is no longer available in the SEI and can therefore be validated in the SE2. Upon receipt of the deletion confirmation in the SE2, the SE2 can convert the status of the eMD C in the SE2 into an active status, the eMD C is thus validated and can be used for further payment transactions or actions (split, combine, switch) in the SE2 from this point in time . Optionally, the eMD C of the SE2 in coin register 2 is switched to the SE2 (see below), whereby the eMD C is registered to the SE2 (step 104).

A transmission error in the transmission 105 can be determined in the SEI, for example by exceeding a predefined period of time, indicated by a timer or by receiving an error message from SE2 or the terminal M1 or the other terminal M2 (not shown). For example, a counter value can be incremented with each new attempt to transmit the eMD C (RETRY) and if a maximum permissible number of retries is exceeded, for example 10 or 5 or 3 times, it is decided in step 308 automatically and independently of the error that no new Sending attempt (RETRY) is carried out, but the transmission 105 is to be ended as unsuccessful and a ROLLBACK has to be carried out.

In an alternative embodiment of the transmission method 105, the status of the eMD is reported to the coin register 2 by the SEI. A connection is then established with coin register 2 to query the status of the eMD C. If the coin register 2 continues to report an inactive status to the eMD C (registered on the SEI), no transaction error (manipulation attempt) is assumed. However, if the coin register 2 reports an active status to the eMD C or a registration to another SE, a transaction error (attempted manipulation) is assumed and the payment system is alarmed. The transaction data record TDS of the SEI is used as evidence.

The electronic coin data record C can be requested in advance from an issuing entity 1 and optionally received by a terminal M (or an SE) or the issuing entity 1 or another payment system. Steps 104 and 105 may correspond to steps 104 and 105 of FIG. An action (split, connect, switch, transfer, redeem, change) on the eMD C can correspond to one of the actions of FIGS. 9 to 12.

For example, a genuine random number is generated as the concealment amount n. The concealment amount n is linked to a monetary amount Ui. An i-th electronic coin data set according to the invention could therefore read: Ci = {Ό;; r,} (1)

A valid electronic coin record can be used for payment. The owner of the two values Ui and r therefore owns the digital money. The digital money is defined by a pair consisting of a valid electronic coin data set Ci and a corresponding masked electronic coin data set Zi. A masked electronic coin data set Zi is obtained by applying a homomorphic one-way function f(Ci) according to equation (2):

Z = f(C.) (2)

This function f(Ci) is public, i.e. every system participant can call up and use this function. This function f(Ci) is defined according to equation (3):

Z, = v, H + r, G (3) where H and G are generator points of a group G in which the discrete logarithm problem is hard, with the generators G and H for which the discrete logarithm of the other base is unknown . For example, G and H are generator points of an elliptic curve encryption, ECC, - ie private keys of the ECC are. These generator points G and H must be chosen in such a way that the connection between G and H is not publicly known, so that:

G = n H (4) the link n must not be found in practice in order to prevent the monetary amount Ui from being manipulated and a valid Zi being able to be calculated. Equation (3) is a "Pederson commitment for ECC" that ensures that the monetary amount Ui can be granted to a coin register 2, i.e. "committed", without revealing it to the coin register 2. The public and remote coin register 2 is therefore only sent (revealed) the masked coin data set Zi, which is shown in FIG. 2 as step 104 (registration).

Even if encryption based on elliptic curves is or is described in the present example, another cryptographic method which is based on a discrete logarithmic method would also be conceivable.

Due to the entropy of the amount of concealment n, equation (3) enables a cryptographically strong Zi to be obtained even with a small value range for monetary amounts Ui. Therewith a simple brute force attack by merely estimating monetary amounts Ui is practically impossible.

Equation (3) is a one-way function, which means that computing Zi from Ci is easy because an efficient algorithm exists, whereas computing Ci from Zi is very difficult because there is no polynomial-time solvable algorithm.

In addition, equation (3) is homomorphic for addition and subtraction, which means that:

Z, + Z _j = (v, H + r, G) (v _j H + h G) = (u, + u,) H (r, + h) G (5)

Thus addition operations and subtraction operations can be carried out both in the direct transaction layer 3 and also in parallel in the coin register 2 without the coin register 2 having knowledge of the electronic coin data records Ci. The homomorphic property of Equation (3) allows monitoring of valid and invalid electronic Münzdatensätzen Ci to lead on the sole basis of the masked Münzdatensätze Zi and to ensure that no new monetary amount U _j has been created.

Due to this homomorphic property, the coin data set Ci can be divided according to equation (1) into:

C i = C _j + C k = {v _j; r _j } + {vk; n} (6) where: v i = V j + V k (7) r i = /? + n (8)

For the corresponding masked coin data sets:

Z Z, + Z* (9)

Equation (9) can be used to check, for example, a "symmetric or asymmetric splitting" processing or a "symmetric or asymmetric splitting" processing step of a coin data set according to FIG. 9 or 12 in a simple manner, without the coin register 2 being aware of Ci , _Ck has. In particular, the condition of equation (9) is checked to validate split coin data sets and C _k and invalidate coin data set Ci. Such a partitioning of an electronic coin record Ci is shown in FIG. 9 or 12. FIG. Electronic coin data records C can also be combined (connected) in the same way, see FIG. 10 or 11 and the explanations relating thereto.

In addition, it is necessary to check whether (not permitted) negative monetary amounts are registered. An owner of an electronic coin data record Ci must be able to prove to the coin register 2 and/or a monitoring register 6 that all monetary amounts Ui in a processing operation are within a value range of [0, ..., n], without the coin register 2 being involved communicate the monetary amounts Ui. These range proofs are also called "range proofs". Ring signatures are preferably used as area verifications. For the present exemplary embodiment, both the monetary amount u and the obfuscation amount r of an electronic coin data set C are resolved in bit representation. The following applies:

Ui=Za _j -2 ^J for 0 < j < n and a _j e (0; 1 } (9a) and ri=Zb _j -2 ^J for 0 < j < n and b _j e (0; 1 } (9b ) A ring signature is preferably used for each bit

Cij- aj H + bj G (9c) and

Cij - aj H (9d), it being possible in one embodiment to carry out a ring signature only for certain bits.

3 shows an exemplary embodiment of a method sequence diagram of a method 300 according to the invention in a subscriber unit TE, also referred to below as terminals M or security elements SE. The blocks of the method 300 shown in dashed lines are optional. Each of these steps may involve user interaction or at least user informing, for example via a GUI of the TE.

In step 301 a transaction data record TDS is generated. The transaction data record TDS includes the subscriber identifiers from the first subscriber unit TE1 (sending TE) and from the second subscriber unit TE2. In addition, information about the electronic coin data set C to be transmitted (or transmitted) is included, for example the monetary value v. Instead of the information about the to be transferred (or the transferred) electronic Coin data record C, the masked electronic coin data record Z can be introduced into the TDS. In addition, a transaction time can be contained in the TDS, which characterizes the time of the transmission 105 of the electronic coin data record C between the two subscriber units TE. The time of generation 301 can be closely coupled in time to the time of transmission 105 . A specification of the payment system BZ can require that the electronic coin data record C must first be transmitted (step 105) before the encrypted transaction data record TDS is to be sent.

After the generation step 301, the generated transaction data record TDS is encrypted. For this purpose, the first subscriber unit TE1 has a public key part K, which is made up of partial keys from different remote entities. For example, the key composition is shown in FIG. Alternatively, the subscriber unit TE1 receives a corresponding cryptographic key K in step 302, for example when the transaction register 4 requests the key. The key K can be a key of a PKI structure or a symmetric key.

In step 303, the transaction data record TDS is then encrypted with the cryptographic key K in the first subscriber unit TE1, for example by an encryption module or a processing unit of the first subscriber unit TE1.

Not shown in FIG. 3 is an optional linking step of (plain text) metadata to the encrypted transaction data record TDS, for example an identifier of the first subscriber unit TE1, an identifier of the second subscriber unit TE2 and/or a transaction time. This metadata allows the encrypted TDS stored locally and/or in the trade repository 4 to be indexed or catalogued.

In step 304, a communication link to the transaction register 4 is then initiated. An attempt is thus made to set up a communication channel between the first subscriber unit TE1 and the transaction register 4 . Initiating also includes the respective subscriber unit TE recognizing/knowing that an offline transaction is currently planned/performed and no connection to the remote transaction register 4 can or should be established.

In the subsequent test step 305, the subscriber unit TE1 is queried as to whether a connection could be set up in step 304.

If the test step 305 is yes, the encrypted transaction data record TDS is sent to the transaction register 4 in step 306 . If necessary, further transaction data records TDS from earlier transmissions of electronic coin data records C are also sent, should these communications link may have been established for the first time since those transmissions. In this context, a check value is then also reset (not shown in FIG. 3), which represents a number of transmissions of electronic coin data sets C that took place without sending a transaction data set TDS. In a test step 305a, a query may be made as to whether a transmission error occurred when the encrypted transaction data record TDS was sent 305 . If the test step 305a fails, the encrypted and/or the unencrypted transaction data record TDS is then optionally stored locally in the first subscriber unit TE2 for archiving purposes or for storing a history or for queries based on official requests. The electronic coin data record C is then transmitted to the second subscriber unit TE2 in step 105 if a specification in the payment system BZ is that the encrypted transaction data record TDS is to be sent first before the electronic coin data record C can be transmitted in step 105. In one embodiment of the method 300, after the transmission 105, the masked electronic coin data record Z must be registered 104 in the coin register 2 it is described in Figures 7, 15 and 16.

In the no case of test step 305 (offline transaction, flight mode, no transmission of the transaction data TDS (from the subscriber) desired) and also in the yes case of test step 305a (transmission error, connection termination), a connection error is determined in step 307. Then, in test step 308, a test value p is compared with a threshold value X in the first subscriber unit TE1. The check value in step 308 represents a number of (offline) transmissions 105 of electronic coin data sets C that took place without sending a transaction data set TDS. These (offline) transmissions 105 originating from the first subscriber unit TE1 can have been transmitted to any other subscriber unit TEx. If test step 308 is yes, i.e. if this test value p is greater than the threshold value X, for example 100 or 50 or 10 transmissions, the transaction data record TDS is stored (encrypted and/or unencrypted) and step 304 must be repeated. If the test step 308 is not, the transmission 105 takes place if a specification in the payment system BZ is that the encrypted transaction data record TDS is to be sent first before the electronic coin data record C may be transmitted in step 105 . In step 310, the test value p is then incremented, i.e. increased in stages, preferably increased by 1.

Steps 308 to 310 ensure that the offline behavior of the subscriber units TE remains monitored and does not go beyond a predefined, specific (system-specified) threshold value X of the number of transmissions. Transaction data records TDS of an offline transaction that cannot be sent immediately, i.e. a transmission 105 without registering 104 or reporting to one of the register instances 2, 4, 6 of the Payment system BZ are temporarily stored in step 309 and sent at a later time. The number of offline transactions that a subscriber unit TE is allowed to carry out is limited by the system and checked using the test value p in step 308. If the threshold value X is reached, the transaction data records TDS must first be sent before another offline transaction 105 is possible (see step 309 to step 304). This test value p can be recorded and managed independently of other tests in the subscriber unit TE. This check value p can be combined with other check or counter values pu, pu of the coin data set C for checking in the coin register 2 or the monitoring register 6, see payment system BZ in FIG. 6.

Individual process steps can be interchanged. A general first specification in the payment system BZ can be that coin data records C are only transmitted between TEs before a transaction data record TDS is created for this. A TDS would then always relate to a coin data set C that has already been transmitted; step 105 would have to be carried out before the associated steps 301, 303.

Alternatively, a general first specification in the payment system BZ can be that coin data records C are only transferred between TEs (step 105) after a transaction data record TDS has been created for this (step 301). A TDS would then always relate to a coin data set C still to be transmitted, step 105 would have to be carried out after the associated step 301.

A second general specification in the BZ payment system could relate to the local storage of the TDS in the TE. It may be required that TDS are also stored locally (ie history or archiving). The storage step 309 should then not only be provided for transmission repetitions (in the event of an error in a first transmission attempt). It can be a default detail that the TDS are also to be stored encrypted in the TE. This local storage of the TDS, which is redundant to the storage of the TDS in trade repository 4, can also be read out as part of an official request (a court order), i.e. the participant can be forced to provide this local storage or the transfer of the local storage in take place in a (background) process of the subscriber unit TE without subscriber interaction.

A third general specification in the payment system BZ can be to store pseudonymised TDS ^* in a monitoring register 6 of the payment system BZ. These pseudonymised TDS ^* are taken into account when validating the coin data sets in order to be able to detect fraud scenarios within the payment system. A fourth general requirement in the payment system BZ can be not to send encrypted TDS to the trade register 4 when an offline transaction is planned/performed. This requirement can be tightly coupled to the test value p, so that a subscriber unit TE issues a warning to the subscriber even before selecting a transmission mode (online or offline) that a test value p has exceeded a threshold value for the maximum number of offline transmissions 105 and no further offline transmission is possible without prior sending of the (old) TDS to the trade repository 4 (with reset of the check value counter).

FIG. 4 shows an exemplary embodiment of a method flow chart of a method 400 according to the invention in a transaction register 8 . The blocks of the method 400 shown in dashed lines are optional.

In this case, in step 401 an encrypted transaction data record TDS is received by a subscriber unit TE in the transaction register 4 . This transaction data record TDS was generated according to the method shown in FIG.

In the optional test step 402, it is checked whether different generations of partial keys are present in the payment system BZ, for example the transaction register 4, preferably an HSM module within the transaction register 4 as a key memory. If step 402 is yes, the transaction data record TDS is decrypted with the private key part k of the cryptographic key as the decryption key in step 403 and encrypted again with a cryptographic key, for example with an HSM key of the trade repository 4. In this way it can Storage of differently encrypted transaction records TDS, which are encrypted with different key versions of the remote entities, in the transaction register 4 can be prevented. The administrative effort in the trade register 4 is thus reduced.

After the re-encryption step 403 or, if no, after the check step 402, the transaction data record TDS is stored in a memory area and archived there. If necessary, the transaction data record TDS has metadata in plain text, which is entered or tracked in a database of the transaction register 4 . If, for example, a transaction time is available as metadata of the TDS, a deletion time can be generated as part of data retention. The TDS would then be automatically deleted from the trade repository 4 after a set period of time (the time of deletion) has elapsed.

The TDS are stored in encrypted form in the transaction register 4 (e.g. a database as a trustworthy entity), and several partial keys are required for their decryption are. This ensures that due process must be followed and no one can access sensitive TDS transaction data at will.

Optionally, for example if there is no key memory in the transaction register 4, in step 405 partial keys of the cryptographic key k are received and combined in step 406 in the transaction register 4, for example to form the private key part of the private key part when using a PKI key structure. The combination is secret, for example, in order not to allow owners of the partial keys 8a, 8b, 8c to combine the decryption key. The combined key can also be composed of only a subset of partial keys, which is possible by using threshold cryptography.

As part of an official request--generated outside of the payment system BZ--in particular on the basis of a court order, a decryption request is made to the trade register 4 in step 407. The metadata of the transaction data records can be matched with parameters of the decryption question, for example to query all transaction data records with a specific participant ID for a specific point in time or period. Subsequently, in step 408, each remote entity is requested to authenticate itself at the transaction register 4. Alternatively, only a subset of remote entities required to decrypt the desired transaction data record(s) TDS is queried. In step 409, the decryption then takes place with the combined key from the jointly present partial keys of the remote entities.

Optionally, in step 410, for example without step 407, a subscriber unit identifier in the decrypted transaction data record TDS is replaced by a pseudonym of the subscriber unit TE. The pseudonym preferably corresponds to the pseudonym of FIGS. 7, 15 and 16. This changes an anonymity level for the TDS so that the TDS can be used in unencrypted form for checking coin data records.

Optionally, in step 411, for example without step 407, in addition or as an alternative to step 410, a monetary amount in the decrypted transaction data record TDS is replaced by one or more amount categories. In one embodiment, the monetary amount of the coin data set C is rounded up or down, for example:

• A monetary value of 1.97 becomes the amount category “2 euros”

• Monetary amount of 878.99 becomes the amount category "1000 euros"

• A monetary value of 4.07 becomes the amount category "4 euros"

• Monetary amount of 2118.22 becomes the amount category "2000 euros" In a further embodiment, the monetary amount is sorted into one or more amount categories that represent amount ranges, for example:

• A monetary value of 1.97 becomes the amount category “less than 10 euros”

• monetary amount of 878.99 becomes the amount category "between 100 and 1000 euros")

• Monetary amount of 4.07 becomes the amount category “greater than 1 euro”

Steps 410 and/or 411 can be performed by an HSM in the trade repository 4 . The pseudonymised transaction data TDS ^* and/or the amount-categorized transaction data are sent (back) in step 412 to the monitoring register 6 or the subscriber unit TE. changed for the respective transaction record. The encrypted transaction data records TDS are stored in the transaction register (step 404, possibly after step 412).

The pseudonymised transaction data set TDS ^* always has a higher level of anonymity than the (non-pseudonymised) transaction data set TDS. With this higher level of anonymity, the pseudonymised transaction data record TDS ^* can also be stored unencrypted in the coin register 2, monitoring register 6 and/or the transaction register 4 - as specified by the payment system BZ - and used for further validity checks in the payment system BZ. This would allow cases of fraud or manipulation in the BZ payment system to be better detected by the BZ payment system itself, and an official request (judicial decision) may then not be necessary.

FIG. 5 shows an exemplary embodiment of an encryption and decryption of a transaction data record TDS. The remote instances 8a, 8b, 8c each have partial keys whose bitwise addition results in a private key part k of a cryptographic key (key pair). The private key part k is stored, for example, in a key memory of the transaction register 4, for example a hardware security module of the transaction register 4.

The public key part K is derived from the private key part k and made available to the subscriber unit TE. The encryption step 303 in FIG. 3 of the generated transaction data record TDS or the re-encryption step 403 in FIG. 4 of the decrypted transaction data record TDS is then carried out with the public key part K. This asymmetric crypto-system must ensure that the public key part K is actually the key part derived from the combined private key part k and that this is not a forgery by a fraudster. Digital certificates that confirm the authenticity of the public key part K are used for this purpose. The digital Certificate can itself be protected by a digital signature. The transaction data record TDS encrypted with the public key part K is stored in the transaction register 4 .

Before the private key part k can be used to decrypt the stored encrypted transaction data records TDS, the subset or all remote entities must authenticate themselves to the transaction register 4 . If authentication is successful, the transaction data record TDS is decrypted using the private key part k.

The generated transaction data record consists, for example, of a transaction number, a recipient address (here from TE2), a sender address (here from TE1) and a monetary amount of the eMD C. The generated transaction data record can also be used in TE1 to log the transmission 105 in order to be used in the transmission - carry out a reversal (ROLLBACK) or repetition (RETRY) of the transmission 105 in the event of an error.

FIG. 6 shows a further development of the exemplary embodiment of a system in FIG. 2. Reference is made to the statements in FIG. 2 to avoid repetition.

According to FIG. 6, at least one check value pu can also be kept in the electronic coin data set C as a further data element. This test value pu is incremented as subscriber units TE1, TE2 with each direct transmission 105 of this electronic coin data record C between subscriber units TE1, TE2, ie terminals M1, M2 or security elements SEI, SE2.

In the payment system BZ, a counter value pu can also be managed or determined, which includes the check value pu, for example as the sum of the previous (registered) counter value pu and the check value pu, in order to determine whether the coin data record C is to be returned. Each action with the coin data set C increases this counter value pu. Different action types weight the counter value pu differently, so that, for example, a direct forwarding of the coin data set C has a higher weight than a modification (dividing, combining, switching). In this way, the service life and the actions carried out in a coin data record C are evaluated and criteria for its return are defined according to the actions carried out. The test value pn and also the counter value pu map the life cycle of the coin data set C, on the basis of which a decision is then made about a return.

As has already been described with FIG. 3, a check value p can be provided in the payment system BZ in a subscriber unit TE (ie the terminals M1, M2 or security elements SEI, SE2 shown in FIG. 6) which indicates the number of coin data sets C already transmitted without ( immediate) associated transmission of an encrypted transaction record TDS to the Trade repository 4 represents. This test value p is compared with a threshold value X in step 307 when a connection error is detected. In the process, it is determined whether a further (offline) transmission 105 may be carried out (payment system specification) or not.

FIG. 6 shows transaction register 4, which has already been described with reference to FIGS. In addition, the transaction register 4 can be in communication with the monitoring register 6 in order ^{to register pseudonymised transaction data sets TDS*} in the monitoring register 6 . For this purpose, according to step 410, for example, a subscriber unit identifier in the decrypted transaction data record TDS is replaced by a pseudonym P for the subscriber unit TE. In addition, according to step 411, for example in addition to or as an alternative to step 410, a monetary amount in the decrypted transaction data record TDS is replaced by an amount category. Steps 410 and/or 411 can be performed by an HSM in the trade repository 4 . The pseudonymised transaction data TDS ^* and/or the amount-categorized transaction data TDS ^* are sent to the monitoring register 6 according to step 412, while the encrypted transaction data records TDS are stored in the transaction register 4.

In FIG. 6, a masked electronic coin data set Zi, for example in the SEI, is calculated from the electronic coin data set Ci using equation (3), and this masked coin data set Zi is registered in a monitoring register 6 together with at least the second check value pu.

In the SE2, the transmitted electronic coin data set Ci is received as Ci ^* . Upon receipt of the electronic coin data set Ci ^* , the SE2 is in possession of the digital money that the electronic coin data set Ci ^* represents. With the direct transmission 105 it is available to the SE2 for further actions.

Due to the higher degree of trustworthiness when using SEs, SEI, SE2 can trust one another and, in principle, no further steps are necessary for the transmission 105 . However, the SE2 does not know whether the electronic coin data record Ci ^{* is} actually valid. To further secure the transmission 105, further steps can be provided in the method, as will be explained below.

To check the validity of the received electronic coin data record Ci ^* ^{, the masked transmitted electronic coin data record Zi* can be} calculated in SE2 with the—public—one-way function from equation (3). The masked transmitted electronic coin data set Zi ^* is then transmitted to the coin register 2 in step 104 and searched for there. When matched to a registered and valid masked electronic coin record the validity of the received coin data set Ci ^* is displayed to the SE2 and it applies that the received electronic coin data set Ci ^{* is} equal to the registered electronic coin data set Ci. In one embodiment, the validity check can be used to determine that the received electronic coin data set Ci ^{* is} still valid, ie that it has not already been used by another processing step or in another transaction/action and/or has undergone further modification was.

A changeover (=switch) of the received electronic coin data set preferably takes place afterwards.

Mere knowledge of a masked electronic coin data set Zi does not entitle the user to issue the digital money of the corresponding electronic coin data set Ci.

Merely knowing the electronic coin data record Ci authorizes payment, i.e. to carry out a transaction successfully, in particular if the coin data record Ci is valid, for example if the electronic coin data record Ci has an active status. The status is preferably only set to an active status upon receipt of the deletion confirmation from the SEI. There is a one-to-one relationship between the electronic coin records Ci and the corresponding masked electronic coin records Zi. The masked electronic coin records Zi are registered in the coin register 2, such as a public database. This registration 104 first makes it possible to check the validity of the electronic coin data set Ci, for example whether new monetary amounts were (illegally) created.

The masked electronic coin data sets Zi are stored in the coin register 2. All processing of the electronic coin data record Zi is registered there, whereas the actual transmission of the digital money takes place in a (secret, i.e. not known to the public) direct transaction layer 3 of the payment system BZ. In addition, monitoring of the coin data set C and the subscriber unit TE can be recorded in a monitoring register 6 in this payment system BZ.

The electronic coin data sets C can be modified to prevent multiple spending or to ensure more flexible transmission 105 . Examples of operations are listed in Table 1 below, whereby a corresponding processing step is also carried out with the specified command:

Table 1 - Number of operations that can be carried out per processing of a C in the TE or the publisher instance

Other operations not listed in Table 1 may be required, such as changing currency or cashing the monetary amount into an account. Instead of the implementation listed, other implementations are also conceivable which imply other operations. Table 1 shows that for each coin data set, each of the processing (modification) “Create”, “Return”, “Split”, “Connect” and “Switch” different operations “Create Signature”; "Create random number"; "Create Mask"; "Range check" can be provided, with each of the processing operations being registered in the coin register 2 and appended there in unchangeable form to a list of previous processing operations for masked electronic coin data sets Zi. The processing operations “Create” and “Return” an electronic coin data set C are only carried out in secure locations and/or only by selected entities, for example the issuing entity 1, while the operations of all other processing operations are carried out on the subscriber units TE, i.e. the terminals M or whose security elements SE can be executed.

The number of operations for each processing is marked in Table 1 with "0", "1" or "2". The number "0" indicates that a subscriber unit TE or the issuer entity 1 does not have to carry out this operation for this processing of the electronic coin data record C. The number "1" indicates that the subscriber unit TE or the issuer entity 1 must be able to perform this operation once for this processing of the electronic coin data record C. The number "2" indicates that the subscriber unit TE or the issuer entity 1 must be able to carry out this operation twice for this processing of the electronic coin data record.

In principle, one embodiment can also provide for an area check to be carried out by the issuing authority 1 when creating and/or deleting.

Table 2 below lists the operations required for the coin register 2 and/or the monitoring register 6 for the individual processes:

Table 2 - Number of operations that can be performed per processing of a C in the coin register

Other operations not listed in Table 2 may be required. Instead of the implementation listed, other implementations are conceivable which imply other operations. All of the operations in Table 2 can be performed in the coin register 2 which, as a trustworthy entity, for example as a server entity, for example as a distributed trusted server, ensures that the electronic coin data sets C have sufficient integrity.

Table 3 shows the components to be preferably installed for the system participants in the payment system of FIG. 1:

Table 3 - Preferred units in the system components

Table 3 shows an overview of the components to be used preferably in each system participant, i.e. the issuing entity 1, a subscriber unit TE and the register entities, namely the coin register 2, the monitoring register 6, the transaction register 4.

The subscriber units TE can be designed using an e-wallet for electronic coin data sets Ci (with the test value p, pn pn), i.e. as an electronic wallet with a memory area in which a large number of coin data sets Ci can be stored, and thus, for example, in the form of an application a smartphone or a retailer’s IT system, a be implemented by a commercial bank or another market participant. Thus the components in the subscriber unit TE as shown in Table 3 are implemented in software. The coin register 2, trade register 4 and/or monitoring register 6 are assumed to be server or DLT based and operated by a number of trusted market participants.

FIG. 7 shows an alternative development to FIG. 6 of the exemplary embodiment of a system from FIG. 2. Reference is made to the explanations of FIG. 2 and FIG. 6 to avoid repetition. The configurations of FIG. 7 can also be combined with the configurations of FIG. 6 .

Fig. 7 shows an embodiment of a payment system BZ with terminals Ml and M2 (as examples of subscriber units TE), an issuer entity 1, a coin register 2, a monitoring register 6 and a transaction register 4. The terminals Ml and M2 can also be devices or security elements SEI , be SE2.

The coin register 2 contains a register 210 in which valid masked electronic coin data sets Zi are stored. The electronic coin data record Ci represents a monetary amount Ui. The electronic coin data set Ci is output to a first terminal Ml. Electronic coin data sets Ci, preferably for which a masked electronic coin data set Zi is registered, can be used for payment. The masked electronic coin data record Zi can also be referred to as an amount-masked electronic coin data record, since the monetary amount Ui is unknown to the coin register 2 (and also remains unknown later on). A recipient, for example a second terminal M2 here, of the electronic coin data set Ci can check its validity using the coin register 2 . The coin register 2 can confirm the validity of the electronic coin data set Ci using the masked electronic coin data set Zi. For the coin register 2, the masked electronic coin data set Zi is an anonymous electronic coin data set, particularly since it does not know the owner of the associated electronic coin data set Ci. The anonymity level of a masked coin data record Zi in the register 201 of the coin register 2 is accordingly level 1 (completely anonymous).

7 shows that the second terminal M2 sends masked electronic coin data records Zi ^* anonymously to the coin register 2 in an anonymous mode M2a, ie in particular only sends the masked electronic coin data record Zi*. The coin register 2 processes the masked electronic coin data record Zi* sent anonymously in an anonymous mode 2a in which, for example, the second terminal M2 is only confirmed that the masked electronic coin data record Zi* sent is valid. The coin register 2 stores in the register 210 anonymous (amount) masked coin data sets Zi from electronic coin data sets Ci of the issuer entity 1 or from modified electronic coin data sets of the terminals M.

FIG. 7 also shows that the second terminal M2 can also send masked electronic coin data sets Si* to the monitoring register 6 in a pseudonymized mode M2p. The second terminal M2 links, for example, the masked electronic coin data set Zi ^* with a pseudonym P _M 2 and sends the pseudonymized masked electronic coin data set Si * to the monitoring register 6. The second terminal M2 could a pseudonymized masked electronic coin data set Si * by appending the pseudonym P _M 2 to generate the masked electronic coin data set Zi*. In the embodiment shown, the second terminal M2 creates a signature via the masked electronic coin data record Zi* and adds the signature to the coin data record Zi*. The public key of the signature key pair, for example, can serve as the pseudonym P _{M 2 .} Alternatively, the pseudonym P _M 2 is derived from a subscriber identifier, such as a terminal number, IMEI, IMSI or a similarly derived identifier.

The pseudonym P may be a derivation of the subscriber unit identifier mentioned above. The pseudonym P can also be listed in the person assignment 7 of the publishing entity 1 (or alternatively of a service provider, for example a purse application provider or an online storage provider) next to the subscriber unit identifier. To protect the natural person, the pseudonym P can only be assigned to a natural person in a trustworthy authority.

The monitoring register 6 processes the pseudonymously transmitted masked electronic coin data record Si* in a pseudonymous mode 2p, in which the second terminal M2 is also confirmed that the transmitted masked electronic coin data record Zi* is valid. However, the assignment of the masked electronic coin data record Zi to the pseudonym P _M 2 is additionally stored in a data structure 220 of the monitoring register 6 . As becomes clear in the further configurations, the data structure 220 can be used as a register for masked electronic coin data sets Zi that are still to be checked, ie can also fulfill the function of a coin register 2 . In the pseudonymous mode 2p, the monitoring register 6 postpones or skips in particular a verification step carried out in the anonymous mode 2a (more frequently or always). In the checking step, it is checked—preferably still without knowing the monetary amount Ui—whether the monetary amount Ui of the masked electronic coin data record Zi is within a range. The aspects described below build at least partially on details of this embodiment of FIG. 2, 6 or 7. The more complex pseudonymous mode 2p or M2p is primarily described there, since the simpler anonymous mode 2a or M2a runs without a pseudonym (or signature). In contrast, configurations are described in FIGS. 15 and 16 which can only optionally be combined with the details of the other configurations.

Figure 8 shows a data structure for a coin register 2 and/or a monitoring register 6 of the previous figures. In FIG. 8, data from the coin register 2 and/or the monitoring register 6 are shown together in a common data structure as a table for illustration purposes. In the registers 2, 6, the masked electronic coin data sets Zi and possibly their processing are registered. The coin register 2 and the monitoring register 6 can be accommodated in a common server instance and are only logically separated from one another in order to be able to reduce the computing effort for the individual checks through strict assignments. Alternatively, the registers 2, 6 are also physically separated from one another. Both registers 2, 6 are preferably arranged locally at a distance from the subscriber units TE and are housed, for example, in a server architecture.

Each processing operation for processing (creating, deactivating, dividing, connecting and switching over) is registered in the coin register 2 and appended there, for example in unchangeable form, to a list of previous processing operations for masked electronic coin data sets Zi. The individual operations or their test results, that is to say the intermediate results of processing, are recorded in the coin register 2 . Although the list below is assumed to be continuous, this data structure can also be cleaned up or compressed, if necessary according to predetermined rules, or be provided separately in a cleaned up or compressed form.

The "Create" and "Deactivate" processing _{, which per se affects the existence of the monetary amount Ui,} i.e. the creation and destruction of money, requires additional approval by the issuing authority 1 in order to be in the coin register 2 and/or the Monitoring register 6 registered (ie logged) to be. The other processing operations (dividing, connecting, switching) do not require authorization by the issuer entity 1 or by the command initiator (=payer, for example the first terminal M1). However, the other processing operations must be checked with regard to various test criteria.

The respective processing is registered, for example, by corresponding list entries in the database according to FIG. Each list entry has further markings 25 to 28, which document the intermediate results of the respective processing, which must be carried out by the coin register 2 and/or the monitoring register 6. The markings 25 to 28 are preferably used as an aid and are discarded after the commands from the coin register 2 and/or the monitoring register 6 have been completed.

All checks must always be carried out for anonymous coin data sets, so that all markings 25 -28 could also be discarded. On the other hand, for pseudonymised coin data sets, a check can also be omitted or carried out later.

In FIG. 8, for example, the checks corresponding to the markings 27b and 27c are not necessary for pseudonymised coin data records because they are carried out later in a different form. The checking steps of the markings 25, 26, 27a and 28, on the other hand, are necessary. In the following, necessary or validity-relevant test steps and subsequent or validity-independent test steps are referred to in part, since they are directly or indirectly made up for. A coin record can be treated as valid if the necessary checks have been made. The data highlighted in bold in columns 24, 28 and 29 in Fig. 8 are only relevant for coin data records received in pseudonymised form and therefore primarily relate to entries in the monitoring register 6.

An optional marker 29 can indicate the completion of processing, for example. When a processing command is received, the markings 29 are, for example, in the state and are set to the state “1” after all tests have been successfully completed (for markings 25-28) and are set to the state “0” if at least one test has failed. A (completion) marking 29 with the value "2" could indicate, for example, that only the necessary tests were completed and tests that could be made up for were omitted. If checks for one or more entries are made later by the end device with the pseudonym, the marking can be set to the value "1". Instead of such a use of the completion marker 29, the markers 27b and 27c of the examinations to be made up for could of course also be used and/or a separate pseudonym marker could be used.

A possible structure for a list entry of a coin data record includes, for example, two columns 22a, 22b for a predecessor coin data record (Ol, 02), two columns 23a, 23b for a successor coin data record (Sl, S2), a signature column 24 for signatures from Issuer entity(s) 1 and signatures of terminals M, and six marking columns 25, 26, 27a, 27b and 27c and 28. Each of the entries in columns 25 to 28 has three alternative states or "0".

Column 25 (O-Flag) indicates whether a validity check in column 22a/b with regard to an electronic predecessor coin data set was successful. The state "1" means that a Validity check determined that the column 22a/b electronic coin record is valid and the status "0" indicates that a validity check determined that the column 22a/b electronic coin record is invalid and the status indicates that a validity examination is not yet completed. A common O-flag (both valid) is preferred for multiple predecessor coin data sets rather than two separate O-flags. Column 26 (C-Flag) indicates whether a first check calculation for the masked electronic coin records was successful. The first check calculation checks in particular whether the command is amount-neutral, ie primarily that the sum of the monetary amounts involved is zero. The "1" state means that a calculation was successful and the "0" state indicates that the calculation was unsuccessful and the state indicates that a calculation is not yet complete.

For example, the calculation to be performed in column 26 is:

(Zoi + Z02) - (Zsi + Zs2) == 0 (10)

Column 27a (RI flag) indicates whether an initial check of an area verification or the area verification was successful. The same applies to the other columns 27b (R2 flag) and 27c (R3 flag). The status "1" means that a validity check showed that the

Area proofs or the area proof are or is to be understood and the status "0" indicates that a validity check showed that the area proofs or the

Proof of area could not or could not be traced and the condition indicates that a validity check has not yet been completed, was not successful. The first area proof of column 27a is always necessary for the coin record(s) to be considered valid. A typical example of a necessary check is checking that the monetary amount is not negative (or that none of the monetary amounts is negative). The second and third proof of area does not affect the validity of the coin data set and can be made up for pseudonymized masked coin data sets, for example in a later transaction of the pseudonym. The area verification in column 27b is used to check whether the monetary amount of the masked coin data record (or each coin data record) is below a maximum amount. The maximum amount can be predetermined system-wide or for specific end device types. With the proof of area in column 27c, for example, a sum of monetary amounts that the subscriber unit TE (sent or received) in a certain period of time - such as 24 hours - is compared with a total limit value or, for example, a number of transactions per time unit for the subscriber unit TE is checked, such as maximum 5 per minute or 100 per day. The limit values can be specified system-wide by the payment system BZ or can be defined for specific subscriber unit types (that is to say subscriber unit-specific). For example, a Type X coffee maker is designed to only dispense four portions of hot beverages per minute and accordingly only allows four coin transactions per minute. Column 28 (S-Flag) indicates whether a signature of the electronic coin dataset matches the signature in column 24, with status "1" meaning that a validity check revealed that the signature could be identified as that of the issuing authority and the state "0" indicates that a validity check revealed that the signature could not be identified as that of the publisher authority and the state indicates that a validity check has not yet been completed.

A change in the status of one of the markings (also referred to as a "flag") requires the approval of the coin register 2 and/or the monitoring register 6 and must then be stored invariably in the data structure of FIG. Processing is final in anonymous mode (or for an anonymous masked coin data set) if and only if the required markings 25 to 28 have been validated by the coin register 6, i.e. after the corresponding check from state "0" to state "1" or the status "1" was changed. Processing in the pseudonymous mode (or for a pseudonymised masked coin data set) is completed when the checks for the markings 25 to 27a and 28 have been carried out by the monitoring register 6.

In the following, a data structure without final markings 29 is assumed and the validity of anonymous coin data sets is considered first. To determine if a masked electronic coin record Z is valid, the coin register 2 looks for the last change affecting the masked electronic coin record Z. It applies that the masked electronic coin data record Z is valid if the masked electronic coin data record Z is listed for its last processing in one of the successor columns 23a, 23b if and only if this last processing has the corresponding final marking 25 to 28. It also applies that the masked electronic coin data record Z is valid if the masked electronic coin data record Z is listed for its last processing in one of the predecessor columns 22a, 22b if and only if this last processing failed, i.e. at least one of the corresponding required states of markings 25 to 28 is set to "0".

If the masked electronic coin record Z is not found in the coin register 2, it is invalid. It also applies that the anonymous masked electronic coin data record Z is not valid for all other cases. For example, if the last processing of the masked electronic coin data record Z is listed in one of the successor columns 23a, 23b, but this last processing never became final, or if the last processing of the masked electronic coin data record Z is in one of the predecessor columns 22a, 22b and this last processing is final. The checks made by coin register 2 and/or monitor register 6 to determine if processing is final are represented by columns 25 through 28: The status in column 25 indicates whether the masked electronic coin record(s). are valid according to predecessor columns 22a, 22b. The status in column 26 indicates whether the calculation of the masked electronic coin record according to equation (10) is correct. The status in column 27a indicates whether the area verifications for the masked electronic coin records Z could be verified successfully. The status in column 28 indicates whether the signature in column 24 of the masked electronic coin data set Z is a valid signature of the issuing authority 1.

The status "0" in a column 25 to 28 indicates that the check was unsuccessful. The status "1" in a column 25 to 28 indicates that the check was successful. The status in a column 25 to 28 indicates that no check has taken place. The statuses can also have a different value, as long as it is possible to clearly distinguish between the success/failure of a test and whether a specific test was carried out.

Five different types of processing are defined as examples, which are explained in detail here. Reference is made to the corresponding list entry in FIG.

One processing is, for example, “creating” an electronic coin data record Ci. The creation in the direct transaction layer 3 by the issuer entity 1 involves choosing a monetary amount Ui and creating an obfuscation amount n, as already described with equation (1). As shown in FIG. 8, no entries/markings are required in columns 22a, 22b, 23b and 25 to 27 during the “generate” processing. The masked electronic coin data set Zi is registered in the successor column 23a. This registration preferably takes place before the transmission 105 to a subscriber unit TE, in particular or already during generation by the issuing entity 1, with equation (3) having to be executed in both cases. The masked electronic coin data record Zi is signed by the issuing authority 1 when it is created, this signature is entered in column 24 to ensure that the electronic coin data record Ci was actually created by an issuing authority 1, with other methods also being possible. If the signature of a received Zi matches the signature in column 24, the marking in column 28 is set (from "0" to "1"). The markings according to columns 25 to 27 do not require a status change and can be ignored. The proof of area is not required since the coin register 2 and/or the monitoring register 6 can be confident that the issuing authority 1 will not issue any negative monetary amounts. In an alternative embodiment, however, it can also be sent by the issuer instance 1 in the create command and can be checked by the coin register 2 and/or the monitoring register 6 . An example of processing is “deactivation”. The deactivation, ie the destruction of money, has the effect that the masked electronic coin data record Zi becomes invalid after the issuer entity 1 has successfully executed the deactivation command. It is therefore no longer possible to process the (masked) electronic coin data record to be deactivated in the coin register 2 and/or in the monitoring register 6 . To avoid confusion, the corresponding (non-masked) electronic coin records Ci should also be disabled in the direct transaction layer 3. When “deactivating” the predecessor column 22a is written with the electronic coin data set Zi, but no successor columns 23a, 23b are occupied. The masked electronic coin data record Zi is to be checked when deactivating whether the signature matches the signature according to column 24 in order to ensure that the electronic coin data record Ci was actually created by an issuing authority 1, although other means can be used for this check. If the signed Zi, which is also sent in the deactivation command, can be confirmed as signed by the issuer authority 1, the marker 28 is set (from "0" to "1"). The flags according to columns 26 to 27 do not require a status change and can be ignored. The markings according to columns 25 and 28 are set after a corresponding check.

A processing (modification) is, for example, the "split". The division, i.e. the division of an electronic coin data set Zi into a number n, for example 2, of electronic partial coin data sets Z _j and Z _k takes place first in the direct transaction layer 3, as is shown in Figures 9, 11 and 12, with the monetary amounts U _j and the concealment amount h are generated. V _k and r _k are given by equations (7) and (8). The markings 24 to 27 are set in the coin register 2 and/or the monitoring register 6, the predecessor column 22a is written with the electronic coin data set Zi, successor column 23a is written with Z _j and successor column 23b is written with Z _k . The status changes required according to columns 24 to 27 take place after the corresponding check by the coin register 2 and/or the monitoring register 6 and document the respective check result. In particular, the flag according to column 28 is ignored in anonymous mode. For example, a first proof of area RI according to column 27a must be provided to show that no monetary amount is negative. A second proof of area R2 in column 27b is not necessary, since the monetary partial amounts of the successor are always smaller than the initial monetary amount of the predecessor. A summary area statement R3 in column 27c is also usually not required (no new monetary amounts). Column 24 is used for entering a generated signature dividing the coin data record subscriber unit TE.

An example of processing is "connecting". The connection, ie the combining of two electronic coin data sets Zi and Z _j to form an electronic coin data set Z _m , first takes place in the direct transaction layer 3, as is also shown in FIGS where the monetary amount u _m and the concealment _{amount r m are} calculated. The markings 25 to 28 are set in the coin register 2 and/or the monitoring register 6, the predecessor column 22a is written with the electronic coin data record Zi, the predecessor column 22b is written with Z _j and the successor column 23b is written with Z _m . The flags in columns 25 through 28 require status changes and coin register 2 and/or monitor register 6 performs the appropriate checks. A first proof of area RI according to column 27a must be provided to show that no new money was generated. A second proof of area R2 in column 27b makes sense since the new monetary amount of the successor could be greater than a maximum value. A cumulative area statement R3 in column 27c is also generally useful since the terminal device could use newly received predecessors. The marking according to column 28 can be ignored. Column 24 is used for entering a generated signature connecting the coin data record subscriber unit TE.

Another processing is, for example, "switching". Switching is necessary when an electronic coin data set has been transferred to another subscriber unit TE and a renewed issue by the transmitting subscriber unit TE is to be ruled out. When switching over, also called “switch”, the electronic coin data record C _{k received} from the first subscriber unit TE1 is exchanged for a new electronic coin data record Ci with the same monetary amount. The new electronic coin data record Ci is generated by the second subscriber unit TE2. This switching is necessary in order _{to invalidate (make invalid) the electronic coin data record C k received} from the first subscriber unit TE2, thereby avoiding the same electronic coin data record C _k being issued again. Since the first subscriber unit TE1 is aware of the electronic coin data set C _k , as long as the electronic coin data set C _{k is} not switched, the first subscriber unit TE1 can forward this electronic coin data set C _k to a third subscriber unit TE. The switching is effected for example by adding a new fogging amount r to _add fogging amount r _k of the obtained electronic Münzdatensatz C _k, n is obtained whereby a fogging amount, known only to the second subscriber unit TE2. This can also be done in the coin register 2 or the monitoring register 6. In order to prove that only a new fogging amount r to _add fogging amount r _k of the masked received electronic Münzdatensatzes Z _k has been added, the monetary amount is, however, remained the same, and therefore, equation (11):

Vk = (11) applies, the second subscriber unit TE2 must be able to prove that Zi-Z _{k can be represented} as a scalar multiple of G, ie as r _add *G. That is, only one obfuscation _{amount r add was} generated and the monetary amount of Zi is equal to the monetary amount of Z _k , i.e Zi=Z _k + r _add *G. This is done by generating a signature with the public key Zi-Z _k ^- r _add *G.

The modifications "split" and "connect" to an electronic coin data record can also be delegated from a subscriber unit TE1 to another subscriber unit TE, for example if a communication link to the coin register 2 and/or to the monitoring register 6 is not available.

FIG. 9 shows an exemplary embodiment of a payment system BZ according to the invention for the “split”, “connect” and “switch” actions of electronic coin data records C. In Fig. 9, the first subscriber unit has received the TE1 Münzdatensatz Ci and now wants a pay transaction do not perform _k with the total monetary amount Ui, but only a partial amount V. To do this, the coin data set Ci is divided. To do this, the monetary amount is first divided:

V, = Vj + Ok (12)

Each of the received amounts U _j , U _k must be greater than 0 because negative monetary amounts are not permitted.

In a preferred embodiment, the monetary amount Ui is divided symmetrically into a number n of equal monetary partial amounts Uj.

V _j = / n (12a)

The number n is an integer greater than or equal to two. For example, a monetary amount of 10 units can be divided into 2 installments of 5 units (n=2), or 5 installments of 2 units each (n=5), or 10 installments of 1 unit each (n=10).

In addition, new concealment amounts are derived:

If it is divided symmetrically, an individual, unique spoofing amount h is formed in the subscriber unit TE1 for each coin portion, the sum of the number n of spoofing amounts h of the coin portion data sets being equal to the spoofing amount r i of the divided coin data set: r = l = ^r j_ (13a ) In particular, it applies that the last partial amount of concealment h_ _{h is} equal to the difference between the amount of concealment n and the sum of the remaining partial amounts of concealment:

In this way, the obfuscation can h_i amounts to r, _n -i be arbitrarily selected and the procedure of the equation (13a) is by means of appropriate calculation of the "last" h_ individual fogging amount satisfies _h.

In an asymmetric splitting masked Münzdatensätze Z _j, and Z _k according to equation (3) obtained from the _k Münzdatensätzen and C and in the Münzregister 2 and / or the monitoring register 6 registered. For the splitting, the predecessor column 22a is written with the coin data set Zi, the successor column 23a with Z _j and the successor column 23b with Z _k . Additional information for the area proof (zero-knowledge-proof) must be generated. The marks in columns 25 through 27 require a status change and the coin register 2 and/or the monitor register 6 performs the appropriate checks. Column 28 marking and Column 29 statuses are ignored.

In the case of symmetrical splitting, a signature is calculated in the respective subscriber unit TE. For this purpose, the following signature key sig is used for the k-th partial coin data set Q _k _{: sig = r, - nr jk} (13c)

Where n is the number of symmetrically divided coin part data sets. In the case of symmetrical splitting, the signature of the k-th partial coin data set _k can be checked according to (13c) with the following verification key Sig:

Sig = Zt n Zj _k (i3d)

Where Z _{jk is} the masked k-th coin part data set and n is the number of symmetrically divided coin part data sets. This simplification results from the connection with equation (3):

Zi - n Z _j = (Oi- n V _j _k)-H + fr,- nr _jj JG where the symmetry properties of the partition mean that:

(Oi-n- _Vjk )-H=0 so Equation 13e simplifies to: Z, n Z _jj = (r, - nr _j JG

(13g)

The simplification based on Equation 13f makes it possible to completely dispense with zero-knowledge proofs, which means that the use of a symmetrical distribution saves an enormous amount of computing power and data volume.

A partial coin data set, here C _k , is then transmitted from the first subscriber unit TE1 to the second subscriber unit TE2. In order to prevent double spending, a switching operation makes sense in order to exchange the electronic coin data record C _{k received} from the first subscriber unit TE1 for a new electronic coin data record Ci with the same monetary amount. The new electronic coin data record Ci is generated by the second subscriber unit TE2. The monetary amount of the coin data record Ci is adopted and not changed, see equation (11).

Then, according to equation (14) is a new fogging amount r r _add to the amount added concealment _k of the obtained electronic Münzdatensatz C _k, whereby a concealment amount n is obtained, which only the second subscriber unit TE2 knows. In order to prove that only a new fogging amount r _add to the fogging amount r _k of the obtained electronic Münzdatensatz Z was added to _k, the monetary amount is, however, remained the same (u _k = ui), may have to the second subscriber unit TE2 prove to that Zi-Z _{k can be represented} as a multiple of G. This is done using the public signature R _add according to equation (15):

Radd r add ^'G (15)

Zi-Zk=(vi-Vk)*H+(rk+r _add -rk)*G where G is the generator point of the ECC. Then, the coin data set Ci to be switched is masked by the equation (3) to obtain the masked coin data set Z _\ . In the coin register 2 and/or the monitoring register 6, the private signature r _add can then be used, for example, to sign the masked electronic coin data record Z _\ to be switched over, which is considered proof that the second subscriber unit TE2 only _{adds a concealment amount r add} to the masked electronic coin data record added and no additional monetary value, ie vi = Vk.

The proof is as follows:

Z _k = V _k H + G (16) FIG. 10 shows an embodiment of a payment system according to the invention for connecting (also called combining) electronic coin data records. The two coin data sets Ci and are received in the second subscriber unit TE2. Based on the splitting according to FIG. 9, a new coin data record Z _m is now obtained by adding both the monetary amounts and the concealed amount of the two coin data records Ci and Ci. Then the obtained coin data C _{m to be connected is} masked and the masked coin data Z _m is registered in the coin register 2 . Then, when “connecting”, the signature of the second subscriber unit TE2 is entered, since this has received the coin data sets Ci and .

In the case of a combination by the payment system BZ, the highest of the two individual check values of the respective electronic partial coin data records Ci and Ci is determined. This highest check value is adopted as the check value Ci and the combined electronic coin record.

Alternatively, when combining (=connecting) by a payment system BZ, a new check value is determined from the sum of all check values of the electronic coin part data sets Ci and divided by the product of the number (here two) of the coin part data sets Ci and with a constant correction value. The correction value is constant throughout the system. The correction value is greater than or equal to 1. The correction value is preferably dependent on a maximum deviation of the individual test values of the electronic coin part data sets Ci and/or on a maximum test value of one of the electronic coin part data sets Ci and . The correction value is more preferably less than or equal to 2. This new check value is adopted as the check value of the combined electronic coin data set C _m .

FIGS. 11 and 12 each show an exemplary embodiment of a method flowchart of a method 100. FIGS. 11 and 12 are explained together below. In the optional steps 101 and 102, a coin data record is requested and provided by the issuer entity 1 to the first subscriber unit TE1 after the electronic coin data record has been created. A signed masked electronic coin record is sent at step 103 to the coin register 2 and/or the monitoring register 6. In step 103, the received electronic coin data set Ci is masked according to equation (3) and signed in step 103p according to equation (3a). Then in step 104 the masked electronic coin data record Zi is registered in the coin register 2 or the monitoring register 6 . Optionally, the subscriber unit TE1 the received electronic Switch coin data set, then a signature Si would be entered in the coin register 2 or the monitoring register 6. In step 105, the coin data record Ci is transmitted in the direct transaction layer 3 to the second subscriber unit TE2. In the optional steps 106 and 107, a validity check is carried out with prior masking, in which case the coin register 2 and/or the monitoring register 6 confirms the validity of the coin data set Zi or Ci.

In optional step 108, a received coin data set C _k is then switched over (of course, the received coin data set Ci could also be switched over) to a new coin data set Ci, whereby the coin data set C _k becomes invalid and double issuance is prevented. For this purpose, the monetary amount v _/, - of the transmitted coin data set C _{k is used} as the "new" monetary amount. In addition, as already explained with equations (14) to (17), the concealment amount n is created. The additional obfuscation _{amount r add} is used to prove that no new money (in the form of a higher monetary amount) was generated by the second subscriber unit TE2. Then the masked coin data set is signed and the signed, masked coin data set Zi to be switched over is sent to the coin register 2 and/or the monitoring register 6 and the switching over from C _k to Ci is instructed. In addition, a signature S _{k is created} by the first subscriber unit TE1 or the second subscriber unit TE2 and stored in the coin register 2 and/or the monitoring register 6 . In addition or as an alternative, a signature Si could also be created and stored in the coin register 2 and/or monitoring register 6 if transmitting subscriber units TE were registered instead of receiving subscriber units TE.

In step 108', the corresponding check is carried out in coin register 2 and/or monitoring register 6. Z _{k is} entered in column 22a according to the table in FIG Coin register 2 and/or the monitoring register 6 whether Z _{k is} (still) valid, i.e. whether the last processing of Z _{k is} entered in one of the columns 23a/b (as proof that Z _{k is} not further divided or deactivated or connected was made) and whether a check for the last processing failed. In addition, Zi is entered in column 23b and the markings in columns 25, 26, 27 are initially set to "0". A check is now made as to whether Zi is valid, in which case the check according to equations (16) and (17) can be used. If it is good, the mark in column 25 is set to “1”, otherwise to “0”. A check is now carried out, the calculation according to equation (10) shows that Z _k and Zi are valid and the marking in column 26 is set accordingly. Furthermore, it is checked whether the areas are conclusive, then the marking is set in column 27. The signature Si is then verified with the public verification key correspondingly present in the coin register 2 and/or the monitoring register 6 and logged accordingly. If all checks were successful, and this accordingly unchangeable in the coin register 2 and/or the monitoring register 6, the coin data record is considered switched. Ie the coin data set C _k is no longer valid and the coin data set Ci is valid immediately. A double issuance is no longer possible if a third subscriber unit TE requests the validity of the coin data record (issued twice) from the coin register 2 and/or the monitoring register 6 . When checking the signature, it can be checked in pseudonymous mode whether the second subscriber unit TE2 has exceeded a limit value for monetary amounts. The check is carried out with regard to a unit of time, for example a daily limit value could be monitored with it. If the limit value is exceeded, the coin register 2 and/or the monitoring register 6 initially refuses to switch over the coin data set Ci and requests the second subscriber unit TE2 to deanonymize itself. Depending on the system, deanonymized switching may be permitted.

In the optional step 109, two coin data records C _k and Ci are connected to a new coin data record C _m , as a result of which the coin data records C _k , Ci become invalid and double dispensing is prevented. For this purpose, the monetary amount u _m is formed from the two monetary amounts and U _k Ui. For this purpose, the concealment amount r _{m is formed} from the two concealment amounts r _k and r i . _{In addition, the masked coin data set Z m} to be connected is obtained by means of equation (3) and this (together with other information) is sent to the monitoring register 6 and/or the coin register 2 and connection is requested as processing. In addition, a signature S _k and a signature Si are generated and communicated to the monitoring register 6 and/or the coin register 2 .

In step 109', the corresponding check is made in the coin register 2 and/or the monitoring register 6. In this case, Z _{m is} entered in the column 23b according to the table in FIG. 2, which is also equivalent to a paraphrase. A check then takes place in the coin register 2 and/or the monitoring register 6 as to whether Z _k and Zi are (still) valid, _{i.e. whether the last processing of Z k} or Zi is entered in one of the columns 23a/b (as proof of this that Z _k and Zi were not split further or deactivated or connected) and whether a check for the last processing failed. In addition, the markings in columns 25, 26, 27 are initially set to "0". A check is now made as to whether Z _{m is} valid, in which case the check according to equations (16) and (17) can be used. If it is good, the mark in column 25 is set to “1”, otherwise to “0”. A check is now carried out, the calculation according to equation (10) shows that Zi plus Z _{k is} equal to Z _m and the marking in column 26 is set accordingly. Furthermore, it is checked whether the areas are conclusive, then the marking is set in column 27. When checking the signature, it can be checked whether the second subscriber unit TE2 has exceeded a limit value for monetary amounts. The check is carried out with regard to a unit of time, for example a daily limit value could be monitored with it. If the limit is exceeded, coin register 2 and/or monitoring register 6 refuses first connects the coin data set C _m and requests the second subscriber unit TE2 to de-anonymize itself. A deanonymized connection may then be permitted.

In optional step 110, a coin data set Ci is asymmetrically divided into two partial coin data sets C _k and Q, whereby coin data set Ci is invalidated and the two asymmetrically divided partial coin data sets C _k and are to be validated. In an asymmetric splitting the monetary amount Ui is divided into different sized part monetary amounts U _k and U _j. For this purpose, the concealment amount r is divided into the two concealment amounts _rk and r. In addition, the masked coin part data sets Z _k and Z _j are obtained using equation (3) and sent to the coin register 2 and/or the monitoring register 6 with further information, for example the area checks (zero-knowledge proofs), and the splitting is requested as processing . In addition, a signature Si is created and sent to the coin register 2 and/or to the monitoring register 6 .

In step 110', the corresponding check is carried out in the coin register 2 and/or the monitoring register 6. Z _j and Z _{k are} entered in the columns 23a/b according to the table in FIG. A check is then carried out in the monitoring register 6 and/or the coin register 2 to determine whether Zi is (still) valid, i.e. whether the last processing of Zi is entered in one of the columns 23a/b (as proof that Zi is not further divided or disabled or connected) and whether a check for the last processing failed. In addition, the markings in columns 25, 26, 27 are initially set to "0". A check is now made as to whether Z _j and Z _{k are} valid, in which case the check according to equations (16) and (17) can be used. If it is good, the marking in column 25 is set to "1". A check is now carried out, the calculation according to equation (10) shows that Zi is equal to Z _k plus Z _j and the marking in column 26 is set accordingly. Furthermore, it is checked whether the areas are conclusive, then the marking is set in column 27. When checking the signature, it can be checked whether the second subscriber unit TE2 has exceeded a limit value for monetary amounts. The check is carried out with regard to a unit of time, for example a daily limit value could be monitored with it. If the limit value is exceeded, the coin register 2 and/or the monitoring register 6 initially refuses to split up the coin data record Ci and requests the second subscriber unit TE2 to deanonymize itself. Deanonymized splitting may then be permitted.

FIG. 13 shows an exemplary embodiment of a first subscriber unit TE1 according to the invention. The first subscriber unit TE1 can be a device M1 in which a security element SEI is incorporated. For the sake of simplicity, the term device M1 is used below. Electronic coin data records Ci can be stored in a data memory 10, 10' in the device M1. The electronic coin data records Ci can be on the data memory 10 of the device M1 or can be available in an external data memory 10'. When using a external data memory 10', the electronic coin data records Ci could be stored in an online memory, for example a data memory 10' of a provider for digital purses. In addition, private data storage, for example a network attached storage, NAS could also be used in a private network.

In one case, the electronic coin record Ci is presented as a hard copy. The electronic coin data record can be represented by a QR code, an image of a QR code, or a file or a character string (ASCII).

The device Ml has at least one interface 12 available as a communication channel for issuing the coin data set Ci. This interface 12 is, for example, an optical interface, for example for showing the coin data set Ci on a display unit (display), or a printer for printing out the electronic coin data set Ci as a paper printout. This interface 12 can also be a digital communication interface, for example for near-field communication such as NFC, Bluetooth, or an Internet-enabled interface such as TCP, IP, UDP, HTTP or access to a chip card as a security element. This interface 12 is a data interface, for example, so that the coin data record Ci is transmitted between devices via an application, for example an instant messenger service, or as a file or as a character string.

In addition, the interface 12 or another interface (not shown) of the device M1 is set up to interact with the coin register 4. For this purpose, the device M1 is preferably online-capable.

In addition, the device Ml also have an interface for receiving electronic coin data sets. This interface is set up to receive visually presented coin data sets, for example using a detection module such as a camera or scanner, or digitally presented coin data sets, received via NFC, Bluetooth, TCP, IP, UDP, HTTP or coin data sets presented using an application.

The device M1 also includes a computing unit 13 which can carry out the method described above for masking coin data sets and the processing of coin data sets.

The device Ml is online capable and can preferably recognize by means of a location detection module 15 when it is connected to a WLAN. A specific WLAN network can optionally be marked as preferred (=location zone), so that the device M1 only performs special functions when it is registered in this WLAN network. Alternatively, the location detection module 15 recognizes when the device Ml is in predefined GPS coordinates including a defined radius and performs the special functions according to the so-defined location zone through. This location zone can either be introduced manually into the device M1 or via other units/modules into the device M1. The special functions that the device Ml performs when recognizing the location zone are, in particular, the transmission of electronic coin data sets from / to the external data memory 10 from / to a vault module 14 and, if necessary, the transmission of masked coin data sets Z to the coin register 4 and / or the monitoring register 6, for example as part of the above processing of a coin data record. The device M1 is accordingly set up to carry out the method according to FIG. The device Ml is set up to create and encrypt a transaction data record TDS. The device M1 is set up to initiate communication with a transaction register. The device M1 is set up to send the encrypted transaction data set TDS to the transaction register. Device M1 is set up to link metadata (in plain text) to the transaction data record TDS. The device M1 is set up to store the transaction data record TDS locally (temporarily).

In the simplest case, all coin data records Ci are automatically linked to form a coin data record in device M1 upon receipt (see link processing or link step). That is, as soon as a new electronic coin data set is received, a connect or toggle command is sent to the coin register 4. The device M1 can also prepare electronic coin data records in algorithmically defined denominations and store them in the data memory 10, 10', so that a payment process is also possible without a data connection to the coin register 4 and/or monitoring register 6.

A payment system is shown in FIG. 14 for better understanding. The overall system according to the invention includes an issuing authority (central bank) la. In addition, further issuer instances lb, lc can be provided which, for example, issue electronic coin data records in a different currency. In addition, at least one payment system BZ is shown, in which at least one coin register 2, a monitoring register 6 and a transaction register 4 of the payment system BZ are provided in order to register the coin data sets Ci or Zi and to check and log the modifications to the coin data set Ci. The publishing entity la can also be provided as part of the payment system BZ. In addition, bank instance(s) can be arranged between the issuing instances la-c and the payment system BZ. Registers 2, 4, 6 are housed together, for example, in one server entity and are logically separated from one another there. Alternatively, the registers 2, 4, 6 are also spatially/physically separated from one another. The trade register 4 can also be arranged as a unit external to the payment system BZ. In addition, a judicial/judicial authority 9 is shown, which requests a judicial request for decrypting encrypted transaction data records TDS from the payment system BZ (or directly from the transaction register) if fraud is suspected. Remote instances 8a-c with corresponding subkeys are also shown to in the event of a request to make their partial keys available to the trade repository 4 in order to obtain a cryptographic key as a decryption key.

In addition, FIG. 14 provides a large number of participants, which are shown as terminal devices Mx (with respective SEx). The terminals Ml to M6 can directly exchange coin data records Ci in the direct transaction layer 3. For example, terminal M5 transmits a coin record to terminal M4. For example, terminal M4 transmits the coin record to terminal M3. For example, the terminal M6 transmits a coin data set to the terminal Ml. The test value pn of the coin data set to be sent or received and, if applicable, the counter value p is used in each transmitting terminal device Mx or each receiving terminal device Mx to check whether the coin data set is displayed in the payment system and/or whether the coin data set is displayed in the Publishing authority la is to be returned. The payment system BZ uses the test value pn or a counter value p derived from the test value pn to check for each coin data set C whether the coin data set C is to be returned or not. In addition, a test value is provided in each terminal Mx in order to monitor a number of transaction data sets TDS that have not yet been sent, despite the coin data sets being transmitted.

FIG. 15 shows a flowchart of a method with which, for example, compliance with a limit value for monetary amounts per unit of time is made possible.

The upper part of the figure shows the payment system BZ consisting of three terminals M1, M2, M3. Three data structures 910, 920, 930 of the respective registers 2, 4, 6 are shown in the lower part of the figure. The valid masked coin data records Zi are stored in the data structure 910 of the coin register 2 . The data structure 920 of the monitoring register 6 includes the assignment of pseudonymously transmitted, masked coin data sets to the pseudonym and can be viewed as the monitoring register 6 of coin data sets that are still to be checked pseudonymously. Based on the data in the data structure 920, the monitoring register 6 can decide whether an area verification is requested for a pseudonym. Encrypted transaction data records TDS are stored in the data structure 930 of the transaction register.

The following transactions were carried out:

1. The first terminal Ml split a coin 901. The coin register 2 therefore knows that the coin Ci is a result of this split and stores the masked coin record Zi in the data structure 910. The first terminal Ml could report the split to the monitoring register 6 anonymously or send pseudonymously. In the illustration, it is assumed that the terminals M1 and M3 send their masked coin data records to the monitoring register 6 anonymously. 2. The first terminal M1 sends the coin Ci directly to the second terminal M2 in a direct transmission step 902. Neither the coin register 2 nor the monitoring register 6 receive any information about this. The first terminal Ml generates a transaction data record TDS902 regarding the transmission step 902, encrypts this transaction data record TDS902 and sends it to the transaction register 4. The encrypted transaction data record TDS902 contains an identifier of the first terminal Ml, an identifier of the second terminal M2 and the monetary amount ui of the coin ci

3. The second terminal M2 converts the coin Ci into the coin C2 (switches over) 903. The new masked coin data record Z2 is stored in the data structure 910 of the coin register 2 and the old masked coin data record Zi is deleted (or marked as invalid). The second terminal M2 transmits its masked (or at least the illustrated) Münzdatensätze pseudonym to the monitoring register 6. Thus, also receives the monitoring register 6, the information that the second terminal M2 has received the coin C with the pseudonym P _M 2 (and now coin C2 possesses) and stores the masked coin data set Z2 (and/or the masked coin data set Zi) for P _M 2 in the data structure 920 of the monitoring register 6 accordingly the terminal M2.

4. The second terminal M2 sends the coin C2 in a further direct transmission step 905 to the third terminal M3. Neither the coin register 2 nor the monitoring register 6 receive any information about this. The second terminal M2 generates a transaction data record TDS905 with regard to the transmission step 905, encrypts this transaction data record TDS905 and sends it to the transaction register 4. The encrypted transaction data record TDS905 contains an identifier for the second terminal M2, an identifier for the third terminal M3 and the monetary amount 02 of the coin C2.

5. In step 904, the third terminal M3 connects the received coin C2 to the connected coin C3 and sends this information to the coin register 2 with anonymous masked coin data sets. The coin register 2 carries out all checking steps, i.e. in particular all area verifications for the masked coin data sets Z2 involved. .. and Z3 or a cumulative area proof for the third terminal M3. Only then does the coin register 2 delete the masked coin data record Z2 (and the other coin data records of the process) from the data structure 910 and save the new masked coin data record Z3 as a valid masked coin data record. 6. The third terminal M3 in step 906 sends the coin C ₃ directly to the second terminal M2. Neither the coin register 2 nor the monitoring register 6 receive any information about this. The third terminal M3 generates a transaction data record TDS ₉₀₆ with regard to the transmission step 906, encrypts this transaction data record TDS ₉₀₆ and sends it to the transaction register 4. The encrypted transaction data record TDS _{906 contains} an identifier for the third terminal M3, an identifier for the second terminal M2 and the monetary amount 0 _{3 of} the coin C _3.

7. The second terminal M2 converts in a further step 903, the coin C ₃ in the coin C4 to (switch), and sends a masked Münzdatensatz Z4 together with his alias to the monitoring register 6. The monitoring register 6 receives the information necessary tests throws . With the help of the data structure 920, the monitoring register 6 determines whether one or more checks are to be made up for the pseudonym of the terminal M2. If the criterion for a catch-up, such as time elapsed or number of transactions for a pseudonym, is not yet met, only notes the further masked coin data record Z4 for the pseudonym in the data structure 920 of the monitoring register 6. The coin register 2 stores the masked coin data record Z4 in the data structure 910 and deletes the masked coin data set Z3 there. On the other hand, if a criterion for a catch-up test step is met, it first carries out the catch-up test step (or its equivalent).

In the specific example, the monitoring register 6 has the information that the second terminal device M2 had the coin C ₂ (see step 3). Since the sum of the monetary amounts of C ₂ and coin coin C4 might exceed its Münzschwellwert, calls the monitoring register 6 from the second terminal M2 a sum detection area (or a total area confirmation) on. The proof of the sum range shows that the sum of the monetary amounts of the coins C ₂ and C ₄ has not yet exceeded the—for example daily—limit of the transactions for the second terminal M2. The monitoring register 6 can also monitor a limit for a time-independent number of transactions (area verification after 3/5/10/... transactions). As an alternative or in addition to a sum check of several coin data sets, the monitoring register 6 can make up for a range check for the individual coin data sets _{that are linked in the data structure 920 of the monitoring register 6 with the pseudonym P M} 2 (Is the monetary amount of each coin data set Z2 and Z4 less than X? ). If checks were successfully made up for, the corresponding data records in the data structure 920 of the monitoring register 6 can also be deleted.

In its data structure 930, the transaction register 4 has the transaction data records TDS ₉₀₂ , TDS ₉₀₅ and TDS ₉₀₆ in encrypted form. In an embodiment of FIG. 15 that is not shown, the transaction data records are decrypted and pseudonymised. In the case of pseudonymization, the identifiers of the terminals M1 to M3 are replaced by the pseudonyms P and the respective amount is converted into amount categories. The pseudonymized unencrypted transaction data records are sent to the monitoring register 6. Since the sum of the monetary amounts of coin C2 and coin C4 could exceed a coin threshold value, the monitoring register 6 requests a sum range proof (or sum range confirmation) from the second terminal M2. Alternatively, ^{the amount categories in the pseudonymised transaction data records TDS* are} meaningful in such a way that the monitoring register 6 can itself carry out the proof of the sum range using the pseudonymised transaction data records TDS ^*. As an alternative or in addition to a sum check, the monitoring register 6 can now also carry out a range check for the individual coin data sets using the pseudonymised transaction data sets TDS ^* .

FIG. 16 shows a further exemplary embodiment of a sequence in a payment system BZ with masked coin data records. A first terminal M1 sends anonymous masked coin data records to the coin register 2 in steps 151. A second terminal M2, on the other hand, sends pseudonymised masked coin data records to the monitoring register 6 in steps 161.

The coin register 2 responds to each of the anonymous transmission steps 151 of the first terminal Ml (in its anonymous mode) with a (recoverable) check for the masked coin data set or the first terminal Ml. Any additional tests that may be necessary are not shown in FIG. In step 152, the coin register 2 requests, for each masked coin record, a range verification that the monetary amount of the masked coin record from step 151 is below a maximum value (or equivalent range confirmation). Alternatively or additionally, in step 152 the coin register 2 requests proof (or confirmation) of the total area from the first terminal M1. The first terminal M1 must create the (or the) requested evidence(s) in step 153 and send them in step 154 so that the (at least one) masked coin data record of step 151 in the coin register 2 is treated as valid.

The monitoring register 6 reacts to the first transmission steps 161 of the second terminal M2 (in its pseudonymous mode) by skipping a (repeatable) check for the masked coin data record or the second terminal M2. The masked coin data set sent pseudonymously is registered as valid. Necessary checks, not shown here, are carried out, for example, which, however, do not require further communication with the second terminal M2. As previously described in other examples, the monitoring register 6 stores an association between the pseudonym and the pseudonymously transmitted masked coin data record(s). In the example shown, this reacts Monitoring register 6 analogous to a second (or further) transmission steps 161 of the second terminal M2. In doing so, it checks whether a catch-up criterion has been met for the pseudonym.

It is only in the third step 161 shown that the monitoring register 6 establishes that a check should be carried out for the pseudonym. It sends a request 162 to the second terminal M2, for example to create area verifications for a number of coin data records or a total area verification. In step 163, the second terminal M2 creates a number of area verifications, a total area verification or a total area confirmation and sends this to the monitoring register 6 in step 164. In step 163, for example, multiple coin data records of the second terminal M2 are selected and a sum is formed from their monetary amounts. These coin data records relate either only to pseudonymised coin data records or to anonymous and pseudonymised coin data records (here, the masked coin data records that have already been sent are taken into account and the sum is formed from the monetary amounts of the corresponding unmasked coin data records). The selection can be made on the basis of criteria that are either known due to the system or were transmitted from the monitoring register 6 in step 162 . The criteria are, for example, a period of time, in particular a predefined period of time, in which a total of all monetary amounts should/may not exceed a certain range, for example a monetary amount x euros per time unit y. Alternatively or additionally, the criterion can also be a list in the first terminal M1 or in the monitoring register 6. This allows for a certain randomization of the area, which further secures the system. The sum formed is then compared with the range (and using the criterion if necessary). In step 164 the requested sum area confirmation (or the requested sum area proof) is transmitted from the second terminal M2 to the monitoring register 6 .

Since a payment transaction (transmission of coin data records) of a large amount of money can also be divided into several payment transactions of smaller amounts of money, which could each be below a range, the range (= limit value) is defined with the procedure, if necessary, in a terminal-specific and time-dependent manner. The area generally relates to a total of all transactions within a specific time unit that are received and/or sent by a terminal. A mechanism is therefore created with which it is determined how high the total of all monetary amounts that were sent or received by a terminal within a specific time unit is.

Within the scope of the invention, all of the elements described and/or drawn and/or claimed can be combined with one another as desired. REFERENCE LIST

BZ payment system

1, la-c Publisher or Bank

2 coin register 21 command entry

22a, b Entry of an electronic coin data record to be processed (predecessor) 23a, b Entry of a processed electronic coin data record (successor)

24 signature entry

25 Validation Mark

26 Marking of calculation check

27 Area Evidence Check Mark

28 Marking of signature verification

29 completion marker

3 direct transaction layer

4 Trade Repository

5 applique common purse

6 monitoring registers

7 Assignment of person to identifier 8a-c Subkey from remote authority 9 Judicial authority

10, 10' data storage

11 ad

12 interface

13 unit of account

14 vault module

15 Location Awareness Module

Mx xth device

Ci electronic coin record

Q, C _k split electronic coin part data set,

Q _k k-th split electronic coin part data set with symmetrical split

Ci Electronic coin data record to be switched

Cm electronic coin record to be connected

Zi Masked Electronic Coin Record

Zj, Zk Masked Split Electronic Coin Part Record

Zi masked toggling electronic coin record

Z _m masked electronic coin record to be connected

S Signed Masked Electronic Coin Record

SEx umpteenth security element

TEx x-th subscriber unit

TDS encrypted transaction record

TDS ^* Pseudonymized/anonymized transaction record

Wow, monetary amount D _j , u. Split monetary amount ui _, Monetary amount of an electr. coin record

U _m, Monetary amount of an electr. to be connected/connected. Coin data record pu _, test value for direct transmission of the coin data record pu _, counter value for aging of the coin data record p test value for transaction register n number of symmetrically divided partial coin data records n spoofing amount, random number h, h spoofing amount of a split electronic coin data record r _m spoofing amount of an electronic coin data record to be connected Ci* transmitted electronic coin data record * , Ck* transmitted split electronic coin part record,

Zi* Masked Transmitted Electronic Coin Record

Zj *, Z ^* _k masked transmitted split electronic Münzdatensatz f (C) one-way function Homomorphic

[Zi] Sig(PKi) Signature of the publishing authority

101-110 method steps of the payment system according to an embodiment 301-310 method steps in the subscriber unit according to an embodiment 401-412 method steps in the transaction register according to an embodiment

Claims

PATENT CLAIMS

1. A method (300) in a first subscriber unit (TE1), preferably a first security element (SEI), having an electronic coin data record (C), which is registered in a coin register (2) of a payment system (BZ) (104), with the process steps:

- Generating (301) a transaction data record (TDS) with regard to a transmission (105) of the electronic coin data record (C) to a second subscriber unit (TE2), preferably a second security element (SE2), or with regard to a modification to be registered in the coin register (2) of the electronic coin record (C);

- Encrypting (303) the generated transaction data record (TDS) with a cryptographic key (K), the cryptographic key (K) being composed of at least two partial cryptographic keys, preferably at least three partial cryptographic keys, each from different remote entities (8a, 8b, 8c). is; and

- Initiating (304) a communication connection to a transaction register (4) in order to send the encrypted transaction data record (TDS) to the transaction register (4).

2. The method (300) according to claim 1, wherein the first security element (SEI) is introduced ready for operation in the first subscriber unit (TE1) and the generation (301) and the encryption (303) preferably take place from the first security element (SEI).

3. The method (300) according to any one of the preceding claims, wherein the first subscriber unit (TE1) sends (306) the encrypted transaction data record (TDS) to the transaction register (4).

4. The method (300) according to any one of the preceding claims, wherein the encrypted transaction data record (TDS) is sent to the transaction register (4) in a cryptographically secured manner for transport.

5. The method (300) according to any one of the preceding claims, wherein the transaction data record (TDS) has at least:

- an identifier or address of the first subscriber unit (TE1), and

- an identifier or address of a second subscriber unit (TE2), and

- A monetary value (u) of the electronic coin data set (C).

The method (300) of claim 5, wherein the transaction record (TDS) further comprises:

- a transaction number and/or - A masked electronic coin data record (Z) corresponding to the electronic coin data record (C) to be transmitted or modified or modified, preferably instead of the monetary amount (u) of the electronic coin data record (C) and/or

- a transaction time.

7. The method (300) according to any one of the preceding claims, wherein the first subscriber unit (TE1) adds a transaction time to the encrypted transaction data record (TDS).

8. The method (300) according to any one of the preceding claims, wherein the encrypted transaction data record (TDS) is stored (309) in the first subscriber unit (TE1) when the communication connection setup (304) to the transaction register (4) or the sending (306) of the encrypted transaction record (TDS) fails (307).

9. The method (300) according to any one of the preceding claims, wherein the encrypted transaction data record (TDS) is sent from the first subscriber unit (TE1) to the transaction register (4) as soon as the communication connection setup (304) with the transaction register (4) is successful .

The method (300) of any preceding claim, wherein the first subscriber unit (TE1) transmits (105) the electronic coin record (C) to a second subscriber unit (TE2).

The method (300) of claim 10, wherein the transmitting step (105) occurs immediately before or after the generating step (301), or the encrypting step (303), or the initiating step (304).

12. The method (300) according to claim 10, wherein the transferring step (105) is only executed if a checking step (308) results in that a check value (p) for a number of transmissions (105) to the second subscriber unit (TE2) or to further subscriber units (TE) in the event of a failed communication connection establishment (307) to the trade register (4) or failed (305a) sending (306) of the encrypted transaction data record (TDS) to the trade register (4) below or equal to a predefined threshold value (X) is.

13. The method (300) according to claim 10, wherein when a predefined threshold value (X) of a test value (p) is exceeded for a number of transmissions (105) to the second subscriber unit (TE2) or to further subscriber units (TE) in the event of a failed ( 307) Communication connection establishment (304) to the trade repository (4) or failed (305a) sending (306) the encrypted transaction data set (TDS) to the trade repository (4) sending (306) the encrypted transaction data set (TDS) and/or a stored transaction data set (TDS) to the trade repository (4) before the transmission (105 ) of the electronic coin dataset (C).

14. The method (300) according to any one of claims 10 to 12, wherein in the event of successful transmission (105) of the electronic coin data set (C) and failed (307) communication connection establishment (304) to the transaction register (4) or failed (305a) sending (306 ) of the encrypted transaction data record (TDS) to the transaction register (4), a test value (p) is incremented in the first subscriber unit (TE1) (310).

15. The method (300) according to claim 14, wherein the test value (p) is also used to determine whether the electronic coin data set (C) from the first subscriber unit (TE1) to the payment system (BZ), in particular a coin register (2) or a monitoring register (6), and/or whether the electronic coin data record (C) is returned to the central issuing authority (1).

16. The method (300) according to any one of claims 10 to 15, wherein in the event of a transmission error, the electronic coin data set (C) is retransmitted (306) on the basis of the transaction data set (TDS).

17. The method (300) according to any one of the preceding claims with the further steps:

masking the electronic coin record (C) by applying a homomorphic one-way function (f(C)) to the electronic coin record (C) to obtain a masked electronic coin record (Z);

Registering (104) the masked electronic coin data set (Z) in a coin register (2) and/or a monitoring register (6) of the payment system (BZ), the registering (104) preferably for switching, dividing or connecting masked electronic coin data sets (Z ) is.

18. The method (300) according to any one of the preceding claims with the further steps:

Linking the masked electronic coin data set (Z) with a pseudonym (P) to obtain a pseudonymised masked electronic coin data set (S); and Sending the pseudonymised, masked electronic coin data set (S) to a monitoring register (6) of the payment system (BZ).

19. The method (300) according to any one of the preceding claims, wherein the cryptographic partial keys see each of: a law enforcement agency; a notary authority; a Department of Justice entity; a central issuing authority of the payment system; or a commercial bank instance of the payment system.

20. The method (300) according to any one of the preceding claims, wherein the cryptographic key (K) for encryption is a public key part of an asymmetric key infrastructure, the corresponding private key part (k) for decrypting (409) the encrypted transaction data record (TDS) is composed (406) of all cryptographic partial keys of the different instances (8a, 8b, 8c) by an addition operation or a bitwise XOR operation.

21. The method (300) according to any one of the preceding claims, wherein the cryptographic key (K) for encryption is a public key part of an asymmetric key infrastructure, the corresponding private key part (k) for decrypting the encrypted transaction data record from a predefined number (n ) is composed of cryptographic sub-keys from different entities (8a, 8b, 8c), the predefined number (n) being less than the total number (m) of the different entities (8a, 8b, 8c).

22. The method (300) according to claim 20 or 21, wherein the public key part (K) is received (302) from the transaction register (4) before the encryption step (303) in the first subscriber unit (TE1).

23. The method (300) according to any one of claims 1 to 19, wherein the cryptographic key (K) for encryption is a symmetric key which is composed (406 ) is.

24. A subscriber unit (TE), preferably a security element (SE), comprising:

- A computing unit (13), set up to execute the method (300) of

claims 1 to 23; - means for accessing a data memory (10, 10'), wherein at least one electronic coin data set (C) is stored in the data memory (10, 10'); and

- An interface (12) set up for (304) setting up a communication link to a transaction register (4) in order to send an encrypted transaction data set (TDS) to the transaction register (4).

25. A method (400) for storing encrypted transaction data records (TDS) of a payment system (BZ) with the method steps:

- Generating (301), from a first subscriber unit (TE1), a transaction data record (TDS) with regard to a transmission (105) of the electronic coin data record (C) to a second subscriber unit (TE2), preferably a second security element (SE2), or with regard to a modification of the electronic coin data record (C) to be registered at the coin register (2);

- Encrypting (303), from the first subscriber unit (TE1), the transaction data record (TDS) generated with a cryptographic key (K), the cryptographic key (K) being made up of at least two cryptographic sub-keys, preferably at least three cryptographic sub-keys, is composed of different remote entities (8a, 8b, 8c),

Sending the encrypted transaction record (TDS) to a trade repository

(4);

Receiving (401) the encrypted transaction data set (TDS), wherein the received encrypted transaction data set (TDS) was generated (301) and encrypted (303) in particular by the method (300) of claims 2 to 23, and storing (404) the encrypted Transaction data record (TDS) in a memory area of the transaction register (4).

26. The method (400) of claim 25, further comprising the step of:

- Decrypting (409) the encrypted transaction data record (TDS) with a cryptographic key (k), the key (k) for decrypting (409) the encrypted transaction data record (TDS) from at least two cryptographic partial keys of respective different remote entities (8a, 8b, 8c) is assembled (406) in the transaction register (4).

27. The method (400) of claim 26, wherein the assembling (406) is performed by an addition operation or a bitwise XOR operation.

28. The method (400) according to claim 26 or 27, wherein the cryptographic key (k) for decrypting (409) the encrypted transaction data set (TDS) from a predefined number (n) of cryptographic part see different remote encryption entities (8a, 8b, 8c) is composed (406), the predefined number (n) being less than the total number (m) of the different remote entities (8a, 8b, 8c).

29. The method (400) according to any one of claims 26 to 28, wherein the decryption (409) takes place only in response to an external request (407).

30. The method (400) according to any one of claims 25 to 29, wherein the transaction register (4) has a hardware security module, wherein the hardware security module is a secure key memory in which different generations of the partial keys are kept.

31. The method (400) according to any one of claims 25 to 30, wherein the transaction register (4) has a hardware security module against which the various remote instances (8a, 8b, 8c) prior to decrypting (409) the stored encrypted transaction data record (TDS) authenticate (408).

32. The method (400) according to claim 31, wherein only after successful authentication (408) of each remote instance (8a, 8b, 8c) may the decryption (409) take place with all generations of partial keys.

33. The method (400) according to any one of claims 25 to 32, wherein after receiving (401) the encrypted transaction data set (TDS) from the first subscriber unit (TE1), the encrypted transaction data set (TDS) is re-encrypted (403).

34. The method (400) according to any one of claims 25 to 32, wherein after receiving an updated partial key from one of the different remote entities (8a, 8b, 8c), the encrypted transaction data record (TDS) is re-encrypted (403).

35. The method (400) according to any one of claims 25 to 34, wherein after receiving (401) the encrypted transaction data set (TDS) from the first subscriber unit (TE1), the encrypted transaction data set (TDS) is decrypted (409) and an identifier of a subscriber unit (TE1) is replaced (410) by a pseudonym (P) in the transaction data record (TDS) in order to obtain a decrypted pseudonymised transaction data record (TDS ^* ).

36. The method (400) according to any one of claims 25 to 35, wherein after receiving (401) the encrypted transaction data record (TDS) from the first subscriber unit (TE1), the encrypted transaction data record (TDS) is decrypted (409) and a monetary amount ( u) an electronic coin data set (C) by an amount category im transaction record (TDS) is replaced (411) to obtain a decrypted pseudonymised transaction record (TDS ^* ).

37. The method (400) according to one of claims 35 or 36, wherein the decrypted, pseudonymised transaction data record (TDS ^* ) is sent (412) to a monitoring register (6) of the payment system (BZ).

38. A trade repository (4) for a payment system (BZ) having:

- a computing unit (13) set up to execute the method (400) of claims 25 to 37;

- Means for accessing a data memory (10, 10'), wherein in the data memory (10,

10') at least one encrypted transaction data record (TDS) is stored; and

- An interface (12) set up for communication with a subscriber unit (TE) in order to receive (401) an encrypted transaction data set (TDS) from the subscriber unit (TE).

39. The trade repository (4) of claim 38, further comprising:

- a hardware security module set up for:

- secure storage of partial keys of different generations;

- Decrypt (409) encrypted transaction records (TDS).

40. The transaction register (4) according to claim 39, wherein the hardware security module is set up for:

- decrypting (409) encrypted transaction records (TDS);

- replacing (410) an identifier of a subscriber unit (TE) with a pseudonym (P) in the transaction data record (TDS) in order to obtain a decrypted pseudonymised transaction data record (TDS ^* ).

41. The transaction register (4) according to claim 39 or 40, wherein the hardware security module is set up for:

- decrypting (409) encrypted transaction records (TDS);

- Replacing (411) a monetary amount (u) of an electronic coin data record (C) by an amount category in the transaction data record (TDS) in order to obtain a decrypted, pseudonymised transaction data record (TDS ^* ).

42. The transaction register (4) according to claim 38 to 41, wherein the interface (12) is set up to send (412) the decrypted pseudonymised transaction data record (TDS) to a monitoring register (6) of the payment system (BZ).

43. Having a payment system (BZ):

- at least one subscriber unit (TE1, TE2) according to claim 20, wherein the subscriber unit (TE1, TE2) for executing the generating step (301) and the encrypting step (302) of the method (300) according to any one of claims 1 to 23 is set up, wherein the encrypted transaction data record (TDS) is sent to a transaction register (4); and

- The transaction register (4) according to any one of claims 38 to 42, wherein the transaction register (4) for executing the method (400) according to any one of claims 25 to 37 is set up.

44. The payment system (BZ) according to claim 43, further comprising: an issuing entity (1) which is designed to create (102) an electronic coin data set (C) for the payment system (BZ); and/or a coin register (2), set up for registering (104) a masked electronic coin data record (Z), the registering (104) being preferred for switching, dividing or connecting masked electronic coin data records (Z); and/or a monitoring register (6) set up to receive a pseudonymised masked electronic coin data record (S) from the subscriber unit (TE) or to receive a decrypted pseudonymised transaction data record (TDS) from the transaction register (4).