EP4179489A1

EP4179489A1 - Method, terminal, and coin register for transmitting electronic coin data sets

Info

Publication number: EP4179489A1
Application number: EP21739314.9A
Authority: EP
Inventors: Daniel Albert; Raoul-Thomas HERBORG
Original assignee: Giesecke and Devrient Advance52 GmbH
Current assignee: Giesecke and Devrient Advance52 GmbH
Priority date: 2020-07-08
Filing date: 2021-06-30
Publication date: 2023-05-17
Also published as: DE102020004117A1; CN115803763A; US20230222509A1; CA3182400A1; WO2022008321A1

Abstract

The invention relates to a method in a first security element for transmitting an electronic coin data set to a second security element, said electronic coin data set being registered in a coin register of a payment system. The method has the steps of: setting a status of the electronic coin data set from the security element to an inactive status; transmitting the electronic coin data set from the first security element to the second security element; checking whether a receipt confirmation from the second security element has been received in the first security element; and deleting the transmitted electronic coin data set if the checking step results in that the receipt confirmation has been obtained by the first security element. The invention additionally relates to a payment system, a coin register, a security element, and a terminal for transmitting electronic coin data sets. (Fig. 5)

Description

METHOD OF TERMINAL AND COIN REGISTER FOR TRANSMITTING ELECTRONIC COIN DATA RECORDS

TECHNICAL FIELD OF THE INVENTION

The invention relates to a method in a first security element for the transmission of electronic coin data sets and a terminal device with a security element and a payment system and a coin register of a payment system.

TECHNICAL BACKGROUND OF THE INVENTION Security of payment transactions and the associated payment transaction data means protecting the confidentiality of the data exchanged; as well as protection of the integrity of the exchanged data; as well as protection of the availability of the exchanged data.

It must be possible to prove basic control functions for electronic coin data sets, in particular (1) the detection of multiple issuance processes, also known as double spending, and (2) the detection of uncovered payments. In case (1) someone tries to spend the same coin data set several times and in case (2) someone tries to spend a coin data set although he/she has no credit (anymore) or does not have this coin data set.

In order to illustrate case (1), a payment system is shown in FIGS. In the case of direct transmission, no central instance of the payment system, for example a coin register, is then involved. In FIG. 1a, a terminal M1 divides a coin data set C _a in order to obtain a partial coin data set C _b . The terminal Ml passes on the coin data set C _b in an unauthorized manner to the terminal M2 and M3 at the same time.

In the payment system of FIG. 1a, terminal M2 passes on coin data set C _b and receives coin data set C B , which is then forwarded directly to terminal M4. The terminal M4 forwards the coin data record C _c directly to the terminal M6. The terminal M6 forwards the coin data record C _c directly to the terminal M8. The unsuspecting participant with terminal M3 forwards the partial coin data set C _b directly to terminal M5. The terminal M3 is the Münzdatensatz C _b to the terminal M5 directly on. The terminal M5 gives Münzdatensatz C _b to the terminal M7 spur. Both coin data sets C _b and C _c thus frequently change hands without a coin register of the payment system finding out about this.

If - as illustrated in FIG lb -. The terminal M7 the Münzdatensatz C _b in a Münzregister 4 of the payment system to register leaves (= switching), the Münzdatensatz C _b is invalid (indicated by the strikeout of the Münzdatensatzes) and a Münzdatensatz C _d valid. If the terminal M8 also _{wants to register the coin data record C c} as the coin data record C _e with the coin register 4, the coin register 4 determines that the coin data record C _{b is} already invalid. Ml's attack is only now being discovered. As a result, the coin register 4 accepts neither the coin data set C _c nor the coin data set C _e .

In addition, the risk of manipulation(s) being carried out on the electronic coin data set increases due to the large number of transactions in an electronic coin data set and also due to the increasing service life.

In the future, it should be possible to do without cash (banknotes and analogue coins) or at least without analogue coins.

A valid electronic coin data record may - as a system requirement - only exist once, i.e. only at a single location. This system requirement increases the requirements for a transmission process, in particular to successfully ward off attacks during transmission or to prevent possible transmission errors from being exploited for manipulation of the payment system. This system requirement is made more difficult by the fact that the technical transmission between two participants in the payment system should be able to take place with instances or devices or remote data storage in between, in order not to reduce the degree of flexibility when paying.

It is therefore the object of the present invention to create a method and a system in which a payment transaction between participants in a payment system is designed to be secure but nevertheless simple. In particular, direct and anonymous payment between devices, tokens, smartphones, security elements, machines, checkout terminals or vending machines should be created. It should be possible for the participant (=user) to combine and/or divide several coin data sets as desired in order to enable flexible exchange. The exchanged coin records should be confidential to other system participants, but allow each system participant to perform basic checks on the coin record, namely (1) detecting multiple dispensing attempts; (2) recognizing attempts to pay with non-existent monetary amounts; and (3) recognizing return criteria for already dispensed coin records, such as that a coin record should expire.

In particular, a tamper-proof transaction protocol for transmitting the electronic coin data record is to be created.

SUMMARY OF THE INVENTION

The tasks are solved with the features of the independent patent claims. Further advantageous configurations are described in the dependent patent claims. The object is achieved in particular by a method in a first security element for transmitting an electronic coin data record to a second security element, the electronic coin data record being registered in a coin register of a payment system, with the method steps: Setting a status of the electronic coin data record from the first security element to an inactive Status; sending the electronic coin record from the first security element to the second security element; checking whether an acknowledgment of receipt from the second security element has been received in the first security element; and deleting the transmitted electronic coin record if the verifying step determines that the acknowledgment of receipt has been received from the first security element.

An electronic coin data record is in particular an electronic data record that represents a monetary (=monetary) amount and is colloquially referred to as a “digital coin” or “electronic coin”. In the process, this monetary amount changes from a first security element to a second security element. In the following, a monetary amount is understood to mean a digital amount that can be credited to an account at a financial institution, for example, or exchanged for another means of payment. An electronic coin record represents cash in electronic form.

An electronic coin data record for transferring amounts of money differs significantly from an electronic data record for data exchange or data transfer, since, for example, a classic data transaction takes place on the basis of a question-answer principle or on intercommunication between the data transfer partners. An electronic coin data record, on the other hand, is unique, unambiguous and is part of a security concept, which can include masking, signatures, test values or encryption, for example. In principle, an electronic coin data record contains all the data that is required for a receiving entity with regard to verification, authentication and forwarding to other entities. Intercommunication between the end devices when exchanging data is therefore generally not provided for with this type of data set.

In contrast to copying, i.e. duplicating digital data, a valid electronic coin data set may only exist once in the payment system. This system requirement must be observed in particular when transferring electronic coin data sets in order to prevent multiple issuance.

The electronic coin record can be placed in an active status and/or in an inactive status. The inactive status invalidates the respective electronic coin data record for further actions. The active status validates the respective electronic coin record for further actions. The electronic coin data set, that is to say in particular a monetary amount and a concealed amount, remain unchanged when the status is changed. The status is managed or logged, for example, in a data memory of the security element for each electronic coin data record. The inactive status represents a flag to indicate to accessing elements that the coin record is already being used or is to be used in a transfer operation. A coin record in an inactive state cannot be used for any further action. It is therefore in the interest of each participant not to manage any coin data set in an inactive status for longer than is absolutely necessary, since the monetary amount is blocked during the inactive status. A speedy completion of the transmission process is therefore advantageous for the participants in the transmission.

In order to design a transmission protocol securely, the electronic coin data sets are managed here by security elements and also transmitted by them. A security element is a technical resource-limited facility. A security element is, for example, a special computer program product, in particular in the form of a secure runtime environment within an operating system of a terminal device, English Trusted Execution Environments, TEE, or eSIM software, stored on a data memory, for example a device such as a mobile terminal device, token, smartphone, Machine, cash register terminal, vending machine. Alternatively or additionally, the security element is, for example, special hardware, in particular in the form of a secure hardware platform module, English Trusted Platform Module, TPM or as a chip card or an embedded security module such as eUICC or eSIM. The security element provides a trustworthy environment and thus has a higher level of trust than a device in which the security element is possibly integrated ready for operation.

An electronic coin data record can be securely stored in the security element. The security element can also have a multiplicity of electronic coin data records, for example the multiplicity of electronic coin data records can be stored in a data memory exclusively assigned to a security element. The data memory then represents an electronic purse, for example. This data memory can be an internal memory of the security element, for example. Alternatively and to increase the flexibility of the payment method, the data memory can be an external data memory, for example a data memory of the end device (etc.), in which the security element is possibly integrated ready for operation. Possibly only one respective security element has an exclusive right of access to this external data storage device. The external data storage can also be a remote data storage (cloud storage). The data store can be virtual.

Transmission of an electronic coin record occurs between the two security elements. The logical transmission of the electronic coin record directly, whereas physical transmission may be via one or more intervening entities, for example one or more terminals for activating the security element(s) and/or a remote data storage service where the purse with the electronic coin records is stored.

Security elements can transmit electronic coin data sets among themselves and then continue to use them directly - without being checked by a central instance of the payment system. A system requirement could be that electronic coin data sets received by a security element are to be regarded as secure/valid per se.

The first security element can have received an electronic coin data record from a less trustworthy entity, such as a terminal or a machine or an online service, as a participant in the payment system. An import function of the security element is provided for this purpose, for example. Electronic coin data records from such an insecure origin, in particular not directly from another security element, are considered insecure and, after receipt in the security element, are checked for validity using a central instance of the payment system, for example a remote coin register. In one embodiment, such insecure electronic coin data sets are registered on the first security element by an action such as switching, combining, dividing, before they are (may) be transmitted to the second security element.

Only - and exclusively - for the sending step is a copy made of the (inactivated) electronic coin record and this copy is sent to the second security element.

The electronic coin data record to be transmitted is registered in a coin register, ie a remote entity, of the payment system. Thus, for example, the establishment of a communication link to the coin register is provided for registering the electronic coin data set. This communication connection does not necessarily have to be present during the transmission process (payment process). The coin register is designed, for example, as a higher-level central instance of the payment system. Accordingly, the coin register is not necessarily arranged in the same level (=layer) of the security elements. The coin register is preferably provided for the administration and checking of masked electronic coin data records. It is conceivable that the coin register also manages and checks other transactions between devices.

For example, the coin register is a database. This database makes it easy to check coin data records for their validity and to prevent "double spending", i.e. multiple issues, without the transfer itself being registered or logged will. The database describes a technique for networked computers that come to an agreement about the sequence of certain transactions and that these transactions update data.

The coin register can be a decentrally controlled database, English Distributed Ledger Technology, DLT, in which the masked electronic coin data records are registered with corresponding processing of the masked electronic coin data record. In a preferred embodiment, a status or a validity of the (masked) electronic coin data record can be derived from this. The status or the validity of the (masked) electronic coin data records is preferably noted in and by the coin register. The registration of the processing or the processing steps can also relate to the registration of test results and intermediate test results relating to the status or the validity of an electronic coin data set, in particular the determination of test values and counter values of corresponding coin data sets. If processing is final, this is indicated, for example, by corresponding markings or a derived total marking in the coin register. Final processing then decides whether an electronic coin record is valid or invalid.

The coin register is preferably a centrally managed database, for example in the form of an accessible data store. For example, the coin register is a service server of the payment system.

In the method, after the electronic coin data set has been sent from the first security element to the second security element, a check is carried out to determine whether an acknowledgment of receipt from the second security element has been received in the first security element. This checking serves as an investigation in the first security element as to whether the transmission step was successful and was acknowledged accordingly by the second security element. This acknowledgment of receipt is absolutely necessary in order to delete the sent electronic coin data record in a subsequent step. With the confirmation of receipt, which corresponds to a request for deletion from the second security element, the electronic coin data record in the first security element is deleted. Preferably, the first security element could be blocked from transmitting further coin data sets until the delete step occurs and is confirmed.

In one embodiment, it is provided that the deleted electronic coin data record remains in the security element for archival purposes. The fact that the deleted electronic coin data set is no longer valid or will be returned can be marked (=identified) using a flag, a status or another coding, for example. Alternatively and preferably, the electronic coin data record to be deleted is destroyed and possibly also physically removed from the security element. This procedure ensures that only inactive electronic coin data records are copied which are still used in the first security element after being sent to the second security element. A duplication of an active electronic coin data record is thus prevented by the transmission protocol. The use of security elements guarantees a secure environment for such a transmission, so "double-spending" is not possible. The checking also ensures in the first security element that a transmission was successful and the electronic coin data record can be deleted in the first security element without destroying monetary amounts.

In the selected (offline) transmission environment, it is particularly important that transmission errors or transmission conflicts can be resolved without a central instance(s) of a payment system, such as the coin register. The transmission protocol proposed here ensures that a transmission process (payment process) is trustworthy, even though it is executed asynchronously, by checking the presence of an acknowledgment of receipt and using security elements. The transfer proposed here, namely invalidating, sending, checking and only then deleting, ensures that monetary amounts are not destroyed and that no duplicates can be generated in the active state.

In a preferred embodiment, the security element is incorporated into a device ready for operation. The device can contain an application through which a user (=participant) controls a payment process and in this payment process accesses electronic coin data records of the security element. A transmission (ie also the sending) of the electronic coin data set between the first and the second security element can be integrated into an existing transmission between two devices and/or integrated into a secure channel between two applications of the respective devices. In addition, the transmission can include an Internet data connection to an external data store, for example an online store.

The device can be, for example, a mobile terminal such as a smartphone, a tablet computer, a computer, a server, an automat or a machine. The electronic coin data set is transmitted from the (first) security element of a first device, for example, to the (second) security element of another device. In this case, a device-to-device transmission link can be set up, via which, for example, a secure channel is set up between the two security elements, via which the electronic coin data record is then transmitted. An application brought ready for operation (installed) on the device can initiate and control the transmission of the coin data record by using the input and/or output means of the respective device. For example, amounts of electronic coin data records can be displayed and the transmission process can be monitored. In particular, a mobile telecommunications terminal, for example a smartphone, is regarded as a device. Alternatively or additionally, the device can also be a wearable, a machine, a tool, an automat or even a container or vehicle. A device is therefore either stationary or mobile. The device is preferably designed to use the Internet and/or other public or private networks. For this purpose, the device uses a suitable connection technology, for example Bluetooth, LoRa, NFC and/or WiFi, and has at least one corresponding interface. The device can also be designed to be connected to the Internet and/or other networks by means of access to a mobile radio network.

For example, two devices establish a local wireless communication link. The transmission between the two security elements takes place via the wireless communication connection - with its corresponding protocol.

In a preferred embodiment, the first security element sets the status of the electronic coin data set to an inactive status immediately before or after the sending step. This shortens the length of time that a coin record is inactive, whereby the monetary value is not blocked for long periods of time due to its invalidity.

In a preferred embodiment, the electronic coin data record is sent in a cryptographically secured manner. In this case, mutual authentication of the security elements and/or encrypted transmission of the coin data record between the first and second security element is used. A key exchange is either negotiated as a session key or issued in advance. This increases security when transmitting the coin data record and makes attacks on the transmission channel to intercept the coin data record more difficult, for example in the case of "man-in-the-middle" or "relay" attacks.

In a preferred embodiment, a transaction data record relating to the transmitted electronic coin data record is stored in the first security element, preferably in a non-volatile manner. The storage takes place locally in the security element, for example. In the event of an incorrect transmission, the transaction data record can be used to reconstruct the transmission process and, if necessary, to repeat it. In this case, no changes need to be made to the electronic coin data set itself, in particular an inactive status marking of the coin data set also indicates that a transmission step has already taken place, but the coin data set has not been deleted.

The method thus provides both a processing method (rollback) and a repetition method (retry) in order to be able to reverse or repeat the transaction in the event of a transmission error in which the transmission was not completed. In the event of a recurrence, the transfer can be completed, in the case of settlement the transfer will be completely undone. However, this also means that the previously sent electronic coin record is recoverable should the retry fail or be undesired. This restoration can be completed with a registration in the coin register. With the recovery, a deletion request is also sent to the second security element in order to delete a coin data record that has been received but has not been confirmed to have been received. In one refinement, the restoration does not take place until the deletion request to the second security element has been confirmed by the second security element to the first security element.

In a preferred embodiment, the transaction data record has a transaction number. This transaction number is, for example, a random number generated before the sending step. A random number generator of the security element is preferably used for this purpose. Alternatively or additionally, the transaction number is an identification number of the transaction, which is unambiguous and unique for the transmission from the first security element to the second security element. In addition, the transaction number can be an identification of the transaction in the payment system and this transaction number is assigned by the payment system, for example the coin register. This allocation can take place in advance or during the initialization of the security element in the payment method. There can be a large number of transaction numbers that are managed in a similar way to TAN lists.

The transaction data record also has an identifier or an address of the first security element (=sender), ie a piece of data with which this security element can be clearly identified in the payment system. The transaction data record also has an identifier or an address of the second security element (=recipient), ie a piece of data with which this security element can be uniquely identified in the payment system. For example, the transaction record includes an amount of the electronic coin record. With this transaction data record, the transmission attempt can be reconstructed and, if necessary, repeated or reversed.

In one embodiment, the transaction data record is transmitted together with the coin data record. The acknowledgment of receipt can then be the transaction data record that has been transmitted back.

In a preferred embodiment, in the event of a transmission error, the electronic coin data record is sent again using the stored transaction data record. It is assumed that the transmission of the electronic coin data set has failed, but the transmission process is to be completed. The transmission of the electronic coin record is promptly repeated. The electronic coin data record to be resent corresponds to the electronic coin data record during the transmission of which a transmission error occurred. The electronic coin data set are therefore for the renewed Send no changes required. In one embodiment, a further transaction data record is generated for logging purposes.

A transmission error case is assumed, for example, if an acknowledgment of receipt was not received in the first security element within a predefined period of time. A timer is started for this purpose, for example. Preferably, the timer is started during the step of sending the electronic coin record.

Alternatively or additionally, the case of a transmission error can be indicated by an error message from the first or the second security element. This means that the error case is explicitly displayed and only then is it decided whether to process or repeat it.

The transmission error case can also be assumed by a detected connection fault. In this way, the error case is indicated implicitly and only then is it decided whether to unwind or repeat.

The transmission error case can also occur due to failed authentication.

The transmission error can also occur when a terminal device in which one of the operational security elements is installed is switched off, or when the transmission range is exceeded due to the movement of a participant.

The transmission error case can also occur as a result of an internal error in the first or second security element, in an application of the device, or in the respective device.

In a preferred embodiment, the first security element queries the second security element at predefined periodic time intervals and actively requests the confirmation of receipt. Alternatively, the first security element actively requests a confirmation of receipt when a time value of a timer is exceeded.

In a preferred embodiment, a successful transfer is indicated in the first security element after the deletion step. A user display can be updated or the monetary amount can be deleted from a list of available monetary amounts. A participant (user) in the payment system is visualized by this display that the transmission process was successful. In addition or as an alternative, an available monetary amount is updated, in particular reduced in accordance with the transmitted monetary amount.

In a preferred embodiment, the electronic coin data set is evaluated as an input parameter of an application of a device containing the first security element in the display step. The deleted electronic coin data record or the transaction data of this electronic coin data records thus actively control the transmission process, regardless of an application that is executable on the terminal device. The changes to the electronic coin data set are visualized for a user by the application on the end device, and the user accordingly receives prompt feedback on the validity/status/deletion of the electronic coin data set to be transmitted/transmitted.

In a preferred embodiment, the first security element indicates to the second security element that the sent coin data record has been deleted. This notification is the sending of a deletion confirmation to the second security element. This indication also serves to indicate that the acknowledgment of receipt has been received in the first security element. From the point in time of this display by the first security element, the electronic coin data record can be used in the second security element and the transmission process (payment process) is considered to have been successfully completed.

In a preferred embodiment, the first security element indicates to the coin register that the sent coin data record has been deleted. This notification is the sending of a cancellation confirmation to the coin register. This indication also serves to indicate that the acknowledgment of receipt has been received in the first security element. From the point in time at which this is indicated by the first security element, the electronic coin data record can be used in the second security element and the transmission process (payment process) is deemed to have been successfully completed. The second security element obtains knowledge of this display by querying the coin register.

In a preferred embodiment, the second security element sets the status of the electronic coin data set to an active status after the deletion step, preferably after the display step. By setting the active status, the second security element validates the sent (or received) electronic coin data record for further actions. The electronic coin data record, that is to say in particular a monetary amount and a concealed amount, remain unchanged when the status is changed. For example, the status is maintained or logged in a local storage area of the security element for each electronic coin data set. The active status thus represents a marker to indicate to accessing entities that the electronic coin data record is not (or no longer) used in a transmission process and allows further use.

In a preferred embodiment, in the event of a transmission error (see above), the status of the transmitted electronic coin data record is reset to an active status in the first security element. With the setting of the active status, the first security element revalidates (reactivates) the unsuccessfully sent electronic coin data record for further actions. The electronic coin data record, that is, in particular, a monetary amount and a Obfuscation amount, remain unchanged by status reset. This restoration can be completed with a registration in the coin register. Before the restoration, a deletion request can also be made to the second security element in order to delete a coin data set that has been received but has not been confirmed to have been received in the second security element. In one refinement, the restoration does not take place until the deletion request to the second security element has been confirmed by the second security element to the first security element. Alternatively, it is also possible to switch only sent coin data records to active again, while received coin data records cannot be activated but only deleted.

In a preferred embodiment of the method, in the event of a transmission error, the first security element will request a status of the transmitted electronic coin data set from the coin register. In the event that the sent electronic coin data record is registered on the first security element, the status of the sent coin data record in the first security element is reset (caused by the detected error) to an active status (rollback) by the first security element. The old status prior to the unsuccessful transfer is thus restored, including the coin register.

If the sent electronic coin data set is not registered on the first security element, the first security element reports a transaction error to the coin register. This case is assessed as a case of fraud or an attack scenario, because according to the first security element, the transfer has not yet been completed and the coin data record can therefore not yet have been transferred to another security element.

In a preferred embodiment, the second security element queries the status of the transmitted electronic coin data record from the coin register in the event of a transmission error. In the event that the sent electronic coin data set is registered on the first security element, the sent coin data set is deleted in the second security element by the first security element (rollback). The old status prior to the unsuccessful transfer is thus restored, including the coin register.

If the electronic coin data set sent is not registered on the first security element, the second security element reports a transaction error to the coin register. This case is assessed as a case of fraud or an attack scenario, because according to the first security element, the transfer has not yet been completed and the electronic coin data record can therefore not yet have been transferred to another security element. In a preferred embodiment, the first security element re-registers the sent coin data record in the coin register if the confirmation of receipt is not received. Non-receipt is evaluated as a transmission error case and can be recognized, for example, by exceeding a predefined time period of a timer that was started, for example, when the coin data record was sent.

The object is also achieved by a security element as described above. The security element has a computing unit that is set up to transmit electronic coin data sets according to the method described above. The security element also has means for accessing a data memory, with at least one electronic coin data set being stored in the data memory. And the security element has an interface set up for outputting the at least one electronic coin data record to another security element.

The object is also achieved by a terminal device with a security element as described above, the interface being set up to output the at least one electronic coin data record to the other security element via an interface of the terminal device.

The object is also achieved by a method in a payment system, in particular a commercial bank or a coin register of the payment system, for managing electronic coin data records, the electronic coin data records being issued by a central issuing authority, with a status being present for each electronic coin data record, the status includes the status "active" or "inactive" and is set to the active status or the inactive status (marked) in the case of direct transmission of the electronic coin data record between two security elements as participants in the payment system and before carrying out actions on or with the retrieving an electronic coin record from a subscriber, the method comprising the step of: determining, by the coin register based on the status of the electronic coin record, whether the electronic coin record is valid.

In the method in the payment system, preferably only masked electronic coin data sets are managed. The masking of the coin data records is described later and ensures anonymity or pseudonymity in the payment system.

In a preferred embodiment, the electronic coin data record is provided for transmission between two security elements, the electronic coin data record to be transmitted being declared valid or invalid by the payment system as a result of the determination and an invalid coin data record being returned to the issuing authority or released for deletion. In a preferred embodiment, when the payment system carries out an action with the electronic coin data record, the status of the electronic coin data record is reset by the payment system.

The object is also achieved by a payment system having a coin register, at least one terminal device of the type described above and an issuing entity that is designed to create an electronic coin data record for the payment system, with a security element for executing the method for transmitting electronic coin data records in the terminal device is set up in the manner described above.

The payment system is preferably also set up to manage electronic coin data sets from other issuing entities and/or monetary amounts as book money.

The object is also achieved by a coin register, the coin register being set up to register electronic coin data sets.

In an advantageous embodiment, the electronic coin data set has a monetary amount, ie a date that represents a monetary value of the electronic coin data set, and an obfuscation amount, for example a random number. In addition, the electronic coin data record can have further metadata, for example which currency the monetary amount represents. An electronic coin data record is uniquely represented by these at least two pieces of data (monetary amount, concealment amount). Anyone who has access to this data of an electronic coin record can use this electronic coin record for payment. Knowing these two pieces of data (monetary amount, concealment amount) is therefore equivalent to owning the digital money. This electronic coin data set can be directly transferred between two security elements. In one embodiment of the invention, only the transmission of the monetary amount and the obfuscation amount is necessary for exchanging digital money. In one embodiment, a status (active, inactive) of the electronic coin data record is also added to the coin data record, so that this then consists of three pieces of data (monetary amount, concealment amount, status). Alternatively, the status of a coin data record is not appended to the coin data record and is only managed in the security element itself and/or the coin register.

In a preferred embodiment, a corresponding masked electronic coin data record is assigned to each electronic coin data record in the method and in the payment system (the coin register). Knowledge of a masked electronic coin record does not authorize spending the digital money represented by the electronic coin record. This represents a key difference between the masked electronic coin records and the (non-masked) electronic coin records. A masked electronic coin record is unique and also unique to an electronic one Assign coin data set, so there is a 1-to-l relationship between a masked electronic coin data set and a (non-masked) electronic coin data set. The electronic coin data set is preferably masked by a computing unit of the security element. The security element has at least one electronic coin data set. Alternatively, the masking can be performed by a processing unit of a security element receiving the electronic coin data set.

In one embodiment, the masked electronic coin data set can be linked to a pseudonym in order to obtain a pseudonymized masked electronic coin data set. Also by a possible To enable the required mechanism for deanonymization, the linking step is carried out before the masking in order to link a pseudonym of the security element with the electronic coin data record. The pseudonym is preferably security element-specific. A pseudonym is any kind of disguised identity that makes it possible to draw conclusions about the security element and the transactions carried out with it without merely knowing the coin data record.

The difference between an anonymous masked coin record and a pseudonymized masked coin record lies in the identifiability of the security element by the coin register when using the pseudonym. An anonymous masked coin record does not contain any information about its origin, so it cannot be associated with a security element. In contrast, a pseudonymized masked coin data record has a link to a pseudonym of the security element, so that the security element that sent the pseudonymized masked coin data record to the coin register can be identified via the linked pseudonym.

When an electronic coin data record is issued by the issuer entity to a security element, a masked electronic coin data record can also be issued in parallel by the issuer entity to the coin register of the payment system for registration of the electronic coin data record.

This masked electronic coin record is obtained by applying a one-way homomorphic function, specifically a cryptographic homomorphic function. This function is a one-way function, i.e. a mathematical function that is “easily” calculable in terms of complexity theory, but is “difficult” to practically impossible to reverse. Here, a one-way function is also referred to as a function for which no reversal that can be carried out in practice within a reasonable time and with reasonable effort is known to date. Thus, computing a masked electronic coin record from an electronic coin record is comparable to generating a public key in a Encryption method using a residue class group. Preferably, a one-way function is used that operates on a group where the discrete logarithm problem is difficult to solve, such as B. a cryptographic method analogous to an elliptic curve encryption, ECC for short, from a private key of a corresponding cryptographic method. The reverse function, ie the generation of an electronic coin data record from a masked electronic coin data record, is very time-consuming—equivalent to generating the private key from a public key in an encryption method using a residual class group. Whenever sums and differences or other mathematical operations are discussed in the present document, the respective operations on the corresponding mathematical group are to be understood in the mathematical sense, for example the group of points on an elliptic curve.

The one-way function is homomorphic, i.e. a cryptographic method that has homomorphic properties. Mathematical operations can thus be carried out with the non-masked electronic coin data set, which can also be carried out in parallel on the (masked) electronic coin data set and can therefore be reproduced. In the present case, operations based on the masked electronic coin data sets are reproduced in the coin register, which were carried out in the security element with the corresponding non-masked electronic coin data sets. With the help of the homomorphic one-way function, calculations with masked electronic coin data records in the coin register can be reproduced without the corresponding (non-masked) electronic coin data records being known there. Therefore, certain calculations with electronic coin data sets, for example for processing the (non-masked) electronic coin data set (e.g. splitting or connecting), can also be proven in parallel with the associated masked electronic coin data sets, for example for validation checks or for monitoring the legality of the respective electronic coin record. The homomorphism properties apply at least to addition and subtraction operations, so that a splitting or combining (=connecting) of electronic coin data sets can also be recorded in the coin register by means of the appropriately masked electronic coin data sets and can be traced by requesting security elements and/or by the coin register without To gain knowledge of the monetary amount and the terminal device used.

The homomorphic property thus makes it possible to keep an entry of valid and invalid electronic coin data sets based on their masked electronic coin data sets in a coin register without knowledge of the electronic coin data sets, even if these electronic coin data sets are processed (split, connected, switched), i.e. one action is performed with these electronic coin records. It is thereby ensured that no additional monetary amount has been created or that an identity of the security element is recorded in the coin register. Masking allows for a high Level of security without giving any insight into the monetary amount or the end device. This results in a two-tier payment system, for example. On the one hand there is the coin register, in which masked electronic data records are checked, and on the other hand there is a direct transaction layer in which at least two security elements transmit electronic coin data records.

When an electronic coin data set is transmitted directly from the first security element to the second security element, two security elements simultaneously have knowledge of the electronic coin data set to be transmitted. The method described above is used to prevent the transmitting first security element from also using the electronic coin data set for payment with another (third) security element (so-called double spending). In particular, before the transmission, the status of the coin data record is set to inactive status in order to invalidate the coin data record, then the transmission takes place and if there is a confirmation of receipt from the second security element, the coin data record is deleted in the first security element. A confirmation of clearing from the first security element can be sent to the coin register or the second security element to indicate successful clearing.

In addition, the transmitted electronic coin data record can be switched (“switched”) from the first security element to the second security element. The switching can preferably take place automatically when the confirmation of deletion of an electronic coin data set is received in the second security element. In addition, it can also take place on request, for example by a command from the first and/or second security element. In addition, an electronic coin data set can also be divided into at least two partial coin data sets (“split”). In addition, two electronic coin datasets can be combined into one coin dataset (“merge”).

Switching, splitting and connecting are various modifications to an electronic coin record, i.e. actions on the electronic coin record. These modifications require the masked coin data set to be registered in the coin register of the payment system. The concrete implementation of the individual modifications will be explained later.

Switching also takes place when an electronic coin dataset is changed, for example split up or connected to other electronic coin datasets, in particular in order to be able to settle a monetary amount to be paid appropriately. The payment system should always be able to pay any monetary amount as long as the sum of the individual coin data records does not exceed the monetary amount.

The splitting up and subsequent registration has the advantage that an owner of the at least one electronic coin data record is not forced to always pay the entire monetary amount to be transferred at once, but now to form and transfer corresponding monetary partial amounts. The monetary value can be divided symmetrically or asymmetrically without restrictions, as long as all electronic coin data part sets have a positive monetary amount that is smaller than the monetary amount of the electronic coin data set from which it is split and the sum of the electronic coin part data sets is equal to the electronic coin part data set to be split . Alternatively or additionally, fixed denominations can be used. The division into partial amounts is arbitrary.

The method preferably has the following further steps: switching over the transmitted electronic coin part data set; and/or linking the transmitted electronic coin data set with a second electronic coin data set to a further electronic coin data set, namely linked electronic coin data set.

When switching over, the partial electronic coin data set received from the first security element results in a new electronic coin data set, preferably with the same monetary amount, the so-called electronic coin data set to be switched over. The new electronic coin data set is generated by the second security element, preferably by using the monetary amount of the electronic coin data set received as the monetary amount of the electronic coin data set to be switched. A new concealment amount, for example a random number, is thereby generated. For example, the new obfuscation amount is added to the obfuscation amount of the received electronic coin record so that the sum of both obfuscation amounts (new and received) serves as the obfuscation amount of the electronic coin record to be switched. After switching, the electronic coin part data set received and the electronic coin part data set to be switched over are preferably masked in the security element by applying the homomorphic one-way function to the electronic coin part data set received and the electronic coin part data set to be switched over, in order to obtain a masked electronic coin part data set received and a masked electronic coin part data set to be switched over.

The switching is thus secured by adding a new amount of obfuscation to the amount of obfuscation of the received electronic coin record, whereby an amount of obfuscation is obtained that only the second security element knows. Newly created obfuscation amounts must have high entropy since they are used as the blinding factor for the corresponding masked electronic coin part records. A random number generator on the security element is preferably used for this purpose. This safeguard can be tracked in the coin register.

As part of the switching, additional information is preferably required for registering the switching of the masked electronic coin data set in the coin register are calculated in the security element. Preferably, the additional information includes a range verification of the masked electronic coin record to be switched and a range verification of the masked received electronic coin record. The proof of area is proof that the monetary amount of the electronic coin data record is not negative, the electronic coin data record was validly created and/or the monetary amount and the concealed amount of the electronic coin data record are known to the creator of the area proof. In particular, the area credential serves to provide such credential(s) without revealing the monetary amount and/or the concealment amount of the masked electronic coin record. These range proofs are also called "zero knowledge range proofs". Ring signatures are preferably used as area verification. The changeover of the masked electronic coin data set is then registered in the remote coin register.

The registering step is preferably carried out when the second security element is connected to the coin register. While the electronic coin records are used for direct payment between two security elements, the masked coin records can be registered with a pseudonym in the coin register.

In a further preferred embodiment of the method, a further electronic coin data record (connected electronic coin data record) is determined from a first and a second electronic coin part data record for connecting electronic coin part data records. The concealment amount for the electronic coin data set to be connected is calculated by forming the sum of the respective concealment amounts of the first and the second electronic coin data set. Furthermore, the monetary amount for the associated electronic coin data record is preferably calculated by forming the sum of the respective monetary amounts of the first and the second electronic coin data record.

After the connection, the first electronic coin part data set, the second electronic coin part data set, and the electronic coin data set to be connected in the (first and/or second) security element by applying the homomorphic one-way function to the first electronic coin part data set, the second electronic coin part data set, and the data set to be connected masked electronic coin data set to obtain correspondingly a masked first electronic coin part data set, a masked second electronic coin part data set, and a masked electronic coin data set to be connected. Furthermore, additional information needed to register the linking of the masked electronic coin records in the remote coin register is computed in the security element. Preferably, the additional information includes area evidence of the masked first electronic coin part record and a Area verification via the masked second electronic coin part record. The proof of area is proof that the monetary amount of the electronic coin data record is not negative, the electronic coin data record was validly created and/or the monetary amount and the concealed amount of the electronic coin data record are known to the creator of the area proof. In particular, area verification serves to provide such verification(s) without revealing the monetary value and/or the amount of obfuscation of the masked electronic coin record. These range proofs are also called "zero knowledge range proofs". Ring signatures are preferably used as area verification. The connection of the two masked electronic coin part data sets is then registered in the remote coin register.

With the step of connecting, two electronic coin data records or two electronic coin part data records can be combined. The monetary amounts as well as the concealment amounts are added up. As with splitting, the validity of the two original coin data records can also be carried out when connecting.

In a preferred embodiment, the registering step comprises receiving the masked electronic coin part data set to be switched over in the coin register, checking the masked electronic coin part data set to be switched over for validity; and registering the masked electronic coin part record to be switched in the coin register if the verifying step is successful, whereby the electronic coin part record to be switched is deemed to be verified.

The payment system preferably has at least two layers and has a direct payment transaction layer for the direct exchange of (unmasked) electronic coin data records and a coin register layer, which can also be referred to as a “disguised electronic data record ledger”. In the coin register layer, preferably no payment transactions are recorded, only masked electronic coin data records, their status, possibly test values, signatures and modifications for the purpose of verifying the validity of (non-masked) electronic coin data records. This ensures the anonymity of the participants in the payment system. The transactions are also concealed in this way, since no monetary amounts and/or no identifiers of the security elements of the transaction are stored in the coin register. The coin register layer provides information about valid and invalid electronic coin data records, for example to avoid multiple issuance of the same electronic coin data record or to verify the authenticity of the electronic coin data record as validly issued electronic money or to record the sum of monetary amounts per security element in order to record this sum to compare with a limit value and to prevent or allow a modification accordingly. The coin register layer may use a counter value of an electronic coin record to determine whether the electronic Coin Record has expired and is to be returned or modified to be deemed returned.

In the present case, a device can have a security element or itself be a security element in which the electronic coin data record is securely stored. An application that controls or at least initiates parts of the transfer process can be installed ready for operation on the device.

Electronic coin data sets can be transmitted with the aid of devices that are logically and/or physically connected to the security elements.

The communication between two devices with the respective security elements can be wireless or wired, or e.g. also optically, preferably via QR code or barcode, and can be designed as a secure channel, e.g. between applications of the end devices. The optical path can include, for example, the steps of generating an optical code, in particular a 2D code, preferably a QR code, and reading in the optical code.

The transmission of the electronic coin data record is secured, for example, by cryptographic keys, for example a session key negotiated for an electronic coin data record exchange or a symmetric or asymmetric key pair.

By communicating between devices, for example via their security elements, the exchanged electronic coin records are protected from theft or tampering. The level of security elements thus complements the security of established blockchain technology.

In a preferred embodiment, the coin data records are transmitted as APDU commands. For this purpose, the coin data record is preferably stored in an (embedded) UICC as a security element and is managed there. An APDU is a combined command/data block of a connection protocol between the UICC and a terminal. The structure of the APDU is defined by the ISO-7816-4 standard. APDUs represent an information element of the application layer (layer 7 of the OSI layer model).

In addition, it is advantageous that the electronic coin data sets can be transmitted in any format. This implies that it communicates, i.e. can be transmitted, on any channel. They do not have to be saved in a fixed format or in a specific program. In one embodiment, it can be provided that the first and/or second security element processes the received electronic coin data records in the presence or receipt of a plurality of electronic coin data records according to their monetary value. Provision can thus be made for electronic coin data records with a higher monetary value to be processed before electronic coin data records with a lower monetary value.

In one embodiment, the security element can be designed, after receiving an electronic coin data record, to connect it to the electronic coin data record already present in the security element depending on attached information, for example a currency or denomination, and to carry out a corresponding step of connecting. Furthermore, the security element can also be designed to automatically carry out a switchover after receipt of the electronic coin data set.

In one embodiment, further information, in particular metadata, is transmitted during the transmission from the first terminal or first security element to the second terminal or second security element, for example a currency. In one embodiment, this information can be included in the electronic coin data set.

The procedures are not limited to one currency. For example, the payment system can be set up to manage different currencies from different publishers. The payment system is set up, for example, to convert (=change) an electronic coin data record in a first currency into an electronic coin data record in a different currency. This switching is also a modification of the electronic coin record. With the change, the original coin record becomes invalid and is deemed returned. Flexible payment with different currencies is therefore possible and user-friendliness is increased.

The methods also allow the electronic coin data record to be converted into book money, ie, for example, the monetary amount can be redeemed in an account held by the participant in the payment system. This repositioning is also a modification. Upon redemption, the electronic coin record becomes invalid and is deemed to have been returned.

The at least one initial electronic coin data record is preferably created exclusively by the issuing entity, with the divided electronic coin data records, in particular electronic partial coin data records, also being able to be generated by a security element. Creating and choosing a monetary amount preferably also includes choosing a high entropy obfuscation amount. The publishing entity is a computing system, which is preferably remote from the first and/or second end device. After creating the new electronic coin record, the new electronic coin record masked in the issuer instance by applying the homomorphic one-way function to the new electronic coin data set to obtain a masked new electronic coin data set accordingly. Furthermore, additional information needed to register the creation of the masked new electronic coin record in the remote coin register is calculated in the issuer entity. This additional information is preferably proof that the (masked) new electronic coin data record originates from the issuing authority, for example by signing the masked new electronic coin data record. In one embodiment, it can be provided that the issuing entity signs a masked electronic coin data record with its signature when the electronic coin data record is generated. The key of the issuing authority for validating the signature is stored in the coin register. The signature of the issuing authority is different from the signature generated by an end device or a security element.

The issuer entity can preferably deactivate an electronic coin data record that is in its possession (i.e. of which it knows the monetary amount and the obfuscation amount) by masking the masked electronic coin data record to be deactivated with the homomorphic one-way function and a deactivate command for the coin register prepared. In addition to the masked electronic coin data set to be deactivated, a part of the deactivation command is preferably also the proof that the deactivation step was initiated by the issuing authority, for example in the form of the signed masked electronic coin data set to be deactivated. As additional information, range checks for the masked electronic coin record to be deactivated could be included in the deactivate command. Disabling may be the result of a return. The deactivation of the masked electronic coin data set is then registered in the remote coin register. The deactivation step is triggered with the deactivation command.

The creation and deactivation steps are preferably carried out in secure locations, especially not in the end devices. In a preferred embodiment, the steps of creation and deactivation are carried out or initiated only by the publishing entity. These steps preferably take place in a secure location, for example in a hardware and software architecture that was developed for processing sensitive data material in insecure networks. The deactivation of the corresponding masked electronic coin data set has the effect that the corresponding masked electronic coin data set is no longer available for further processing, in particular transactions. However, in one embodiment it can be provided that the deactivated, masked electronic coin data record remains in the archives of the issuing authority. The fact that the deactivated masked electronic coin data record is no longer valid or is returned can be identified, for example, using a flag or another coding or the deactivated masked electronic Coin record can be destroyed and/or deleted. The deactivated electronic coin data record is also physically removed from the end device or the security element.

Various processing operations (modifications) for the electronic coin data sets and the corresponding masked electronic coin data sets are made possible by the method according to the invention. Each of the processing operations (in particular creating, deactivating, dividing, connecting and switching over) is registered in the coin register and appended there in unchangeable form to the list of previous processing operations for the respective masked electronic coin data set. The registration is independent of the payment process between the security elements, both in terms of time and place (spatial). The processing operations "Create" and "Deactivate" (=return), which affect the existence of the monetary amount itself, i.e. the creation and destruction up to the destruction of money, require additional approval, for example in the form of a signature, by the issuing authority in order to be registered (i.e. logged) in the coin register. The other processing operations (dividing, connecting, switching), of which the dividing and connecting can also be delegated from one security element to another security element, do not require authorization by the issuing authority or by the command initiator (= payer, e.g. end device or security element ).

Processing in the direct transaction layer only affects ownership and/or the assignment of the coin data records to security elements of the respective electronic coin data records. A registration of the respective processing in the coin register is implemented, for example, by corresponding list entries in a database that includes a series of markings that must be carried out by the coin register. A possible structure for a list entry includes, for example, column (s) for a predecessor coin data set, column (s) for a successor coin data set, a signature column for the issuer, a signature column for the sending and / or receiving security element, a Signature column for coin division operations and at least one marking column. A change (modification) is final when and the required markings have been validated by the coin register, ie after the corresponding check, for example, the status "0" has been changed to the status "1". If a check fails or takes too long, it is instead changed from status to status "0", for example. Other status values are conceivable and/or the status values mentioned here are interchangeable. The statuses regarding the modifications are independent of the status during the transfer process (inactive/active). The validity of the respective (masked) electronic coin data sets from the status values of the markings are summarized in one column for each masked electronic coin data set involved in registering the processing. In a further exemplary embodiment, at least two, preferably three or even all of the aforesaid flags can also be replaced by a single flag which is then set if all tests have been successfully completed. Furthermore, the two columns for predecessor data sets and successor data sets can each be combined into one in which all coin data sets are listed together. As a result, more than two electronic coin data sets could then also be managed per field entry, and thus, for example, a split into more than two coin data sets could be implemented.

The checks by the coin register to check if a processing is final are already described above and are in particular:

Are the masked electronic coin records of the predecessor column(s) valid?

- Does a monitoring result in the correct test value?

Are the area verifications successful for the masked electronic coin records?

Is the signature of the masked electronic coin record a valid signature of the issuing authority?

- Does the sending/receiving end device (pseudonym) exceed a limit for a maximum permissible monetary amount, particularly per unit of time?

Is the coin record Inactive due to transfer between security elements?

It is also preferred that a masked electronic coin data set is invalid if one of the following checks applies, i.e. if:

(1) the masked electronic coin record is not registered in the coin register;

(2) the last processing of the masked electronic coin record indicates that it has predecessor coin records, but this last processing is not final; or

(3) the last processing of the masked electronic coin record indicates that it has successor coin records and that last processing is final;

(4) the masked electronic coin record is not the successor of a valid masked electronic record unless signed by the issuing authority;

(5) the monetary amount of the masked electronic coin data record means that a limit value for a maximum permissible monetary amount, in particular per unit of time, is exceeded and the required deanonymization is rejected by the corresponding end device;

(6) An active status for a security element is entered in the coin register, but another security element is requesting an action (switch, combine, split) under possession indication.

In one aspect, a payment system for exchanging monetary amounts is provided with a coin register layer with a preferably decentrally controlled database, English Distributed Ledger Technology, DLT, in which masked electronic coin data records are stored are; and a direct transaction layer with at least two security elements, in which the method described above can be carried out; and/or an issuer entity for generating an electronic coin record. The issuer entity can prove that the masked generated electronic coin data set was generated by it; the issuer entity can preferably identify itself by signing and the coin register layer can check the signature of the issuer entity.

The payment system is preferably designed to carry out the above-mentioned method and/or at least one of the embodiment variants.

A further aspect relates to a currency system comprising an issuer entity, a coin register layer, a first security element and a second security element, the issuer entity being designed to create an electronic coin data record. The masked electronic coin data set is designed to be demonstrably created by the issuing authority. The coin register layer is designed to carry out a registration step as carried out in the above-mentioned method Preferably, the security elements, i.e. at least the first and second security element, are suitable for carrying out one of the above-mentioned method for transmission.

In a preferred embodiment of the currency system, only the issuing entity is authorized to initially create an electronic coin data record and finally withdraw it. Processing, for example the step of connecting, splitting and/or switching, can and is preferably carried out by a security element. The deactivation processing step can preferably only be carried out by the publishing entity.

The coin register and the issuer entity are preferably arranged in a server entity or are present as a computer program product on a server and/or a computer.

An electronic coin data record can be present in a large number of different forms and can therefore be exchanged via different communication channels, also referred to below as interfaces. This creates a very flexible exchange of electronic coin data records.

The electronic coin data set can be presented in the form of a file, for example. A file consists of data that is related in terms of content and is stored on a data carrier, data storage device or storage medium. Each file is initially a one-dimensional sequence of bits, which are usually interpreted in groups of bytes. An application program (application) or an operating system of the security element and/or the terminal interprets this bit or byte sequence for example as text, an image or a sound recording. The file format used can be different, for example it can be a pure text file that represents the electronic coin data record. In particular, the monetary amount and the blind signature are mapped as a file.

The electronic coin data record is, for example, a sequence of American Standard Code for Information Interchange, or ASCII for short, characters. In particular, the monetary amount and the blind signature are shown as this sequence.

The electronic coin data record can also be converted from one form of representation to another form of representation in a device. For example, the electronic coin data record can be received in the device as a QR code and output by the device as a file or character string.

These different forms of representation of one and the same electronic coin data record enable a very flexible exchange between security elements or end devices of different technical equipment using different transmission media (air, paper, wired) and taking into account the technical design of a end device. The selection of the form of representation of the electronic coin data records is preferably made automatically, for example on the basis of recognized or negotiated transmission media and device components. In addition, a user of a device can also select the form of representation for exchanging (=transmitting) an electronic coin data set.

In a simple case, the data store is an internal data store of the terminal device. The electronic coin data sets are stored here. This ensures easy access to electronic coin data sets.

The data memory is in particular an external data memory, also called online memory. Thus, the security element or the terminal has only one means of access to the electronic coin data records that are stored externally and thus securely. In particular, if the security element or the end device is lost or if the security element or the end device malfunctions, the electronic coin data sets are not lost. Since owning the (unmasked) electronic coin records is equivalent to owning the monetary amount, using external data storage allows money to be stored and managed more securely.

If the coin register is a remote entity, the device preferably has an interface for communication using a standard internet communication protocol, for example TCP, IP, UDP or HTTP. The transmission may include communication over the cellular network. In a preferred embodiment, the security element is set up to carry out the processing already described, in particular the division, connection and switching of an electronic coin data set. The arithmetic unit is set up to mask an electronic coin data set to be switched as the electronic coin data set and to link it to a pseudonym which the security element needs as a masked electronic coin data set to register the switching command or in the switching step. In this way, an electronic coin record - as described above

- be switched.

In addition or as an alternative, the processing unit is preferably set up to mask an electronic coin data record that has been divided into a number of partial coin data records and to link it to a pseudonym in order to obtain a masked electronic coin data record and, if necessary, masked electronic partial coin data records that can be registered in the coin register. In this way, an electronic coin record - as described above

- be divided.

In addition or as an alternative, the computing unit is preferably set up to mask an electronic partial coin data set to be combined from a first and a second electronic coin data set as the electronic coin data set and to link it with a pseudonym in order to obtain a masked coin data set to be combined as the masked electronic coin data set registered in the coin register. In this way, an electronic coin record - as described above - can be linked.

In a preferred embodiment, the interface for issuing the at least one electronic coin data record is an electronic display unit of the terminal device, which is used to display the electronic coin data record and/or the successful transmission of the coin data record (as described above) and/or (if applicable) (also) to issue the electronic coin record is set up in visual form. As already described, the electronic coin data record can then be exchanged between terminals, for example in the form of an optoelectronically detectable code, an image, etc.

In a preferred embodiment, the interface for issuing (=sending) the at least one electronic coin data set is a protocol interface for wirelessly sending the electronic coin data set to the other security element via a terminal using a communication protocol for wireless communication. In particular, near-field communication is provided, for example by means of a Bluetooth protocol or NFC protocol or IR protocol; alternatively or additionally, WL AN connections or Mobile phone connections conceivable. The electronic coin data set is then adapted according to the protocol properties or integrated into the protocol and transmitted.

In a preferred embodiment, the interface for issuing the at least one electronic coin data record is a data interface for providing the electronic coin data record to the other security element by means of an application. In contrast to the protocol interface, the electronic coin data set is transmitted here using an application. This application then transfers the electronic coin data record in an appropriate file format. A file format specific to electronic coin records can be used. In the simplest form, the coin data record is transmitted as an ASCII character string or as a text message, for example SMS, MMS, instant messenger (such as Threema or WhatsApp). In an alternative form, the coin record is transmitted as an APDU character string. A purse application can also be provided. In this case, the exchanging security elements or their terminals preferably ensure that an exchange using the application is possible, ie that both security elements or their terminals have the application and are ready for exchange.

In a preferred embodiment, the security element or the device also has an interface for receiving electronic coin data records.

In a preferred embodiment, the interface for receiving the at least one electronic coin data record is an electronic detection module of the security element or terminal device, set up to detect an electronic coin data record presented in visual form. The detection module is then, for example, a camera or a barcode or QR code scanner.

In a preferred embodiment, the interface for receiving the at least one electronic coin dataset is a protocol interface for wirelessly receiving the electronic coin dataset from another security element or end device using a communication protocol for wireless communication. In particular, near-field communication is provided, for example by means of a Bluetooth protocol or NFC protocol or IR protocol. Alternatively or additionally, WLAN connections or mobile radio connections are conceivable.

In a preferred embodiment, the interface for receiving the at least one electronic coin data set is a data interface for receiving the electronic coin data set from the other security element or end device by means of an application. This application then receives the coin data set in a corresponding file format. A file format specific to coin records can be used. In its simplest form, the coin data record is sent as an ASCII character string or as a text message, such as an SMS. Transfer MMS, Threema or WhatsApp. In an alternative form, the coin record is transmitted as an APDU character string. In addition, the transfer can take place using a wallet application.

In a preferred embodiment, the interface for receiving the at least one electronic coin data set is also the interface for dispensing the electronic coin data set, so that an interface is provided both for sending and for receiving the coin data set.

The part of the monetary amount to be obtained as an electronic coin data record is preferably an electronic partial coin data record of an electronic coin data record that was previously divided symmetrically. The other security element or the other device for splitting can either independently contact the coin register or use the security element or the terminal device as a trustworthy entity for communication with the coin register. In a preferred embodiment, the other security element or the other terminal would in this case send the security element or the terminal an electronic coin data record with the request for symmetrical splitting, for example into a first predefined electronic coin part data record and a second predefined electronic coin part data record.

In a preferred embodiment, the security element or the device comprises at least one security element reader, set up to read a security element; a random number generator; and/or a communication interface to a vault module and/or bank institution with access to a bank account to be authorized.

In a preferred embodiment, the data memory is a common data memory that at least one other security element or terminal device can access, each of which has an application, with this application being set up to communicate with the coin register for corresponding registration of electronic coin part data records.

A solution is therefore proposed here that issues digital money in the form of electronic coin data sets, which is based on the use of conventional (analog) banknotes and/or coins. The digital money is represented here by electronic coin data records. As with (analogue) banknotes, these electronic coin records will also be usable for all forms of payments, including peer-to-peer payments and/or POS payments. Knowing all the components (in particular the monetary amount and the obfuscation amount) of a valid electronic coin dataset is tantamount to owning (owning) the digital money. It is therefore advisable to treat these valid electronic coin data records confidentially, i.e. to store them in a security element/safe module (of an end device) and process them there, for example. In order to decide on the authenticity of an electronic coin record and to prevent double-spending, electronic coin data records masked in the coin register as a unique, corresponding public representation of the electronic coin data record. Knowing or possessing a masked electronic coin record does not constitute possession of money. Rather, it is like verifying the authenticity of the analog currency.

The coin register also contains, for example, markings about executed and planned processing of the masked electronic coin data set. A status of the respective masked electronic coin data record is derived from the markings for the processing, which indicates whether the corresponding (non-masked) electronic coin data record is valid, i.e. ready for payment. Therefore, a receiver of an electronic coin data record will first generate a masked electronic coin data record and have the validity of the masked electronic coin data record authenticated by the coin register. A major advantage of this solution according to the invention is that the digital money is distributed to terminals, dealers, banks and other users of the system, but no digital money or other metadata is stored in the coin register—that is, a common entity.

The proposed solution can be integrated into existing payment systems and infrastructures. In particular, there can be a combination of analog payment transactions with banknotes and coins and digital payment transactions according to the present solution. Thus, a payment process can take place with banknotes and/or coins, but the change or change is available as an electronic coin data set. For example, ATMs with an appropriate configuration, in particular with a suitable communication interface, and/or mobile terminals can be provided for the transaction. Furthermore, an exchange of the electronic coin data record for banknotes or coins is conceivable.

The steps of creating, switching, splitting, connecting and deactivating (returning) listed here are each triggered by a corresponding create, switching, splitting, connecting or deactivating command (return commands).

BRIEF SUMMARY OF THE FIGURES The invention and further embodiments and advantages of the invention are explained in more detail below with reference to figures, with the figures merely describing exemplary embodiments of the invention. Identical components in the figures are provided with the same reference symbols. The figures are not to be regarded as true to scale; individual elements of the figures may be exaggerated in size or exaggeratedly simplified.

Show it:

Fig.la,b an embodiment of a payment system according to the prior art; 2 shows an exemplary embodiment of a method flow chart of a method according to the invention;

3 shows an exemplary embodiment of a further development of that shown in FIG

process flow diagram;

4 shows an exemplary embodiment of a further development of that shown in FIG

process flow diagram;

5 shows an exemplary embodiment of a method flow chart of a method according to the invention in the first security element;

6 shows an embodiment of a system according to the invention;

7 shows an exemplary embodiment of a payment system, in particular a coin register;

Figure 8 illustrates one embodiment of a system in accordance with the invention for splitting and switching and direct transmission of electronic coin records;

9 shows an embodiment of a payment system according to the invention for connecting electronic coin data records;

10 shows an exemplary embodiment of a method flow chart of a method according to the invention and corresponding processing steps of a coin data record;

11 shows an exemplary embodiment of a method flow chart of a method according to the invention and corresponding processing steps of a coin data record;

12 shows an exemplary embodiment of a security element according to the invention; and

13 shows a system according to the invention.

FIGURE DESCRIPTION

1a and 1b show an exemplary embodiment of a payment system according to the prior art and already described in the introduction. It is repeatedly pointed out that the terminal M8 _{would like to register the coin data set C c} as the coin data set C _e in the coin register 4 and the coin register 4 determines that the coin data set C _b already is invalid. As a result, the coin register 4 accepts neither the supposedly valid coin data set C _c nor the coin data set C _{e to be switched over.}

The problem can occur if, for example, an attacker M1 passes the coin data record C _b directly to two participants M2 and M3. As soon as M2 registers the coin data record in the coin register 4, the coin data record C _b becomes invalid. Instead, an unsuspecting participant (terminal) M3 passes on the coin data set C _b directly without having it registered. Only terminal M8 breaks through the direct transmission chain, with coin register 4 recognizing the invalidity of coin data set C _b and double spending being recognized. A central bank (hereinafter synonymous with an issuing authority for the electronic coin data sets) therefore wants to limit the number of direct transmissions of coin data sets and, if an attack is detected, want to be able to track where the attack took place.

An attack (double issuing of an electronic coin data set) by M1 is therefore only discovered much later in the prior art and a large number of direct transmissions were carried out without permission. In addition, the risk of manipulation(s) being carried out on the electronic coin data set increases due to the large number of transactions in an electronic coin data set and also due to the increasing service life. It is therefore desirable for the coin data record to expire if a certain lifetime or total number of actions on/with the coin data record is exceeded.

The overall system according to the invention comprises an issuing entity (central bank), at least one payment system and a large number of participants, which are represented as security elements (terminals Mx). The payment system includes, for example, commercial banks and one (or more) central coin registers, which register the coin data sets and check and log the modifications to the coin data set. Another example of an overall system (system) is also shown in FIG.

2 shows an exemplary embodiment of a flow chart of a method according to the invention for transmitting 105 an electronic coin data record, hereinafter referred to as eMD, C, from a first security element SEI to a second security element SE2. The security elements SE are, for example, eUICC or chip cards.

The SEI may have received an eMD C from a less trustworthy entity, such as a terminal or machine or an online service, as a participant in the payment system. An import function is provided in the SEI for this purpose, for example. EMDs from such an insecure origin, especially not directly from another SE, are considered insecure and, upon receipt in the SE, are checked for validity using coin register 2 of the payment system. In optional step 104, the SEI registers the eMD C on itself, as will be explained below. In step 301, the SEI sets the status of the eMD C to "inactive" to start transmitting 105 the eMD C to the SE2. Optionally, the changed status in the coin register 4 is registered. The status is set, for example, in a data memory of the SEI. In addition (not shown), the SEI optionally creates a transaction data record consisting of a transaction number, a recipient address (here from SE2), a sending address (here from SEI) and a monetary amount of the eMD C and saves this in the SEI. The transmission 105 can be logged with the transaction data record and, in the event of an error, used for reversal (FIG. 4) or repetition (FIG. 3).

In step 302 the eMD C is sent to the SE2. For this purpose, a secure channel was set up between the SEI and the SE2, in the context of which both SEs authenticated each other. The transmission path between SEI and SE2 is not necessarily direct, but can be an Internet or a near-field communication path with intermediate entities (terminals, routers, switches, applications), which are summarized in Fig. 2 as the "Internet" cloud. By using SEs as a secure environment, a higher level of trust is generated, i.e. increased trustworthiness. A timer is started in optional step 303 at the same time as the transmission 302 or immediately before or after it. The eMD C invalidated in step 301 can no longer be used by the SEI for actions (as described below). The eMD is thus blocked in the payment system due to a transmission process 105 that has already been initiated (and has not yet ended). Double spending after the transmission step 302 is thus prevented. Invalidating allows for easy handling during the transfer process 105.

If the eMD C is properly received in the SE2, the SE2 generates an acknowledgment of receipt and sends it back to the SEI. The acknowledgment of receipt from the SE2 can be sent as a deletion request, because the eMD C can (may) only be validated and used in the SE2 after the eMD C has been deleted in the SEI.

In step 304, the SEI checks whether an acknowledgment of receipt has been received from SE2. According to FIG. 2, an acknowledgment of receipt was received, so that the SEI deletes the eMD C in step 305. Erasure of an eMD can be a move of the eMD to a storage area of the eMD that is considered an archive and presents the history of erased eMDs as archival retention. Alternatively, the eMD is physically erased from data storage. Since the eMD has already been successfully sent to the SE2, the monetary value of the eMD C was not destroyed but - as requested - transferred (transmitted).

In step 305a, the deletion of the eMD C from the SEI can optionally be indicated. For example, an amount displayed by the SEI (or a terminal device ME1 in which the SEI logically located) updated. For example, the monetary amount of the eMD C is subtracted from an amount of the SEI available for payment transactions. This process 300 assumes a controlling role, so that the deletion process initiated with step 305 is the reason for the updating of a user display, i.e. the fate of the eMD C controls a higher-level application that may be used.

In step 306, a deletion confirmation is sent to the SE2. This serves as an acknowledgment that the eMD C is no longer available in the SEI and can therefore be validated in the SE2. Upon receipt of the deletion confirmation in the SE2, the SE2 will change the status of the eMD C in the SE2 to an active status, the eMD C is thus validated and can be used for further payment transactions or actions (split, combine, switch) in the SE2 from this point in time .

Optionally, the SE2 sends an activation confirmation to the SEI in step 307. The transmission process 105 is thus completed and the eMD C has been successfully transmitted from the SEI to the SE2.

Optionally, the eMD C of the SE2 is switched to the SE2 in the coin register (see below), whereby the eMD C is registered to the SE2 (step 104).

Developments of the course of a transmission process 105 according to FIG. 2 are shown in each case in FIGS. 3 and 4 . The first steps 104, 301, 302 and 303 of FIG. 3 are identical to the steps 104, 301, 302 and 303 of FIG. 2 and are therefore not explained again here. In contrast to FIG. 2, the SE2 does not receive the eMD C (see end of the arrow in step 302).

The SE2 does not receive the eMD C on the first attempt to send 302. This indicates a transmission error, the causes of which (as described above) can be varied. For example, the SEI can lose an NFC connection to its own terminal M1C (not shown), the SE 2 can lose an NFC connection to its own terminal M2 or to the other terminal M1 (not shown), switch off a device or a transmission protocol error can occur . In all cases, the SE2 will not generate an acknowledgment of receipt.

The error is detected in the SEI, shown in Fig. 3 and Fig. 4 by checking 304, for example by exceeding a predefined period of time, indicated by the timer according to step 303 or by receiving an error message from SE2 or the terminal Ml or the other terminal M2 (not shown).

In step 308, a decision is then made as to whether the eMD C should be sent again or whether the transmission should be reversed. This decision may depend on the nature of the error or the number of retries (for example only X number of retries possible) and leads to different process sequences according to FIG. 3 or FIG. 4. In FIG. 3 it is decided to send the eMD C again. For this purpose, the transmission 105 is carried out according to steps 302 to 307 of FIG. 2, which are not repeated here due to the identical character to FIG. The transaction data record created for this purpose can help to repeat the transaction. However, a new transaction data record is preferably created with each transaction attempt in order to also log the failures and to be able to reconstruct or evaluate them later. The transmission process 105 is thus successfully completed with the second attempt and the eMD C has been successfully transmitted from the SEI to the SE2.

FIG. 4 shows an alternative process sequence to FIG. 3 from test step 308, namely for the case that the SEI decides (or has the requirement) that no repeat attempt is carried out, but that the process is reversed (rollback process). . In this case, the eMD C is reactivated by the SEI in step 309 and can be used/available again for transactions or actions in the SEI from this point in time.

Step 308 may include a verification step. For example, a counter value can be incremented with each new attempt to send (RETRY) and if a maximum permissible number of retries is exceeded, for example 10 or 5 or 3 times, a decision is made in step 308 automatically and independently of the error that no new attempt to send (RETRY) is carried out but the transmission 105 is to be ended as unsuccessful and the method according to FIG. 4 is to run.

Alternatively or additionally, step 308 can also be decided as a function of a detected error, so that a “fatal error” leads to a rollback of FIG. 4, but a connection error of an NFC communication leads to a repetition according to FIG.

Alternatively or additionally, step 308 can also be decided as a function of a generated error message.

The steps of FIGS. 3 and 4 are preferably carried out without querying a coin register, as a result of which the method does not require a connection to the coin register in order to carry out the transmission 105 .

In an alternative embodiment of the method, the status of the eMD is reported to the coin register 4 by the SEI in step 301 . With the checking step 304, a connection is established with the coin register 4 and a status query for the eMD C is carried out. If the coin register 4 continues to report an inactive status to the eMD C (registered on the SEI), no transaction error (manipulation attempt) is assumed and that Procedure continued as described. However, if the coin register 4 reports an active status to the eMD C or a registration to another SE, a transaction error (attempted manipulation) is assumed and the payment system is alarmed. The transaction data record of the SEI is used as evidence.

In a further alternative embodiment of the method, the status of the eMD is reported to the coin register 4 by the SEI in step 301 . If the SE2 does not receive a deletion confirmation after sending the confirmation of receipt, a connection is established with the coin register 4 and a status query is carried out on the eMD C. If the coin register 4 continues to report an inactive status to the eMD C (registered on the SEI), no transaction error (manipulation attempt) is assumed and an acknowledgment of receipt is sent again and the procedure then continues as described. However, if the coin register 4 reports an active status to the eMD C or a registration to the SEI or another SE, a transaction error (attempted manipulation) is assumed and the payment system is alarmed. A transaction data record from the SE2 is used as a receipt or the transaction data record from the SEI is requested for the eMD.

FIG. 5 shows a method sequence according to the invention of a transmission process 105 in an SEI, as has already been described in FIGS. 2 to 4.

Optionally, in step 301, an eMD is invalidated. In the following step 302 the eMD is sent. In optional step 303, a timer is started. Step 303 can optionally also be carried out before step 302. In a verify step 304, it is checked whether an acknowledgment of receipt has been received.

If step 304 is yes, in subsequent step 305 the eMD in the SEI is deleted from the SEI. Optionally, the deletion is displayed to the subscriber (user) in step 305a. In subsequent step 306, the SEI sends a deletion confirmation and in subsequent step 307 receives an activation confirmation. The yes case of step 304 depicts a successful transmission 105 .

If step 304 is no, a decision step 308 (also a check step) optionally follows in order to decide whether the transmission should be attempted again (no case of step 308) or whether transmission 105 should be terminated as unsuccessful ( Yes case of step 308). If step 308 is yes, the eMD is reactivated in subsequent step 309 and is available for transactions or actions in the SEI. If step 308 is no, the method from step 302 is repeated. This decision step 308 can also be omitted and a reversal or always a repeat can always be specified. As already explained in FIGS. 3 and 4, a counter value can be queried in step 308 in order to limit the number of retries to a predefined number.

The electronic coin data record can be requested in advance from an issuing entity and optionally received by a terminal or the issuing entity or a payment system. Steps 104 and 105 may correspond to steps 104 and 105 of FIG. An action (split, connect, switch, transfer, redeem, switch) on the eMD can correspond to one of the actions of FIGS. 6 to 12.

The display in step 305a can also be understood as reporting the eMD to the coin register 4 in order to track the transmission in the coin register.

A test value can also be entered as a data element in the eMD. This check value is incremented each time this coin data set is directly transmitted between terminals. A counter value can also be maintained or determined in the payment system, which includes the check value, for example as the sum of the previous (registered) counter value and the check value, in order to determine whether the coin data record is to be returned. Any action on the coin record increases this counter value. Different action types weight the counter value differently, so that, for example, a direct transfer of the coin data record has a higher weight than a modification (split, combine). In this way, the service life and the actions carried out in a coin data record are evaluated and criteria for its return are defined according to the actions carried out. The test value and also the counter value form the life cycle of the coin data set, which is then used to decide whether to return the coin.

6 shows an exemplary embodiment of a payment system with security elements SEI and SE2 according to the invention. The SEI and SE2 can be installed ready for operation in terminals M1 and M2 and be connected logically or physically.

In this case, an electronic coin data record Ci is generated in an issuing entity 1, for example a central bank. A masked electronic coin data record Zi is generated for the electronic coin data record Ci, provided with a concealed amount and registered as a coin register 4 in a “concealed electronic data record ledger”. In the context of this invention, a ledger is understood to be a list, a directory, preferably a database structure. The electronic coin data set Ci is output to a first terminal Ml.

For example, a genuine random number was generated as the concealment amount n. The concealment amount n is linked to a monetary amount Ui. An i-th electronic coin data set according to the invention could therefore read: Ci = {u,; r,j (1)

A valid electronic coin record can be used for payment. The owner of the two values Ui and r therefore owns the digital money. However, the digital money is defined by a pair consisting of a valid electronic coin data set and a corresponding masked electronic coin data set Zi. A masked electronic coin data set Zi is obtained by applying a homomorphic one-way function f (Si) according to equation (2):

Zi =f(C) (2)

This function f(Ci) is public, i.e. every system participant can call up and use this function. This function f(Ci) is defined according to equation (3):

Zi = Ό, - H + r, · G (3) where H and G are generator points of a group G in which the discrete logarithm problem is hard, with the generators G and H for which the discrete logarithm of the other base is unknown. For example, G and H are generator points of an elliptic curve encryption, ECC, - ie private keys of the ECC are. These generator points G and H must be chosen in such a way that the connection between G and H is not publicly known, so that:

G = n H (4) the link n must not be found in practice in order to prevent the monetary amount Ui from being manipulated and a valid Zi being able to be calculated. Equation (3) is a “Pederson commitment for ECC”, which ensures that the monetary amount Ui can be granted to a coin register 4, i.e. “committed”, without revealing it to the coin register 4. The public and remote coin register 4 is therefore only sent (revealed) the masked coin data set Zi.

Even if encryption based on elliptic curves is or is described in the present example, another cryptographic method which is based on a discrete logarithmic method would also be conceivable.

Due to the entropy of the amount of concealment n, equation (3) enables a cryptographically strong Zi to be obtained even with a small value range for monetary amounts Ui. Thus, a simple brute force attack by merely estimating monetary amounts Ui is practically impossible. Equation (3) is a one-way function, which means that computing Zi from Ci is easy because an efficient algorithm exists, whereas computing Ci from Zi is very difficult because there is no polynomial-time solvable algorithm.

In addition, equation (3) is homomorphic for addition and subtraction, i.e. the following applies: + Z _j = (v, H + r, G)+ (v _j H + h G) = (u, + u,) H (r, + h) G (5)

Thus addition operations and subtraction operations can be carried out both in the direct transaction layer 3 and also in parallel in the coin register 4 without the coin register 4 having knowledge of the electronic coin data records Ci. The homomorphic property of Equation (3) allows monitoring of valid and invalid electronic Münzdatensätzen Ci to lead on the sole basis of the masked Münzdatensätze Zi and to ensure that no new monetary amount U _j has been created.

Due to this homomorphic property, the coin data set Ci can be divided according to equation (1) into:

C i = C _j + C k = {v _j; r _j } + {vk; n} (6) where: v i = V j + V k (7) r i = /? + n (8)

For the corresponding masked coin data sets: Z, + Z* (9)

With Equation (9), for example, a "symmetrical or asymmetrical splitting" processing or a "symmetrical or asymmetrical splitting" processing step of a coin data set according to FIG. 8 or 11 can be checked in a simple manner, without the coin register 4 knowing , _Ck has. In particular, the condition of equation (9) is checked to validate split coin data sets and C _k and invalidate coin data set Ci. Such a partitioning of an electronic coin record Ci is shown in FIG. 8 or 11. FIG.

In the same way, electronic coin data sets can also be combined (connected), see Fig. 8 or 10 and the explanations thereto.

In addition, it is necessary to check whether (not permitted) negative monetary amounts are registered. An owner of an electronic coin data set Ci has to provide evidence to the coin register 4 that all monetary amounts r>i in a processing operation are within a value range of [0, n] without informing the coin register 4 of the monetary amounts u i . These range proofs are also called "range proofs". Ring signatures are preferably used as area verifications. For the present exemplary embodiment, both the monetary amount u and the obfuscation amount r of an electronic coin data set C are resolved in bit representation. The following applies:

Ui=Z ^a _j' 2 ^J for 0 < j < n and a _j e (0; 1 } (9a) and ri=Zb _j -2 ^J for 0 < j < n and b _j e (0; 1 } ( 9b)

A ring signature is preferably used for each bit

Cij- aj H + bj G (9c) and

Cij - aj H (9d), it being possible in one embodiment to carry out a ring signature only for certain bits.

In FIG. 6 an electronic coin data set Ci is generated by the issuer entity 1 and made available to the first security element SEI.

In FIG. 6, the electronic coin data set Ci is calculated by the issuing authority 1 using equation (3), a masked electronic coin data set Zi is calculated by the issuing authority 1 and this is registered in the coin register 4 together with at least the second check value pu. The transmission takes place wirelessly via WLAN, NFC or Bluetooth, for example. The transmission can be additionally secured by cryptographic encryption methods, for example by negotiating a session key or by using a PKI infrastructure.

In the second security element SE2, the transmitted electronic coin dataset Ci is received as Ci ^* . Upon receipt of the electronic coin data set Ci ^* , the SE2 is in possession of the digital money that the electronic coin data set Ci ^* represents. With the direct transmission, it is available to the SE2 for further actions. The method presented in FIGS. 2 to 4 is used for the transmission 105 . Due to the higher trustworthiness when using SEs, both SEI, SE2 can trust each other and in principle no further steps are necessary to end the transmission 105 . However, the SE2 does not know whether the electronic coin data set Ci* is actually valid. Further steps can be provided in the method to further secure the transmission, as will be explained below.

To check the validity of the received electronic coin data record Ci*, the masked transmitted electronic coin data record Zi* is calculated in SE2 using the—public—one-way function from equation (3). The masked, transmitted electronic coin data set Zi* is then transmitted to the coin register 4 and searched for there. If there is a match with a registered and valid masked electronic coin record, the validity of the received coin record Ci* is indicated to the SE2 and it is considered that the received electronic coin record Ci* is equal to the registered electronic coin record Ci. In one embodiment, the validity check can be used to determine that the received electronic coin data set Ci* is still valid, ie that it has not already been used by another processing step or in another transaction/action and/or has undergone further modification was.

A switching over of the received electronic coin data set preferably takes place afterwards.

It applies to the method according to the invention that the mere knowledge of a masked electronic coin data record Zi does not entitle the user to issue the digital money. The mere knowledge of the electronic coin data set Ci authorizes payment, i.e. to carry out a transaction successfully, in particular if the coin data set Ci is valid when the electronic coin data set Ci has an active status. As shown above, the status is preferably set to an active status only after receipt of the deletion confirmation from the SEI. There is a one-to-one relationship between the electronic coin data sets Ci and the corresponding masked electronic coin data sets Zi. The masked electronic coin data sets Zi are registered in the coin register 4, for example a public decentralized database. This registration first makes it possible to check the validity of the electronic coin data set, for example whether new monetary amounts have been (illegally) created.

A main distinguishing feature compared to conventional solutions is that the masked electronic coin data sets Zi are stored in the coin register 4 and all processing of the electronic coin data set Zi is registered there, whereas the actual transmission of the digital money is carried out in a (secret, i.e. not known to the public) Direct transaction layer 3 takes place. In order to prevent multiple dispensing or to ensure more flexible transmission, the electronic coin data records can now be processed in the method according to the invention. The individual operations are listed in Table 1 below, with the specified command also carrying out a corresponding processing step:

Table 1 - Number of operations per processing of a coin data set in the security element or

Editorial authority are feasible

Other operations not listed in Table 1 may be required, such as changing currency or cashing the monetary amount into an account. Instead of the implementation listed, other implementations are also conceivable which imply other operations. Table 1 shows that for each coin data set, each of the processing “Create”, “Return”, “Split”, “Connect” and “Switch” different operations “Create Signature”; "Create random number"; "Create Mask"; "Range check" can be provided, with each of the processing operations being registered in the coin register 4 and appended there in unalterable form to a list of previous processing operations for masked electronic coin data records Zi. The processing operations “Create” and “Return” an electronic coin data record are only carried out in secure locations and/or only by selected entities, for example the issuing entity 1, while the operations of all other processing operations are carried out on the terminals M1 to M3 or their security elements SEI, SE2, SE3 can be executed.

The number of operations for each processing is marked in Table 1 with "0", "1" or "2". The number “0” indicates that the security element or issuer entity 1 does not have to carry out this operation for this processing of the electronic coin data record. The number “1” indicates that the security element or the issuer entity 1 must be able to perform this operation once for this processing of the electronic coin data record. The number "2" indicates that the security element or the issuer entity 1 must be able to perform this operation twice for this processing of the electronic coin data record.

In principle, one embodiment can also provide for an area check to be carried out by the issuing authority 1 when creating and/or deleting. Table 2 below lists the operations required for coin register 4 for the individual processes: Table 2 - Number of operations that can be performed per processing of a coin record in the coin register

Other operations not listed in Table 2 may be required. Instead of the implementation listed, other implementations are conceivable which imply other operations. All of the operations in Table 2 can be carried out in the coin register 4 which, as a trustworthy entity, for example a decentralized server, in particular a distributed trusted server, ensures adequate integrity of the electronic coin data records.

Table 3 shows the components to be preferably installed for the system participants in the payment system of FIG. 1:

Table 3 - Preferred units in the system components Table 3 shows an overview of the components to be used preferably in each system participant, i.e. the issuer instance 1, a security element SEI and the coin register 4. The security element SEI can be used as a wallet for electronic coin data records Ci (with their test value pa pu) i.e. as an electronic purse , i.e. a data memory of the security element SEI, in which a large number of coin data records Ci can be stored, and implemented, for example, in the form of an application on a smartphone or IT system of a dealer, a commercial bank or another market participant and send an electronic coin data record or receive. Thus, the components in the security element as shown in Table 3 are implemented in software. The coin register 4 is believed to be based on a DLT and operated by a number of trusted market participants.

Fig. 7 shows an embodiment of a coin register 4 of the previous figures. FIG. 7 shows an exemplary database in the form of a table, in which the masked electronic coin data sets Zi and possibly their processing are registered. The coin register 4 is preferably arranged locally at a distance from the terminals M or their security elements SE and is accommodated, for example, in a server architecture.

Each processing operation for processing (creating, returning, symmetrical or asymmetrical splitting, connecting and switching) is registered in the coin register 4 and appended there in unalterable form to a list of previous processing operations for masked electronic coin data sets Zi. The individual operations or their test results, that is to say the intermediate results of processing, are recorded in the coin register 4 .

The “Create” and “Return” processings confirming the existence of the monetary amount u, _. per se, meaning the creation and destruction of money, require additional approval by the issuing authority 1 in order to be registered (ie logged) in the coin register 4 . The other processing operations (dividing, connecting, switching) do not require authorization by the issuer entity 1 or by the command initiator (=payer, for example the terminal or the security element).

A registration of the respective processing in the coin register 4 is implemented, for example, by corresponding list entries in the database according to FIG. Each list entry has additional markings 25 to 28 that document the intermediate results of the respective processing that must be carried out by the coin register 4 and a status display 29 that the coin register 4 logs. The markings 25 to 28 are preferably used as an aid and are discarded by the coin register 4 after the commands have been completed. What remains are markings on the validity of the (masked) electronic coin data records from columns 22a, 22b, 23a and/or 23b. These marks are one upon receipt Processing command, for example, in the status and are set to the status "1" after all tests have been successfully completed and to the status "0" if at least one test has failed. A possible structure for a list entry of a coin data record includes, for example, two columns 22a, 22b for a predecessor coin data record (Ol, 02), two columns 23a, 23b for a successor coin data record (Sl, S2), a signature column 24 for signatures from Issuer instance(s) 1 and signatures of terminals M, and four marking columns 25 to 28. Each of the entries in columns 25 to 28 has three alternative states "1" or "0". Column 25 (O-Flag) indicates whether a validity check on an electronic coin record in column 23a/b was successful, with status "1" meaning that a validity check revealed that the electronic coin record in column 23a/b is valid and the state "0" indicates that a validity check revealed that the electronic coin record of column 23a/b is invalid and the state indicates that a validity check has not yet been completed. Column 26 (C-Flag) indicates whether the calculation of the masked electronic coin record was successful, where state "1" means that a calculation was successful and state "0" indicates that calculation was unsuccessful and the state indicates that a validity check is not yet completed.

For example, the calculation to be performed in column 26 is:

(Zoi + Z02) - (Zsi + Zs2) == 0 (10)

Column 27 (R-Flag) indicates whether a check of the area evidence or the area evidence was successful, with the status "1" meaning that a validity check showed that the area evidence or the area evidence can be or is reproducible and the status "0" indicates that a validity check revealed that the area evidence or the area evidence could not or could not be reproduced and the status indicates that a validity check is not yet completed, was successful.

Column 28 (S-Flag) indicates whether a signature of the electronic coin data record matches the signature in column 24, with status "1" meaning that a validity check showed that the signature could be identified as that of issuing authority 1 and the "0" state indicates that a validity check revealed that the signature could not be identified as that of the issuing authority and the state indicates that a validity check has not yet been completed.

A change in the markings (also referred to as “flags”) requires the approval of the coin register 4 and must then be stored in the coin register 4 in an unchangeable manner. Processing is final if and only if the required marks 25 through 28 are passed the coin register 4 have been validated, ie changed from status "0" to status "1" or status "1" after the corresponding check.

To determine if a masked electronic coin record Z is valid, the coin register 4 looks for the last change affecting the masked electronic coin record Z. It applies that the masked electronic coin data record Z is valid if and only if the masked electronic coin data record Z is listed in one of the successor columns 23a, 23b for its last processing and this last processing has the corresponding final marking 25 to 28. It also applies that the masked electronic coin data record Z is valid if and only if the masked electronic coin data record Z is listed in one of the predecessor columns 22a, 22b for its last processing and this last processing failed, i.e. at least one of the correspondingly required states of markers 25 to 28 is set to "0".

It also applies that the masked electronic coin data record Z is not valid for all other cases, for example if the masked electronic coin data record Z is not found in the coin register 4 or if the last processing of the masked electronic coin data record Z was in one of the successor columns 23a , 23b but this last processing never became final or if the last processing of the masked electronic coin data set Z is in one of the predecessor columns 22a, 22b and this last processing is final.

The checks by the coin register 4 to check whether processing is final are represented by columns 25 to 28: The status in column 25 indicates whether the masked electronic coin record(s) according to predecessor columns 22a, 22b are valid are. The status in column 26 indicates whether the calculation of the masked electronic coin record according to equation (10) is correct. The status in column 27 indicates whether the area verifications for the masked electronic coin records Z could be verified successfully. The status in column 28 indicates whether the signature in column 24 of the masked electronic coin data record Z is a valid signature of the issuing authority 1.

In the case of symmetrical splitting, the modification “split” can be provided in column 24 for a signature generated by a terminal M1 to M3 or its SE to be entered in order to check or document the validity of a masked partial coin data record.

The status "0" in a column 25 to 28 indicates that the check was unsuccessful. The status "1" in a column 25 to 28 indicates that the check was successful. The status in a column 25 to 28 indicates that no check has taken place. The states can also have a different value, as long as there is a clear difference between success and failure test can be differentiated and it can be seen whether a specific test has been carried out.

Column 29 is provided to log a status of the coin record when directly transmitted between two SEs. The status is set in the SE and is reported to the coin register 2, as shown in FIGS. The status can have two states, Inactive "0" and Active "1", where an inactive coin record is not usable for any transaction or action since it is already part of a transfer process 105 .

Five different types of processing are defined as examples, which are explained in detail here. Reference is made to the corresponding list entry in FIG.

One processing is, for example, “creating” an electronic coin data record Ci. The generation in the direct transaction layer 3 by the issuer entity 1 includes choosing a monetary amount Ui, creating an obfuscation amount r, as already described with equation (1). As shown in FIG. 7, no entries/markings are required in columns 22a, 22b, 23b and 25 to 27 or 29 during the "generate" processing. The masked electronic coin data set Zi is registered in the successor column 23a. This registration preferably takes place before the transmission to a terminal M1 to M3 or its SE, in particular or already during the generation by the publishing entity 1, with equation (3) having to be carried out in both cases. The masked electronic coin data record Zi is signed by the issuing authority 1 when it is created, this signature is entered in column 24 to ensure that the electronic coin data record Ci was actually created by an issuing authority 1, with other methods also being possible. If the signature of a received Zi matches the signature in column 24, the marking in column 28 is set (from "0" to "1"). The markings according to columns 25 to 27 do not require a status change and can be ignored. The proof of area is not required since the coin register 4 trusts that the issuing authority 1 will not issue any negative monetary amounts. In an alternative embodiment, however, it can also be sent by the issuer instance 1 in the create command and can be checked by the coin register 4 . The status in column 29 is set to Active.

An example of processing is “Return”. The return, ie the money destruction, causes the masked electronic coin data set Zi to become invalid after the issuer entity 1 has successfully executed the return command. It is therefore no longer possible to further process the (masked) electronic coin data set to be returned in the coin register 4 . To avoid confusion, the corresponding (unmasked) electronic coin records Ci in the direct transaction layer 3 should be deleted. When "returning" the predecessor column 22a is written with the electronic coin data record Zi, but no successor column 23a, 23b is occupied. The masked electronic Coin data record Zi is to be checked when deactivating whether the signature matches the signature according to column 24 in order to ensure that the electronic coin data record Ci was actually created by an issuing authority 1, although other means can be used for this check. If the signed Zi, which is also sent in the return command, can be confirmed as signed by the issuer authority 1, the marker 28 is set (from "0" to "1"). The markings according to columns 26 to 27 do not require a status change and can be ignored. The markings according to columns 25 and 28 are set after appropriate examination. The status according to 29 is set to inactive.

An example of processing is “splitting”. The division, i.e. the division of an electronic coin data record Zi into a number n, for example 2, of electronic partial coin data records Z _j and Z _k takes place first in the direct transaction layer 3, as is shown in FIGS. 8 and 10, with the monetary amounts U _j and the concealment amount h are generated. V _k and r _k are given by equations (7) and (8). The markings 24 to 27 are set in the coin register 4, the predecessor column 22a is written with the electronic coin data set Zi, the successor column 23a is written with Z _j and the successor column 23b is written with Z _k . The status changes required according to columns 24 to 27 take place after the corresponding check by the coin register 4 and document the respective check result. The marking according to column 28 is ignored. Column 24 is used to enter a signature generated by the splitting terminal M1 to M3 or its SE. The status in column 29 is (remains) set to "Active".

An example of processing is "connecting". The connection, i.e. the joining together, of two electronic coin data sets Zi and Z _j to form an electronic coin data set Z _m takes place first in the direct transaction layer 3, as shown in FIG. 10, with the monetary amount u _m and the concealment _{amount r m being} calculated . The markings 25 to 27 are set in the coin register 4, the predecessor column 22a is written with the electronic coin data record Zi, the predecessor column 22b is written with Z _j and the successor column 23b is written with Z _m . The marks in columns 25 through 27 require status changes and coin register 2 performs the appropriate checks. Proof of area must be provided to show that no new money was generated. The marking according to column 28 is ignored. The column 24 is used to enter a signature generated by the connecting terminal M1 to M3 or its SE. The status in column 29 is (remains) set to "Active".

An example of processing is “toggle”. Switching is suggested if an electronic coin data set has been transferred to another end device Mx or its SEx. When switching over, also called “switch”, the electronic coin data record C _{k received} from the first terminal M1 or SEI is exchanged for a new electronic coin data record Ci with the same monetary amount. The new electronic coin dataset Ci is dated second terminal M2 or SE2 generated. This switchover is a further possibility for _{invalidating (making invalid) the electronic coin data set C k received} from the first terminal M1 or SEI, thereby avoiding the same electronic coin data set C _k being issued again. The switching is effected for example by adding a new fogging amount r to _add fogging amount r _k of the obtained electronic Münzdatensatz C _k, n is obtained whereby a fogging amount, known only to the second terminal M2 or the SE2. This can also be done in the coin register 4. In order to prove that only a new fogging amount r _add to the fogging amount r _k of the masked received electronic Münzdatensatzes Z was added to _k, the monetary amount is, however, remained the same, and therefore, equation (11): v k = true (11), so must the second Terminal M2 or the SE2 can prove that Zi-Z _{k can be represented} as a scalar multiple of G, ie as r _add *G. This means that only one obfuscation _{amount r add was} generated and the monetary amount of Zi is equal to the monetary amount of Z _k , i.e. Zi=Z _k +r _add *G. This is done by creating a signature with the public key Zi-Z _k =r _add *G.

The modifications "split" and "connect" to an electronic coin data record can also be delegated from a terminal M1 or SEI to another terminal M2, M3 or SE2, SE3, for example if a communication link to the coin register 4 is not available.

FIG. 8 shows an exemplary embodiment of a payment system according to the invention for the “split”, “connect” and “switch” actions of electronic coin data records C. In Fig. 8 the first terminal Ml or SEI has received the Münzdatensatz Ci and now wants a pay transaction do not perform _k with the total monetary amount Ui, but only a partial amount V. To do this, the coin data set Ci is divided. To do this, the monetary amount is first divided:

V, = Vj + Ok (12)

Each of the received amounts U _j , U _k must be greater than 0 because negative monetary amounts are not permitted.

In a preferred embodiment, the monetary amount Ui is divided symmetrically into a number n of equal monetary partial amounts Uj.

_{Vj =} vj/n (12a) The number n is an integer greater than or equal to two. For example, a monetary amount of 10 units can be divided into 2 installments of 5 units (n=2), or 5 installments of 2 units each (n=5), or 10 installments of 1 unit each (n=10).

In addition, new concealment amounts are derived: r, /? n (13)

If it is split symmetrically, an individual, unique concealment amount h is formed in the terminal Ml or the SEI for each coin portion, the sum of the number n of concealment amounts h of the coin portion data sets being equal to the concealment amount r, of the divided coin data set: r = lk = irj_k (13a)

In particular, it applies that the last partial amount of concealment h_ _{h is} equal to the difference between the amount of concealment n and the sum of the remaining partial amounts of concealment:

In this way, the obfuscation can h_i amounts to r, _n -i be arbitrarily selected and the procedure of the equation (13a) is by means of appropriate calculation of the "last" h_ individual fogging amount satisfies _h.

In the case of an asymmetric splitting, masked coin data sets Zj and Zk are obtained from the coin data sets C _k and C k according to equation (3) and registered in the coin register 4 . For the splitting, the predecessor column 22a is written with the coin data set Zi, the successor column 23a with Zj and the successor column 23b with Zk. Additional information for the area proof (zero-knowledge-proof) must be generated. The marks in columns 25 through 27 require a status change and coin register 4 performs the appropriate checks. Column 28 marking and Column 29 statuses are ignored.

In the case of symmetrical splitting, a signature is calculated in the respective terminal or SE. For this purpose, the following signature key sig is used for the k-th partial coin data set _k _{: sig = r, nr jk} (13c) Where n is the number of symmetrically divided coin part data sets. In the case of symmetrical splitting, the signature of the k-th partial coin data set _k can be checked according to (13c) with the following verification key Sig:

Sig = Zi - n _Zj (13d)

Where Z _{jk is} the masked k-th coin part data set and n is the number of symmetrically divided coin part data sets. This simplification results from the connection with equation (3):

Zi - n Z _j = (Oi- n V _jk )-H + fr,- nr _jj JG where the symmetry properties of the partition mean that:

( - n V _jk )-H = 0 so Equation 13e simplifies to:

Zi - n Z _jh = (r, - nr _jk )-G

(13g)

The simplification based on Equation 13f makes it possible to completely dispense with zero-knowledge proofs, which means that the use of a symmetrical distribution saves an enormous amount of computing power and data volume.

A partial coin data set, here C _k , is then transmitted from the first terminal M1 or SEI to the second terminal M2 or SE2. To prevent double spending, a switching operation makes sense in order to exchange the electronic coin data set C _{k received} from the first terminal M1 or SEI for a new electronic coin data set Ci with the same monetary amount. The new electronic coin data set Ci is generated by the second terminal M2 or SE2. The monetary amount of the coin data record Ci is adopted and not changed, see equation (11).

Then, according to equation (14) is a new fogging amount r r _add to the amount added concealment _k of the obtained electronic Münzdatensatz C _k, whereby an obfuscation amount n is obtained, which only the second terminal M2 knows. To prove Elm that only a new fogging amount r _add to the fogging amount r _k of the obtained electronic Münzdatensatz Z was added to _k, the monetary amount is, however, remained the same (u _k = ui), may have to the second terminal M2 prove to that Zi-Z _{k can be represented} as a multiple of G. This is done using the public signature R _add according to equation (15): Radd add V ^'G (15)

Zi- Zk=(vi-Vk) *H+(rk+r _add -n ) *G where G is the generator point of the ECC. Then, the coin data Ci to be switched is masked by the equation (3) to obtain the masked coin data Zi. _{The private signature r add} can then be used in the coin register 4, for example to sign the masked electronic coin data set Zi to be switched over, which is considered proof that the second terminal M2 or SE2 has only added an obfuscation _{amount r add} to the masked electronic coin data set and none additional monetary value, ie vi = Vk.

The proof is as follows:

Z _{k = V k} H + h G (16)

9 shows an embodiment of a payment system according to the invention for connecting (also called combining) electronic coin data sets. The two coin data sets Ci and are received in the second terminal M2 or SE2. Based on the splitting according to FIG. 8, a new coin data set Z _m is now obtained by adding both the monetary amounts and the concealed amount of the two coin data sets Ci and Ci. Then the obtained coin data C _{m to be connected is} masked and the masked coin data Z _m is registered in the coin register 4 . Then, when “connecting”, the signature of the second terminal M2 or SE2 is entered, since this has received the coin data sets Ci and .

In the case of a combination by the payment system 2, the highest of the two individual check values of the respective electronic partial coin data records Ci and Ci is determined. This highest check value is adopted as the check value Ci and the combined electronic coin record.

Alternatively, when combining (=connecting), a payment system 2 determines a new check value from the sum of all check values of the electronic coin part data records Ci and divides it by the product of the number (here two) of the coin part data records Ci and with a constant correction value. The correction value is constant throughout the system. The correction value is greater than or equal to 1. The correction value is preferably dependent on a maximum deviation of the individual test values of the electronic coin part data sets Ci and/or on a maximum test value of one of the electronic coin part data sets Ci and . More preferred is the Correction value less than or equal to 2. This new check value is accepted as the check value of the combined electronic coin data set C _m .

In the following, FIGS. 10 and 11 are described together in order to explain the actions “Create”, “Transfer”, “Switch”, “Connect” and “Split”. In the optional steps 101 and 102, a coin data record is requested and provided by the issuing entity 1 to the first terminal M1 or SEI after the electronic coin data record has been created. A masked electronic coin record is sent to coin register 4. In step 103, the received electronic coin data set Ci is masked according to equation (3). Then in step 104 the masked electronic coin data Zi is registered in the coin register 4 . Optionally, the terminal Ml or SEI can switch the received electronic coin data set. In step 105, the coin data record Ci is transmitted in the direct transaction layer 3 to the second terminal M2 or SE2 according to the method of FIGS If the coin register 4 confirms the validity of the coin data record Zi or Ci.

In step 108, a received coin data set C _k is switched over (the received coin data set Ci could of course also be switched over) to a new coin data set Ci, whereby the coin data set C _k becomes invalid and double dispensing is prevented. For this purpose, the monetary amount vu of the transmitted coin data record C _{k is used} as the "new" monetary amount Oi. In addition, as already explained with equations (14) to (17), the concealment amount n is created. The additional obfuscation _{amount r add} is used to prove that no new money (in the form of a higher monetary amount) was generated by the second terminal M2 or SE2. Then the masked coin data set Zi to be switched over is sent to the coin register 4 and the switching over from C _k to Ci is instructed.

In step 108 ', the corresponding examination in the Münzregister carried 4. In this case, Z is _k in the gaps 22a as shown in Table in Fig. Recorded 2 and in column 23b of the rewritten Münzdatensatz Zi. If it is effected then a check in the Münzregister 4 if Z _k is (still) valid, i.e. whether the last processing of Z _{k is} entered in one of the columns 23a/b (as proof that Z _{k was} not further split or returned or joined) and whether a test for the last processing failed . In addition, Zi is entered in column 23b and the markings in columns 25, 26, 27 are initially set to "0". A check is now made as to whether Zi is valid, in which case the check according to equations (16) and (17) can be used. If it is good, the mark in column 25 is set to “1”, otherwise to “0”. A check is now carried out, the calculation according to equation (10) shows that Z _k and Zi are valid and the marking in column 26 is set accordingly. Furthermore, it is checked whether the areas are conclusive, then the marking is set in column 27. If all tests were successful, and this is recorded in the coin register 4 in an unchangeable manner been switched, the coin data set is considered switched. Ie the coin data set C _k is no longer valid and the coin data set Ci is valid immediately.

In step 109, two coin data records C _k and Ci are connected to form a new coin data record C _m , as a result of which the coin data records C _k , Ci become invalid and double dispensing is prevented. For this purpose, the monetary amount u _m is formed from the two monetary amounts and U _k Ui. For this purpose, the concealment amount r _{m is formed} from the two concealment amounts r _k and n. _{In addition, the masked coin data set Z m} to be connected is obtained by means of equation (3) and this (together with other information) is sent to the coin register 2 and connection is requested as processing. In addition, a signature S _k and a signature Si are generated and communicated to the coin register 2 .

In step 109', the corresponding check is carried out in the coin register 4. In this case, Z _{m is} entered in the column 23b according to the table in FIG. The coin register 4 then checks whether Z _k and Zi are (still) valid, _{i.e. whether the last processing of Z k} or Zi is entered in one of the columns 23a/b (as proof that Z _k and Zi were not further split or disabled or merged) and whether a check for the last processing failed. In addition, the markings in columns 25, 26, 27 are initially set to "0". A check is now made as to whether Z _{m is} valid, in which case the check according to equations (16) and (17) can be used. If it is good, the mark in column 25 is set to “1”, otherwise to “0”. A check is now carried out, the calculation according to equation (10) shows that Zi plus Z _{k is} equal to Z _m and the marking in column 26 is set accordingly. Furthermore, it is checked whether the areas are conclusive, then the marking is set in column 27.

In step 110, a coin data set Ci is asymmetrically divided into two partial coin data sets C _k and , whereby the coin data set Ci is invalidated and the two asymmetrically divided partial coin data sets C _k and are to be validated. In an asymmetric splitting the monetary amount Ui is divided into different sized part monetary amounts U _k and U _j. For this purpose, the concealment amount r i is divided into the two concealment amounts r _k and h. In addition, the masked coin part data sets Z _k and Z _j are obtained using equation (3) and sent to the coin register 4 with further information, for example the range checks (zero-knowledge proofs), and the splitting is requested as processing.

In step 110', the corresponding check is carried out in coin register 4. Z _j and Z _{k are} entered in columns 23a/b according to the table in FIG. A check is then carried out in the coin register 4 to determine whether Zi is (still) valid, i.e. whether the last processing of Zi is entered in one of the columns 23a/b (as proof that Zi was not further divided or deactivated or connected) and whether a check for the last processing failed. In addition the markings in columns 25, 26, 27 are initially set to "0". A check is now made as to whether Z _j and Z _{k are} valid, in which case the check according to equations (16) and (17) can be used. If it is good, the marking in column 25 is set to "1". A check is now carried out, the calculation according to equation (10) shows that Zi is equal to Z _k plus Z _j and the marking in column 26 is set accordingly. Furthermore, it is checked whether the areas are conclusive, then the marking is set in column 27.

FIG. 12 shows an exemplary embodiment of a device M1 according to the invention, into which the SEI is introduced. The device Ml can store electronic coin data records Ci in a data memory 10, 10'. The electronic coin data sets Ci can be on the data memory 10 of the device M1 or be available in an external data memory 10'. When using an external data memory 10', the electronic coin data records Ci could be stored in an online memory, for example a data memory 10' of a provider for digital purses. In addition, private data storage, for example a network-attached storage, NAS could also be used in a private network.

In one case, the electronic coin record Ci is presented as a hard copy. The electronic coin data record can be represented by a QR code, an image of a QR code, or a file or a character string (ASCII).

The device Ml has at least one interface 12 available as a communication channel for issuing the coin data set Ci. This interface 12 is, for example, an optical interface, for example for showing the coin data set Ci on a display unit (display), or a printer for printing out the electronic coin data set Ci as a paper printout. This interface 12 can also be a digital communication interface, for example for near-field communication such as NFC, Bluetooth, or an Internet-enabled interface such as TCP, IP, UDP, HTTP or access to a chip card as a security element. This interface 12 is a data interface, for example, so that the coin data record Ci is transmitted between devices via an application, for example an instant messenger service, or as a file or as a character string.

In addition, the interface 12 or another interface (not shown) of the device M1 is set up to interact with the coin register 4. For this purpose, the device M1 is preferably online-capable.

In addition, the device Ml also have an interface for receiving electronic coin data records. This interface is set up to receive visually presented coin data sets, for example using a detection module such as a camera or scanner, or digitally presented coin data sets, received via NFC, Bluetooth, TCP, IP, UDP, HTTP or coin data sets presented using an application. The device M1 also includes a computing unit 13 which can carry out the method described above for masking coin data sets and the processing of coin data sets.

The device Ml is online capable and can preferably recognize by means of a location detection module 15 when it is connected to a network such as WLAN. A specific network can optionally be marked as preferred (=location zone), so that the device M1 only performs special functions if it is registered in this network. Alternatively, the location recognition module 15 recognizes when the device M1 is in predefined GPS coordinates including a defined radius and performs the special functions according to the location zone defined in this way. This location zone can either be introduced manually into the device M1 or via other units/modules into the device M1. The special functions that the device Ml performs when recognizing the location zone are, in particular, the transmission of electronic coin data records from/to the external data memory 10 from/to a vault module 14 and, if necessary, the transmission of masked coin data records Z to the coin register 4, for example within the framework of the above-mentioned processing of a coin data set.

In the simplest case, all coin data sets Ci are automatically linked to form a coin data set in terminal M1 upon receipt (see link processing or link step). That is, as soon as a new electronic coin data set is received, a connect or toggle command is sent to the coin register 4. The device M1 can also prepare electronic coin data records in algorithmically defined denominations and keep them in the data memory 10, 10', so that a payment process is also possible without a data connection to the coin register 4.

An overall system is shown in FIG. 13 for better understanding. The overall system according to the invention includes an issuing authority (central bank) la. In addition, further issuer instances lb, lc can be provided which, for example, issue electronic coin data records in a different currency. In addition, at least one payment system 2 is shown, in which at least one coin register 4 is provided as the central administrator of the payment system. In addition, a large number of participants, which are shown as terminals Mx (with respective SEx), are provided. The payment system 2 includes, for example, commercial banks and one (or more) central coin register 4, which registers the coin data sets Ci and checks and logs the modifications to the coin data set Ci.

The terminals Ml to M6 can directly exchange coin data records Ci in the direct transaction layer 3. For example, terminal M5 transmits a coin record to terminal M4. For example, terminal M4 transmits the coin record to terminal M3. For example, the terminal M6 transmits a coin data set to the terminal Ml. In each transmitting terminal Mx or each receiving terminal Mx, the test value of the data to be sent or used to be received coin data set to check whether the coin data set is displayed in the payment system and / or whether the coin data set is to be returned to the issuing authority la, see Fig. 2 to 4. The payment system 2 checks, for example, using the test value or one derived from the test value counter value for each coin record whether or not to return the coin record, see Figure 5 for more details.

In FIG. 13, a coin data record is transmitted from the terminal M1 to the terminal M2 via the payment system 2 (indirect transfer), as is described in FIGS. 2 to 4 (step 105).

Within the scope of the invention, all of the elements described and/or drawn and/or claimed can be combined with one another as desired.

REFERENCE LIST

1, la-c Publisher or Bank

2 payment system

21 command entry

22a, b Entry of an electronic coin data set to be processed (predecessor)

23a, b Entry of a processed electronic coin data set (successor)

24 signature entry

25 Validation Mark

26 Marking of calculation check

27 Area Evidence Check Mark

28 Marking of signature verification

29 Status Display

3 direct transaction layer

4 coin registers

5 application shared purse 10, 10' data storage

11 ad

12 interface

13 unit of account

14 vault module

15 Location Awareness Module

Mx xth device

Ci electronic coin data set, C _k split electronic coin part data set, k kth split electronic coin part data set with symmetrical split

Ci Electronic coin data record to be switched

Cm electronic coin record to be connected

Zi Masked Electronic Coin Record

Zj, Zk Masked Split Electronic Coin Part Record

Zi masked toggling electronic coin record

Z _m masked electronic coin record to be connected

S Signed Masked Electronic Coin Record

SEx umpteenth security element

Wow, monetary amount

Uj, Uj Divided monetary amount ui _, Monetary amount of an electr. to be switched/switched. Coin data set To, Monetary amount of an electr. to be connected/connected. Coin record n number of symmetrically split coin part records n spoof amount, random number h,h spoof amount of a split electronic coin record r _m spoof amount of an electronic coin record to be connected(s).

Ci* transmitted electronic coin record ^* , C _k ^* transmitted split electronic coin part record,

Zi ^* Masked Transmitted Electronic Coin Record Zj*, Z _k ^* Masked Transmitted Split Electronic Coin Record f(C) Homomorphic One-Way Function [Zi]Sig(PKi) Issuer Authority Signature

301-309 method steps in the security element according to an embodiment

Claims

PATENT CLAIMS

1. A method (105) in a first security element (SEI) for transmitting an electronic coin data record (C) to a second security element (SE2), the electronic coin data record (C) being registered in a coin register (4) of a payment system (2). (104), with the process steps:

- setting (301) a status of the electronic coin data set (C) from the first security element (SEI) to an inactive status,

- Sending (302) the electronic coin data set (C) from the first security element (SEI) to the second security element (SE2),

- Checking (304) whether an acknowledgment of receipt from the second security element (SE2) was received in the first security element (SEI); and

- Deleting (305) the transmitted electronic coin data set (C) if the checking step (304) shows that the acknowledgment of receipt was received from the first security element (SEI).

2. The method (105) according to claim 1, wherein at least one of the security elements (SEI, SE2) is introduced into a device (M1, M2) ready for operation.

3. The method (105) of claim 1 or 2, wherein the setting (301) of the status occurs immediately before or after the sending step (302).

4. The method (105) according to any one of the preceding claims, wherein the electronic coin data set (C) is sent cryptographically secured.

5. The method (105) according to any one of the preceding claims, wherein a transaction data set relating to the transmitted electronic coin data set (C) is stored in the first security element (SEI), preferably stored non-volatile.

The method (105) of claim 5, wherein the transaction record comprises at least:

- a transaction number,

- an identifier or address of the first security element (SEI),

- an identifier or address of the second security element (SE2), and

- an amount of the electronic coin record (C).

7. The method (105) according to claim 5 or 6, wherein in the event of a transmission error, the electronic coin data record (C) is resent (302) on the basis of the stored transaction data record.

8. The method (105) according to any one of the preceding claims, wherein after the deleting step (305) a successful transmission is indicated (305a) in the first security element.

9. The method (105) according to claim 8, wherein in the display step (305a) the electronic coin data record (C) is evaluated as an input parameter of an application (5) of a terminal (MI) containing the first security element (SEI).

10. The method (105) according to any one of the preceding claims, wherein the first security element (SEI) allows the second security element (SE2) or the coin register (4) to delete (305) the sent coin data record (C) after the deletion step (305 ) indicates (306).

11. The method (105) according to any one of the preceding claims, wherein the second security element (SE2) changes a status of the electronic coin data set (C) after the deletion step (305), preferably after the display step (305a), to an active -Status sets.

12. The method (105) according to any one of the preceding claims, wherein a status of the transmitted electronic coin data set (C) in the first security element (SEI) is reset to an active status in the event of a transmission error.

13. The method (105) according to any one of the preceding claims, wherein the first security element (SEI) queries a status of the transmitted electronic coin data record (C) from the coin register (4) in the event of a transmission error and:

- If the sent electronic coin data record (C) is registered on the first security element (SEI), a status of the sent coin data record (C) in the first security element (SEI) is reset by the first security element (SEI) to an active status; and

- In the event that the transmitted electronic coin data record (C) is not registered on the first security element (SEI), a transaction error is reported to the coin register (4) by the first security element (SEI).

14. The method (105) according to any one of the preceding claims, wherein the second security element (SE2) queries a status of the transmitted electronic coin data set (C) from the coin register (4) in the event of a transmission error and:

- If the transmitted electronic coin data record (C) is registered on the first security element (SEI), the transmitted coin data record (C) in the second security element (SE2) is deleted by the second security element (SE2); and - In the event that the transmitted electronic coin data record (C) is not registered on the first security element (SEI), a transaction error is reported to the coin register (4) by the second security element (SE2).

15. The method (105) according to any one of the preceding claims, wherein if the confirmation of receipt is not received, the first security element (SEI) re-registers the sent coin data set (C) in the coin register (4).

16. Having a security element (SE):

- a processing unit (13) set up for transmitting electronic coin data records (C) according to a method of claims 1 to 15

- Means for accessing a data memory (10, 10'), wherein in the data memory (10,

10') at least one electronic coin data record (C) is stored; and

- An interface (12) set up to output the at least one electronic coin data set (C) to another security element (SE2).

17. A terminal (Ml) with a security element (SE) according to claim 16, wherein the interface (12) is set up to output the at least one electronic coin data record (C) to the other security element (SE2) via an interface of the terminal (Ml) .

18. A payment system (2) having a coin register (4), at least one terminal (Ml) according to claim 17 and an issuing entity (1) which is designed to create an electronic coin data record (C) for the payment system (2), wherein a first security element (SEI) for executing the method (100) according to one of Claims 1 to 15 is set up in the terminal (M1).

19. A coin register (4) for a payment system (2), wherein the coin register (4) is set up to register (104) electronic coin data records (C) according to the method according to one of claims 1 to 15.