JPH09128465A - Electronic cashing method aided by trust organization - Google Patents

Abstract

PROBLEM TO BE SOLVED: To reduce the information processing quantity when issuing electronic paper moneys to reduce the information processing quantity when issuing utilization permits by dividing the procedure for issuing electronic paper moneys into the issue procedure of utilization permits and the issue procedure of electronic paper moneys. SOLUTION: A trust organization 100 can divide its function into plural organizations as well and a user 200 registers anonymous open information on the trust organization 100. When the name of the user is confirmed, the trust organization 100 delivers the anonymous open information with signature corresponding to the information. The user 200 preserves the anonymous open information and the signature of the trust organization 100 as the utilization permit. Besides, the trust organization 100 secretly manages the correspondence between the name of the utilized company and the anonymous open information. Only when the reliable third person (a court, for example,) requests the investigation of flow of information, the trust organization 100 opens the correspondent relation between the anonymous open information and the user's name to the public. Further, the issue procedure of electronic paper moneys is divided into the issue procedure of the utilization permits and the issue procedure of electronic paper moneys.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an electronic cash method for realizing electronic cash using a telecommunication system.

[0002]

2. Description of the Related Art Electronic cash is widely used in the form of an IC card as a wallet for electronic cash (electronic wallet). In that case, it is desirable that the electronic cash is stored in the electronic wallet in a form that the information itself becomes electronic cash without depending on any physical medium.

One implementation of electronic cash is a method of ensuring security by physical means. For example, a prepaid card using a magnetic card such as a telephone card is based on the fact that it is difficult to physically copy the magnetic state on the card to another card. However, this safety premise changes significantly with the transition of the manufacturing technology level in the world. Further, since this system is always realized integrally with a physical medium (such as a magnetic card), it cannot be transferred through a communication line like electronic cash in the form of information.

Another solution is to use an electronic ID card such as a credit card (electronic credit card or electronic check) to make a payment at a later date. Electronic credit cards use a digital signature instead of a handwritten signature to make the process completely electronic (informatization).
The payment information can be transferred through the communication line.
However, a drawback of this scheme is that it cannot guarantee the privacy of the user (this is also true of current credit cards and checks). In other words, the institution that issues / settles credit cards can obtain the purchase history of the user freely, and also the retailer can know the credit card number and signature of the user.

On the other hand, a blind signature (details will be described later)
By combining online check at the time of payment (the retail store inquires online to the management center whether the information presented by the user is duplicated / unauthorized use) It can solve the problems of sex and privacy. However, if each retailer always accesses the center when purchasing each user, considering the processing time (user waiting time), communication cost, online processing cost at the management center, database maintenance cost, etc., It is not a realistic solution. Therefore, it is desirable that the processing at the time of cash payment can be processed offline.

[0006] As an electronic cash system capable of off-line processing with an emphasis on privacy, for example, D.Chaum, A.Fiat an
d M. Naor, “Untraceable Electronic Cash,” Advances
inCryptology-Crypto'88, Lecture Notes in Computer
Science 403, pp.319-327, Springer-Verlag, Berlin (1
988) and T. Okamoto et al. “Disposable Zero-Knowledge.
Authentications and Their Applications to Untracea
ble Electronic Cash, ”Advances in Cryptology-Cryt
o'89, Lecture Notes in Computer Science 435, pp.48
1-496, Springer-Verlag, Berlin (1989), Japanese Patent Application No. 2-
No. 88838 “Electronic Cash Enforcement Method and Apparatus”.

First, the blind signature, which is a basic technique for guaranteeing the privacy of the user, will be described. In blind signatures, the signer signs the document while keeping the contents of the document secret. A method based on the RSA method is described in D. Chaum, “Security without Identification: Tra
nsaction Systems to Make Big Brother Obsolete, ”Co
mm. of the ACM, 28, 10, pp. 1030-1044 (1985), a blind signature based on zero-knowledge dialogue proof is described in T. Okamot.
o etal. “Divertible Zero-Knowledge Interactive Pr
oofs and Commutative Random Self-Reducible, ”The
Proc. Of Eurocrypt'89 (1989).

The requester of the signature disturbs the document (m) with the random number (r) by the blind signature preprocessing to generate the blind message (x). The signer calculates a temporary signature (y) corresponding to x using the private key. At this time, m
Is perturbed by r, the signer is document (m)
Can't know. The requester removes the influence of the random number (r) from y by blind sign post-processing, obtains the true signature (y ′) for the original document (m), and sends the pair of m and y ′ to the verifier. Send. The verifier uses the signer's public key to verify that y'is the signature of m. Here, the verifier cannot know the correspondence between y and y '. The blind signature procedure A is the signer, P is the signer, and e _A is the public information of the signer A. F for blind signature preprocessing algorithm, D
Is a multiple blind signature algorithm, and G is a blind signature post-processing algorithm. Using these functions, the signature of the temporary created from F _eA and _{D eA Ω (= D eA (} F eA
(M _1), ..., F in _eA (m _k))) is subjected to G _eA, k-number of messages m _1, ..., a true signature of A to m _k B = D
Calculate _eA (m ₁ , ..., _{M k} ). Signer A and Requester P
Creates a multiple blind signature according to the following procedure.

Step 1: P is a blind signature pre-process and k messages {m _i | i = 1, 2, ..., K}
To k blind messages x _i = {F _eA (m _i ).
| I = 1, 2, ..., K} is generated and transmitted to A. Here, each x _i = F _eA (m _i ) is calculated independently, and the function F _eA uses random numbers to hide m _i . Step 2: A is a temporary signature Ω = D _eA (F _eA (m ₁ ),
_,, F _eA (m _k )) is k blind messages F _eA
Generate from (m ₁ ), ..., _{Fe A} (m _k ), and send to P.

Step 3: P is G_eABrine
M by post signature processing₁ , ..., m _kTrue of A corresponding to
Digital signature B = D_eA(M₁ , ..., m_k)
You. If the RSA method is used for blind signatures,
Lined message (blind signature preprocessing), x_i
= F_eA(M_i) = R_i ^eA× m_imod n, where r_iIs
Random numbers and temporary signatures to disturb

[0011]

(Equation 1) Blind sign post-processing,

[0012]

(Equation 2) In each, the signature is

[0013]

(Equation 3) Becomes At this time, the verification equation V _eA (m ₁ ,..., _{M k} , B)
Is

[0014]

(Equation 4) In the case of, a pass (OK) is output. Where (e _A , n)
Is the public key of the RSA method used by A, and satisfies the following equation. n = P × Q e _A × d _A {1 (mod L) where L = LCM {(P−1), (Q−1)} where L = LCM {a, b} is the minimum of a and b The common multiple, a≡b (mod n), indicates that (ab) is a multiple of n. It may represent the d _A and 1 / e _A is later.
In the following Chaum / Fiat / Naor method, a case of k> 1 is assumed, and in an example described later, a case of k = 1 is assumed.

An example of the configuration of the RSA encryption is described in Rivest, R.
L. et al. “A Method for Obtaining Digital Signature
s and Public-Key Cryptosystems ”, Communications o
f the ACM, Vol. 21, No. 2, pp. 120-126, (1978). The method of constructing a blind signature is, for example, Chaum,
D. “Blind Signature Systems”, US Patent No.:4,7
59,063 and Ohta, K. et al. “Authentication System a
nd Apparatus Therefor ”, US patent No.:4,969,189
Is shown in

By using a blind signature, the privacy of the user can be guaranteed at the user's own risk. That is, since the user adds and removes the random number r for disturbance, as long as r is kept secret, anyone
Note that we cannot know the correspondence between = Ω and y '= B. However, the literature S. von Solms and D. Naccac
he, “On Blind Signature and Perfect Crimes”, Co
As described in mputers and Security, 11, pp.581-583 (1992), this method can make the flow of money completely untraceable, and thus can be misused for money laundering and complete crimes of kidnappers. It has been pointed out.

Here, Cha, which is a typical electronic cash system, is used.
This section describes the process of issuing electronic cash between a bank and a user, the payment of electronic cash at a user's retail store, and the approval process between the retail store and a bank under the um / Fiat / Naor method. Electronic cash issuance processing A procedure for a user P to have the bank A issue electronic cash C is shown. Here, the ID is the identification information of the user P, e
_A is a bank's digital signature public key corresponding to the amount of electronic cash (for example, 10,000 yen) designated by the user. The procedure for a user to issue an electronic cash from a bank is as follows.

Step 1: User P generates a random number a _i (where i = 1, ..., K) and uses the published one-way function g: x _i = g (a _i ) y _i = g (a _i (+) ID) is calculated. (+) Indicates exclusive OR.

Step 2: P calculates W _i = F _eA (f (x _i , y _i )) using the published one-way function f and the blind _signature preprocessing function F _eA , and Present. Step 3: Bank A randomly selects K from 1 to K
/ 2 subsets U = {i _j }, (where 1 < j < K /
Select 1 < i _j < K) for 2 and send it to the user as a disclosure request. (Hereinafter, in order to simplify the notation, description will be made assuming that U = {K / 2 + 1, K / 2 + 2, ..., K)} is designated as the disclosure request. ) A procedure for randomly requesting the disclosure of K / 2 subsets out of K is called an “unannounced inspection”.

Step 4: When the user P receives the disclosure request from the bank A, the user P uses the random number used in the function F _eA to create the designated K / 2 a _i and W _i as A. Disclose. Step 5: Bank A verifies the legitimacy of all of the disclosed K / 2 pairs, and if any of the inspections fails, the subsequent processing is stopped. If all inspections pass, Bank A is not subject to disclosure i (here:
i = 1, 2, ..., K / 2), the following procedure is performed.

Step 6: Bank A calculates Ω = D _eA (W ₁ , ..., W _{K / 2} ) and sends it to user P. Step 7: User P calculates electronic cash C from the received data Ω from the bank as follows.

C = G _eA (Ω) = D _eA (f (x ₁ , y
₁ ), ..., f (x _{K / 2,} y _{K / 2} )) Payment by electronic cash Next, when user P uses electronic cash C issued by bank A to make payment at retail store V explain. The following processing is executed for each i (where i = 1, 2, ..., K / 2).

Step 1: User P uses electronic cash (C)
To retail store V. Step 2: Retail store V is random number bit e_iTo generate
Send to user P. Step 3: User P is e_iWhen = 1 a_iAnd y
_iTo e_iX = 0_iAnd a_i(+) ID to retail store V
Send to Step 4: Retail store V uses bank A's public key e_AUsing
And C has message f (x₁ , Y₁ ), ..., f (x
_{K / 2} , Y_{K / 2} ) That the signature is correct. settlement Finally, explain the payment method between retail store V and bank A
I do. The retail store V is to communicate with users when using electronic cash.
Submit history H to the bank. The bank checks H's legitimacy and
If you pass the check, remember H and the retail account
Pay the amount corresponding to (or by some means
Pay the applicable amount to the retail store). Bank of electronic cash
If fraudulent use is found, H and communication already remembered
A is stored from history corresponding to C_iAnd a_i(+) ID
To identify the identification information ID of the illicit person.

The above is the Chaum / Fiat / Naor method, but it is used
If a person illegally uses C twice, e _iWhen = 1 a_i,
e_iA = 0_i(+) ID is stored in the bank
So the first and second e_iAre different from each other, a
_i(+) (A_i(+) ID) = ID holds, so silver
The row can calculate this to find the ID. The bank is K / 2
Since the bit is queried, double use of C cannot be detected.
The probability is 2^{-K / 2}Becomes (Usually, K = 20 is recommended.
Have been. )

[0025]

SUMMARY OF THE INVENTION The above-mentioned electronic cash method is as follows. There is a problem that electronic cash can be unconditionally untraceable, and as a result, money laundering and complete crimes of kidnappers are permitted. (Unconditional untraceability). 2. "Unannounced inspection technique" that inspects that the user operates as specified each time the electronic cash is withdrawn
(Presentation of K pieces of information and answering K / 2 pieces of disclosure request) is required, and it is inefficient because it is necessary to exchange twice the amount of information that is actually used (inefficiency when issuing electronic banknotes). sex). 3. The user cannot divide the issued electronic cash and use a part of it (non-splitability). 4. Users cannot transfer the issued electronic cash to other users (non-transferability).

An object of the present invention is to provide an electronic cash method which solves all of the above 1 to 4 while leaving the function of detecting double use and unauthorized use.

[0027]

According to the present invention, in order to prevent the privacy of the user from being leaked except in an emergency,
The trust institution J is used, and the trust institution J may have functions divided into a plurality of institutions. The user registers the anonymous public information N with the trust institution J, and the trust institution J is the user name. Is confirmed, the signature is associated with the anonymous public information N and the signature is given to the user. The user is anonymous public information N, trust organization J
Save the signature as a license. Trust organization J secretly manages the correspondence between the user name and anonymous public information. Only when a reliable third party (for example, a court) requests tracking of the flow of information, the trust organization J publishes the correspondence between anonymous public information and user name.

Further, according to the present invention, the electronic bill issuing procedure is
By dividing the procedure for issuing a license and the procedure for issuing electronic banknotes, it is possible to reduce the amount of information processing at the time of issuing electronic banknotes (the license can be used for a certain period of time) and By limiting the privacy of the user to the issuing trust institution J, the amount of information processing when the usage permit is issued is reduced.

Further, in the present invention, the user can set the amount x (x <
The electronic bill C corresponding to the amount X is divided and used by performing a signature that guarantees the payment of X). When the user gives a signature that guarantees the transfer of the amount x (x < X), the user who has transferred the amount x further uses it for payment or transfer.

[0030]

BEST MODE FOR CARRYING OUT THE INVENTION An embodiment of the present invention will be described below. FIG. 1 shows elements necessary for implementing the present invention, including a trust institution 100, a user 200, and a bank 30.
0, a retail store 400, and a user 500, which are connected via a communication line, for example, but may be connected via an IC card or the like capable of recording information. Preparation In the electronic cash method of the present invention, a user of electronic cash first has an organization called a trust organization issue a usage permit. Bank (Here, the issuer / settler of electronic cash is called a bank, but in fact, it can be any institution)
Issues a certain amount of electronic cash (or electronic bill) to the user according to the user's request. The user uses the electronic bill for payment at various retail stores as many times as the face value. Finally, each retailer makes a payment at the bank for each payment made by the user.

Now, the signatures of trust agency J, bank A, and user U
All algorithms are RSA and their secret keys are
And the public key is (dj, nj) and (ej, nj), (dc
 , N _C) And (ec, n_C), (D, N) and (e, N)
(The public key of the user U is anonymous public information). Faith
The signature of Trustee J and the signature of Bank A are each a license
It is used to check the legitimacy of electronic bills and electronic bills.

In the signature for the user, e in the public key is common
However, N is determined for each user. Bank A departs
If you want to make more than one electronic banknote amount, you can
Corresponding amount of money (dc, n_C) And (ec, n_C) Make a pair
The amount of money and (ec, n _C) Together
deep. In addition, the one-way functions g and h for signature are also determined.
I will make it public.Issuance process of license User U asks trust organization J to issue a usage permit.
How to get the user to issue a license from the bank
Is as follows (see FIG. 2). This procedure
Each user does this only once when registering N.

Step 1 The user U is the prime number generator 21.
Two large prime numbers P and Q are generated by using 0, a composite number N (N = P × Q) is calculated by using the multiplier 211, and this is set as anonymous public information N. Another RSA public key e
Is common to all users, and e = 3, for example. In addition, e,
From P and Q, d = e ⁻¹ mod LCM (P−1, Q−1) (1) is calculated using the remainder inverse calculation calculator 212, and d and N are stored in the memory 250.

Step 2 User U sends N to trustee J. Step 3 The trust institution J confirms the identity of the user U by some method, and if the result is acceptable, secretly manages the correspondence between the users U and N using the correspondence table 111. Step 4 The trust organization J generates information I such as the expiration date, and uses the g calculator 112 and the modular exponentiation calculator 113 to perform the following signature calculation.

B = g (N | I) ^dj mod nj (2) The signatures B and I are transmitted to the user U. Step 5 The user U uses the received data B, I from the trust organization J and the anonymous public information N as a usage permit (B, I, N).
Is stored in the memory 250. Note: When performing the above communication on a communication line, it is better to use encryption processing together. Electronic Banknote Issuing Process Next, a procedure for the user U to issue the electronic banknote C from the bank A will be described. Here, (ec, n _C ) is the public key for the digital signature of the bank corresponding to the amount (for example, 10,000 yen) of the electronic bill designated by the user. The procedure for the user U to issue the electronic banknote C from the bank A is as follows (see FIG. 3).

Step 1 User U selects random number generator 22
Generate a random number b using 0, store it in the memory 250,
On the other hand, from the random number b and the usage certificate (B, I, N) read from the memory 250, g using the g calculator 221
Calculate the (B ‖b) and then issue the usage limit X
The public key (ec, which corresponds to the amount information: 10,000 yen, for example)
n _C ), and a modular exponentiation calculator 222 and a modular multiplication 223
Thus, blind signature preprocessing is performed by the following equation.

Z = g (B | b) r ^ec mod n _C (3) The processing result Z is transmitted to the bank A together with the amount information of the electronic bill, that is, the usage limit amount X. Step 2 The bank A uses the secret key (dc, n _C ) corresponding to the amount of the electronic bill and the exponentiation remainder calculator 310 to perform a temporary signature on the received information Z by the following calculation.

Θ = Z ^dc mod n _C (4) This provisional signature Θ is transmitted to the user U. At the same time, user U
Withdraw the applicable amount from the account or receive the applicable amount from the user U by other means. Step 3 The user U uses the public key (ec
, N _C ) and the received information Θ, the remainder inverse calculator 2
12. Using the remainder multiplier 223, the blind signature post-processing is performed by the following equation to obtain the electronic bill C of the specified amount.

C = Θ / r mod n _C (5) Note that C = g (B / b) ^dc mod n _C. Payment by Electronic Bill Next, a case where the user U uses the electronic bill C issued by the bank A to pay at the retail store V will be described (FIG. 4).
And FIG. 5).

Step 1 The user U uses I, N, B,
b and C are sent to the retail store V400. Step 2 The retail store V400 uses the g calculator 410, the modular exponentiation calculator 411, and the comparator 412 to determine the validity of the signature B for (I, N), that is, the validity of the license, as follows. Confirm by checking the expression. B ^ej ≡g (N / I) (mod nj) (6) Further, the validity of the signature C with respect to (B, b), that is, the validity of the electronic banknote C, is calculated by the modular exponentiation calculator 411 and the comparator 41.
2 is used to confirm whether C satisfies the following equation.

C ^ec ≡g (B / b) (mod n _C ) (7) If any of the inspections fails, the subsequent processing is stopped. Step 3 If both of the inspections are passed, the retail store V uses the random number generator 413 to generate a random number E ′, and sends it to the user U together with the identifier ID _V of the retail store _V and the time stamp T.
Further, by the h calculator 414, E = h (ID _V ‖T‖
E ') is calculated.

Step 4 The user U decides to use the amount x of the electronic banknote C, and uses the h calculator 230, the g calculator 221 and the power remainder calculator 222 for the x and the received information. , Sign by the following formula. _{S = g (x‖h (ID V} ‖T‖E ')) d mod N (8) sends the signature S and x retailers V.

Step 5 The retail store V knows the usage limit amount X of the electronic bill C from the public key (ec, n _C ) that has passed the validity check of the electronic bill C, and x does not exceed X. Is confirmed by a comparator, and if this inspection fails, the subsequent processing is stopped. If the result is acceptable, the validity of the signature S is verified by the following equation using the modular exponentiation calculator 411 and the comparator 412.

S ^e ≡g (x‖E) (mod N) (9) If this verification is passed, the retail store V considers the payment of the amount of money corresponding to the user's x to be valid, and regards it as the justification. To receive. The settlement method between the settlement retailer V and the bank A will be described (see FIG. 6). The retail store V has a communication history H with the user when using the electronic bill, that is, I, N, B, b, C from the user U, ID _V , T, E'from the retail store V to the user U, Further, x and S from the user U are submitted to the bank A. Bank A checks the legitimacy of H and, like the check at the time of payment with electronic banknotes,
That is, each of the expressions (6), (7), and (9) is verified, and if all the inspections are passed, H is stored and the amount of money corresponding to the account of the retail store V is paid, or , Pay the corresponding amount to the retail store V by other means.

The bank A manages the history H so that the electronic bill C is not used in excess of the limit amount X. For example, only C and the amount x are stored in the first database, and the electronic bill C
The second database that holds the payment history H under C is set to be searchable using C as a key. Whether the total payment amount under C exceeds the limit X can be found by searching the first database. If the limit is exceeded, search the second database and submit the entire payment history under C as evidence of fraudulent use. The trust institution J searches the user name U from N included in H using the correspondence table 111 to identify the illicit person. Transfer by electronic banknote Finally, electronic banknote C issued by bank U by user U ₁
The case of transferring to the user U ₂ will be described with reference to FIGS. 7 to 9. Let the usage permit of the user U _{1 be} (B ₁ , I ₁ , N ₁ ), the electronic bill (C, b), and the usage permit of the user U _{2 be} (B ₂ , I ₂ , N ₂ ). .

Step 1 The user U ₁ sends the usage permit (B ₁ , I ₁ , N ₁ ) and the electronic bill (b, C) to the user U 1.
Send to ₂ . Step 2 The user U ₂ determines the validity of the signature B ₁ (validity of the usage permit) for (I ₁ , N ₁ ) by the g calculator 5
10, using the modular exponentiation calculator 511 and the comparator 512,
It is verified whether B ₁ satisfies the following equation.

B ₁ ^ej ≡g (N ₁ ‖I ₁ ) (mod nj) (10) Further, the validity of the signature C with respect to (B ₁ , b) (the validity of the electronic bill) is calculated by the g calculator 510, Magnitude remainder calculator 51
1. The comparator 512 is used to verify whether C satisfies the following equation. C ^ec ≡ g (B ₁ ‖b) (mod n _C ) (11) When any of these inspections fails, the subsequent processing is stopped.

Step 3 If both of the inspections are passed, the user U ₂ uses the random number generator 513 to generate a random number E ', which is given to U together with the signature B ₂ and the time stamp T for the user U ₂ . Send, and further, E = h by the h calculator 514
Calculate (B ₂ ‖T‖E ′). Step 4 The user U ₁ decides to transfer the amount x of the electronic bill C, and the h calculator 514 and the g calculator 51
The following signature is performed using 0 and the power remainder calculator 511.

S ₁ = g (x‖h (B ₂ ‖T‖E ′)) ^d1 mod N ₁ (12) This signature S ₁ and the amount x are sent to the user U ₂ . Step 5 The user U ₂ uses the comparator 512 to determine x
However, it is confirmed that the usage limit amount X of the electronic bill C is not exceeded, and when this inspection fails, the subsequent processing is stopped.

When the result is acceptable, the validity of the signature S ₁ is verified by the following equation using the modular exponentiation calculator 511 and the comparator 512. S ₁ ^e1 ≡g (x‖E) (mod N ₁ ) (13) If this verification is passed, the user U ₂ considers the transfer of the amount of money corresponding to the user x to be justified, and To receive.

[0051] Step 6 user U _2, the license _{(B 2, I 2, N} 2) and, communicating at the time of electronic bill transfer of the user U ₁ history _{H 1 (I 1, N 1} , B 1 , B, C, x,
Send T, E ', S ₁ ) to retail store V. Step 7 The retail store V400 uses the g calculator 410, the modular exponentiation calculator 411, and the comparator 412 to determine the validity of the signature B ₂ (validity of the license) for (I ₂ , N ₂ ). It is verified whether B ₂ satisfies the following equation.

B_Two ^ej≡g (N_Two‖I_Two) (Mod nj) (14) Furthermore, communication history H₁Also confirm the legitimacy of
Validity of transfer, same as inspection of payment by electronic banknote). This
When the inspection of 1 fails, the following processing is stopped. Step 8 If these inspections are passed, the retail store V
A random number E is generated by using the random number generator 413._V′ And generate it
Identifier ID of retail store V_VAnd user U with time stamp T '
_TwoTo the E calculator by the h calculator 414._V= H (I
D_V‖T′‖E _V′) Is calculated.

Step 9 The user U ₂ decides to use the amount y of the transferred amount x, and the g calculator 51
Using the 0, h calculator 514 and the modular exponentiation calculator 511,
Sign the following formula. _{S 2 = g (y‖h (ID} V ‖T'‖E V ')) d2 mod N 2 (15) sends the signature S ₂ and y retailers V.

Step 10 The retail store V400 uses the comparator 412 to confirm that y does not exceed the transfer amount x of the electronic banknote C, and when the inspection fails, the subsequent processing is stopped. . If it passes, the validity of the signature S ₂ is verified by using the modular exponentiation calculator 411 and the comparator 412 by satisfying S ₂ ^e2 ≡g (y‖E _V ) (mod N ₂ ) (16) .

If this verification is passed, the retail store V considers the payment of the amount of money corresponding to the user y to be valid and receives it. As described above, when the divided use (payment, transfer) of electronic banknotes, the receiving side only compares with the payment limit amount of electronic banknotes, but fraud is discovered by managing the history of the electronic banknote at the bank. be able to.

In the above embodiment, the correspondence between the user name and the anonymous public information is realized as one trust institution J. The function of the trust organization J may be divided into a plurality of departments so that the correspondence between the user name and anonymous public information can be known only when these departments cooperate with each other. Although the signature methods of the embodiments are all based on the RSA signature, the present invention can be realized by an arbitrary one-way function g, h, a digital signature method, or a signature method capable of blind signature (a blind signature other than RSA is possible. For detailed signature methods, refer to the document T. Okamoto et al. "Divertible
Zero-Knowledge Interactive Proofs and Commutative
Random Self-Reducible, "The Proc. Of Eurocrypt'89
(1989). Also, a digital signature method,
For one-way functions, Eiji Okamoto "Introduction to Cryptography"
(See Kyoritsu Publishing). Further, when the fraud is detected, the bank A may send all the anonymous public information N related to the corresponding electronic bill C to the trust institution J, and does not necessarily have to send the entire history H.

[0057]

The effects of the present invention described above are as follows. Privacy protection and anti-crime measures With a credit card, the user name is directly visible to the retail store V, so privacy cannot be guaranteed.

In the Chaum / Fiat / Naor method, since blind signature is used, the privacy of the user is protected, but it is pointed out that this is a hotbed of crime. In the present invention, only the trust organization knows the correspondence between the anonymous public information I and the user name, but the retail store can see only the anonymous public information I. Therefore, unless the trust organization colludes with the retail store, The privacy of the person is protected.

Further, when the trust institution is divided into a plurality of institutions, even the trust institution cannot violate the privacy of the user unless a plurality of departments collude.
In order to deal with money laundering and crimes of kidnappers, trust institutions will disclose the relationship between the user name and N (or B) at the request of a reliable third party (eg, a court). This will stop trading by N. Alternatively, tracking the transactions by N will allow the criminal to be arrested. Regarding traffic volume In the Chaum / Fiat / Naor method, the user has to be blind-signed and have the user correctly embed the ID in the coin. Therefore, each time the electronic cash is withdrawn, the user operates as decided. “Unannounced inspection technique” (representing K pieces of information and answering K / 2 pieces of disclosure requests) is required, and it is inefficient because it is necessary to exchange twice the amount of information that is actually used. .

According to the present invention, the procedure for issuing an electronic bill is divided into a procedure for issuing a usage permit and a procedure for issuing an electronic bill to reduce the amount of information processing at the time of issuing an electronic bill (the usage permit is fixed. The amount of information processing at the time of issuing the license is reduced by limiting the privacy of the user to the trust institution J that issues the license (Chaum. In the Fiat / Naor method, K = 20 is usually recommended from the viewpoint of safety.
In the present invention, according to the Chaum / Fiat / Naor method, this can be set to K = 1, so that the communication amount in the process of issuing a license can be reduced to 1/20). Double use, division, and transfer In this invention, since the communication history is converted into cash by returning to the bank, if the user uses the electronic cash C more than once (it is good when divided), the bank will use C Based on, you can search the contact history file to detect this fact. Since the communication history information H includes N together with C, the bank can know the user name U corresponding to N from the trust agency J under the permission of a third party (for example, a court). , Can identify fraudulent persons.

In the present invention, the double use detection algorithm can be used as it is to perform division and transfer, which cannot be done by the Chaum / Fiat / Naor method. In fact, by giving a signature that guarantees payment (/ transfer) of the amount x (x < X), the electronic bill C corresponding to the amount X can be divided (/ transferred) and used.

[Brief description of the drawings]

FIG. 1 is a block diagram showing components for implementing the present invention.

FIG. 2 is a block diagram showing a license issuing process between a user and a bank in FIG.

FIG. 3 is a block diagram showing an electronic bill issuing process between a user and a bank in FIG. 1.

FIG. 4 is a block diagram showing the processing of the user in FIG. 1 and the user regarding the payment processing by the electronic bill at the retail store.

FIG. 5 is a block diagram showing processing of a retail store regarding payment processing with electronic banknotes at the user and the retail store in FIG. 1.

6 is a block diagram showing a settlement process between a retail store and a bank in FIG.

FIG. 7 is a block diagram showing the processing of the user 200 regarding the transfer processing by electronic banknote by the user 200 and the user 500 in FIG. 1.

8 is a block diagram showing a process of a user 500 regarding a transfer process by electronic banknotes by the user 200 and the user 500 in FIG. 1. FIG.

FIG. 9 is a block diagram showing processing by the user 500 in FIG. 1 and processing by the user 500 regarding payment processing by electronic bill at a retail store.

─────────────────────────────────────────────────── ─── Continuation of the front page (51) Int.Cl. ⁶ Identification number Office reference number FI technical display location H04L 9/32 G06F 15/30 330 H04L 9/00 675A

Claims (4)

[Claims] 1. A user U sends public information N corresponding to secret information P for a digital signature (hereinafter referred to as a signature) to a trust institution J composed of at least one department, and the trust institution J uses it. The correspondence between the person U and the public information N is secretly managed (hereinafter, N is referred to as anonymous public information), the signature B of J for the anonymous public information N is generated and transmitted to the user U, and the user U The anonymous public information N and the signature B of the trust institution J are stored as a usage permit together with the secret information P corresponding to N (issue of the usage permit), and then the user U sends the usage permit to the bank A. (B, N)
And requesting the issuance of an electronic bill C of the amount X by indicating the amount X, and the bank A signs the electronic bill C corresponding to the usage permit (B, N) to the user U and corresponding to X. Issued by (issue of electronic banknote), the user U sends a usage permit (B, N) to the retail store V.
And the electronic bill C, and using the confidential information P corresponding to the anonymous public information N, the payment is made with a signature that guarantees the payment of the amount x (x < X) (payment of the electronic bill). V transfers the payment history information H to the bank A to obtain an amount corresponding to the amount x (cashing of electronic banknotes), and the bank A limits the total amount of payment under the electronic banknote C. Confirm that the amount does not exceed X (management of electronic banknotes), and if the total exceeds X, disclose at least anonymously the entire payment history under electronic banknote C to trust institution J. Information N
The trust institution J can publish the correspondence between the user U in the management information and the anonymous public information N by using the received anonymous public information, but without revealing the user name during normal payment. An electronic cash method with a trust institution, characterized in that payment is possible. 2. The electronic cash method with a trust institution according to claim 1, wherein the user U ₁ presents the user's U ₁ license (B ₁ , N ₁ ) and the electronic bill C to the user U ₂ . Furthermore, the secret information P corresponding to the anonymous public information N ₁ of U _{1
Use 1} to make a transfer with a signature that guarantees the transfer of the amount x (x < X) (transfer of electronic banknotes), and the user U ₂ sends the transfer history to the retail store V at the time of transfer. H ₁ and own usage permit (B ₂ , N ₂ ) are shown, and it is guaranteed that the amount of money y (y < x) is paid using the secret information P ₂ corresponding to the anonymous anonymous information N ₂ of own. An electronic cash method characterized in that payment is made by using a signature (payment / transfer of electronic banknotes). 3. The user U sets two large prime numbers P and Q.
Generate and use these to calculate the composite number N (N = P × Q)
Further, from e (common to users), P and Q, d = e^-1mod LCM (P-1, Q-1) is calculated, d and N are stored in the memory, and N is the trust institution J.
Send (LCM (a, b) is the least common multiple of a and b) Trust organization J uses the correspondence table to show the correspondence between users U and N
And secretly manage it, generate information I such as expiration date, and
Seki J's signature secret key (dj, nj), B = g (N | I)^djThe signature of mod nj is calculated (g is a one-way function), and the signature B is obtained.
And I are transmitted to the user U, and the user U receives the received data (B, I,
N) is stored in the memory as a usage permit, and then the user U generates a random number b and stores it in the memory.
Then, the random number b and the license read from the memory
Calculate g (B | b) from (B, I, N), and then the amount
Public information of the bank A corresponding to the information (for example, 10,000 yen) (e
c, n_C), Z = g (B | b) r^ecmod n_C Is calculated, and this calculation result Z is combined with the above-described amount information of the electronic bill.
Both are sent to Bank A, and Bank A receives the secret information corresponding to the received information Z and the amount of the electronic bill.
Key (dc, n_C) And Θ = Z^dcmod n_C And sends the result to the user U, who receives the received information Θ and the public key (ec, n_C) And
Using C = Θ / r mod n_C The electronic money C of the specified amount is calculated by
The user U sends I, N, B, b, C to the retail store V, and the retail store V trusts the legitimacy of the signature B against (I, N).
Using the signature public key (ej, nj) of institution J, B^ej≡g (N | I) (mod nj) is inspected, and the electronic bill C for (B, b) is checked.
The justification is based on the public key of bank A (ec, n_C) Using C
Is C^ec≡g (B ‖b) (mod n_C) Is checked, and if both these tests fail, then
If you stop the process and pass both inspections, retail store V
Generate a random number E ′ and use it as the identifier ID of the retail store V _Vas well as
Send it to user U with time stamp T, and
E = h (ID_V‖T‖E ′) is calculated (h is a one-way
Number), the user U uses the amount x of the electronic banknote C to be used and the retail
For the information received from the store V, the secret key (d,
N) and S = g (x || h (ID_V‖T‖E '))^dmod N is calculated and signed, and this signature S and x are sent to the retail store V, and the retail store V determines that x exceeds the usage limit amount X of the electronic banknote C.
If the inspection fails, follow the steps below.
If S is S and S is S^eVerification is performed by satisfying ≡g (x‖E) (mod N), and if this verification is passed, the retail store V confirms that the user U has x
We regard the payment of the applicable amount as legitimate and consider it
Next, the retail store V receives the communication slips when the user U uses the electronic bill.
Submit the history H to the bank, and the bank will check the legitimacy of H and if it passes the inspection,
The bank A manages the history H of each electronic banknote C and limits
Examine whether it has been used beyond the amount x, and if it exceeds the limit,
Of at least N in the total payment history H for the electronic bill C of
Submit to Trust Organization J, and Trust Organization J will use the submitted N from the correspondence table.
A message characterized by finding the person name U and identifying the illicit person
Electronic cash method with a depository. 4. The electronic cash method with a trust institution according to claim 3.
By the way, user U₁Is the license (B₁, I₁, N₁), Electronic
Banknote (b, C) User U_TwoSent to user U_TwoIs (I₁, N₁Signature B for₁Legitimate
Sex, B₁ ^ej≡g (N₁‖I₁) (Mod nj) to B₁Inspection by filling, (B₁, B)
If C is C^ec≡g (B₁‖B) (mod n_C) Is checked and one of these tests fails
If you stop the following processing and pass both these tests,
User U_TwoGenerates a random number E ′ and uses it for the user U _TwoTo
Signature B_TwoAnd user U with time stamp T₁Sent to
And E = h (B_Two‖T‖E ′) is calculated and the user U₁Is the amount x of the electronic banknote C to be transferred.
And signature calculation S₁= G (x || h (B_Two‖T‖E '))^d1mod N₁ And the signature S₁And x for user U_TwoSent to user U_TwoMeans that x exceeds the usage limit X of the electronic banknote C.
If it does not pass this inspection,
Cancel the process, and if it passes, sign S₁The legitimacy of S₁
Is S₁ ^e1≡g (x | E) (mod N₁) Is verified, and if this verification is passed, user U_TwoIs the user U₁X
Consider the transfer of the amount of money to be justified, and
User U_TwoIs the license (B_Two, I_Two, N_Two), And
User U₁History H at the time of electronic bill transfer with₁(I₁, N
₁, B₁, B, C, x, T, E ', S₁) To retail store V
Send, retail store V, (I_Two, N_TwoSignature B for_TwoLegitimacy of
To B_TwoBut B_Two ^ej≡g (N_Two‖I_Two) (Mod nj) to confirm (validity of license), and
And communication history H₁If any of these inspections fail, the subsequent processing is stopped.
However, if both inspections are passed, the retail store V determines that the random number E_V′ Is born
Created and set it as the retailer V identifier ID_VAnd time stamp T '
User U together_TwoTo E,_V= H (ID_V‖
T′‖E_V′) Is calculated and the user U_TwoIs the amount y to be used out of the amount x transferred
Signature calculation for S_Two= G (y‖h (ID_V‖T′‖E_V′))^d2 mod
N_Two Do this signature S_TwoAnd x are sent to the retail store V, and the retail store V determines that y exceeds the transfer amount x of the electronic bill C.
Check that there is no such error, and if this inspection fails, take further action.
If you pass the signature S_TwoThe legitimacy of S_TwoIs S_Two ^e2≡g (y‖E_V) (Mod N_Two) Is satisfied, and if it passes this verification, the retail store
V is user U_TwoPayment of the amount corresponding to y
A belief characterized by taking it as something and receiving it
Electronic cash method with a depository.