
                       DIGICASH - NUMBERS THAT ARE MONEY
                                       
The ultimate electronic payment system for any application

   
     _________________________________________________________________
   
   Copyright (c) 1994 by DigiCash bv.
   
   
     _________________________________________________________________
   
Electronic Cash. . .

   Electronic cash by DigiCash is a new concept in payment systems. It
   combines computerized convenience with security and privacy that
   improve on paper cash. It adds value to any service involving payment.
   And its versatility opens up a host of new markets and applications.
   
   Electronic cash is not just a step on the way to tomorrow's payment
   system technology. It is that technology, and it's here now.
   
. . .by DigiCash.

   DigiCash works with payment system and service providers in all phases
   of electronic cash innovation. We help you develop and refine the
   concept, and we see it through every step to final implementation.
   We're the experts.
   
   We're the experts first of all because our technology is unique--and
   we invented it. But we're also world-class experts in our fields. The
   DigiCash team brings together top cryptographers and payment-system
   specialists with some of Europe's best software and hardware
   specialists. DigiCash is young but experienced, innovative but here to
   stay.
   
   Our products have already proven successful. And we'd enjoy helping
   you find out how your firm can benefit.
   
Why Electronic Cash?

  VERSATILITY
  
   Wherever value is exchanged, between business, government, customer,
   client, or citizen, electronic cash is the medium of choice. For
   computerized payments over the phone, the user needs only our special
   software. Road toll payments can be made from moving vehicles--in less
   time than it takes a car going 200 km/h to travel a single meter. And
   users can pay directly at a counter, kiosk, or phone booth with
   current smart-cards as the platform; with the pocket-size card readers
   we've developed, they can even make payments to each other.
   
  SECURITY
  
   The security provided by electronic cash is unmatched in scope and
   cost-effectiveness. There's no need for an acquirer of value to
   contact a central system more than weekly, because the technology is
   secure against cheating and misuse even without on-line connections.
   Since electronic cash is digitally "signed" by the issuer, there's no
   room for dispute over payments, and no mutually trusted center is
   necessary. All parties need only select and protect their own
   hardware; our software does the rest.
   
  PRIVACY
  
   Electronic cash, unlike even paper cash, is unconditionally
   untraceable. The "blinding" carried out by the user's own device makes
   it impossible for anyone to link payment to payer. But users can prove
   unequivocally that they did or did not make a particular payment,
   without revealing anything more. Besides appealing to consumers, this
   level of privacy limits exposure to future data-privacy legislation
   and reduces record-keeping costs.
   
Electronic Cash Applications

   Here are some of the opportunities for electronic cash applications
   we've been working on:
   
   At the point of sale:
   
     * prepaid cards
     * credit cards
     * vending 
       
   For telepayment:
   
     * phone cards
     * teleshopping and telebanking
     * conditional access to services 
       
   In transportation:
   
     * automatic toll collection
     * parking systems
     * public transit
       
How Electronic Cash Works

   Electronic cash is based on the increasingly used cryptographic
   systems for "digital signatures" (see sidebar). One such system
   involves a pair of numeric keys that work like the halves of a
   codebook: messages encoded with one key decode with the other key. One
   key is made public, while the other is kept private. By supplying all
   users with its public key, a bank can allow them to decode any message
   encoded with its private key. If decoding by a user yields a
   meaningful message, the user can be sure that only the bank could have
   encoded it. These digital signatures are far more resistant to forgery
   than handwritten ones.
   
   In the basic electronic cash system, the user's equipment generates a
   random number, which serves as the "note". His equipment then "blinds"
   the note using a random factor (see sidebar) and transmits it to a
   bank. In exchange for money debited from the user's account or
   otherwise supplied, the bank uses its private key to digitally sign
   the blinded note, and transmits the result back to the user. The
   user's equipment unblinds the note, which it later pays with. The
   payee checks that the note's digital signature is authentic and later
   sends the note on to the bank, who in turn checks the signature and
   credits the payee accordingly.
   
Security--For All Concerned

   Neither the user nor the payee can counterfeit the bank's signature.
   But either can verify that the payment is valid, since each has the
   bank's public key; and the user can prove that he made the payment,
   since he can make available the blinding factor. But because the
   user's original note number was blinded when it was signed, the bank
   can't connect the signing with the payment. The bank is protected
   against forgery, the payee against the bank's refusal to honor a
   legitimate note, and the user against false accusations and invasion
   of privacy.
   
   What prevents users from spending the same note twice? One obvious
   method is checking the bank's signatures on-line against a database of
   spent notes. For most systems, which handle high volumes of low-value
   payments, this is too expensive. We've found better solutions. Before
   accepting an off-line payment, the payee's equipment issues an
   unpredictable challenge to which the user's equipment must respond
   with some information about the note number. By itself, this
   information discloses nothing about the user. But if the user spends
   the note a second time, the information yielded by the next challenge
   gives away his identity when the note is ultimately deposited. For
   enhanced practical protection, smart cards can also be programmed to
   prevent double spending at the moment it is tried.
   
More Possibilities

   We've devised a number of variations on these basic systems. For the
   bank to issue users with enough separate electronic "coins" of various
   denominations would be cumbersome in communication and storage. So
   would a system that required payees to return change. To sidestep such
   costs, we use an electronic "check"--a single number that contains
   multiple denomination terms sufficient for any transaction up to a
   prescribed limit, and to which the appropriate value is assigned at
   payment time. What's more, the values of the denomination terms can be
   made variable. In this way, users can receive interest on their
   unspent checks, the bank can receive interest on credit payments, and
   the same check can be spent in different currencies.
   
   Just as the form of electronic cash itself can be varied, so can the
   hardware configurations needed to apply it. Rather than having their
   accounts debited at a bank, users can insert hard currency into
   terminal equipment. The user's equipment can be an ordinary smart
   card, a public-key-capable smart card, or a personal computer. We've
   also developed a pocketable smart card "reader" with its own keypad,
   display, and infra-red link.
   
   (Documentation and technical details for these and other options are
   available on request. Patents have been issued and are pending in
   most major markets.)
   
About Our Company

   DigiCash is headquartered in Amsterdam, on the national research
   campus for exact sciences. This puts us next door to CWI (the national
   center for research in mathematics and computer science), several
   physics laboratories, a supercomputer center, and the University of
   Amsterdam computer science faculty. We're also close to several other
   young hi-tech companies.
   
   Our location gives us capabilities beyond the ordinary. We draw on the
   skills of the CWI Cryptography Group, one of the acknowledged world
   centers of cryptographic expertise and invention. Our software
   designers, ACM European Programming Contest champions, enjoy the
   considerable resources available on campus. Likewise, our
   award-winning hardware designers find specialized support for in-house
   prototyping and testing.
   
   And all these areas--cryptography, software, and electronics--are
   finely integrated. We have demonstrated performance in each phase of
   payment system development--from conception, through feasibility
   studies, bread-boards, and prototypes, to production management.
   
   Before anything else, we're creative, innovative, and flexible, and
   we're growing fast. But we're also careful planners. We've taken care
   to give the company a base as solid as the reputation of our research
   team. That's because we want to drive the cutting edge of transaction
   system technology for many years to come.
   
How We Work With You

   We like to develop solutions jointly right from the start. And, as we
   said before, we enjoy creating systems for new and challenging
   applications. So if you see possibilities for electronic cash in your
   firm's future, we invite you to explore those possibilities with us.
   
   
     _________________________________________________________________
   
Digital Signatures

   In the RSA public-key cryptosystem used for electronic cash, both
   encryption and decryption are done by raising the message--here, the
   note number--to a power that is the appropriate key. These
   exponentiations are done in a modular arithmetic system: one that
   saves only the result of division by a fixed number called a modulus.
   (This modulus needs to be quite large, usually at least 150 digits.)
   
   When the system is set up, the key-making bank generates two large
   primes p and q. Their product pq will be the modulus of the
   exponentiations. The basis of the RSA system is the fact that
   
   x^((p-1)(q-1)) = 1 (mod pq)
   
   (provided x is divisible neither by p nor by q, which
   possibility can safely be ignored).
   
   Next, the keymaker chooses an e and d with
   
   ed = 1 (mod (p-1)(q-1)),
   
   where e will be its public key and d its private key.
   Consequently, anything encrypted with d can be decrypted with e:
   
   (x^d)^e = x (mod pq).
   
   The keymaker disseminates the public key e to all users, together
   with the modulus pq, while it of course never reveals p, q, or
   the private key d.
   
   
     _________________________________________________________________
   
Blind Signatures

   Suppose a user wants the bank's signature on x, but does not want
   the bank to find out what x is. This can be achieved with a blind
   signature protocol, as follows:
   
    1. The user chooses a blinding factor r independently and uniformly
       at random, and she presents the bank with xr^e (mod pq), where
       x is the note number to be signed.
    2. The bank signs it: (xr^e)^d = rx^d (mod pq).
    3. The user divides out the blinding factor: (rx^d)/r = x^d
       (mod pq).
    4. And finally, the user stores x^d, the signed note that she
       will pay with later. Since r is random, the bank cannot
       determine x, and thus cannot connect the signing with the
       subsequent payment.
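
   The key setup from the Digital Signatures sidebar and the four blind
   signature steps above, as an added worked example (not DigiCash code).
   The primes, the exponent 65537 and all function names are assumptions
   chosen for illustration; the modulus is far smaller than the 150 digits
   the text calls for.

```python
import secrets
from math import gcd

# Constructed toy key: two Mersenne primes. Far too small for real use;
# the page calls for a modulus of at least 150 digits.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q                             # modulus pq, published with e
E = 65537                             # bank's public key e (assumed value)
D = pow(E, -1, (P - 1) * (Q - 1))     # private key d: ed = 1 mod (p-1)(q-1)

def blind(x, n=N, e=E):
    """Step 1 (user): pick random r, return (x * r^e mod n, r)."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:            # r must be invertible mod n for step 3
            return (x * pow(r, e, n)) % n, r

def bank_sign(m, n=N, d=D):
    """Step 2 (bank): sign what it is given; it only sees the blinded value."""
    return pow(m, d, n)

def unblind(signed_blinded, r, n=N):
    """Step 3 (user): divide out r, i.e. multiply by r^-1 mod n."""
    return (signed_blinded * pow(r, -1, n)) % n

def verify(x, sig, n=N, e=E):
    """Payee or bank: sig^e must decode back to the note number x."""
    return pow(sig, e, n) == x % n

def withdraw(x):
    """Run steps 1-4; return (value the bank saw, signed note x^d)."""
    blinded, r = blind(x)
    return blinded, unblind(bank_sign(blinded), r)

if __name__ == "__main__":
    note = secrets.randbelow(N - 2) + 2   # the user's random note number x
    seen_by_bank, signed_note = withdraw(note)
    print("bank saw    :", seen_by_bank)
    print("signed note :", signed_note)
    print("verifies    :", verify(note, signed_note))
```

   The unblinded result equals the signature the bank would have produced
   on x directly, although the bank only ever handled xr^e.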
       
   
     _________________________________________________________________
   
   For more information contact:
   
    info@digicash.nl
    tel +31 20 665 2611
    fax +31 20 668 5486
   
   
     _________________________________________________________________
