JPH0520344A - Electronic cash system - Google Patents

Abstract

PURPOSE:To prevent the wrong use and to permit transfer. CONSTITUTION:When a user 1 transfers electronic paper money, a node corresponding to the amount of money to be transferred in a hierarchical structure table corresponding to a minimum use unit of electronic paper money is determined, and the remainder power root of a value corresponding to this node and electronic paper money are sent to a user 2, and the user 2 verifies their validity to send question information to the user 1, and the user 1 obtains the remainder power root of the value of the pertinent node in the hierarchical structure table to generate a response text to this question and sends it to the user 2, and the user 2 confirms the validity of the response text from the user 1 to the question, and transfer of the amount of monmey with electronic paper money is recognized if it is correct.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a bank that issues electronic cash, a user who uses electronic cash, and a retail store that receives electronic cash from the user and makes payment with the bank. It is an electronic cash system that is configured using a communication system and realizes electronic cash.

[0002]

2. Description of the Related Art Electronic fund transfer using telecommunication systems is becoming popular. Generally, a certificate that can be exchanged for cash (such as bills and checks) is a symbolic function of the certificate (the person holding the certificate is entitled to the rights described in the certificate).
Is equipped with. When the certificate is handled in a telecommunication system, the certificate is digitized data, and it is possible to easily make a copy and redeem it multiple times. This problem also occurs when implementing electronic cash, such as prepaid cards. That is, by copying the prepaid card, it is possible to illegally redeem money or purchase the product multiple times. On the other hand, with a credit card, there is almost no risk of such double use, but instead, there is a drawback in that the entire usage history of the user is known to the card company (that is, privacy is guaranteed). Absent). As a solution to these problems, there is a method of ensuring privacy and detecting double use of the card by devising the exchange of data between the card reading device and the card at the time of cash conversion with a card having a calculation function. Proposed. For example, Chaum, Fiat, Naor:
"Untraceable Electric Cas
h ", Proc. of CRYPTO'88. However, in the method such as Chaum, electronic cash cannot be transferred to another user, and electronic cash issued once is divided and used (for example, (Use electronic cash of 10,000 yen many times until the total usage amount reaches 10,000 yen)
It is not possible. In addition, in the method such as Chaum, it is necessary to perform a considerable amount of communication and processing between the bank and the user at the time of issuing electronic cash each time.

[0003]

SUMMARY OF THE INVENTION An object of the present invention is to make electronic cash transferable to other users and to be issued once in an electronic cash system that guarantees privacy and prevents unauthorized use due to any collusion. Another object of the present invention is to provide an electronic cash system in which electronic cash can be divided and used up to a predetermined amount at the time of issuance and the processing procedure at the time of issuing electronic cash can be made efficient.

[0004]

According to the present invention, a user who newly opens an account in a bank uses a set of K (K) that is disturbed by random numbers from secret information (user information) including identification information of the user.
Is a whole number greater than or equal to 2) and the bank creates
Request the disclosure of L sets (L <K) of the blind information, and if the disclosed information is created correctly, create a blind signature for the remaining undisclosed set information and ask the user. Then, the user calculates the bank signature for the user information from the blind signature received from the bank, and the pair of the user information and the bank signature is used as a license,
When a user withdraws a certain amount of electronic cash (called an electronic bill) from a bank, the user generates authentication information from a secret random number and uses the authentication information and a license to withdraw the electronic bill. The blind information corresponding to the amount of is generated and transmitted to the bank, and the bank uses the blind information to
A blind signature corresponding to the withdrawal amount is created and transmitted to the user, and the user calculates the authentication information and the bank signature for the license from the blind signature received from the bank, and the user uses this authentication information and license. When a pair of a certificate and a bank signature corresponding to the withdrawal amount is used as an electronic banknote and the electronic banknote is used at a retail store, the user determines the amount of money within the usage balance of the corresponding electronic banknote and then A hierarchical structure table corresponding to the minimum unit of banknote usage is defined, a node corresponding to the amount of money used in the table is defined, electronic banknotes are presented, and the surplus power root of the value corresponding to the corresponding node is presented to the retail store. After confirming the legitimacy, the retailer sends the question information to the user, if correct, and the user
The response sentence corresponding to the question from the retail store is generated by finding the remainder square root of the value corresponding to the corresponding node in the hierarchical structure table and presented to the retail store. Check the validity of the response, and if it is correct, allow the payment of the applicable usage amount by electronic banknote, and at a later date, the retail store sends a mutual communication message between the user and the retail store to the bank for settlement, The bank checks the legitimacy of these mutual communication sentences, stores the information in the memory when it passes, and if the same electronic bill is illegally used, it will be stored in the memory of the user who used to generate the license. Calculate confidential information.

When the transfer source user transfers the electronic bill to the transfer destination user, after determining the transfer amount within the usage balance of the electronic bill, a hierarchical structure table corresponding to the minimum unit of use of the electronic bill is set. Furthermore, the node corresponding to the transfer amount in the table is determined, the transfer source user presents the electronic bill, and sends the surplus power root of the value corresponding to the transfer amount applicable node to the transfer destination user, The transferee user verifies its validity and sends question information to the transferee user, and the transferee user responds to the question from the transferee user with a corresponding response in the hierarchical structure table. It is generated by obtaining the modular exponentiation of the value corresponding to the node and presented to the transferee user. The transferee user receives the inquiry (question information) of the transferee user from the transferee user. response Check the validity of, acknowledge the transfer by the electronic bill of the corresponding amount of money if it is correct.

In order to detect unauthorized use in the above-mentioned usage form, it is not possible to use the modular exponentiation root by confirming the transfer source user and the transfer destination user, and by confirming the user and the retail store as described above. For example, it is to use an even power root modulo a composite number called Williams number. Here, the fact that two different types of even power roots can be used to perform prime factorization of a composite number that is a modulus is important. Play an important role. In other words, if the user makes an illegal use, I's secret information of the user is obtained through factorization of the modulus.
D is the trigger to reveal.

[0007]

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS FIG. 1A shows a system to which the present invention is applied. The bank 100, user 1 (400) and user 2 (50).
0) and the retail store 300 are connected via a communication line or the like. The processing procedure common to the users 1 and 2 is shown as the processing procedure of the user 200, as shown in FIG. 1B.

(1) Issuing process of usage permit First, a user who newly opened an account at a bank (user 1,
The case where the user 2) has the bank issue a usage permit will be described. The user is the identification information IDp of the user
K sets of blind information are created by randomizing from secret information (user information) including (user's account number, etc.), and the bank creates L sets (L <K) of the blind information.
If the disclosed information is created correctly, a blind signature is created for the remaining undisclosed (K-L) set of information, and the blind signature is sent to the user. The bank signature for the user information is calculated from the blind signature received from the user, and the pair of the user information and the bank signature is used as the license.

The bank uses, as information corresponding to the usage permit, a private key (dA,
nA) and public key (eA, nA) pair is created, and public key e
Make A and nA public. On the other hand, the user creates a pair of the secret key (dP, nP) and the public key (eP, nP) of the RSA encryption used in the digital signature, and publishes the pair (eP, nP) with the IDp. deep.

Even if the user issues a license from the bank
The procedure for leap is as follows. Example of communication between bank and user
As shown in FIG. Of user (200) usage permit issuance processing
The structure is shown in Fig. 3 and that of a bank is shown in Fig. 4. Less than
Then, i = 1, 2, ..., K. Step 1 The user uses the random number generator 201 to generate a random number.
a_i,r_iIs generated and input to the coupler 204 together with IDp
And its output IDp ‖a_iOne-way hash function calculator
205, and the output g (IDp / | a_i)
Private key for signature of user (dP_,nP) with RSA signer 2
06, enter (g (IDp ‖a_i)) ^dPfind mod nP
It

Step 2 The output of the signer 206 is ID _P
Input to the coupler 207 together with ‖a _i , S _i = ID _P ‖
a _i ‖ _{(g (ID P ‖a i)} ) determine the ^dP mod nP. Furthermore, S _i is input to the divider 208, and S _i = S _{1, i} ‖S
_Find S _{1, i} and S _{2, i such} that _{2, i} . Step 3 Using the prime number generator 202, P _i ≡3 (mo
Two prime numbers P satisfying d 8) and Q _i ≡ 7 (mod 8)
_i, Q _i is generated and its product N _i =
Find P _i Q _i .

Step 4 S _{1, i} and S _{2, i} are input to the modular exponentiators 209 and 211 together with N _i , and I _{1, i} = (S _{1, i} ) ² mod N _i and I ₂ , _i. = (S ₂ , _i )
² modN _i are calculated, and these are input to the coupler 210, and I _i
= I _{1, i} ‖I _{2, i} is calculated.

Step 5 N _i, I _i is input to the concatenator 212, and its output I _i ‖N _i is input to the one-way hash function calculator 213 to obtain g (I _i ‖N _i ). On the other hand, r _i
Is input to the RSA encryptor 215 together with the public key (eA, nA) of the bank to obtain (r _i ) ^eA mod nA. Next, those outputs are input to the residue multiplier 214, and the blind information W _i =
(R _i ) ^eA g (I _i ‖N _i ) modnA is obtained, and W _i (i
, 1, 2, ..., K) to the bank.

Step 6 Next, the bank asks the user to set K / 2 pairs of a _i, P _i, Q _i (g (IDp ‖
a _i )) Disclose ^dP mod np, IDp, r _i to confirm that the user is performing steps 1 to 5 correctly. Therefore, the bank 100 randomly selects K / 2 from 1 to K and sends it to the user as a disclosure request (here, in order to simplify the notation,
It is assumed that K / 2 + 1, K / 2 + 2, ..., K are designated as disclosed). It may be a part of K instead of K / 2, but if it is K / 2, the processing efficiency is good.

Step 7 Upon receiving the disclosure request from the bank, the user 200 receives K / 2 pairs of a _i, P specified by the bank.
_i, Q _i, (g (IDp / | a _i )) ^dP mod np, IDp, r
Disclose _i . The bank performs the following steps when i is subject to disclosure. Step 8 From a _i, IDp received from the user 200
(g (IDp ‖ a _i )) ^dP mod The validity of the signature of nP is verified by _ai and I in the concatenator 104 using the public key (eP _, nP) of the user.
Dp is concatenated and the one-way hash function calculator 105 is connected to it.
On the other hand, (g (IDp ‖ a _i ) ^dP mod nP and nP, eP
Are input to the RSA encryptor 107 to be encrypted, and the result and the output of the arithmetic unit 105 are verified by the comparator 111. Here, if the verification is not passed, the processing is interrupted.

Step 9 a received from the user 200
_i, P _i, Q _i, (g (IDp ‖ a _i ) ^dP mod nP IDp is used to obtain N _i = P _i, Q _i using the multiplier 103, and the concatenator 108 calculates a _i and IDp. Concatenate into S _i ,
Dividing the S _i in the divider 109, respectively calculated N _i and the remainder should be the modulo exponentiation arithmetic unit 110 obtains the I _i by concatenating the result by coupler 111.

The I _i, N _i calculated in step 10 are concatenated by the concatenator 113 and further supplied to the one-way hash function calculator 114, and the received r _i and public keys eA _, nA are RSA.
It is supplied to the encryptor 117, and the output thereof and the output of the arithmetic unit 114 are supplied to the residue multiplier 115, and W ′ _i = (r _i ) ^eA g
Compute (I _i ‖N _i ) mod nA. Step 11 The value of W _{i and} the value of W ′ _i received before are compared by the comparator 116. If they match, the result is passed, and if not, the process is interrupted. The bank performs the above inspection for all K / 2 i's, and if any of the inspections fails, the bank stops further processing. If all inspections pass, the bank is not subject to disclosure i = 1, ..., K / 2
For this, a blind signature is made in the following procedure.

Step 12 Modulus multiplier 118 and RSA
Using the signature generator 119, the bank signature private key (nA,
dA) and W_iAnd from W = (Π W_i)^dAfind mod nA,
Create a blind blind signature and send this W to the user
It Step 13 When the user receives W from the bank,
_iAnd the public key (eA, nA), the remainder multiplier 216, the remainder division
Using the calculator 217, the usage permit B = W / (Πr _i) Mod
nA = (Π g (I_i‖N_i)^dAmod nA. To calculate. Π is
i = 1 to K / 2.

(2) Electronic Cash Issuing Process Next, a procedure for a user to issue an electronic bill from a bank will be described. First, the bank uses the private key (dA'n) used in the RSA digital signature as information corresponding to the amount of the electronic bill.
A pair of A ') and public key (eA'nA') is created, and (e
A'nA ') is disclosed with the amount. Here, an example of communication between the bank and the user is shown in FIG. 6A and 6B show the configuration of each electronic bill issuing process of the user 200 and the bank 100.
Are shown respectively. In the following, i = 1, 2, ..., K / 2.

Step 1 Random numbers b and r generated using the random number generator 201, the usage certificate B, and the public key (eA ', nA') of the bank corresponding to the issued amount of the electronic banknote, r and eA '.
nA ′ is supplied to the RSA encryptor 215 to generate authentication information, and from this and h and B, Z = r ^eA using the concatenator 204, the one-way hash function calculator 205, and the remainder multiplier 214. By calculating'g (B | b) mod nA ', blind information corresponding to the amount of the electronic bill to be withdrawn is obtained.

Step 2 This Z is sent to the bank together with the amount information of the electronic bill. Step 3 The bank receiving Z sends the RSA signature generator 1 the Z and the private key (dA′nA ′) corresponding to the amount of the electronic bill.
Input in 19 to obtain Z '= ZdA'mod nA', that is, create a blind signature corresponding to the withdrawal amount and send it to the user. At the same time, either withdraw the applicable amount from the user's account or receive the applicable amount from the user.

Step 4 The user who receives Z'from the bank receives the random number r, the information Z'received from the bank and the public key n.
'Input to modular division 217, authentication information, and use the signature C = Z banks for license' A Request / rmod nA '= (g ( B‖b) dA' mod nA '. Here, C is It corresponds to an electronic banknote.

(3) Payment of electronic cash Next, a case where the user pays at a retail store using electronic bills will be described. In addition, when transferring electronic cash to other users, we will explain later how to use the transferred electronic cash to pay at retail stores.Here, we used the original electronic banknote issued by the bank. Describe the payment method. First, a hierarchical structure table is defined in correspondence with the amount of electronic bill and the minimum unit of use (for example, a unit of 10 yen). For example, FIG. 7A shows a hierarchical structure table in the case of using a 100-yen bill in 25-yen units. Here, for example, when using 75 yen, node 00
And the node 010 becomes the corresponding node. This applicable node is defined by the following rules.

1. The sum of the applicable amounts of child nodes immediately below a certain node is the applicable amount of the node. 2. Once a node has been used once, all parent (ancestor) and child (descendant) nodes linked to it should not be used. 3. Each node may not be used more than once.

According to this rule, in the above example, only the node 011 (25 yen) can be used after the node 00 and the node 010 are used. In other words, by following the rules above, the total amount of money that can be used will be 100 yen at face value, and any amount of money can be used in 25 yen units. In this hierarchical structure table, if the denomination amount of the electronic bill is increased and the usage unit amount of money is further reduced, the number of layers increases. For example, in the case of electronic banknotes whose face value is 1 million yen and can be used in units of 1 yen,
The hierarchy is about 20 (log ₂ 100,000).
0≈20).

Next, an example of communication between the user and the retail store is shown in FIG.
Shown in. 9 and 10 show the processing configurations of the electronic cash use procedure of the retail store 300 and the user 200, respectively. In many cases, there are multiple corresponding nodes in the hierarchical structure table corresponding to the usage amount, but the processing corresponding to each node is basically performed by the same algorithm, and the processing of each node can be performed in parallel. In the following, only the process for one node will be described. This corresponding node is node j
Let ₁ j ₂ ... J _t (j _l ε {0, 1}) (FIG. 7B).
In the following, i = 1, 2, ..., K / 2.

The meanings of the symbols used in the following procedure are summarized here.

[0028]

[Equation 1] In the above, (/) means the Jacobian symbol. An efficient calculation method for the Jacobi symbol is, for example, "Departure to Number Theory (Special Issue in Mathematics Seminar)" by Fujisaki, Morita, and Yamamoto.
(Nippon Hyoronsha), page 166. Step 1 The user 200 first obtains Γ _{i, 0} from C, N _i using the random function Γ calculator 220.

[0029]

[Equation 2] Next, the nodes j ₁ ... J _t and N _i corresponding to C and the usage amount are
_Is input to the random function Ω calculator 221 and Ω _{i, j1 ... jl}
(L = 1, ..., T) is generated.

[0030]

[Equation 3] Furthermore, Γ _{i, 0} , Ω _{i, j1 ... jl} (l = 1, ..., t), N
_{From i} , the remainder exponentiation unit 222, the remainder multiplication unit 223, and the remainder exponentiation unit 224 are used to obtain the remainder exponentiation root X _{i, j1 ... jt} of the value corresponding to the node corresponding to the usage amount. Here, N _i is the Williams number.

[0031]

[Equation 4] Step 2 The user 200 uses (I _i , N _i , X
_{i, j1 ... jt} ) (i = 1, ..., K / 2) and (B, C) are sent to the retail store 300. Step 3 The retail store 300 uses the concatenator 304, the one-way hash function calculator 305, the remainder multiplier 309, the RSA encryptor 310, and the comparator 311 to open the public key (eA, nA).
The validity of the signature for I _i ‖N _i of B by (i.e., B ^eA = (whether _{Πg (I i ‖N i))} mod nA is established, from i = 1 to K / 2 [pi) , The public key (eA ′, nA ′) using the concatenator 312, the one-way hash function calculator 313, the RSA encryptor 314, and the comparator 315.
To verify the authenticity of C's signature on B ‖ b (that is, C
^{eA '} = (g (B | b)) mod nA' is checked. If this inspection fails, the subsequent processing is stopped.

Step 4 The retail store 300 uses the Jacobi symbol calculator 316 and the comparator 317 to determine X _{i, j1 ... jt.}
Verify that satisfies the following relation. If this inspection fails, the subsequent processing is stopped. (X _{i, j1 ... jt} / N _i ) = − 1, then using C, N _i , the random function Γ calculator 324,

[0033]

[Equation 5] Ask for. Further, C, j _{1 ...} j _t , N _i are input to the random function Ω calculator 321 and Ω _{i, j1 ... jl} (l = 1, ...,
generate t).

[0034]

[Equation 6] further,

[0035]

[Equation 7] Using the modular exponentiation calculator 322, the modular multiplier 323, the modular divider 319, and the comparator 320, it is verified whether X _{i, j1 ... jt} satisfy the following relationship. If this inspection fails, the subsequent processing is stopped.

[0036]

[Equation 8] Here, d _i is one of ± 1 and ± 2. Step 5 The retail store sends the value E _i ε {0,1} (i = 1, ..., K / 2) extracted from the random number generator 301 to the user as question information. Step 6 The user uses the random function Λ calculator 225 to calculate Λ _{i, j1 ... jt} from C, j _{1 ...} j _t , N _i .

[0037]

[Equation 9] Next, using the remainder square root calculator 226, Λ _{i, j1 ... jt}
And E _i , Y _{i, j1 ... jt} is calculated.

[0038]

[Equation 10] The user sends Y _{i, j1 ... jt} to the retail store. Step 7 The retail shop uses the Jacobian symbol calculator 325 and the comparator 326 to verify whether Y _{i, j1 ... jt} satisfy the following relationship. If this inspection fails, the subsequent processing is stopped.

[0039] _{(Y i, j1 ... jt /} N i) = (- 1) Ei _{Then, C, j 1 ... j t} , random function N _i lambda calculator 3
28, and the output and Y _{i, j1 ... jt} , N _i
On the other hand, the remainder exponentiation calculator 327, the remainder divider 329,
The comparator 330 is used to verify whether the following relationship is satisfied.

[0040]

[Equation 11] Here, d' _i is one of ± 1 and ± 2.
If this inspection is passed, the retail store considers the payment of the amount corresponding to the nodes j ₁ ... J _t of the electronic bill to be valid and receives it. (4) Transfer of electronic cash First, as described above, a hierarchical structure table is determined corresponding to the amount of electronic banknotes and the minimum unit of use thereof, and the node in the hierarchical structure table corresponding to the transfer amount is set. Establish.

Next, the case where the user 1 transfers the electronic cash to the user 2 will be described. An example of communication between the user 1 and the user 2 is shown in FIG. In the following, variables marked with “′” relate to the user 1 and variables marked with “″” relate to the user 2. Also, the meanings of variables shall follow the meanings defined so far, unless otherwise specified. Step 1 The transfer amount applicable node is node j ₁ j ₂ ... j
Let _t (j ₁ ε {0,1}) (FIG. 7B). User 1 (4
00) is a user of the electronic cash payment processing described in section (3), user 2 (500) is a retail store in section (3), and user 1 (400) is user 2 (500). ) to run in accordance with the payment procedure of the node j ₁ j ₂ ... the process to transfer an amount equivalent to the value of the j _t (3) clause. In many cases, there are a plurality of corresponding nodes in the hierarchical structure table corresponding to the transfer amount, but as shown in section (3), the processing corresponding to each node is basically performed by the same algorithm, The processing of each node can be performed in parallel.

Step 2 User 1 (400) creates a transfer certificate T as shown below and uses it for User 2 (500).
Pass to. T = (<g (C ‖j ₁ j ₂ ... j _t # ... # j ' ₁ j' ₂ ... j ' _t ′ ‖B ″)> _QR ) ^1/2 modN ₁ ′ where j ₁ j ₂ … j _t # ... #j ′ ₁ j ′ ₂ ... j ′ _t ′ represent all the nodes corresponding to the transfer amount.

Step 3 After confirming the validity of T, the user 2 (500) holds the history H'of the procedure (steps 1 and 2) as the transferred electronic cash. (5) Payment by Transferred Electronic Cash Next, a procedure in which the user 2 (500) uses the transferred electronic cash to make a payment at the retail store (300) will be described.

First, as described above, a hierarchical structure table is determined corresponding to the amount of electronic bill and the minimum unit of use, and further, among the nodes in the hierarchical structure table corresponding to the transferred electronic cash. Then, the node (amount of money) used for payment is determined. User 2 (500) and retail store (30
Fig. 12 shows an example of communication during 0). Step 1 User 2 (500) first sends the transferred electronic cash H'to the retail store (300). It also notifies the retailer of the payment amount and the corresponding node.

Step 2 At the retail store (300), H '
Verify the legitimacy of. The retail store (300) also verifies that the node corresponding to the payment is included in the corresponding node of the electronic cash transferred. If these verifications are not passed, the processing is stopped. Step 3 The user 2 (500) performs payment processing of the corresponding node according to the procedure of the above section (3).
In executing the procedure in section (3), C uses the transferred C, and N _i and B are the user 2 (500).
, N _i ″ and B ″.

(6) Settlement Finally, the settlement method between the retail store and the bank will be described. The retail store (300) submits the communication history H with the user (200) when using electronic cash to the bank, and receives the payment of the corresponding amount from the bank. The bank checks the legitimacy of H, and if it passes the check, remembers H and pays the relevant amount to the account of the retail store. When the bank finds an unauthorized use of electronic cash, it takes out H and determines the ID of the illicit person from the information.

[0047]

As in the method of Chaum et al., The present invention is characterized by being able to guarantee the privacy of the user and detect illegal use. Furthermore, the present invention enables transfer of electronic banknotes between users, which is not possible with the conventional method of Chaum et al. That is,
User 1 who has been issued an electronic banknote by a bank is another user 2
The electronic bill can be transferred to. Here, if the user 1 makes an unauthorized use such as transferring used electronic cash to the user 2 or transferring the same electronic cash to a plurality of users, the same electronic cash is used twice. The confidential information of the user 1 is exposed as in the case of.

[Brief description of drawings]

FIG. 1 is a block diagram showing an example of a system to which the present invention is applied.

FIG. 2 is a diagram showing an example of communication in a license issuance procedure.

FIG. 3 is a block diagram showing a configuration of a user's license issuance process.

FIG. 4 is a block diagram showing a configuration of a license issuing process in a bank.

FIG. 5 is a diagram showing an example of communication in an electronic bill issuing procedure.

6A and 6B are block diagrams showing respective configurations on the user side and the bank side in the electronic bill issuing process.

FIG. 7 is a diagram showing a hierarchical configuration table of electronic cash.

FIG. 8 is a diagram showing an example of communication in a procedure of using electronic cash.

FIG. 9 is a block diagram showing a configuration of electronic cash use processing by a user.

FIG. 10 is a block diagram showing a configuration of electronic cash use processing in a retail store.

FIG. 11 is a diagram showing an example of communication for transfer of electronic cash.

FIG. 12 is a diagram showing an example of communication for payment by electronic cash transferred.

Claims (3)

[Claims] 1. An electronic cash system comprising an institution that issues electronic cash (called a bank), a user 1 who transfers electronic cash, and a user 2 who transfers electronic cash. Open The above users 1 and 2 each create blind information of K sets (K is an integer of 2 or more) perturbed by random numbers from secret information (user information) including identification information of the user, and the bank Requesting disclosure of L sets (L <K) of the blind information, and if the disclosed information is created correctly, create and use a blind signature for the remaining undisclosed K-L set of information. The user calculates the bank signature for the user information from the blind signature received from the bank, receives the pair of the user information and the bank signature as a license, and the user 1 , Authentication information from secret random numbers Generated,
From the authentication information and the usage permit of the user 1,
Blind information corresponding to the amount of electronic cash to be withdrawn (called electronic bill) is generated and transmitted to the bank, and the bank creates a blind signature corresponding to the withdrawal amount from the blind information and transmits it to the user 1. , The user 1 calculates the bank signature for the authentication information and the license of the user 1 from the blind signature received from the bank, and the bank signature corresponding to the authentication information and license and the withdrawal amount. When the user 1 transfers the electronic banknote to the user 2, after the pair is set to an electronic banknote, the transfer amount within the usage balance of the corresponding electronic banknote is determined, and then the minimum usage unit of the electronic banknote is handled. The hierarchical structure table is defined, and the node corresponding to the transfer amount in the table is defined. The user 1 presents the electronic bill and displays the value corresponding to the transfer amount corresponding node. The surplus exponentiation root is sent to the user 2, the user 2 verifies its validity, and sends question information to the user 1, and the user 1 responds to the question from the user 2. Is generated by obtaining a modular exponentiation root of the value corresponding to the corresponding node in the hierarchical structure table and presented to the user 2,
Is an electronic cash system characterized by confirming the legitimacy of the response sentence of the user 1 in response to the inquiry of the user 2 and, if it is correct, permitting the transfer of electronic money of the corresponding amount. 2. An institution that issues electronic cash (referred to as a bank), a user who transfers electronic cash 1, a user to whom electronic cash is transferred 2, an institution that receives electronic cash from users 2 (a retail store and According to the invention of claim 1, the user 2 transfers electronic cash from the user 1, and the user 2 uses the transferred electronic banknote in a retail store. In this case, after determining the usage amount within the transfer amount, the node corresponding to the usage amount in the nodes of the hierarchical structure table corresponding to the transferred electronic bill is defined, and the user 2
While presenting the transferred electronic banknote, the surplus power root of the value corresponding to the relevant node is sent to the retail store, and the retail store verifies its validity and sends the question information to the user 2.
User 2 generates a response sentence by presenting the response sentence corresponding to the question from the retail store to the retail store by obtaining the modular exponentiation root of the value corresponding to the corresponding node in the hierarchical structure table,
The retail store confirms the validity of the response sentence of the user 2 to the inquiry of the retail store, and if it is correct, the payment by the electronic bill of the applicable usage amount is accepted, and the electronic cash system. 3. An institution that issues electronic cash (referred to as a bank), a user who transfers electronic cash 1, a user to whom electronic cash is transferred 2, and a bank that receives electronic cash from user 2 According to the invention of claim 1, the user 2 is assigned electronic cash by the user 1, and the user 2 of claim 2 According to the invention,
The transferred electronic cash is paid to the retail store, and at a later date, the retail store sends a mutual correspondence between the user 2 and the retail store to the bank for settlement, and the bank verifies the mutual correspondence. If the electronic bill is illicitly used, the confidential information of the user used when generating the license can be calculated. Cash method.