WORLD INTELLECTUAL PROPERTY ORGANIZATION
International Bureau

INTERNATIONAL APPLICATION PUBLISHED UNDER THE PATENT COOPERATION TREATY (PCT)

(51) International Patent Classification 5: G07F 7/10
(11) International Publication Number: WO 91/16691 A1
(43) International Publication Date: 31 October 1991 (31.10.91)
(21) International Application Number: PCT/GB91/00566
(22) International Filing Date: 10 April 1991 (10.04.91)
(30) Priority data: 90083627, 12 April 1990 (12.04.90), GB
(71) Applicant (for all designated States except US): JONHIG LIMITED [GB/GB]; 20 Old Broad Street, London EC2 (GB).
(72) Inventors; and
(75) Inventors/Applicants (for US only): JONES, Timothy, Lloyd [GB/GB]; 81 Wilbury Crescent, Hove, East Sussex BN3 6FH (GB). HIGGINS, Graham, Robert, Leslie [GB/GB]; Flat 3, Abbeydale House, Bathampton Lane, Bathampton, Bath, Avon BA2 68] (GB).
(74) Agent: SMITH, Martin, Stanley; Stevens, Hewlett & Perkins, 5 Quality Court, Chancery Lane, London WC2A 1HZ (GB).
(81) Designated States: AT, AT (European patent), AU, BB, BE (European patent), BF (OAPI patent), BG, BJ (OAPI patent), BR, CA, CF (OAPI patent), CG (OAPI patent), CH, CH (European patent), CM (OAPI patent), DE, DE (European patent), DK, DK (European patent), ES, ES (European patent), FI, FR (European patent), GA (OAPI patent), GB, GB (European patent), GR (European patent), HU, IT (European patent), JP, KP, KR, LK, LU, LU (European patent), MC, MG, ML (OAPI patent), MR (OAPI patent), MW, NL, NL (European patent), NO, PL, RO, SD, SE, SE (European patent), SN (OAPI patent), SU, TD (OAPI patent), TG (OAPI patent), US.

Published
With international search report.
Before the expiration of the time limit for amending the claims and to be republished in the event of the receipt of amendments.
`
(54) Title: VALUE TRANSFER SYSTEM

(57) Abstract

A value transfer system which allows value to be transferred between electronic purses comprises a computer which controls the loading of purses with value and the redemption of value from purses, a special bulk purse or purses and a value meter securely linked thereto which registers the total net value issued to the bulk purse or purses. Draw-down of value and redemption of value transactions are effected with the bulk purses.
`
GROUPON - EXHIBIT 1004
`
VALUE TRANSFER SYSTEM

The invention relates to a value transfer system for cashless transactions. Several kinds of cashless financial transaction services are available. These include credit cards and debit cards which customers may use with a wide range of retailers. Each transaction is accompanied by the provision of customer account details required for the actual transfer of funds between the specific customers and the specific retailers.

Another form of cashless card system is the pre-payment card system, where a card is purchased prior to a series of transactions and a value record recorded on it is appropriately decremented on each transaction. A 'phone card is an example of a pre-payment card.
`
Such prior systems are inflexible and are no general substitute for cash in low value high volume transactions. Various proposals have been put forward to allow the interchange of money values between "electronic purses". For example, United States Patent No 4839504 (Casio Computer Co Ltd) discloses a system where a user is able to load money value on to an integrated circuit (IC) card, otherwise known as a smart card, by communication with his bank. At the bank the same value is applied to a separate IC account set up for the user. Purchases are able to be made by transfer of money values from the IC card to retailer equipment off-line from the bank. Each transaction requires transmission to the retailer and retention by him of details which include the purchaser's identity. Ultimately, in claiming funds from the bank the retailer presents a list of transaction details and there is account reconciliation to allow the IC account of the appropriate purchaser to be adjusted.
`
Procedures which, as above, require ultimate account reconciliation for every transaction are attended by two disadvantages. The first is practical. The storing, transmitting and reconciling of purchaser details for every transaction places an impossible burden on equipment if all cash type transactions are contemplated. Processing all such transactions efficiently in an acceptable time is not possible, even with the most modern equipment. The second objection is social. The anonymity of cash would be lost and potential would exist for details of personal spending habits to be derived.
`
The second of the above objections has been addressed by Chaum in "Controlling your Information with a Card Computer" ("Concepts Applications Activities" published by TeleTrust March 1989). Chaum proposes a system of "blind signatures" of money value items effected by an authorising entity such as a bank. This is a way of preventing ready identification of purchasers. However, a problem remains in that double payment by a purchaser must be detectable and Chaum meets this difficulty by including, in the data transferred in an off-line transaction, encrypted information concerning the purchaser. This information is relayed to the bank when the retailer claims credit and is used at the bank to detect double use of the same "electronic cash". Also, each signed item is recorded at the bank to make possible ultimate reconciliation of claims against these items, albeit without customer identification. The problems of storage, transmission and processing of individual transaction information remain. Additionally, Chaum introduces another difficulty. His system requires that each item of signed "electronic cash" should be treated as a unit and is incapable of division. Again this means that the system is inappropriate for small value high volume transactions.
`
The present invention seeks to provide a practical solution to the problem of providing a framework suitable for cashless small value high volume transactions.
`
According to the invention there is provided a value transfer system having a computer; a plurality of electronic purses; exchange devices whereby purses may communicate with each other to transfer value in transactions which are off-line from the computer; draw-down means for loading purses with value under control of the computer; redemption means for redeeming value from purses under control of the computer; a value meter; one or more of said purses being bulk purses which are capable of having value loaded and redeemed via the value meter, the value meter recording one or more float value records whereby the net value released to the bulk purse or purses may be derived, the net value being the difference between the total of values drawn down to the bulk purse or purses and the total of values redeemed from the bulk purse or purses, the float value record being non-specific with regard to individual draw-downs and redemptions.

The value meter may have an interface whereby the float value record may be adjusted on command so as to create or destroy value within the bulk purse or purses.
`
Preferably there is provided, in each purse, storage means which stores a purse value record which is accumulative and, in each purse or associated exchange device, a microprocessor, transactions being conducted between purse pairs, one of which, the sending purse, sends value and the other of which, the receiving purse, receives value, the microprocessors being programmed so that in each off-line transaction the purse value record in the sending purse is decreased by a chosen and variable transaction value and the purse value record in the receiving purse is increased by the same transaction value. By providing a float value record which is non-specific anonymity is ensured and reconciliation with customer accounts for all subsequent purse to purse transactions is unnecessary.
`
The above combination of features allows transactions to be effected and entirely completed without subsequent recourse or reference to any third party, and in particular without reference to the computer. The advantages in terms of anonymity and computer processing time are clear. A retailer, for example, may make claims to redeem value from time to time, the nature and identity of all the off-line transactions which contribute to the retailer purse value record playing no part in the claim.

Preferably the purses have means whereby a transaction between a pair of purses is given a unique identifier and the microprocessors are programmed to respond to the identifiers to prevent a given transaction being repeated. No reference is then required to the computer to determine whether the same "electronic cash" is being used twice. In claiming to redeem value the computer is accessed and it will be possible to determine whether the same claim is being made twice, either directly or, since a claim may be simply another transaction, by means of a transaction identifier. The transaction identifier is preferably sent from the transmitting purse to the receiving purse, being conveniently derived from data identifying the receiving purse and a receiving purse transaction sequence number or electronic date/time stamp obtained from the receiving purse in a preliminary "hand-shaking" operation. In this way the receiving purse can monitor the transaction and any attempt to transmit the same value record twice will be foiled.
`
Security of the system demands that cryptographic techniques be employed to prevent fraud. The most effective cryptographic techniques are asymmetrical in that they require different keys to encrypt and decrypt information. One well-known and suitable cryptographic technique is that attributed to Rivest, Shamir and Adleman, known as the RSA system. It is envisaged that both purses of a communicating pair may employ the RSA system equally in a balanced way for algorithmic processing. However, whereas RSA encryption is straight-forward, relatively powerful computing facilities are required to execute RSA decryption conventionally in a short time. In order to overcome this difficulty, in the interests of economy and speed, it is proposed in accordance with a feature of the invention that an unbalanced system be used in which the processing capability required by consumer purses is significantly less than that required by retailer purses.
`
Each user of an asymmetrical key cryptographic system has a key pair, namely a public key and a secret key. Messages to another are encrypted using the other's (remote) public key which is made available, perhaps by a key exchange procedure. Received messages are decrypted using the local secret key. Use of a public key is far less demanding of computing power than use of a secret key so that conventionally encryption requires less computing overhead than decryption. Therefore, in implementing an unbalanced system of the kind described it is expedient to remove the requirement that the consumer purse performs conventional RSA decryption.
`
A first way of reducing the cryptographic burden in the consumer purse is to provide it with a simpler, symmetrical, cryptographic system. Such a system uses the same key for encryption and decryption. An example is the DES cryptographic system (Data Encryption Standard - US FIPS 46, 1976). Retailer purses retain the full power of the RSA system.

A second method is to use the consumer purse's own public key / secret key system for the interchange of data. In an exchange of keys the consumer purse sends its secret key to the retailer purse. In the transmission of data to the retailer purse the consumer purse would encrypt using its own public key and the retailer purse would decrypt using the consumer purse's secret key.
`
Security can be enhanced by using electronically certified data, for example digitally signed data, in the transaction process. Each purse on issue will be allocated a characteristic number and will have that
global cryptographic system. The result will be a global signing of the number and this is stored in the purse. All purses will carry the public key of the global pair so that on receipt of another's globally signed number it will be possible to verify that it is valid. The numbers can be regarded as globally certified. Since transactions will require the exchange of encryption keys it is convenient, although not necessary, to arrange that the globally certified numbers are the encryption keys to be exchanged.
`
The electronic purses may take a number of physical forms. They will include computer processing facilities which may be incorporated in IC or "smart" cards, key fobs, wallets or the like or built into electronic equipment such as point-of-sale equipment or calculators, for example.

Communication with the computer will generally be established by telephone and purses may be incorporated in telephones or modems, since it is possible that desired transactions may be conducted entirely by telephone. However, a more generally convenient arrangement is to have a portable purse such as an IC card which is loaded via modem connection either by a device specific to the individual or by automatic teller machine, for example.

Purses may communicate with each other for the transfer of values by means of communication devices. These may have slots for two purses or may each hold a purse and communicate with each other by infra-red light or electromagnetic radiation, for example.
`
Reference was made above to the difficulty of providing fast asymmetrical cryptographic facilities in very small and inexpensive devices such as IC cards. Clearly, it is more readily possible to provide such facilities in a communication device or in a modem. Therefore, even though consumer purses may lack full computing power themselves, this may be provided by communication devices which have access to the consumer purse memories and public keys. Thus, while it is readily possible to exchange value records person to person if all purses have full asymmetrical cryptographic facilities this is also possible if the purses are simple and intelligent communication devices are used.
`
At least the retailers' equipment will generally have the capability to store transaction information. This may be in memory or on disk or on another card or by some other means. Indeed, the equipment may
the consumer's IC card to a retailer's IC card. The storage capacity of the retailers' equipment need not be large since it is only an accumulated total which needs to be stored. However, it is envisaged that in addition to the transaction values, other information, for example about the identity of the consumer and/or retailer may be exchanged to allow a transaction print-out to be derived locally for analysis purposes. Codes for the goods may be included.

As well as the usual point-of-sale terminals either attended or unattended, the retailers' equipment may include automatic vending machines, travel ticket dispensers, car parking machines, road toll booths, etc. Although security to use a purse may be provided by the requirement to key a PIN code, this is not essential and a preferred arrangement dispenses with this requirement to facilitate use. However, it is envisaged that each purse may have a PIN protected memory and an unprotected memory, the system being such that by use of a terminal or pocket exchange device, value records may be transferred by use of the PIN code from the protected to the unprotected part of the purse.

As mentioned above, individuals may carry their own pocket exchange devices to allow interchanges of transaction values person to person. Refunds may be given or cheques "cashed" by retailers in an equivalent manner.
`
Value records may be loaded on to the purses in selected currencies for use in appropriate countries.

While it is possible that the system of the present invention could be run by a single financial institution it is envisaged that various financial institutions of a federal, national or international nature would have their own computers with value meters and float value records, the totality of the float value records representing the total value in circulation (in all purses), the funds represented thereby being apportioned between the participating institutions as agreed on the basis of their respective regulated float files.
`
The invention will further be described with reference to the accompanying drawings, of which:

Figure 1 is a schematic drawing of a banking computer system in accordance with the invention;

Figure 2 is a diagram illustrating the value meter;

Figure 3 is a diagram illustrating an example of a value transaction procedure using a full RSA cryptographic system;

Figure 4 is a diagram illustrating an example of a value transaction procedure using a secret key transmission technique;

Figure 5 is a diagram illustrating an example of a value transaction procedure using a mixed RSA/DES cryptographic system;

Figures 6 and 7 depict one possible embodiment of typical devices of the invention.
`
Referring to Figure 1 there are shown three clearing banks 1, 2 and 3 with respective computers 1a, 2a and 3a. The computers have files containing account details of the banks' consumer and retailer customers. Each computer also has a value meter 1b, 2b, 3b which shows a float value record. The actual funds represented by the non-specific float value records may reside in one or more of banks 1, 2 or 3, or elsewhere.

Each bank has a bulk purse 1c, 2c, 3c which is connected to the respective value meter and which has a memory with a purse value record. Terminals 5 are
cards 6. These cards have microprocessors and memories. In the memory of each card is stored a purse value record 7. The cards have contacts 8, whereby the cards can interact with terminals 5 via card readers 9. By making appropriate requests at the keyboard of the terminal, a consumer may be connected to the computer of his bank, 1, 2 or 3 and may request a value record to be loaded to his purse. If the bank authorises the request, the bulk purse is instructed to institute a draw-down of value to load purse value record 7 with the value requested. The card is now ready for use.
`
Further electronic purses are contained in terminals 10, 11 which are equipped with IC card readers 9, located at different points-of-sale. To use his card the consumer presents it to the retailer where it is inserted into reader 9. The required value of the transaction is keyed in and by agreement the total held in the purse value record of the purse 6 is reduced by the amount of the transaction. The
use the card up to the total held in the purse value record of his purse in other retailers' equipment.

Periodically a retailer may redeem value represented by the purse value record held in the purse of his terminal 10 or 11, irrespective of the consumers' identities and without presenting any details of the individual transactions that have given rise to the total accumulated value. This may be done by connecting the terminal 10 or 11 to the retailer's bank 1, 2 or 3 as appropriate and requesting a redemption of value. The bank's computer then instructs a redemption transaction which accepts value from the terminal purse. The bank computer credits the retailer's account with funds. The value meters form the basis for allowing control of the total amount of value in circulation in all the purses and for apportioning, on an agreed basis, funds representing the total value.
`
The bulk purses 1c, 2c, 3c differ from the other purses in being capable of having value loaded and redeemed via the value meter, as well as by purse to purse transactions. In all other respects the purses are technically similar, it being understood in particular that the cryptographic techniques used for bulk purse to other purse transactions (on-line) are the same as for off-line transactions. Figure 2 shows the value meter as including an indicator 12 which shows a float value record. This is, in this case, the net value released to the bulk purse 1c, being the difference between the total of values drawn down via the meter and the total of values redeemed via the meter. It will be appreciated that the individual gross draw-down and redeemed values may be indicated as well as or instead of the net value, it being readily possible to derive the net value from the gross values, even if not directly indicated. The link 13 between the value meter and that of each of its bulk purses is secure. The purse may be physically adjacent to the value meter and security ensured by physical locks etc. Alternatively, the bulk purse may be remote from the value meter and security is achieved by cryptographic techniques. It is important to ensure that the value meter always accurately represents the value released to the bulk purse and no fraudulent alteration can take place. Each value meter has an interface 14 which may be a link to the bank computing facility or a keyboard unit. Authorised personnel may enter values to be added to or subtracted from the float value record, representing a creation or destruction of value to be circulated. Thus, value to be circulated may be adjusted in bulk, perhaps daily, instead of on demand in response to individual draw-downs and claims.
`
Using the float value record in this way allows off-line interchange of value, given suitable terminals, between consumers and retailers, retailers and consumers and consumers and consumers, without the need to maintain large numbers of accounts or detailed account to account reconciliations.

Consumers themselves may adjust the purse value records in their purses by person to person interchange or by refunds etc from retailers. It is
the float value record in a similar manner as retailers' claims.
`
Purses may be used on an international basis by loading different currencies in them. It is envisaged that each country or group of countries will hold a float value record in the appropriate currency. Application by a consumer to load his purse with a foreign currency may result in his domestic account being debited by the appropriate amount in his own currency and the respective foreign currency float value record being increased.

A purse value record held in a purse may be converted to a different currency on request, the conversion being effected at the appropriate rate and resulting in a transfer of value from the float value record of one currency to that of another currency and a corresponding conversion of funds between the currencies.
`
Figure 3 shows the procedure during an off-line transaction in a first embodiment of the invention. Both purses have full RSA asymmetrical cryptographic capability. The sending purse has a store SS which holds an accumulative value record Svr and the following RSA keys: sender public and secret keys Pks and Sks and global public key Pkg. In addition there is a certified data message [Pks]*Skg. This is the sender purse's unique public key signed by the master computer with its global secret key Skg. The public key Pks is thus electronically certified as valid by the system. The receiver purse has a store RS which holds an accumulative value record Rvr and the receiver purse's own RSA public and secret keys Pkr, Skr, the global public key Pkg and a certified public key data message [Pkr]*Skg.

The first step of the transaction procedure is for the receiving purse to issue a transaction identifier number R. This is derived from a combination of the receiving purse identity and a transaction sequence number for that purse. Two-way communication between the purses is established, perhaps locally by direct connection or by infra-red link or the like or remotely by modem and telephone. The following steps are followed:
`
1. The receiving purse transmits a request message which is [Pkr]*Skg+[R]*Skr.

2. The sending purse is able to check [Pkr]*Skg by use of the public global key Pkg. This gives the sending purse the authentic key Pkr to verify [R]*Skr and hence recover R.

3. A value V which is required to be transferred is decremented from the purse value record Svr.

4. The sending purse constructs a transaction value message VR from value V it wishes to transfer and from the request message R. This is signed with the sender's secret key and the following transaction value message is transmitted to the receiving purse: [Pks]*Skg+[VR]*Sks

5. The receiving purse obtains the public key Pks by use of the public key Pkg thereby verifying the message [Pks]*Skg.

6. Use of the public key Pks thus found verifies [VR]*Sks and hence recovers VR.

7. R is checked to ensure that it carries the identity of the receiving purse and the appropriate transaction number. If not, the transaction is aborted.

8. If all is well, the value V is added to the purse value record of the receiving purse.

9. A signed acknowledgement is sent to the sending purse.
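Steps 1 to 8 of the Figure 3 procedure, as an added Python example that is not code from the application: it runs the exchange between a consumer purse and a retailer purse and shows a repeated or stale value message being refused because its R no longer matches. Assumed here and not taken from the page: toy RSA keys built from Mersenne primes, the public index 65537, a 64-bit hash tag as signature redundancy, and the bit layout of R and VR. Step 9 is left out because the page does not define the contents of the acknowledgement.

```python
import hashlib

E = 65537        # small public index shared by every toy key (assumption)
TAG_BITS = 64    # hash redundancy added before signing (assumption)

def make_key(p, q):
    """Return (n, d); the public key is (n, E), the secret index is d."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def _tag(m):
    digest = hashlib.sha256(str(m).encode()).digest()
    return int.from_bytes(digest[:TAG_BITS // 8], "big")

def sign(m, n, d):
    """[m]*Sk in the page's notation: a signature that gives message recovery."""
    padded = (m << TAG_BITS) | _tag(m)
    if padded >= n:
        raise ValueError("message too long for this key")
    return pow(padded, d, n)

def recover(sig, n):
    """Check sig with the public key (n, E) and return m; raise if not genuine."""
    padded = pow(sig, E, n)
    m = padded >> TAG_BITS
    if padded & (2**TAG_BITS - 1) != _tag(m):
        raise ValueError("signature does not verify")
    return m

class Issuer:
    """Master computer: holds Skg and certifies purse public keys on issue."""
    def __init__(self, p, q):
        self.n, self._d = make_key(p, q)         # Pkg is (self.n, E)

    def certify(self, purse_n):
        return sign(purse_n, self.n, self._d)    # [Pk]*Skg

class Purse:
    def __init__(self, purse_id, p, q, value, issuer):
        self.purse_id, self.value, self.seq = purse_id, value, 0
        self.n, self._d = make_key(p, q)         # Pk and Sk of this purse
        self.pkg = issuer.n                      # global public key Pkg
        self.cert = issuer.certify(self.n)       # certified key message
        self.pending = None                      # R of the open transaction
        self.failed = []                         # log of failed transactions

    def request(self):
        """Step 1 (receiver): issue R and send [Pkr]*Skg + [R]*Skr."""
        self.seq += 1
        self.pending = (self.purse_id << 32) | self.seq  # identity + sequence
        return self.cert, sign(self.pending, self.n, self._d)

    def pay(self, request, v):
        """Steps 2-4 (sender): check request, decrement, build value message."""
        cert_r, signed_r = request
        pkr = recover(cert_r, self.pkg)          # step 2: authentic Pkr
        r = recover(signed_r, pkr)               # step 2: recover R
        if not 0 < v <= self.value:
            raise ValueError("value not available in purse")
        self.value -= v                          # step 3
        vr = (v << 64) | r                       # step 4: VR from V and R
        return self.cert, sign(vr, self.n, self._d)

    def accept(self, message):
        """Steps 5-8 (receiver): return True if the value was added."""
        cert_s, signed_vr = message
        try:
            pks = recover(cert_s, self.pkg)      # step 5
            vr = recover(signed_vr, pks)         # step 6
            v, r = vr >> 64, vr & (2**64 - 1)
            if self.pending is None or r != self.pending:    # step 7
                raise ValueError("R does not match the open transaction")
        except ValueError as exc:
            self.failed.append(str(exc))         # only failures are logged
            return False
        self.pending = None                      # this R is now used up
        self.value += v                          # step 8
        return True

def demo():
    # Constructed keys: Mersenne primes, chosen only so that the example
    # needs no prime generator. They are not suitable for real keys.
    issuer = Issuer(2**521 - 1, 2**607 - 1)
    consumer = Purse(0x0C01, 2**89 - 1, 2**107 - 1, 5000, issuer)
    retailer = Purse(0x0A01, 2**61 - 1, 2**127 - 1, 0, issuer)

    message = consumer.pay(retailer.request(), 1250)
    first = retailer.accept(message)
    replay = retailer.accept(message)    # same value message presented again
    retailer.request()                   # a new transaction gets a new R
    stale = retailer.accept(message)     # old message against the new R
    return first, replay, stale, consumer.value, retailer.value

if __name__ == "__main__":
    print(demo())
```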
`
Transaction logs Stl and Rtl are held by the sending and receiving purse stores. The logs may carry such details as are required for analysis of transactions locally, but in the simplest form the logs carry records only of any transaction which has failed for some reason. This can be used for checking in the event of a dispute.
`
RSA encryption and decryption require calculation of the expression $x^y \bmod n$ where y is different for encryption and decryption. In particular the index y for encryption (embodied in the public key) is small and the corresponding index for decryption (embodied in the secret key) is very much larger. As a consequence, while modest computing power can handle encryption in an acceptably short time the same is not true for decryption. The creation of a certified (eg digitally signed) message has an equivalent processing overhead to decryption; the checking of such a message has an equivalent processing overhead to encryption. The embodiments illustrated in Figures 4 and 5 provide arrangements which allow one of the pair of communicating purses to be of lower computing power, and therefore less expensive, than the other. In these arrangements some purses of the system (retailer purses) have full RSA capability (encryption and decryption capability) whereas the remainder (consumer purses) include a symmetrical key cryptographic system for transmitting transaction value record messages. A suitable symmetrical key cryptographic system is the DES system. This requires for encryption and decryption a level of computing power similar to the power required for RSA encryption.
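The difference in work between the small public index and the large secret index can be counted directly. The following added Python example (not code from the application) runs square-and-multiply for both and returns the number of modular multiplications each one needs; the index 65537, the sample message and the toy modulus built from two Mersenne primes are assumptions.

```python
E = 65537  # small public index (assumption; the page gives no value)

def modexp_count(x, y, n):
    """Left-to-right square-and-multiply: returns (x**y % n, multiplications)."""
    result, mults = 1, 0
    for bit in bin(y)[2:]:
        result = result * result % n      # one squaring per bit of the index
        mults += 1
        if bit == "1":
            result = result * x % n       # one extra multiply per set bit
            mults += 1
    return result, mults

def compare_costs(message=0x1234567890ABCDEF):
    # Constructed toy modulus; Mersenne primes are used only to avoid a
    # prime generator and are not suitable for real keys.
    p, q = 2**521 - 1, 2**607 - 1
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))     # secret index matching E
    signature, secret_cost = modexp_count(message, d, n)   # sign or decrypt
    checked, public_cost = modexp_count(signature, E, n)   # verify or encrypt
    return checked == message, public_cost, secret_cost

if __name__ == "__main__":
    ok, public_cost, secret_cost = compare_costs()
    print(ok, public_cost, secret_cost)
```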
`
Referring to Figure 4 there is illustrated the transaction procedure between two purses where the sending purse is a consumer purse and the receiving purse is a retailer purse. The retailer purse has full RSA capability whereas the consumer purse has a lower power computing facility. The sending purse has a store CS which holds an accumulative value record Cvr and the RSA global public key Pkg. In addition there is a DES key DESc and a certified data message [DESc]*Skg which is the sending purse's unique DES key signed by the master computer with its global secret key Skg. The receiving purse has a store SR which is identical with the store SR of the Figure 3 embodiment, holding Pkr, Skr, Pkg and [Pkr]*Skg.

The first step in the transaction procedure is for the receiving purse to issue a transaction identifier R as in the embodiment of Figure 3. Then the following steps are taken:
`
1. The receiving purse transmits its certified public key message [Pkr]*Skg.

2. The sending purse checks the signed message and derives Pkr.

3. The sending purse encrypts its certified message using Pkr. Since the index y of a public key such as Pkr is small, encryption with it is computationally easy. The message sent to the receiving purse is EPkr [[DESc]*Skg]

4. The receiving purse decrypts the message firstly with its secret key Skr to derive [DESc]*Skg which itself is checked with Pkg to give verification and derive DESc.

5. The receiving purse transmits the message [R]*DESc which is the transaction identifier R encrypted with a DES integrity algorithm.

6. The receiving purse decrypts the message in DES, derives the transaction identifier R and constructs the transmission value message VR in the same way as in the Figure 3 embodiment.

7. The sending purse decrements the value V from its purse value record and sends the message [VR]*DESc to the receiving purse.

8. The receiving purse decrypts [VR]*DESc and checks that R is correct. If not the transaction is aborted.

9. If all is well the value V is added to the receiving purse's purse value record and an acknowledgement message is sent to the sending purse.
`
Referring now to Figure 5 there is shown a transaction procedure which allows the purses to have unbalanced computing power while using the keys of an asymmetrical cryptographic system. In Figure 5 the store RS of the receiving purse has the same keys as in the Figure 3 embodiment. The computing power of the sending purse is less than that of the receiving purse and instead of the signed public key, the sending purse holds a signed secret key [Sks]*Skg (which also incorporates Pks).

A transaction procedure has the following steps:
`
1. The receiving purse transmits the signed message [Pkr]*Skg.

2. The sending purse checks the signed message with Pkg, verifying [Pkr]*Skg and hence recovering Pkr.

3. The sending purse encrypts its signed message with Pkr and sends EPkr [[Sks]*Skg].

4. The receiving purse decrypts the message firstly with the use of its secret key Skr to give [Sks]*Skg and then uses the global public key Pkg to verify [Sks]*Skg, thereby recovering Sks.

5. The receiving purse signs the transaction identifier R with Sks and sends [R]*Sks.

6. The sending purse derives R by the use of Pks.

7. The sending purse decrements its purse value record by the required amount V, and constructs and sends a value message EPks [VR].

8. The receiving purse decrypts the message with the use of Sks to derive V and R. R is checked and if it is incorrect the transaction is aborted.

9. If all is well the purse value record of the receiving purse is incremented by V, the key Sks in the receiving purse is discarded and an acknowledgement message is sent to the sending purse.

Figure 6 shows one embodiment of the invention in the form of the pocket exchange device referred to above. This device PED is