About Information Security in Electronic Payment Systems

Otto Poszet Iosif Ignat

University of Oradea Technical University of Cluj-Napoca
[email protected] [email protected]

Abstract In Fig.1. we present the model of our EPS - the

main roles and the relations and transactions
In this paper we would like to propose, to between them.
study and to implement an Electronic Payment
System based on untraceable, one-spendable 1.1. Main characteristics
electronic coins. This system guarantees the
advantages of the traditional payment systems, but Specification of the EPS:
includes many enhancements like portability, • It is an off-line payment system - there is no
distance payments, untraceability, off-line need for a Trusted Third Party (Judge) for
payments, different fraud detection mechanisms, transactions monitoring.
reliability and low additional costs. To ensure high- • It is realized based on the model of electronic
level security and to protecting privacy we will wallet (intermediary computer) with observer
invoke different withdrawal protocols based on (smart card - SC) - the smart card is issued by
blind signatures. Each protocol uses the bank.
cryptographically primitives based on public key • Uses prepaid electronic coins for different
cryptography. We will try to obtain a values represented in three parts format:
mathematically expression of the probability of (secret_key, public_key,
breaking the proposed withdrawal protocol and we public_key_certificate);
will demonstrate that the chance of break down the • Uses one-spendable electronic coins.
system is very small. • Users have local accounts and shadow accounts
at the bank;
• The transactions are untraceable but if someone
1. Electronic Payment Systems crack the SC and pays twice with same coin,
the bank must be able to detect the cracker
An Electronic Payment System (EPS) consist
from a network of electronic devices that play the
roles of buyers, sellers, banks (transmitter and 1.2. Participants
receiver authorities, clearing) and includes all the
relations, transactions between the parties. The main
1.2.1 Bank
scope of an EPS is to ensure the efficient exchange
of values between the parties with respect of the
1. Has a pair of secret and public master keys
interests of each participating role.
(SB, PB);
There are many kind of EPS's and they can be
classified by the payment instrument, the payment 2. Permits coins with different, fixed
mode and the payment scope (on-line, off-line, denominations and for each value the bank has a
credit based, debit based, electronic coins, pair of secret and public key (SBi, PBi);
electronic tokens, prepaid or postpaid systems, etc.). 3. By convention the coins value depends of
In this paper we will present an off-line EPS based the key which the bank uses for signing it.
on untraceable electronic coins, because this kind of
EPS can ensure the most properties of a 1.2.2. Payers
traditionally payment systems, and can offer many 1. Have a secret identifier IDC and a pair of
enhanced security issues like: untraceability, secret and public keys: (SC, PC);
security, confidentiality, fraud detection, double 2. Have the bank’s certificates for the payer’s
spending and double deposit detection mechanism, public keys σB(PC) and for the payer’s identifier
integrity, and data privacy.
σB(IDC);
 3. Have the bank’s public keys for verifying 2. Have the bank’s certificates for the seller’s
the different coin values. public key σB(PS) and for the seller’s identifier
σB(IDS);
1.2.3. Sellers 3. Have the bank’s public keys for verifying
1. Have a secret identifier IDS and a pair of the different coin values.
secret and public keys (SS, PS);

Balance Bank Balance

Issuer Receiver
Traditional
payment for
electronic coins
Electronic coins
Electronic coins validation
(certification) Deposition Balance
generation and
blindness
Payment
Payer Seller
Goods and services
supply

Payer Seller

Payer Seller

Figure 1. General model of an EPS based on

untraceable electronic coins.

for the payer’s public key σB(PC) and for the

2. Registration Phase buyer’s identifier σB(IDC).

2.1. Sellers (Payees)

3. Identification Transaction
1. Are registered based on official documents
at the bank office after an identification Before executing of electronic coin extraction
procedure. protocol (withdrawal protocol), the buyer must be
2. An account is opened for each seller. identified by the bank, in order to prevent the
money extraction from the user’s account by a
possible cracker. This identification cannot lay on a
2.2. Buyers (Payers) simple signature SC(IDC), because it is easy for a
cracker to “read”, learn and use it later. That's way
1. Are registered based on official documents it will be used a three step identification protocol, or
at the bank office after an identification an enhanced three step identification protocol
procedure; (Schnorr) (Fig.2.). The identification message has to
2. A local (in the smart card) and a shadow (at be built will use each time a new random number. If
the bank) account is opened for each payer; the identification succeeds, the next step is the
3. Each payer gets a smart card SC as an electronic coin extraction protocol (withdrawal)
observer from the bank. The SC contains: an (Fig.3.).
unique identifier IDC, the payer’s secret and
public keys (SC, PC) and the bank’s certificates
 S ig n e r (S ) R e c e iv e r (R )

T h e s ig n e r’s s e c re t k e y is S ig n e r’s p u b lic k e y : P ∈ G q

S ∈ Z q su ch a s P = g S m o d p
T h e m e s s a g e w a itin g to b e
s ig n e d : m ∈ M
C h o o s e s ra n d o m
ω ∈ Z q a n d c o m p u te s th e
engagem ent a← gω m od q

C o m p u te s th e m o d ific a tio n
c ← H (m ,a ) a n d th e
re s p o n s e r← (ω -c S ) m o d q

T h e s ig n a tu re fo r th e
m e s s a g e m is : s ig n ← (c , r) (m , s ig n )
V e rifie s if c = ? H (m , g r ⋅ P c )
S to re s th e p a ir: (m , s ig n )

c = ? H (m , g r ⋅ P c )
= H (m , g ω -c S (g S ) c )
= H (m , g ω ) = H (m , a ) = c
Figure 2. The Schnorr identification protocol

In this paper we'd like to present three techniques:

4. Withdrawal Protocol
temper resistant hardware (SC), the base and the
generalized cut and choose protocol.
The withdrawal protocol is used by the payer in For ensuring the untraceability of the coin and
order to obtain electronic coins from the bank. For of the transactions the payer will use a so-called
this purpose the payer account must fulfill the "blind signing protocol" with respect to the bank.
condition, that the value of his account must be For this goal the payer applies the blinding factor
greater than or equal to with the value of the coin rR(PM) to the public key of the coin and sends it to
(pre-paid coins).
the bank for certification (digitally signature).
The payer will generate the coin, but this coin
The bank will sign blind the public key of the coin:
has no value yet. The value of the coin will depend
σB(rR(PM)) and sends it back to the client
on the signature of the bank applied to the coin. So,
the payer generates the coin, and the bank must sign decrementing simultaneously the shadow account of
it, to certify the value of the issued coin. the payer.
The payer using a SC generates the (SM, PM) The payer extracts then the blinding factor:
rR(σB(rR(PM))) = σB(rR(rR(PM))) = σB(PM) and
coin such as the secret key contains on the last 80
bits the users identifier (tracking information) so obtains an untraceable coin signed by the bank
completed with a random redundancy string red. (the coin’s public key certificate). Because the
The most important thing in this system is the protocol uses blind signature strategy, the coins
insertion of this identifier in each coin, because obtained and the future transactions will be
the system uses blind signing protocols, so the bank untraceable and unbounded to the identity of a
cannot simply verify the structure of the coin. If the honest user. That's way it must be introduced a so
identifier of the payer is not included in the money, called "double-spending-detection-mechanism",
the payer can do everything with his money, for what permits to the bank to compute the secret
example double spend or falsify them without identifier of a dishonest user, who cracked the smart
punishment. To prevent this, there are many card, and who could spent the coin twice or more.
possibilities, for example: This security mechanism doesn’t affect any honest
1. using tamper resistant hardware (smart user, because it permits the computation of the
cards) which inserts (or force the insertion of) user's secret identifier only in the case of double
the users identifier in the coin, spending (see point 8.).
2. using the cut and choose protocol
(generating and blind n coins, but reveal n-1 4.1. The withdrawal protocol based on
coin chosen arbitrary for verification), tamper resistant hardware
3. the generalized cut and choose protocol
(generating and blind n coins, and revealing n/2 The protocol chosen for coin extraction is
arbitrary chosen for verification), a presented in Fig.3.
4. using the restrictive blind signature (the
coin has a restricted, blinding invariant
structure, and so the bank can verify the
insertion of the secret identifier in the coin).
 Alice (SC)

Generates randomly r∈Z2|q|-80 and calculates S Generates the secrest identifier

using r and IDA: S←(r, IDA)∈Zq. of Alice IDA and records it in
Chooses randomly ω∈Zq. Alice’s SC
The secret key is (S, ω).

Calculates P←gS and a←gω mod p.

The public key for coin is (P, a).
Chooses randomly blinding factor ρ∈Znb* and
calculates the commitment:
M←ρeb⋅[red, H(P, a)] mod nb M

Generates the blind signature for

σ' M: σ'←Mdb mod nb

Eliminates the blind factor and obtains the bank’s Substracts the coin’s equivalent
signature for coin’s public key: value from Alice’s account
σdb(P, a)←ρ-1σ' mod nb=[red, H(P, a)]db mod nb

Verifies the signature σdb(P, a)

Records the electronic coin

(S, ω), C={(P, a), σdb(P, a)}

Figure 3. The withdrawal transaction - inserting the payer's ID in the electronic coin by the SC.

The base protocol is presented in the fig.4.

and the generalized cut and choose protocol in fig.5.
4.2. The base and the generalized cut and The probability of breaking down this test
choose protocol (the bank must chose L/2 terms formed correctly
from L terms, in which k terms are correctly
In this case there is no need for tamper resistant formed, and L-k incorrectly, but from the remaining
devices, because the bank can verify with good L/2 the majority must be incorrectly formed) is
probability the inclusion of the secret identifier in
the blindly signed coin. For this, the user generates
P(L, k, L/2) =
L coins, applies a blinding factor to each coin, then
send them all to the bank. The bank chooses L 
k −  − 1
k k −1 2  Ck
L/ 2
k ⋅ (k −1)m(k − L / 2 + 1)
arbitrarily L-1 (base protocol) or L/2 coins for ⋅ m  = L/ 2 =
verification (generalized), and ask the user to open L L −1  L  CL L ⋅ (L − 1)m(L / 2 + 1)
them (to reveal the blinding factors for the chosen L −  − 1
 2 
blinded coins). Now, the bank can verify for the L-1
or L/2 chosen coins the fact, that they are generated If L is: L = 4r sau 4r+2;
correctly, or not (they contain the users' ID or not). L-k = nr. of incorrectly formed terms
If they all contains the requested ID, then the bank
L 
is convinced with acceptable probability, that the + 1
= 2  L + 2  = r or r+1, and
remaining 1 or L/2, blinded and closed coins,   =  
contains the users ID too, so they probably are  2   4 
correctly generated.  
In this case the coin has 1 or L/2 terms (multi k = correctly formed terms = L-(L-k) =
term coin) (is built from the remaining L/2  L + 2  =  L − L + 2  =  3L − 2  =  3L  =3r or 3r+1
L− 
unopened terms), and has the following form:  4  4   4   4 
coin = {(S, ω), (P, a), {γi}i∉R, σdb(P, a)} , The breakdown probability is
where R is the set of the verified coins. k ⋅ ( k − 1)m( k − L / 2 + 1)
The bank will digitally sign the coin. If later the P(L, k, L/2) =
L ⋅ ( L − 1)m( L / 2 + 1)
coin must be verified in an instance (by a judge),
each coin will be opened, and even if there are two  L   L    L 
  ⋅  − 1 m  + 1
or many ID-s in the L/2 terms, the judge will =  2   2    4  
consider ID, which appear in the majority of the   3L  
terms. ( L) ⋅ ( L − 1)m   + 1
 4  
For L=100=4⋅25=4r, k = 75, L-k = 25, L/2 = 50, This is a significantly smaller as the
P(100, 75, 50) = 50 ⋅ 49m26 = 5,2124⋅10-10, breakdown probability obtained for the base
100 ⋅ 99m76 protocol: Pbase(100) = 1/100 = 10⋅10-3
and if k=L/2=50, then P(100, 50, 50) = 9,911⋅10-30 The breakdown probability, in function of
the number of terms is presented in table 1.

k t r P 104 78 26 26 2,1991E-10
2 1 1 0 0,5 106 79 27 26 8,27279E-11
4 3 1 1 0,5 108 81 27 27 9,2779E-11
6 4 2 1 0,2 110 82 28 27 3,48985E-11
8 6 2 2 0,214285714 112 84 28 28 3,91429E-11
10 7 3 2 0,083333333 114 85 29 28 1,47219E-11
12 9 3 3 0,090909091 116 87 29 29 1,65141E-11
14 10 4 3 0,034965035 118 88 30 29 6,21044E-12
16 12 4 4 0,038461538 120 90 30 30 6,96717E-12
18 13 5 4 0,014705882 122 91 31 30 2,61989E-12
20 15 5 5 0,01625387 124 93 31 31 2,93939E-12
22 16 6 5 0,00619195 126 94 32 31 1,10521E-12
24 18 6 6 0,006864989 128 96 32 32 1,2401E-12
26 19 7 6 0,002608696 130 97 33 32 4,66238E-13
28 21 7 7 0,002898551 132 99 33 33 5,23183E-13
30 22 8 7 0,00109945 134 100 34 33 1,96685E-13
32 24 8 8 0,001223582 136 102 34 34 2,20725E-13
34 25 9 8 0,000463478 138 103 35 34 8,29732E-14
36 27 9 9 0,000516447 140 105 35 35 9,3121E-14
38 28 10 9 0,000195412 142 106 36 35 3,50029E-14
40 30 10 10 0,00021796 144 108 36 36 3,92865E-14
42 31 11 10 8,23995E-05 146 109 37 36 1,47663E-14
44 33 11 11 9,19808E-05 148 111 37 37 1,65744E-14
46 34 12 11 3,47483E-05 150 112 38 37 6,22931E-15
48 36 12 12 3,88146E-05 152 114 38 38 6,99251E-15
50 37 13 12 1,46545E-05 154 115 39 38 2,6279E-15
52 39 13 13 1,63785E-05 156 117 39 39 2,95003E-15
54 40 14 13 6,18058E-06 158 118 40 39 1,10861E-15
56 42 14 14 6,91102E-06 160 120 40 40 1,24457E-15
58 43 15 14 2,60679E-06 162 121 41 40 4,67681E-16
60 45 15 15 2,91607E-06 164 123 41 41 5,25065E-16
62 46 16 15 1,0995E-06 166 124 42 41 1,97297E-16
64 48 16 16 1,23039E-06 168 126 42 42 2,21516E-16
66 49 17 16 4,63764E-07 170 127 43 42 8,32325E-17
68 51 17 17 5,19138E-07 172 129 43 43 9,3454E-17
70 52 18 17 1,95617E-07 174 130 44 43 3,51128E-17
72 54 18 18 2,19036E-07 176 132 44 44 3,94266E-17
74 55 19 18 8,25137E-08 178 133 45 44 1,48128E-17
76 57 19 19 9,24154E-08 180 135 45 45 1,66334E-17
78 58 20 19 3,48058E-08 182 136 46 45 6,24901E-18
80 60 20 20 3,89913E-08 184 138 46 46 7,01733E-18
82 61 21 20 1,46819E-08 186 139 47 46 2,63624E-18
84 63 21 21 1,64508E-08 188 141 47 47 2,96049E-18
86 64 22 21 6,19325E-09 190 142 48 47 1,11214E-18
88 66 22 22 6,94071E-09 192 144 48 48 1,24897E-18
90 67 23 22 2,61251E-09 194 145 49 48 4,69174E-19
92 69 23 23 2,92831E-09 196 147 49 49 5,26919E-19
94 70 24 23 1,10205E-09 198 148 50 49 1,97929E-19
96 72 24 24 1,23546E-09 200 150 50 50 2,22297E-19
98 73 25 24 4,64889E-10 202 151 51 50 8,34996E-20
100 75 25 25 5,21239E-10 204 153 51 51 9,37828E-20
102 76 26 25 1,9611E-10 206 154 52 51 3,52257E-20
208 156 52 52 3,95651E-20
210 157 53 52 1,48606E-20 Table 1. The breakdown probability in function of the
number of the terms

Alice (SC) Bank (B)

For i = 1, ..., L generate random ri∈Z2|q|-80 and Generate the secret IDA for Alice and
compute the secret key Si based on ri and IDA: record it in Alice's smart card SC
Si ← (ri, IDA)∈Zq.
Choose arbitrary the numbers ωi∈Zq. The
secret keys for the coins will be (Si, ωi).
Compute Pi←gSi and ai←gωi mod p. The
coins' public keys will be (Pi, ai).
Choose randomly ρi∈Znb* and compute the
following commitments:
Mi←ρieb⋅[red, H(Pi, ai)] mod nb {Mi}i=1,L

Choose arbitrary the index k: 1≤k≤L

k

Alice will open all the terms Mi and will

compute the set Γ←{(ri, ωi, ρi)} for each i≠k
and 1≤i≤L.
For the unrevealed term k Alice will encrypt
the secret numbers (r k, ωk, ρk) with the judge's
public key and will obtain the encrypted
message E: E←EeJ(rk, ωk, ρk, 0len), where
len=2|nJ|-2|q|-|nb|. Γ, E

Verifies for each i≠k, 1≤i≤L:

Mi =?= ρieb⋅[red, H(g(ri, IDA), gωi)]
If the equality holds, then for the term
k will compute the blind signature

The blind signature for the

commitment Mk: σ'←Mkdb mod nb
σ'

Eliminates the blinding factor and obtains the

Decreases the account of Alice with
bank's signature for the coin's public key:
the value of the generated coin.
σdb(Pk, ak)←ρk-1σ' mod nb=[red, H(Pk, ak)]db mod nb
Records the IDA, E, σ'
Verifies the signature σdb(Pk, ak)
Records the electronic coin
(Sk, ωk), Ck={(Pk, ak), σdb(Pk, ak)}

Fig. 4. The base cut and choose protocol for single term coins.
 Alice (PC) Banca (B)

Generate at random S∈Zq and ω∈Zq. The Generates Alice's secret IDA and
secret key for the coin is (S, ω). sends it to Alice

Compute P←gS and a←gω. The public key of

the coin is the touple (P, a).
Choose the blinding factor at random ρ∈Znb*
and computes the commitment:
M←ρeb⋅[red, H(P, a)] mod nb
Generates at random L values αi∈Zq, β i∈Zq,
1≤i≤L
γi = EeJ (IDA, αi, 0len)1≤i≤L, len = |n J|-|q|-|IDA|.
Computes ξi←H(γi),
δi = H(ξi, β i) B, {δi}i=1..L
B←M⋅(Π li=1ξi) mod nb
Choose arbitrary L/2 indexes
and form the set R:
R={ij}, 1 ≤ ij ≤ L şi 1 ≤ j ≤L/2
R

Forms the set Γ←{(αi, β i)}i∈R

Γ

Verify for each i∈R:

γi ←EeJ (IDA, αi, 0len)
ξi←H(γi)
δi =?=H(ξi, β i)
Generates the blind signature for
the other unopened terms:
σ' σ'←(B (Π i∉R ξi-1))db mod n b.

Eliminates the blinding factor and obtains the

bank's signature for the coin's public key:
σdb(P, a)←ρk-1σ'
Verifies the signature σdb(P, a)
Records the electronic coin:
(S, ω), C={(P, a),{γi}i∉R , σdb(P, a)}

Fig. 5. Generalized cut and choose protocol for multi term coins

In fig.6. and 7. there is represented the choose protocol in function of the generated coins'
breakthrough probability of the generalized cut and number.
The breakdown probability for the generalised cut and
choose protocol
0.6
0.5
0.4
0.3 P
0.2
0.1
0
0 50 100 150 200 250
Number of coins

Fig. 6. The probability of the successful test in function of the generated coins number
 The breakdown probability for 40 coins

0.6

0.5

Probability
0.4

0.3

0.2
P
0.1

0
0 10 20 30 40 50

Coins number

Fig. 7. The breakthrough probability for 40 coins.

The security level increases exponentially The seller verifies the validity of the
with the number of the generated coins, but message and registers the payment document
increases also the overloading of the computer (containing the coin’s certified public key, the
network and the number of calculations. The main payment claim, the evidence of the payment claim).
advantage of the proposed protocol is that needs no
temper resistant hardware, and can be implemented
with PC-s! 6. The deposit transaction and clearing

Because the system is off-line, the coin

deposit transaction can be performed later. There
5. The payment transaction are some security mechanisms built in, and that's
way there is no need for a trusted third party, or for
The payer uses a browser to navigate on on-line transactions.
the Internet, and he examinees the content of the In this phase the shop wants to deposit to
web site of the seller (electronic shop). The payer the bank his acquired coins to obtain real money, or
can select any object from the list, and when he simple to increase his bank account. For this
starts the paying process, it will be executed the purpose the seller sends now each payment
following steps in the background. document to the bank (the electronic coin, the
The first step in the payment transaction is payment claim with the evidence produced by the
an identification: the seller must be identified, payer).
because the payer must know whom it sends the The bank checks the eventually multiple
electronic money. The payer must not be identified, spending of the electronic coin in two or more
because he uses prepaid electronic money, and he different payment transactions. For this scope the
wants to keep his secret identity (confidentiality, bank checks his database for other documents
privacy). For this purpose it will be used the signed with the same coin (same coin public key). If
Schnorr identification protocol. the bank finds two documents of this kind (signed
After the identification phase, the seller with the same coin), than (and only then) he can
specifies the exactly value of the good or the service extract the payer’s secret key from the payment
what will be provided. The payer will compute the document, and the last 80 bits of this secret key
number and the denominations of the coins what represents the payer's secret identifier. So, the bank
will be used for paying. If the payer don't have can compute the identity of the dishonest user from
sufficient electronic money, he must start some two different execution of the payment protocol
withdrawal transactions to the bank. using the same coin! That means implicitly that the
The seller will ask now for each coin. The payer cracked the SC. But even in this case his
payer sends for each coin the coin’s public key, and identity can be obtained by the bank. The following
the certificate for the public key to the shop. relation permits the computation of the coin's secret
The seller (shop) verifies the validity of key S:
each coin using the bank’s public key and sends to If m and m' (m≠m') are two different
the payer the payment claim as a message for payment claims generated with the same coin C:
signing (containing the shop’s ID, time stamp, the C = {(P, a), σdb(P, a)}, m, σ(S, ω)(m) = (c, r),
exact value of the goods or services, a unique C = {(P, a), σdb(P, a)}, m', σ(S, ω)(m') = (c', r'),
identifier for the payment claim). then:
The payer signs the payment claim using S = (c'-c)-1(r-r') mod q and
the Schnorr signature protocol and sends it back, ω = (r+cS) mod q.
signed, to the shop.
 The last 80 bits from S are the secret when the tamper resistance of the smart card is
identifier of the dishonest payer (double-spending- broken, using the double-spending-detection
detection-mechanism). Normally, the bank don't mechanism built in each coin, the bank can compute
accept the coin, and starts a process of punishment the identity of the dishonest user.
against the dishonest payer. To ensure the confidentiality of the users
The coin is verified against the double- and to obtain untraceable electronic coins and
deposit too. This means, that if there is found a coin transactions, the payer uses a blind signing protocol
twice in the database, and the ID of the shop, who to the bank in the withdrawal transaction.
deposited the coin is the same, then the shop was By all this mechanism this kind of EPS can
guilty about it, and not the payer was dishonest. In ensure the interest of all parties, and offer an
this case too, the bank didn't permits the deposit of efficient, new alternative for the traditional money.
the coin.
If the coin is not in the bank's database,
8. References
that means that it was spent and it will be deposit
only once. In this case the bank accepts the coin,
records the coin and the payment document in his [1]. Boian Florian Mircea, "Programarea
database, and after this will increase the account of distribuită în Internet, metode şi aplicaţii",
the seller. Editura Albastră, Ed. doua, Cluj Napoca, 1999
For the implementation of this EPS we [2]. Brands S., "Untraceable off-line cash in
used interactive web pages and Java applets for the wallet with observers", Adv. in Cryptology,
electronic shops, we implement the bank server and Proc. Crypto '93, LNCS 773, Stinson D. Ed.,
the electronic wallet with observer as standalone Springer-Verlag, 1994, pp. 302-318
Java applications, who knows the withdrawal and [3]. Brands Stefan, "Electronic Cash", Brands
the payment protocols. The double-spending and Technologies, The Netherlands, Handbook on
double-deposit-detection mechanisms are Algorithms and Theory of Computation, 1998,
implemented in the bank software, and the bank CRC Press, ISBN 0849326494
uses Oracle databases which can be queried by the [4]. Chaum D., "Blind signatures for
applications by SQL interrogations. The bank keeps Untraceable Payments", in Adv. in Cryptology -
the evidence of each transaction (payment Crypto '82, Rivest R.L., Sherman A., Chaum
documents) for a predetermined period of time, to D.ed, Vol.0, Plenum Press, pp. 199-203., 1983
prevent the inflation of the used databases. After [5]. CyberCash, on http://www.cybercash.com
this period of time all the data can be saved [6]. Menzes A., Oorschot P.van, Vanstone S.,
(backup) and then deleted from the main database. “Handbook of Applied Cryptography”, CRC
Press Inc., University of Waterloo, 1997.
[7]. Patriciu V. V., Ene-Pietrosanu M., Bica I.,
7. Conclusions Vaduva C., Voicu N., "Securitatea comerţului
electronic", Editura All, Bucureşti, 2001
The electronic business over the Internet is [8]. Radu C., Govaerts R., Vandewalle J, "A
growing in importance, and the main request are: restrictive blind signature scheme with applic. to
security, privacy, confidentiality, untraceability, electronic cash", Communications and
reliability, payment for far distances, efficiency. Multimedia Security II, Proc. of the IFIP
The conventional money and the simple inter- TC6/TC11 International Conf, Horster P., Ed.,
banking payment instructions can't fulfill all this Chapman & Hall, 1996, pp.196-207
requirements. That's way for this kind of [9]. Radu C., Vandenwauver M., Govaerts R.,
transactions we used a new alternative for the Vandewalle J., "An efficient traceable payment
traditional payment instruments: the electronic system", Proc. of the 16th Symp. on Information
money. There are many kind of electronic money - Theory in Benelux, Nieuwerkerk a/d Ijssel (The
electronic cheques, electronic tokens, electronic Netherlands), 1995, pp. 61-67
coins, and many others - but the electronic coins can [10]. Radu Cristian, "Analysis and Design of
imitate the best the traditional money, from every Electronic Payment Systems", Ph. D. Thesis,
point of view, and can offer increased security and Katholieke Universiteit Leuven, Belgium, 1997
confidentiality. [11]. Schnorr C.P., "Efficient signature
In this paper we presented such a kind of generation by smart cards", Journal of
EPS, based on untraceable electronic coins. For Cryptology, Vol.4., No.3., 1991, pp.161-174
increased security we decided to use electronic
wallets with observers - smart cards as observers -
to prevent the double spending of any coin. Even