
General requirements and principles

A global requirement is the conservation of cash: the total e-money in the system must equal the total amount of real money that the issuer's logs show as held in e-money.

A general principle is that any coin representation is seen by at most one participant other than the issuer. Thus, after an issuer issues a coin, the withdrawer is the only party who "sees" this coin. When the withdrawer makes a payment with it, the payee doesn't see the coin; it is in a digitally sealed envelope which goes straight to the issuer for validation. This implies "on-line" payments, where the issuer is involved in every such transaction. In addition, the issuer's internal representation of the coin does not enable insiders with access to its database to use it: each coin is checked for validity by tamper-proof hardware.

Coins are treated as bearer instruments, like real currency. The user has the money if s/he has a (valid) coin; no questions asked.
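The following Python model is an added example, not code from the paper; it shows how conservation of cash, on-line validation, and a database that is useless to insiders fit together. The coin layout (serial, value, HMAC tag), the digest-only database, and re-issuing a fresh coin to the payee are assumptions of this example, and the sealed envelope is taken as already opened by the issuer.

```python
import hashlib, hmac, secrets

class Issuer:
    """Toy issuer: coin layout and MAC check are assumptions of this example."""
    def __init__(self):
        self._hw_key = secrets.token_bytes(32)  # stand-in for the key inside tamper-proof hardware
        self.db = {}      # sha256(coin) -> value for unspent coins; never the coin itself
        self.logged = 0   # real money the issuer's logs show as converted to e-money

    def _tag(self, serial, value):
        return hmac.new(self._hw_key, serial + value.to_bytes(8, "big"), hashlib.sha256).digest()

    def _mint(self, value):
        serial = secrets.token_bytes(16)
        coin = serial + value.to_bytes(8, "big") + self._tag(serial, value)
        self.db[hashlib.sha256(coin).hexdigest()] = value
        return coin

    def withdraw(self, value):
        self.logged += value          # real money in, e-money out
        return self._mint(value)

    def pay(self, coin):
        """Validate on-line; retire the coin and return a fresh one for the payee, else None."""
        if len(coin) != 56:
            return None
        serial, value, tag = coin[:16], int.from_bytes(coin[16:24], "big"), coin[24:]
        if not hmac.compare_digest(tag, self._tag(serial, value)):
            return None               # not produced by the hardware key
        digest = hashlib.sha256(coin).hexdigest()
        if digest not in self.db:
            return None               # unknown or already spent
        del self.db[digest]
        return self._mint(value)      # same value re-issued: total is unchanged

    def conserved(self):
        return sum(self.db.values()) == self.logged

def demo():
    issuer = Issuer()
    coin = issuer.withdraw(25)
    first = issuer.pay(coin) is not None      # first spend is accepted
    replay = issuer.pay(coin)                 # same coin again: rejected
    row = next(iter(issuer.db))               # what a database insider can read
    forged = secrets.token_bytes(16) + (25).to_bytes(8, "big") + bytes.fromhex(row)
    insider = issuer.pay(forged)              # digest is not a valid tag: rejected
    before = issuer.conserved()
    issuer.db["0" * 64] = 100                 # constructed tampering: row with no logged deposit
    return first, replay, insider, before, issuer.conserved()
```

The `conserved()` audit compares the unspent-coin database against the logged total, so a row added without a matching logged deposit shows up as a mismatch.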

The security requirements that we pursue are those of "strong cryptography" for the protection of financial transactions; the use of only "weak cryptography" (e.g., 40-bit keys and passwords) is insufficient for e-money. International usage of the system is possible if the encryption is not made "general purpose," but is instead restricted to use inside the user's software.


Juan A. Garay
7/20/1998