Electronic Commerce Chapter 5 (Part 2)

Remote Micropayment
Shervin Erfani Fall 2012

October 22, 2012

88-590-02 E-Commerce, S. Erfani University of Windsor

Outline
1. 2. 3. 4. 5. 6. 7. What is Remote Micropayment? Remote Micropayment History MilliCent Architecture MicroMint Coins What is Statistical Payment? Micali-Rivest Schemes for Statistical Payment Summary

October 22, 2012

88-590-02 E-Commerce, S. Erfani University of Windsor

Recall Benefits of Micropayment

Replacement of cash
Cheaper (cash very expensive to handle) Electronic moves faster Easier to count, audit, verify

Small transactions
Beverages Phone calls Tolls, transportation, parking Copying Internet content Lotteries, gambling
October 22, 2012
88-590-02 E-Commerce, S. Erfani University of Windsor

Micropayment Types
Prepaid cards
Issued by non-banks Represent call on future service Not money since usable only with one seller

Electronic purse
Issued by bank Holds representation of real money In form of a card (for face-to-face or Internet use) In virtual form (computer file for Internet use) The two forms are converging, e.g. wireless
October 22, 2012
88-590-02 E-Commerce, S. Erfani University of Windsor

What is Remote Micropayment?

The efficient payment model for small amounts, without adding undue complications to users for mostly the sale of nonmaterial contents over the Internet:
Information Newspaper archives Job opening, pictures, horoscopes Music, video, etc.

A trusted third party involves to verify the needed security between the two parties of the transaction. The scheme commonly uses a virtual purse or a virtual jeton holder to carry the various monetary values available to the user.
October 22, 2012
88-590-02 E-Commerce, S. Erfani University of Windsor

Remote Micropayment
Remote micropayments characteristics
Buyer is not physically in sellers presence Cant insert card into vendors machine No physical goods, only information goods
If micropayment will work, goods must be cheap, e.g. $0.01

Subscriptions, credit cards, checks, ACH (even PayPal) too expensive

Examples: web pages, stock quotes, news articles, weather report, directory lookup Need instant service for large numbers of 1 transactions + reasonable profit to payment provider
October 22, 2012
88-590-02 E-Commerce, S. Erfani University of Windsor

A Bit of History (1)

IBM, Compaq, and Carnegie Mellon research on micropayments and by the World Wide Web Consortium (1990s) First Virtual (1994 1998)
Security without encryption
Using two network environments of the Internet and Public Switched Telephone Network (PSTN) Using two tools of browser and e-mail

MilliCent (1995 - )
To support transactions from as small as 1/10 of a cent up to $5.00 The payment system uses symmetric cryptography Associated with Compaq after that company purchased Digital Equipment Corporation

October 22, 2012

88-590-02 E-Commerce, S. Erfani University of Windsor

SOURCE: Sherif

A Bit of History (2)

NetBill (1995 - 2005)
A project at Carnegie Mellon University researched distributed transaction processing systems A variant of public-key Kerberos Seems to have died completely sometime after 2005

PayPal
Is a micropayment system that charges payments to user's paypal accounts Current pricing model is 5% of purchase plus 5 cents Touted as targeted for purchases under $10 U.S.

KLELine (1995 2000)

Combines bankcard payments with micropayments

MicroMint, PayWord (1997 - )

Based on a jeton economy
October 22, 2012 88-590-02 E-Commerce, S. Erfani University of Windsor

SOURCE: Wikipedia

Main Electronic Purse Issues

Loading
Charging the purse with money

Making a payment
Removing money from the card

Clearance
Getting money into the sellers account
October 22, 2012
88-590-02 E-Commerce, S. Erfani University of Windsor

Concept of PayWord
Based on paywords*, strings will be accepted by vendors for purchases. User authenticates himself to a broker with one signature verification, establishes means of paying real money for paywords. User sets up with broker a linked chain of paywords to be used with a specific vendor.
Linking is used to make authentication of the paywords very cheap.

User pays vendor by revealing paywords to vendor.

Marginal cost of a payment: one hash computation
*R. Rivest and A. Shamir, PayWord and MicroMint: Two simple micropayment schemes, Lecture Notes in Computer Science, vol. 1189, pp. 69-87, 1997. October 22, 2012
88-590-02 E-Commerce, S. Erfani University of Windsor

10

Concept of PayWord (Cont.)

User sets up Payword account with a broker
Pays real money

Broker issues user a virtual card. (certificate)

Broker name, user name, user IP address, user public key

Certificate authenticates user to vendor. User creates payword chains specific to a vendor
Typical length: 100 units
October 22, 2012
88-590-02 E-Commerce, S. Erfani University of Windsor

11

Millicent
The parties involved in a transaction are the buyer, vendor, and broker. Vendors produce vendor-specific scrip, sell to brokers for real money at discount. Brokers sell scrip from many vendors to many users. Scrip is prepaid: promise of future service from vendor. Users spend scrip with vendors, receive change.
USER EXCHANGES BROKER SCRIP FOR VENDOR SCRIP (AS NEEDED)

BROKER
USER BUYS BROKER SCRIP ($ WEEKLY)

BROKERS PAY FOR VENDOR SCRIP ($$$ MONTHLY)

USER SPENDS VENDOR SCRIP FOR INFORMATION

USER

( DAILY) TRANSFER OF INFORMATION (CHANGE IN MESSAGE HEADER)

VENDOR
SOURCE: COMPAQ
12

October 22, 2012

88-590-02 E-Commerce, S. Erfani University of Windsor

Millicent (Cont.)
Broker
issues broker scrip to user Exchanges broker scrip for vendor scrip Interfaces to banking system Collects funds from users Pays vendors (less commission)

User
Buys broker scrip from brokers Spends by obtaining vendor-specific scrip from broker

Vendor
Sells scrip to brokers Accepts vendor scrip from users Gives change to users in vendor scrip
October 22, 2012 88-590-02 E-Commerce, S. Erfani University of Windsor 13

Scrip Properties
Represents a prepaid value Represents any denomination of currency The security is based on the assumption of vendor-specific Can be spent only once Can be spent only by its owner Cannot be tampered with or its value changed Computationally expensive to counterfeit scrip Make no use of public-key cryptography Cannot provide full anonymity
October 22, 2012 88-590-02 E-Commerce, S. Erfani University of Windsor 14

MilliCent Components
Wallet
Integrated with browser as a proxy User Interface (content, usage)
Wallet Tokens Vendor Server

Vendor software
Easy to integrate as a web relay Utility for price management

New tokens

Spent tokens

User

Vendor

Broker Server

Broker software
Handles real money

Broker
SOURCE: MICHAEL I. SHAMOS, CMU

October 22, 2012

88-590-02 E-Commerce, S. Erfani University of Windsor

15

MilliCent System Architecture

Broker (tens?)

Broker Server

Vendor (thousands)
Price File

Price Configurator
Document Tree Site Map

User (millions of consumers) Browser

Browser Cache

HTTP

Wallet HTTP
Wallet Contents

Vendor Server

Web Server

October 22, 2012

88-590-02 E-Commerce, S. Erfani University of Windsor

SOURCE: MICHAEL I. SHAMOS, CMU 16

Millicent Scrip Verification

October 22, 2012

88-590-02 E-Commerce, S. Erfani University of Windsor

SOURCE: MICHAEL I. SHAMOS, CMU 17

Millicent Scrip Verification (Cont.)

Vendor

Value ID#

Cust ID#

Expires

Props

Stamp

Secret

wellsfargo.com / 0.005usd / 0081432 / 101861 / 19961218 {co=us/st=ca} 1d7f4a734b7c02282e48290f04c20

October 22, 2012 88-590-02 E-Commerce, S. Erfani University of Windsor

SOURCE: MICHAEL I. SHAMOS, CMU 18

MilliCent Vendor Server

Vendor server acts as a proxy for the real Web server Vendor server handles all Vendor requests: Server
Millicent Relay to web-server Web Server

Millicent processing:
Validates scrip and generates change Sells subscriptions Handles replays, cash-outs, and refunds
October 22, 2012 88-590-02 E-Commerce, S. Erfani University of Windsor

Price File

Document Tree

Vendor Site

19

Drawback of MilliCent
Both broker and vendor must be trusted to issue the correct change
No way to prove that change scrip is owned

The user cannot independently verify the validity of a piece of scrip

Since the user cannot regenerate the scrip certificate

October 22, 2012

88-590-02 E-Commerce, S. Erfani University of Windsor

20

MicroMint
Developed by Rivest and Shamir in 1997 for micropayments. Brokers produce coins having short lifetimes, sell coins to users. Users pay vendors with coins. Vendors exchange the coins with brokers for real money. BROKER
NEW COINS

PURCHASE NEW COINS RETURN UNUSED COINS

EXCHANGE COINS FOR OTHER FORMS OF VALUE

SPENDING OF COINS

CUSTOMER
TRANSFER OF INFORMATION

VENDOR

SOURCE: SHERIF
October 22, 2012
88-590-02 E-Commerce, S. Erfani University of Windsor

21

Minting Coins in MicroMint

The scheme is based on the idea that to make coins that are easy to verify, but difficult to create (so there is no advantage in counterfeiting). In MicroMint, coins are represented by hash-function collisions, values x1, x2 for which H(x1) = H(x2). If H() results in an n-bit hash, we have to try about 2n/2 values of x to find a first collision. Trying c2n/2 values of x yields about c2 collision.s Collisions become cheaper to generate after the first one is found.

October 22, 2012

88-590-02 E-Commerce, S. Erfani University of Windsor

22

Minting Coins in MicroMint (Cont. 1)

A k-way collision is a set { x1, x2, . . ., xk } with H(x1) = H(x2) = . . . = H(xk) It takes about 2n(k-1)/k values of x to find a k-way collision. Trying c 2n(k-1)/k values of x yields about ck collisions. If k > 2, finding a first collision is slow, but subsequent collisions come fast. If a k-way collision { x1, x2, . . ., xk } represents a coin, easily verified by computing H(x1), H(x2), . . ., H(xk) A broker can easily generate 10 billion coins per month using one machine.
October 22, 2012
88-590-02 E-Commerce, S. Erfani University of Windsor

23

Minting Coins in MicroMint (Cont. 2)

Broker generates 10 billion coins and stores (x, H(x)) for each coin, having a validity period of one month. The function H changes at the start of each month. Broker sells coins { x1, x2, . . ., xk } to users for real money, records who bought each coin. At end of month, users return unused coins for new ones.

October 22, 2012

88-590-02 E-Commerce, S. Erfani University of Windsor

24

Spending MicroMint Coins

User sends vendor a coin { x1, x2, . . ., xk } Vendor verifies validity by checking that H(x1) = H(x2) = . . . = H(xk). (k hash computations) Valid but double-spent coins (previously used with a different vendor) cannot be detected at this point. At end of day, vendor sends coins to broker. Broker verifies coins, checks validity, checks for double spending, pays vendor.
We need to deal with double spending at this point.

October 22, 2012

88-590-02 E-Commerce, S. Erfani University of Windsor

25

MicroMint Forgery Issues

A forged coin is a k-way collision { x1, x2, . . ., xk } under H() that was not minted by broker. Vendor cannot determine this in real-time. Small-scale forgery is impractical. Forged coins become invalid after one month. New forgery cannot begin before new hash is announced. Broker can issue recall before the month ends. Broker can stay many months ahead of forgers.

October 22, 2012

88-590-02 E-Commerce, S. Erfani University of Windsor

26

What Is Statistical Payment?

During World War II, Cola-Cola raised the price of a bottle from 5 cents ($0.05) to 6 cents ($0.06). It was expensive to change the coin mechanism. Coca-Cola randomly removed 1/5 of the bottles from its machines but kept the 5-cent mechanism. 4/5 of the time a customer would receive a bottle for 5 cents. 1/5 of the time a customer would pay 5 cents and get NOTHING. The AVERAGE price of a bottle was 6 cents. Rarely, a user might pay a lot for a bottle (1 in 625 bottles cost 20 cents).
October 22, 2012
88-590-02 E-Commerce, S. Erfani University of Windsor

SOURCE: MICHAEL I. SHAMOS, CMU

27

Electronic Statistical Payment

User needs to pay Mapquest $0.01.

1/1000 FAIRNESS:
User, Merchant and Bank cannot cheat. Not always fair to User (might be overcharged). Fair to Merchant and Bank on average.

999/1000

$10

VOID

Enable 1000 Transactions at Cost of 1

October 22, 2012
88-590-02 E-Commerce, S. Erfani University of Windsor

28

Micali-Rivest Scheme (MR1) For Statistical Payment

Three parties: user U, merchant M, bank B. For simplicity, assume every transaction is worth $0.01 but we only want to process transactions with probability 1/1000. U and M have public-private key pairs. Let F be a publicly available function (everyone can obtain the code) that returns a number between 0 and 1 uniformly. (The values of F are uniformly distributed between 0 and 1.) A transaction string T = User ID || Merchant ID ||Bank ID ||timestamp
October 22, 2012
88-590-02 E-Commerce, S. Erfani University of Windsor

SOURCE: RON RIVEST

29

MR1 Scheme (Cont.)

When User U wants to pay merchant M, he sends M his digital signature C for transaction string T: C = SigU(T) (hash of T encrypted with Us private key) Merchant M now signs C: D = SigM(C) (hash of C encrypted with Ms private key) Merchant M computes F(D)
If F(D) < .001, then C is worth $10; otherwise C is worth $0. This occurs 1/1000 of the time.

If C has value, M sends to bank C & D = SigM(C). Bank verifies signatures and F(D), charges U $10 and credits M with $10. No risk to bank; U may pay a lot more than the transaction value.
October 22, 2012
88-590-02 E-Commerce, S. Erfani University of Windsor

SOURCE: RON RIVEST

30

Properties of MR1 Scheme

Payment is off-line:
U and M do not have to be in contact during transaction U can send C by email M does not have to contact Bank during transaction

Bank only sees 0.1% of transactions. No risk to bank. Because of signatures, neither U nor M can cheat. (If protocol is implemented properly!) U may pay a lot more than the transaction value. We want a protocol in which U never pays more than the transaction value.
October 22, 2012
88-590-02 E-Commerce, S. Erfani University of Windsor

SOURCE: RON RIVEST

31

A Second Micali-Rivest Scheme: MR2

The objective is to make sure U never pays more than transaction value he uses. Shift risk from User to Bank. This is OK because Bank processes large number of transactions. U includes a serial number S as part of the transaction string. Let MaxS be the highest serial number the Bank has processed for user U so far (starts at 0). When Bank processes a payable transaction:
Credits M with $10 Debits U by S MaxS MaxS S
October 22, 2012
88-590-02 E-Commerce, S. Erfani University of Windsor

SOURCE: RON RIVEST

32

How Does MR2 Work?

User NEVER pays more than the number of transactions he creates. After n transactions, serial number S = n. Suppose he has to pay m times. Total payment =
m

S
i =1

MaxSi =

MaxS
i =1

m 1

i +1

MaxSi = S m = n

User can cheat (by not incrementing S), but Bank will catch him. Bank on average receives as much as it pay out.
October 22, 2012
88-590-02 E-Commerce, S. Erfani University of Windsor

SOURCE: RON RIVEST

33

Properties of MR1 and MR2

Highly scalable
Billions of transactions handled with only millions of payments.

Inexpensive Payments are offline Global aggregation

Can handle payments to many merchants from many customers.
October 22, 2012
88-590-02 E-Commerce, S. Erfani University of Windsor

SOURCE: RON RIVEST

34

Summary
Micropayment systems must be fast and cheap. They MUST lack features of higher-value payment systems. They use of hashing instead of cryptography. Micropayment parties: buyer, seller, broker Micromint models minting coins.
High overhead to prevent counterfeiting

Fraud is not a serious problem with micropayments.

October 22, 2012

88-590-02 E-Commerce, S. Erfani University of Windsor

35

References
M. H. Sherif, Protocols for Secure Electronic Commerce. Boca Raton, FL: CRC Press LLC., 2004, Chapters 10.5 to 10.9. T. O. Lee, et al., An agent-based micropayment systems for e-commerce, pp. 247-263, E-Commerce Agents, Lecture Notes in Computer Science, J Liu and Y. Ye, (Eds.). Berling, Heidelberg: Spring-Verlag, 2001. R. Rivest and A. Shamir, PayWord and MicroMint: Two simple micropayment schemes, Lecture Notes in Computer Science, vol. 1189, pp. 69-87, 1997. S. Jarecki and A. Odlyzko, An efficient micropayment system based on probabilistic polling, Lecture Notes in Computer Science, vol. 1318, pp. 173-191, 1997. Electronic Payment Systems (20-763) Official Course Web http://euro.ecom.cmu.edu/program/courses/tcr763/2002pgh/cards7.ppt R. Parhaonyi et, al., Second generation micropayment systems: lessons learned, http://wwwhome.cs.utwente.nl/~pras/publications/2005-I3E2ndgeneration- payments.pdf

October 22, 2012

88-590-02 E-Commerce, S. Erfani University of Windsor

36

October 22, 2012

88-590-02 E-Commerce, S. Erfani University of Windsor

37