 
 
 
 
 
 
   
The Payment process involves the payer (e.g., a customer), the payee (e.g., a merchant) and the issuer. The requirements are as follows:
 field indicates which
option is being used. In addition, it includes whatever information is needed
for the option being used. For example, if it is refresh, the
 field indicates which
option is being used. In addition, it includes whatever information is needed
for the option being used. For example, if it is refresh, the  field
includes the type and number of the desired coins; if it is redemption, the
 field
includes the type and number of the desired coins; if it is redemption, the
 field includes the bank name, address and the account number.
 field includes the bank name, address and the account number.
The payment protocols have certain optional flows. They are indicated in
square brackets, for example ![$[\mbox{\bf S}_{{\em PY}}({\cal H}({\rm Com}))]$](img46.gif) means providing
this signature in the first flow is an option. The issue here is certificates.
The basic protocol does not need a certification authority: it is enough that
the issuer have the public keys of the participants. But for the extra
functionality of order protection and receipt, an external certification
authority is needed to provide the payer with the public key of the
payee.  We now describe how the flows are computed.
 means providing
this signature in the first flow is an option. The issue here is certificates.
The basic protocol does not need a certification authority: it is enough that
the issuer have the public keys of the participants. But for the extra
functionality of order protection and receipt, an external certification
authority is needed to provide the payer with the public key of the
payee.  We now describe how the flows are computed.
 whose total dollar value equals the amount to
be paid. (If the purse happens to not currently hold this amount, but holds
coins of total dollar value which is larger, the payer can go through a change
transaction to get change, and then resume the payment. If the purse has
insufficient funds, the payer will have to make a coin purchase, and, since this
is a lengthy process, he will probably stop the payment here and re-start when
he has the funds.)  The coins are put in an envelope by encrypting them (and
the identity of the payee) under the public key of the issuer. The
ciphertext is transmitted to the payee.
 whose total dollar value equals the amount to
be paid. (If the purse happens to not currently hold this amount, but holds
coins of total dollar value which is larger, the payer can go through a change
transaction to get change, and then resume the payment. If the purse has
insufficient funds, the payer will have to make a coin purchase, and, since this
is a lengthy process, he will probably stop the payment here and re-start when
he has the funds.)  The coins are put in an envelope by encrypting them (and
the identity of the payee) under the public key of the issuer. The
ciphertext is transmitted to the payee.
 which indicates whether he wants refresh, redemption or
aggregation. The payee also includes in
 which indicates whether he wants refresh, redemption or
aggregation. The payee also includes in  the amount, to guard against
the payer paying less than the agreed amount.  This is done, for privacy, under
cover of an encryption under the issuer's public key.  Also in the scope of the
encryption go the payer identity, the transaction id, and a number
 the amount, to guard against
the payer paying less than the agreed amount.  This is done, for privacy, under
cover of an encryption under the issuer's public key.  Also in the scope of the
encryption go the payer identity, the transaction id, and a number
 , chosen at random, which will be used to derive a session key.
, chosen at random, which will be used to derive a session key.
 . He then decrypts
. He then decrypts
 to get the coins which were sent by the payee. The validity of
these coins is checked, as also the fact that the total value of these coins
matches the amount claimed by the payee that is present in
 to get the coins which were sent by the payee. The validity of
these coins is checked, as also the fact that the total value of these coins
matches the amount claimed by the payee that is present in  . 
Now new coins are issued, of the type specified in
. 
Now new coins are issued, of the type specified in  , via two flows:
, via two flows: at random
and forms the session key
 at random
and forms the session key  . The session
key, together with
. The session
key, together with  , are encrypted under the public key
of the payee, and the resulting ciphertext is transfered to the payee.
Also the issuer encryptes the new coins under K; then MACs this
ciphertext and some other stuff as shown. The second ciphertext
and the MAC are also sent to the payee.
, are encrypted under the public key
of the payee, and the resulting ciphertext is transfered to the payee.
Also the issuer encryptes the new coins under K; then MACs this
ciphertext and some other stuff as shown. The second ciphertext
and the MAC are also sent to the payee.
Several spoiling attacks are possible. For example an attacker could flip some
bits in the MAC in the Issuance1 flow, making the payee reject.  In a
seemingly more sophisticated attack, he can remove the ValidationReq flow
sent by the payee and substitute a fake one which contains the same information
except that the value of  is different. (Note he is in possession
of all information except
 is different. (Note he is in possession
of all information except  so can indeed do this.) Then the payee
will again reject the Issuance1 flow since he will recover the wrong
session key. However, such attacks do not really help the attacker. These
kinds of spoiling attacks are unpreventable, and handled by appropriate
error handling and re-transmission.
 so can indeed do this.) Then the payee
will again reject the Issuance1 flow since he will recover the wrong
session key. However, such attacks do not really help the attacker. These
kinds of spoiling attacks are unpreventable, and handled by appropriate
error handling and re-transmission.
 
 
 
 
