Presentation is loading. Please wait.

Presentation is loading. Please wait.

Micropayments Revisited Ronald L. Rivest (with Silvio Micali) MIT Laboratory for Computer Science RSA Conference 2002.

Published byDarleen Bishop Modified over 9 years ago

Similar presentations

Presentation on theme: "Micropayments Revisited Ronald L. Rivest (with Silvio Micali) MIT Laboratory for Computer Science RSA Conference 2002."— Presentation transcript:

1 Micropayments Revisited Ronald L. Rivest (with Silvio Micali) MIT Laboratory for Computer Science RSA Conference 2002

2 Outline u The need for micropayments u Dimensions in micropayment approaches u Previous work u The “Peppercorn” proposal

3 What is a “micropayment”? u A payment small enough that processing it is relatively costly. Note: processing one credit-card payment costs about 25¢ u A payment in the range 0.1¢ to $10. u Processing cost is the key issue for micropayment schemes. (There are of course other issues common to all payment schemes…)

4 The need for small payments u “Pay-per-click” purchases on Web: –Streaming music and video –Information services u Mobile commerce ($20G by 2005) –Geographically based info services –Gaming –Small “real world” purchases u Infrastructure accounting: –Paying for bandwidth

5 Payment schemes u Dominant today: –Credit cards –Subscriptions –Advertisements u Other possibilities: –Electronic checks –Anonymous digital cash –Micropayments FOR SALE

6 Why aren’t micropayments already here? u The market need is still nascent. u Rolling out a new payment system requires the coordination of many players. u Fundamentally: COST ! Existing micropayment schemes are too costly to implement.

7 Payment scheme costs: u Customer acquisition and support u Disputes and chargebacks: –User says he didn’t place order –User says goods were poor or missing u Overspending (more than authorized, or more than user can afford) u Communication, computation, equipment u Fraud/Attacks on system

8 Payment Framework: Payment System Provider (PSP) User Merchant Payment(s) Authori- zation Deposit(s)

9 Dimensions to consider: u Level and form of aggregation u On-line PSP vs. off-line PSP u Interactive vs. non-interactive u Ability to handle disputes u Ability to handle overspending u Computation/communication cost u Robustness against fraud

10 Level of Aggregation u To reduce processing costs, many small micropayments should be aggregated into fewer macropayments. u Possible levels of aggregation: –No aggregation: PSP sees every payment –Session-level aggregation: aggregate all payments in one user/merchant session –Global aggregation: Payments can be aggregated across users and merchants

11 Form of Aggregation u Deterministic aggregation: Accounting is exact. u Statistical aggregation: Value flow is accurately estimated (looks good for micropayments) u Our Peppercorn proposal makes aggregation look deterministic/non- existent to user but statistical to merchant and bank.

12 On-line PSP vs. Off-line PSP u On-line PSP: PSP authorizes each payment or each session. u Off-line PSP: User and merchant can initiate session and transact without participation of PSP. (e.g. pay taxi) u PSP should be off-line if scheme has global aggregation. u If multiple PSP’s involved, off-line is better.

13 Interactive vs. Non-interactive u Interactive: Payment protocol is two-way dialogue u Non-interactive: Payment protocol is one-way (e.g. anti-spam payment in email):

14 Ability to handle disputes u User claims he didn’t approve payment Solution: use digital signatures u User claims goods are poor quality or were never sent. Solution: let user complain to merchant directly. u A micropayment PSP can’t afford to handle any such disputes!

15 Ability to handle overspending u User may refuse to pay PSP for payments he has made. Solution: prepayment u User may spend more than he was authorized to spend. Solution: penalties/deterrence

16 Computation Cost u Digital signatures are still relatively “expensive” --- but much cheaper than they used to be! u Today, it seems reasonable to base a micropayment scheme on digital signatures. (E.g. Java card in cell phone) u User and merchant are anyways involved with each transaction; digital signatures only add a few milliseconds. u On-line/Off-line signature can also help.

17 Communication Cost u Communication costs can be minimized by: –Keeping PSP off-line; both authorization and deposits are aggregated, so PSP only has overall view of value flow –Making payment protocol non-interactive (e.g. reduce number of round-trips needed when buying with pay-per-click using browser)

18 Robustness against Fraud u Any party (user/merchant/ PSP) may try to cheat another. u Any two parties may try to cheat the third.

19 Previous Work: Digital Cash u Example: Chaum’s digital coins u Emphasis on anonymity: Withdrawals use blind signatures u Problem of double-spending handled by having doubler-spenders revealed (e.g. Brand’s protocol) u No aggregation: every coin spent is returned to the PSP.

20 Previous Work: PayWord u Rivest and Shamir ’96 u Emphasis on reducing public-key operations by using hash-chains instead: x 0 x 1 x 2 x 3 … x n u User signs x 0 and releases next x i for next payment u Session-level aggregation only.

21 Previous Work: MicroMint u Rivest and Shamir ’96 u Eliminates public-key operations entirely; each digital coin is a four-way hash collision: y x 0 x 1 x 2 x 3 u No aggregation: each coin is returned to PSP.

22 Previous Work: Millicent u Manasse et al. ’95 u User buys merchant-specific scrip from PSP for each session. u Requires PSP to be on-line for scrip purchase u Session-level aggregation only

23 Previous Work: Lottery Tickets u “Electronic Lottery Tickets as Micropayments” – Rivest ’97 (similar to “Transactions using Bets” proposal by Wheeler ’96; see also Lipton and Ostrovsky ’98) u Payments are probabilistic u First schemes to provide global aggregation: payments aggregated across all user/merchant pairs.

24 “Lottery Tickets” Explained u Merchant gives user hash value y = h(x) u User writes Merchant check: “This check is worth $10 if three low-order digits of h -1 (y) are 756.” (Signed by user, with certificate from PSP.) u Merchant “wins” $10 with probability 1/1000. Expected value of payment is 1 cent. u Bank sees only 1 out of every 1000 payments.

25 Our “Peppercorn” Proposal u Under English law, one peppercorn is the smallest amount that can be paid in consideration for value received. u Peppercorn scheme is an improvement of basic lottery ticket scheme, making it: –Non-interactive –Fair to user: user never “overcharged”

26 Non-interactive payment u Revised probabilistic payment: “This check is worth $10 if the three low-order digits of the hash of your digital signature on this check are 756.” u Merchant’s deterministic signature scheme is unpredictable to user. u Merchant can convince PSP to pay.

27 Non-interactive payment (cont) u Optimization: “This check is worth $10 if the three low-order digits of the hash of your digital signature on the date of this check are 756.” u Merchant’s server only needs to apply signature function once a day.

28 User Fairness: No “Overcharging” u With basic scheme, unlucky user might have to pay $20 for his first 2 cents of probabilistic payments! u We say payment scheme is user-fair if user never need pay more than he would if all payments were non-probabilistic checks for exactly expected value (e.g. 1 cent)

29 Achieving User-Fairness u Assume for the moment that all payments are for exactly one cent. u Require user to sequence number his payments: 1, 2, … u When merchant turns in winning payment with sequence number N PSP charges user N – (last N seen) cents User charged three cents for

30 User-Fairness (continued) u Note that merchant is still paid $10 for each winning payment, while user is charged by difference between sequence numbers seen by PSP. u Users severely penalized for using duplicate sequence numbers. If user’s payments win too often, he is converted to basic probabilistic scheme. PSP can manage risk.

31 Conclusions u Peppercorn micropayment scheme –Is highly scalable: bank can support billions of payments by processing only millions of transactions (1000x reduction) –Provides global aggregation –Supports off-line payments –Provides for non-interactive payments –Protects user from statistical variations –Uses digital signatures, but overhead for merchant and bank can be minimized

32 (The End)

Download ppt "Micropayments Revisited Ronald L. Rivest (with Silvio Micali) MIT Laboratory for Computer Science RSA Conference 2002."

Similar presentations

M-PAYMENT SYSTEM (e–WALLET ).

M-PAYMENT SYSTEM (e–WALLET ).
Micropayments Revisited Written by Silvio Micali and Ronald Rivest Presented by Charles Song and Michael Wasser.

Micropayments Revisited Written by Silvio Micali and Ronald Rivest Presented by Charles Song and Michael Wasser.
Micropayments Revisited Ronald L. Rivest & Silvio Micali RSA Conference 2002 Seminar 89-957, CS Dept., Bar Ilan University By Sharon Haroni.

Micropayments Revisited Ronald L. Rivest & Silvio Micali RSA Conference 2002 Seminar , CS Dept., Bar Ilan University By Sharon Haroni.
_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications1.

_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications1.
PAYWORD, MICROMINT -TWO MICROPAYMENT SCHEMES PROJECT OF CS 265 SPRING, 2004 WRITTEN BY JIAN DAI.

PAYWORD, MICROMINT -TWO MICROPAYMENT SCHEMES PROJECT OF CS 265 SPRING, 2004 WRITTEN BY JIAN DAI.
Computer Science Dr. Peng NingCSC 774 Advanced Network Security1 Topic 3.2: Micro Payments.

Computer Science Dr. Peng NingCSC 774 Advanced Network Security1 Topic 3.2: Micro Payments.
Recoverable and Untraceable E-Cash Dr. Joseph K. Liu The Chinese University of HongKong.

Recoverable and Untraceable E-Cash Dr. Joseph K. Liu The Chinese University of HongKong.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Chapter 13 Paying Via The Net. Agenda Digital Payment Requirements Fraud Detection Online Payment Methods Online Payment Types The Future Payment.

Chapter 13 Paying Via The Net. Agenda Digital Payment Requirements Fraud Detection Online Payment Methods Online Payment Types The Future Payment.
Digital Cash Present By Kevin, Hiren, Amit, Kai. What is Digital Cash?  A payment message bearing a digital signature which functions as a medium of.

Digital Cash Present By Kevin, Hiren, Amit, Kai. What is Digital Cash?  A payment message bearing a digital signature which functions as a medium of.
Copyright 1996 RSA Data Security, Inc. All rights reserved.Revised 1/1/96 PayWord and MicroMint: Two Simple MicroPayment Schemes Ronald L. Rivest (MIT)

Copyright 1996 RSA Data Security, Inc. All rights reserved.Revised 1/1/96 PayWord and MicroMint: Two Simple MicroPayment Schemes Ronald L. Rivest (MIT)
Slide 1 Vitaly Shmatikov CS 378 Digital Cash. slide 2 Digital Cash: Properties uDigital “payment message” with properties of cash uUnforgeable Users cannot.

Slide 1 Vitaly Shmatikov CS 378 Digital Cash. slide 2 Digital Cash: Properties uDigital “payment message” with properties of cash uUnforgeable Users cannot.
Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.

Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.
1 Towards Decentralized and Secure Electronic Marketplace Yingying Chen, Naftaly Minsky, Constantin Serban, and Wenxuan Zhang Dept of Computer Science.

1 Towards Decentralized and Secure Electronic Marketplace Yingying Chen, Naftaly Minsky, Constantin Serban, and Wenxuan Zhang Dept of Computer Science.
Introduction to Modern Cryptography, Lecture 13 Money Related Issues ($$$) and Odds and Ends.

Introduction to Modern Cryptography, Lecture 13 Money Related Issues ($$$) and Odds and Ends.
Micro-Payment Protocols and Systems Speaker: Jerry Gao Ph.D. San Jose State University URL:

Micro-Payment Protocols and Systems Speaker: Jerry Gao Ph.D. San Jose State University URL:
20-763 ELECTRONIC PAYMENT SYSTEMS FALL 2002COPYRIGHT © 2002 MICHAEL I. SHAMOS Electronic Payment Systems 20-763 Lecture 10 Micropayments II.

ELECTRONIC PAYMENT SYSTEMS FALL 2002COPYRIGHT © 2002 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 10 Micropayments II.
1 Formal Specification and Verification of a Micropayment Protocol Alex X. Liu The University of Texas at Austin, U.S.A. October 13, 2004 Co-author: Mohamed.

1 Formal Specification and Verification of a Micropayment Protocol Alex X. Liu The University of Texas at Austin, U.S.A. October 13, 2004 Co-author: Mohamed.
Your Presenter Amer Sharaf Electronic Payments: Where do we go from here? ByMarkus Jakobsson David Mraihi Yiannis Tsiounis Moti Yung.

Your Presenter Amer Sharaf Electronic Payments: Where do we go from here? ByMarkus Jakobsson David Mraihi Yiannis Tsiounis Moti Yung.
Digital Cash Damodar Nagapuram. Overview ► Monetary Freedom ► Digital Cash and its importance ► Achieving Digital Cash ► Disadvantages with digital cash.

Digital Cash Damodar Nagapuram. Overview ► Monetary Freedom ► Digital Cash and its importance ► Achieving Digital Cash ► Disadvantages with digital cash.

Similar presentations

Ads by Google