Executive Summary

The explosive growth projected for electronic commerce on the information superhighway, to over 200 billion dollars by the year 2000, has triggered the launch of various payment schemes that piggyback on the existing credit card and check payment systems.

The real opportunity for banks on the information superhighway, however, is cash. Low-value payments, where cash has traditionally been king, are expected to catalyze growth of the information superhighway and to capture a major market share. The business model on the superhighway is already shifting to favor cash, away from fixed relationships with monthly billing, towards the paradigm enabled by low transaction cost of being able to pay anywhere "as you go" and "only for what you use."

Cash on the superhighway is also strategic for banks. The reasons go beyond potential fees, continuing intermediation and filling gaps in delivery and product portfolios. Just as cash has been a key product that brought customers to bank branches and ATMs, electronic cash can be expected to bring them often to the bank branch on the information superhighway. These digital branch visits will be critical to continuing to be able to make the first offer, cross-sell products, and cultivate customer relationships.

The mobility of customers on the information superhighway means that they can choose between competing payment systems. Taking market leadership will require a new system fully suited to the new environment. It must at least provide all the properties of cash: ease of use, low transaction cost, finality, and privacy. There is only one system that can do all this--ecash.

Already trialed extensively by DigiCash, and with patents granted, ecash is established and ready for commercial introduction. This memorandum introduces a new entity, EcashCo, that will launch the ecash payment system on behalf of its owning banks.

Background

Ecash: Ecash is a fundamentally new approach to consumer payments: a bearer instrument in a purely digital form. It was created by DigiCash, a leading developer of electronic payment technologies over the last five years. Simple in concept, ecash has almost all the attributes and advantages of paper currency and coins. Furthermore, ecash blends key advantages of checks and travelers checks, and can even be provided on credit. Unlike credit/debit cards, consumers can exchange payments among themselves and transaction costs are low enough that payments well under $1 are practical. In addition, the security level for even a five cent ecash payment relies on the same cryptographic security technique used by S.W.I.F.T. to protect instructions for transfers of $100 million.

The Experiment: The ecash technology has been tested extensively in a "monopoly-money" experiment that served as a software beta-test on the most popular computer systems, including MS Windows, Macintosh, and UNIX platforms. The currency, called "CyberBucks," is used by more than 10,000 people worldwide on the Internet with more than 75 merchants (some of whose logos are shown on the cover) selling information services and physical goods. Although the experiment focused on the increasingly popular World Wide Web, ecash can operate over any electronic delivery system, from e-mail to interactive television.

Licensing in Europe: Introduction of ecash denominated in national currencies is already underway in Europe. In one country, a consortium led by an organization owned by major banks has committed substantial resources, including more than 20 staff members, to build a trial that will roll into an actual product launch early next year. In another, substantial commitments have been made by the leading retail bank.

Licensing in the U.S.: In the United States, interest has been shown by banks and non-banks. DigiCash wishes to work with a consortium of leading banks in establishing ecash as the standard for the information superhighway. The consortium will operate through a new entity titled "EcashCo."

Business Proposition: Forward-looking banks with strong retail presence are being invited to purchase equity in EcashCo. Other banks may later be allowed to participate in the new system under rules to be established by the owning banks. DigiCash and its affiliates will license their trademarks, extensive patent portfolio, and software, as well as commit key personnel, to EcashCo. Other technology firms will be invited to participate with special status. EcashCo will provide a complete service to its owning banks, who will be free to package ecash as their own product and later even take over their part of the processing.

Strategic Highlights

The Need for Superhighway Payments

"Competitive tension will focus on maintaining access and control of the customer interface .... The development of secure payment systems for the online environment is a prerequisite for the development of electronic commerce. Development of these new payment systems is being driven largely by nonbank entities. Banks need to play a more proactive role, either individually or through bank-owned industry utilities, in developing and deploying payment options. The time to act is now."

- William S. Haraf, chairman, Bank Administration Institute, "The Information Superhighway and Retail Banking," Bank Administration Institute, July 1995, p. vi.

The commercial potential of the information superhighway has attracted a great deal of attention in part because of the explosive growth expected in the number of consumers who will use it. The information superhighway may be composed of various overlapping delivery channels (e.g., Internet, Interactive Television, or screen phones), but it is clear in any case that two-way, interactive, digital communication is growing. For example, the Internet is projected to grow from an estimated 25 million users today, to 200 million by 2000.

As usage of the information superhighway grows, the potential for commerce increases rapidly. A number of existing commerce channels such as telepayments ($200 billion), home shopping ($2.5 billion), and information services ($11 billion) are likely to be challenged by the information superhighway. See Appendix D for more complete coverage of the potential for commerce on the information superhighway.

Just as new payment systems have appeared in the past and served as catalysts for commerce (e.g., minted coins, paper money, checks, credit cards), the information superhighway is waiting for a new payment system. This new system must exploit the opportunities of the new medium while protecting against new vulnerabilities.

Exploiting the opportunities of the new medium has two meanings: Protecting against the vulnerabilities in the new medium also has two aspects:

The Need For Low-Value Payments

Currently, credit and charge cards dominate payments on the information superhighway, but their limitations will prevent them from fully serving the expected market. For example, VISA International itself estimates that worldwide there are $1.8 trillion in transactions annually with a value of less than $10 each. These transactions are too small to be served at an acceptable price by the credit and charge card system.

Low-value transactions are also expected to constitute a major portion of commerce on the information superhighway. Specifically, most observers expect subscriptions to proprietary systems such as CompuServe, Prodigy, or America Online to decline as users gain access to pay-as-you-go systems. This will allow users to pick and choose only specific pieces of information and pay only for the information chosen. While high-value payments justify the extra time and cost of going outside the system to a more traditional channel (e.g., a phone authorization to consummate a payment), low-value payments need to meet user requirements for cost and speed. The shift to pay-as-you-go systems has already started, with providers of proprietary systems seeking to market their data and services to anyone on the Internet, not just those users who pay a monthly fee. Certain key attributes are needed to facilitate low-value transactions:

Other Essential Attributes

In addition to the attributes required for a system to process low-value transactions efficiently, certain other attributes will also contribute to a payment system being accepted on the information superhighway.

Attributes of Ecash

" ... our inescapable conclusion is that banks must quickly meet this [non-bank] competition by creating superior products and services that wrap information and other value-added elements around banking's traditional advantage: providing a universal, standardized, reliable, secure, safe, available, cost effective, and final transfer of value. This is the best way to enable banks to be paid for the real value of the payments system."

- The Bankers Roundtable and Furash & Company, "Banking's Role in Tomorrow's Payment System, Volume 1: Ensuring a Role for Banks," June 1994, p. 1-2.

Ecash is the ideal means of exchange for the emerging electronic marketplace: a new market with new payment system needs. Fifty years ago the new frontier was television. Thirty five years ago, banks launched credit cards. Ten years later, AT&T introduced toll-free calling with their 800 service. The combination of television, credit cards and 800 numbers revolutionized direct marketing, which is a $55 billion industry. Today, the new frontier is the electronic marketplace. Ecash will be catalytic for electronic commerce, just as credit cards and 800 service were for direct marketing.

Ecash has been carefully and thoughtfully crafted to be familiar and inviting to consumers. Its clean and simple properties and interface mimic the payment system used by everyone on the planet: cash. However, ecash is more than just familiar; it also provides the essential attributes needed for a consumer electronic payment system for the emerging digital networked world.

Bearer Instrument Payment Systems

Payment systems generally, and those proposed for the Internet, can be divided into two groups: bearer instrument systems and account based systems. The vast majority of proposed payment systems are account based, and, of these, most are merely repackaging credit cards for use on the Internet, either by encryption, or by keeping sensitive data (like credit card numbers) off the network. Credit card based payment systems are not attractive for the Internet because they lack four critical components: In fact, the only advantage these systems have is that the account infrastructure (i.e., the credit card issuer to customer relationship) is already in place.

Ecash is different. It is the only digital bearer instrument. It provides licensable, controllable technology. And Ecash is the only system that meets the core set of requirements for a digital, general purpose, consumer payment system:
Security: Ecash is secure against technical fraud:
  • It is impossible to manufacture or counterfeit ecash.
  • Security does not rely on inviolability of user software, any hardware device, or any communication channel.
  • In fact, ecash is multiparty secure.
    • No one (buyer, seller, bank) can cheat anyone else, no matter how they might modify their software.
    • Even if two of these three parties collude against the third, they cannot cheat the third party.
Ecash uses proven cryptographic methods, the same as those used by S.W.I.F.T. and a host of other mission- and nation-critical applications. For example, the International Atomic Energy Agency uses public key cryptography to assure the integrity of seismic data recorders placed in nations to monitor compliance with SALT, and S.W.I.F.T. protects its $100 million payment messages with the same technology.
Low Cost: Ecash transactions are inherently inexpensive to process:
  • Ecash transactions have essentially no communications cost.
  • Payments as low as 1 cent are economically viable with ecash.
Ecash uses the Internet for all communications; there are no 800 or local calls to make. The cost of an ecash transaction consists of verification of the digital signature and a query to the spent coin database to validate each coin submitted. The only variable in the pricing equation is the cost of the interface with legacy back office systems. No other secure system can have a substantially lower cost.
Finality: Ecash is a digital bearer instrument. As with all bearer instruments (cash, transit tokens, movie tickets) possession is ownership.

Transactions involving bearer instruments settle and close in real time at an instant clear to both buyer and seller.
Software Only: No additional hardware is needed to use ecash. No special cards or boards are required.

Ecash is extremely inexpensive to distribute and easy for consumers to acquire. Ecash can be downloaded and installed in less than five minutes.
Privacy: Ecash provides buyers with privacy. But ecash never hides or in any way obscures the identity of sellers. Ecash does nothing but discourage drug sales or money laundering.

Ecash implements one-way privacy: the identity of the buyer is not disclosed to the seller; however, the identity of the seller is known to the buyer. This is the analog of the real world where buyers know where they shop, and can ask for a receipt showing the date and amount purchased. There is, however, no guarantee with cash that a receipt will be issued.

If a store insisted on a shopper's name, say "for their records," one might be inclined to shop elsewhere. With ecash, every time a purchase is made the buyer's privacy is protected and he is automatically guaranteed a receipt that proves, undeniably, that the merchant received payment.

What does the bank know about the buyer? As in ATM transactions, the bank knows all deposits and withdrawals, but the bank does not know where or on what its customers spend the cash withdrawn from its ATMs. With ecash, the bank again knows its customers' deposits and withdrawals, but nothing about where they spend their ecash nor what they buy with it.

Unlike with cash, there are three parties to every ecash transaction: the buyer, the seller, and the bank. Ecash cannot be passed from person to person without the bank. The bank automatically authenticates each ecash transaction as it is received by the seller, and either credits the seller's account or issues new ecash to the seller. As a result the bank "sees" every payment as it flows to the seller, and therefore ecash is a poor tool for money laundering or any activity designed to hide income.

Ecash's automatic record keeping provides buyers a complete and irrefutable record of each payment made. This perfect record, which could later be used against a seller, makes ecash an unattractive method of payment for almost any illicit purpose.

Scaleability: Ecash's back-end systems have been designed to be scaleable to efficiently meet the needs of any number of customers, using 1990's technology.
Person-to-Person: Ecash, like physical cash, allows any user to buy or sell using the same client software. Like cash, no special status or devices are needed to accept ecash.

Using Ecash and How It Works

"One of the few sources of income from which most nonbank competitors are effectively excluded is in the broad category of transaction processing functions, where a banking license is often required for participation. "

- Salomon Brothers, "Transaction Processing-Pathway to Profitability?," October 1992, p. 1.


The Ease of Using Ecash

Overview

Ecash has been designed for ease of use. Consumers are given a simple "point-and-click" graphical user interface that is simpler to use than many bank ATMs. To demonstrate the ease of using ecash, various actual transactions involving two customers, Alice and Bob, are shown below.

Startup and Background Operation


Once Alice starts ecash, it runs on her PC in the background much like a memory monitor or clock program. While ecash is running, a small window is displayed that shows her the amount of ecash available to spend along with an optional toolbar that allows her to initiate various functions.

Withdrawing Ecash from the Bank

In order to use ecash to purchase goods or services, ecash must first be available on the payer's hard drive, just as cash is needed in a wallet to pay for goods or services in the physical world. Withdrawing ecash is as simple as withdrawing regular cash from an ATM. Alice simply enters the amount to be withdrawn from the bank and clicks the "OK" button. This amount of ecash is then transferred to her hard drive. The screen below shows the actual dialog box used to withdraw ecash that appears when the bank icon has been clicked on the toolbar.

Making a Payment

There are two ways to make a payment using ecash: responding to a payment request issued by someone else, or initiating a payment yourself.

Responding to a Payment Request
Bob may send a payment request to Alice who has asked to buy something. (Merchants' software will send such requests automatically.) For example, in the dialog box below, Alice is being asked to make a payment of $0.02 to start a tic-tac-toe game. If she wants to make the payment, the "Yes" button is clicked; similarly, clicking the "No" button will refuse the payment.

As an ease of use aid, Alice may also instruct her system to respond automatically to payment requests. When the policy button is clicked in the window above, the dialog box is extended downwards as shown in the window below, and she may set the policy under which payments are to be made automatically. This simplifies certain repetitive payments.


Initiating a Payment
To make an unsolicited payment directly, Alice brings up the payment dialog box from the toolbar and fills in the blanks, much like writing a check.

Receiving Ecash

When Alice pays Bob, he has the option of depositing ecash into the bank or retaining ecash on his hard drive for future use, as shown in the dialog box below.
Just as Alice could set a policy for automatic response to payment requests, Bob can also set a simple policy for automatic handling of incoming payments, as shown below.

Depositing Ecash in the Bank

Ecash can, of course, be deposited in the bank. Again a simple dialog box is used. (Actually this is the same box as used in Figure 1 for withdrawals.)

Receipts and Records

Ecash automatically tracks withdrawals, payments, receipts, and deposits, creating various electronic statements.


How Ecash Works Inside

Overview

Like banknotes, ecash can be withdrawn from and deposited to transaction demand deposit accounts. And like banknotes, one person can transfer possession of a given amount of ecash to another person. But unlike cash, during customer-to-customer transfers, banks will have an unobtrusive but essential role to play.

The following examples explain how a withdrawal works, followed by a payment to a retailer. Combining these two transactions, it is then illustrated how the system can be configured so that the customer perceives that ecash is paid from person to person without involving any accounts. Finally the withdrawal is explained in greater detail to illustrate the "blind signature" concept, which is the foundation of the privacy feature.

Simple Withdrawal of Ecash

Figure 10 shows the two participants in the withdrawal transaction: the bank and customer Alice. Also shown are the digital coins that have been withdrawn from Alice's account at the bank and are on their way to her PC. When they arrive, they will be stored along with the few coins left over on her hard disk.
Although of course no physical coins are involved in the actual system, the messages sent include strings of digits, each string corresponding to a different digital coin. Each coin has a denomination, or value, so that a portfolio of digital coins is managed automatically by Alice's ecash software. It decides which denominations to withdraw and which to use to make particular payments. (The ecash software contacts the bank in the rare event that change is needed before a next withdrawal, to let it restructure its portfolio of coin denominations.)

An Ecash Purchase

Now that Alice has some ecash on her hard drive, she can buy things from Bob's shop as shown in Figure 11.

Once Alice has agreed by clicking on the "payment request" dialog shown in Fig. 12 to pay a certain amount to Bob's shop, her ecash software chooses coins with the desired total value from the portfolio on her hard disk. Then it removes these coins from her disk and transmits them over the network to Bob's shop. When it receives the coins, Bob's software automatically sends them on to the bank and waits for acceptance before sending the electronic goods to Alice.
To assure that each coin is used only once, the bank uses the serial number of each coin to point to where it should be stored in the spent coin database it maintains. If the coin serial number is already stored at that position, the bank has detected someone trying to spend the coin more than once and informs Bob that it is worthless. If, as will be the usual case, no serial number has been recorded at that position, the bank stores it at that position and informs Bob that the coin is valid and the deposit is accepted.

Person-to-Person Cash

When a consumer receives a payment, the process could be the same. But some people may prefer that when they receive money, it be made available on their hard disk immediately, ready for spending, just like when someone hands them a five dollar bill. This user preference can be realized as depicted in Figure 12.

The only difference between this payment from Alice to another consumer, Cindy, and the one Alice paid to Bob's shop in Figure 11, is what happens after the bank accepts the cash. In Figure 12, Cindy has configured her software to request the bank to withdraw the ecash and send it to her PC as soon as the coins are accepted. (Actually Cindy's bank will check with Alice's bank to make sure that the coins deposited are good.) When Alice sends Cindy five dollars, that money is immediately available to spend from Cindy's PC.

How Privacy Is Protected

In the simple withdrawal of Figure 10, the bank created unique blank digital coins, validated them with its special digital stamp, and supplied them to Alice. This would normally allow the bank at least in principle to recognize the particular coins when they are later accepted in a payment. And this would tell the bank exactly which payments were made by Alice.

By using "blind signatures," however, a feature unique to ecash, the bank can be prevented from recognizing the coins as having come from a particular account. The idea is shown in Figure 13. Instead of the bank creating a blank coin, Alice's computer creates the coin itself at random. Then it hides the coin in a special digital envelope and sends it off to the bank. The bank withdraws the requested dollar from Alice's account and makes its special "worth-one-dollar" digital validating stamp on the outside of the envelope before returning it to Alice's computer.
When Alice's computer removes the envelope, it has obtained a coin of its own choice, validated by the bank's stamp. When she spends the coin, the bank must honor it and accept it as a valid payment because of the stamp. But because the bank is unable to recognize the coin, since it was hidden in the envelope when it was stamped, the bank cannot tell who made the payment. Thus the blind signature mechanism lets the validating signature be applied through the envelope. The signer can verify that it must have made the signature, but it cannot link it back to a particular object signed.

How It All Works with Numbers

The coins form a close analogy to the way it actually works in the ecash software. When Alice's computer creates a blank coin it chooses a random number. The bank's validating stamp on the coin is a public key digital signature formed by the bank with the random coin number serving as the message signed. Checking the validity of a coin involves the verification of the digital signature using the bank's corresponding public key. The blinding operation is a special kind of encryption that can only be removed by the party who placed it there. It commutes with the public key digital signature process, and can thus be removed without disturbing the signature.
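
The withdrawal through a blinded "envelope" and the spent coin database check described above, worked through with numbers as an added Python example that is not DigiCash's code. It assumes textbook RSA blinding with a constructed toy key, a single one-dollar denomination, and a SHA-256 hash of the serial as the signed value; the names `Bank`, `make_blinded_coin`, `unblind` and `demo` are hypothetical.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy key for the bank's "worth-one-dollar" stamp: two Mersenne
# primes, far too small for real use. One key per denomination is assumed.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # bank's private exponent


def digest(serial: int) -> int:
    """Integer actually signed for a coin. Hashing is an assumption of this
    sketch: with raw RSA on the bare serial, anyone could pick a signature s
    and present s^E mod N as a 'coin'."""
    h = hashlib.sha256(serial.to_bytes(16, "big")).digest()
    return int.from_bytes(h, "big") % N


def make_blinded_coin():
    """Customer side: choose a random serial and hide it in the 'envelope'."""
    serial = secrets.randbits(128)
    while True:
        r = secrets.randbelow(N - 2) + 2           # blinding factor
        if gcd(r, N) == 1:
            break
    blinded = (digest(serial) * pow(r, E, N)) % N
    return serial, r, blinded


def unblind(blinded_sig: int, r: int) -> int:
    """Remove the envelope: (m * r^E)^D = m^D * r, so dividing by r leaves m^D."""
    return (blinded_sig * pow(r, -1, N)) % N


class Bank:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.spent = set()          # spent coin database, keyed by serial
        self.withdrawal_log = []    # everything the bank sees at withdrawal

    def withdraw(self, account: str, blinded: int) -> int:
        if self.balances[account] < 1:
            raise ValueError("insufficient funds")
        self.balances[account] -= 1
        blinded_sig = pow(blinded, D, N)            # stamp through the envelope
        self.withdrawal_log.append((account, blinded, blinded_sig))
        return blinded_sig

    def deposit(self, account: str, serial: int, sig: int) -> str:
        if pow(sig, E, N) != digest(serial):        # verify with the public key
            return "rejected: bad signature"
        if serial in self.spent:                    # serial already recorded
            return "rejected: already spent"
        self.spent.add(serial)
        self.balances[account] += 1
        return "accepted"


def demo():
    bank = Bank({"alice": 2, "bob": 0})
    serial, r, blinded = make_blinded_coin()
    coin_sig = unblind(bank.withdraw("alice", blinded), r)
    first = bank.deposit("bob", serial, coin_sig)       # Bob forwards the coin
    replay = bank.deposit("bob", serial, coin_sig)      # same coin again
    forged = bank.deposit("bob", secrets.randbits(128), coin_sig)
    # Direct comparison of the bank's withdrawal records with the deposited
    # coin: nothing it saw at withdrawal matches what it sees at deposit.
    linkable = any(serial == b or coin_sig == s or digest(serial) == b
                   for _, b, s in bank.withdrawal_log)
    return first, replay, forged, linkable, bank.balances


if __name__ == "__main__":
    print(demo())
```

The bank's check order matters: the signature is verified before the spent coin database is consulted, so an unsigned serial can never be recorded as spent and used to invalidate someone else's coin.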

How Funds Flow

While for the consumer ecash is functionally equivalent to cash, to a bank its properties are somewhat different.

As can be seen in the top of Figure 14, the first step in each case is when value comes out of a customer's account. In an ATM transaction, the currency given to the consumer is a reduction in vault cash; in an ecash withdrawal, however, the value is moved within the bank and becomes an ecash liability that will be reversed when the ecash is presented for deposit.

The second step is the spending of the value. Here cash and ecash are very similar. In each case the merchant (or other party receiving it) has the option of accumulating cash or depositing it, as detailed later with reference to Fig 15.

When the merchant takes the final step and deposits the cash, it results in an increase in vault cash. A deposit of ecash reduces the ecash liability and increases deposit liability.


The chart below shows in more detail the difference in the actual transaction path for a cash payment and an ecash payment, particularly in the case where they are made from customer to customer. While the main difference is invisible to the consumer, it is necessary to protect the integrity of ecash.

Overview of EcashCo

"Now, whoever sets up the electronic store of the future owns the store and banks will just rent space as opposed to owning the store and selling lots of products and services"

- William Randle, Huntington National Bank, "The Threat of the Piper: Losing Customers to High-Tech Competitors," Bank Marketing, May 1995, p. 24.

This chapter summarizes the business plan of EcashCo and the potential roles of its owning banks.

Business Plan Summary

Below is a brief summary of the concepts, objectives, and milestones contained in EcashCo's business plan. EcashCo is a new entity owned by banks, DigiCash, and possibly other special status technology partners.
Mission: EcashCo's mission is to create value for its owners and to provide the means for its owners to strategically enhance the consumer banking relationships of owning banks by manufacturing, operating and developing ecash products. It will do this by:
  • Providing shareholders with products and services that enable electronic commerce with electronic cash.
  • Establishing ecash as the standard for electronic cash.
  • Undertaking ongoing research and development, as well as operation of an electronic cash payment system, including validation of ecash coins.
Structure: Organizationally, EcashCo will be structured as a profit making commercial firm. In parallel, a group of advisory committees, staffed by representatives of the owners, will be created to facilitate communication with bank and technology owners and the contribution of their expertise and concerns at key points within the organization. Financial contributions of the owners will be contingent upon attainment of milestones by EcashCo.
A rapid startup is critical to the success of the venture. It is expected that owners will "loan" selected personnel on a short-term basis during start-up. Outsourcing, in accordance with carefully-prepared specifications, will also be used. The bootstrapping procedure begins with formation of an interim board and single advisory committee, who initiate key executive searches and develop requirements for the remaining management and outsourcing.
Operational Phases: Milestones are tied to achievement of the operational phases detailed in the business plan. There are distinct product phases. An initial product phase gets a pilot system live and "on the air" within a few months using existing technology and outsourced operations. A second phase entails a beta-test of the system without relying on completion of all the backend infrastructure needed for large-scale operation. After full operation begins, owner banks will be able to take over parts of the processing related to their transactions and to adapt the user software as they see fit.
Centralized Functions
  • Technology - included are all transaction processing operations. Supplier relations will also be important, and will be structured to remove bias toward internal versus outsource. The R&D function of evolving the technology, based on guidance of marketers, will be a critical one in this fast moving market.
  • Legal - Counsel will structure and maintain the rules for use of the product and risk management. Intellectual property, including trade-secrets, trademarks and patent protection, will be another key area of concern. Relations with regulators will require counsel with special skills.
  • Marketing - Market research will track user preferences to identify new opportunities. In the interests of effectiveness and cost efficiency, advertising promotion and public relations will be conducted on a shared-program basis.
The board of EcashCo will determine policy with respect to how other financial institutions can participate and about efforts that may be needed to develop various new networks or other market opportunities. The business development team will be involved in implementing such decisions, including sales and partnership formation.

Business Function Diagram


The interlinked functions performed by EcashCo and the degree to which they may optionally be in part taken over by each bank owner are shown in Figure 16. The technical operation of the system consists of a small number of basic functions. The figure details these basic functions, their interconnection by operational message flows, and who performs each. The functions and message flows are explained by the legend in the figure. The payor and payee each have a role, as does EcashCo and potentially each bank.

A particular bank may not play any technical role, in which case it has essentially outsourced the entire processing. Alternatively, a financial institution could perform parts of the processing that would otherwise be done by EcashCo. Two degrees of this processing by a bank are envisaged and indicated in the figure. The narrower involvement by the bank lets the bank essentially be a "repackager" for the EcashCo product: messages sent between the customer and EcashCo go through the processing center of the bank and are modified to customize the product and its user interface. A bank with the broader of the two involvements in effect becomes an "issuer" of its own ecash, but relies on EcashCo for certain central functions.

Appendices

Profile of DigiCash

Background

Founded in 1989, DigiCash has pioneered development of electronic payment mechanisms for open, closed and network systems which provide security and privacy. DigiCash's technology is based on patented advances in public key cryptography developed by the Company's founder and Managing Director, Dr. David Chaum. Throughout its history DigiCash has developed leading edge products and partnered with companies to provide advanced payment systems technology to the market.

DigiCash's first product was a road toll system developed for the Dutch government. It is now being tested in Japan and marketed in other countries. DigiCash has developed a number of other technologies. In each case, DigiCash has worked with leading organizations in the field. For example:

The ecash technology has now reached the stage where commercialization is appropriate. A successful pilot scale trial has been running on the Internet the better part of a year, with very strong demand and participation.

Personnel

Dr. David Chaum
Managing Director

David Chaum, founder and managing director of DigiCash, earned his doctoral degree in Computer Science from the University of California, Berkeley, in 1982, with a minor in Business Administration. He was immediately recruited to New York University Graduate School of Business as a tenure-track assistant professor where he taught for one year. For the next two years, Dr. Chaum split his time between a faculty position at the University of California, Santa Barbara and a visiting research professorship at Vrije Universiteit, Amsterdam. In 1982, he founded the International Association for Cryptologic Research, the key organization for cryptographic research worldwide, and has held positions on its board of directors and editors.

In 1984 Dr. Chaum accepted a position as head of the Cryptography Group at CWI, the Dutch nationally funded center for research in mathematics and computer science. He has succeeded in raising millions of dollars to build the group up from essentially a single position to one of the top groups worldwide with an average of six researchers. During his nine year tenure as head of this research group, Dr. Chaum formed several European Commission projects that involved advanced research in cryptographic technology. One was RIPE, a consortium of six leading research organizations in Europe which published the first publicly funded recommendations on cryptography. In 1992 Dr. Chaum founded the CAFE Project: a consortium of thirteen European companies dedicated to developing and testing the concept of an advanced electronic wallet.

Dr. Chaum organized several landmark conferences, notably CRYPTO '82, EUROCRYPT '87, Smart Card 2000 and Crypto Concepts, which attracted hundreds of international delegates.

In 1989 Dr. Chaum founded DigiCash as a research and development firm that would develop products based on some results of his research. During the next three years Dr. Chaum acted as head of the Cryptography Group and CEO of DigiCash. In 1993, Dr. Chaum decreased his role to that of advisor for the Cryptography Group while remaining Chairman of Project CAFE.

In 1992 Dr. Chaum published a seminal work entitled "Achieving Electronic Privacy" in Scientific American. During the past decade Dr. Chaum has developed a large portfolio of intellectual property based on his research into public key cryptography and is considered one of the world's leading experts in the field. He has authored over 50 technical articles, lectures at technical conferences and is frequently invited to give numerous keynotes at international meetings.

Daniel Eldridge
Vice President, ecash Business Development


Dan Eldridge majored in Technology, Privacy, Public Policy, and Social Change at the University of California at Berkeley.

In 1981, Mr. Eldridge founded American Time & Temperature, Inc. which acquired telephone, time, and temperature services in New York, Ohio and South Dakota. In 1985, Mr. Eldridge merged American Time & Temperature, Inc. with Telephone Media, Inc. (TMI).

From 1985 till 1993, Mr. Eldridge was a principal of TMI, a service bureau for 800 and 900 interactive telephone services, where he developed products and services for Newsday and New York Newsday, and the more than fifty daily and weekly newspaper clients TMI served.

Mr. Eldridge was also an interactive project consultant for Broadway Video, Inc., the producer of Saturday Night Live and The Kids in the Hall.

Dan Eldridge joined DigiCash in January 1995 as vice president of ecash business development and head of the New York office. He lectures nationally at industry seminars and conferences.

The ecash Development Team

The DigiCash development team is comprised of highly talented and recognized software developers and hardware engineers who, under the direction of Dr. Chaum, are committed to excellence and innovation. They have extensive backgrounds in advanced systems development, both before and during the involvement many have had at DigiCash, in many cases extending over five years.

Ecash Intellectual Property

Patents

David Chaum holds 10 issued U.S. patents related to ecash:

PATENT TITLE | PRIORITY FILING DATE | U.S. ISSUE DATE(S) | U.S. PATENT NUMBER(S)
Cryptographic Identification, Financial Transaction, and Credential Device | June 25, 1982 | July 16, 1985 | 4,529,870
Blind Signature Systems | August 22, 1983 | July 19, 1988 | 4,759,063
Blind Unanticipated Signature Systems | October 7, 1985 | July 19, 1988 | 4,759,064
Undeniable Signature Systems | November 23, 1987 | August 7, 1990 | 4,947,430
Card-Computer Moderated Systems | May 24, 1988 | May 15, 1990 | 4,926,480
Returned-Value Blind Signature Systems | October 20, 1988 | August 14, 1990 | 4,949,380
Unpredictable Blind Signature Systems | May 4, 1989 | February 5, 1991 | 4,991,210
Selected-Exponent Signature Systems | June 21, 1989 | February 26, 1991 | 4,996,711
One-Show Blind Signature Systems | April 5, 1990 | January 22, 1991 | 4,987,593
Optionally Moderated Transaction Systems | January 29, 1990 | July 14, 1992 and January 4, 1994 | 5,131,039 and 5,276,736
Destined-Confirmer Signature Systems | May 25, 1993 | December 13, 1994 | 5,373,558

A brief profile of selected key patents follows:

United States Patent--4,759,063 - Blind Signature Systems

A cryptographic system allows, in one exemplary use, a supplier to cryptographically transform a plurality of messages responsive to secret keys; the transformed messages to be digitally signed by a signer; and the signed transformed messages returned to the supplier to be transformed by the supplier, responsive to the same secret keys, in such a way that a digital signature related to each original message is developed by the supplier. One important property of these systems is that the signer cannot determine which transformed message received for signing corresponds with which digital signature, even though the signer knows that such a correspondence must exist.

United States Patent-4,947,430 - Undeniable Signature Systems

Cryptographic methods and apparatus for forming, checking, blinding, and unblinding of undeniable signatures are disclosed. The validity of such signatures is based on public keys and they are formed by a signing party with access to a corresponding private key, much as with public key digital signatures. A difference is that whereas public key digital signatures can be checked by anyone using the corresponding public key, the validity of undeniable signatures is in general checked by a protocol conducted between a checking party and the signing party. During such a protocol, the signing party may improperly try to deny the validity of a valid signature, but the checking party will be able to detect this with substantially high probability. In case the signing party is not improperly performing the protocol, the checking party is further able to determine with high probability whether or not the signature validly corresponds to the intended message and public key. Blinding can be used while obtaining undeniable signatures, while providing them to other parties, and while checking their validity.

United States Patent-4,949,380 - Returned-Value Blind Signature Systems

A payer party obtains from a signer party by a blind signature system a first public key digital signature having a first value in a withdrawal transaction; the payer reduces the value of the first signature obtained from the first value to a second value and provides this reduced-value form of the signature to the signer in a payment transaction; the signer returns a second digital signature to the payer by a blind signature system in online consummation of the payment transaction; the payer derives from the first and the second signature a third signature having a value increased corresponding to the magnitude of the difference between the first and the second values. Furthermore, the following additional features are provided: payments are unlinkable to withdrawals; a shop between the payer and signer can be kept from obtaining more value than desired by the payer; the first value need not be revealed to the signer or intermediary in the payment transaction; the returned difference can be accumulated across multiple payment transactions; and the returned difference can be divided between plurality of payment transactions.

Software

This section describes the version of the software implementation of ecash currently used by DigiCash to conduct the CyberBucks experiment.

The ecash software is divided into three main parts: the bank server, the user client and merchant client software. Additionally, a communication network interconnects the parts.

Together with security and reliability, portability has been a main issue in the ecash software development, because DigiCash's strategy is to allow its software to be used as widely as possible. The bank server, as well as the ecash kernel used by all the client software, are designed to be highly portable. Therefore, DigiCash has chosen highly portable "C" as the main programming language. (Some parts of the MS Windows and Apple Macintosh versions of the client software use 'C++', as mentioned later.)

World Wide Web is one of the many ways to offer information to customers via the Internet. Although the ecash software architecture allows interfacing to various network systems, the current ecash software configuration has been chosen to take advantage of the surge in interest in using the Internet with World Wide Web. This approach allows DigiCash to test the ecash system and user reactions in a fairly large trial around the world. Results have been very positive.

Bank Server Software

The bank server software includes the most critical parts of the ecash system. It deals with money issuing, double spend checking and, currently, account management. Special modules perform the handling of cryptographic procedures like encryption, decryption, key generation/management, coin signing, and hashing calculations. The bank server also supports protected message exchange between the bank and its customers. The CyberBucks bank server currently runs under BSD UNIX operating systems. It is completely written in standard "C" to ensure portability across operating system platforms.
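
The blind-signature flow from the abstract of patent 4,759,063 above, combined with the bank server's coin signing and double-spend check, as an added example that is not DigiCash's code. It assumes textbook RSA blinding, a constructed toy key, SHA-256 as the coin encoding, and hypothetical names (`Bank`, `coin_digest`, `explaining_factor`).

```python
import hashlib
import math
import secrets

# Constructed toy RSA key built from two Mersenne primes; far too small for real use.
P, Q = 2**89 - 1, 2**107 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # signer's private exponent


def coin_digest(serial: bytes) -> int:
    """Map a coin serial number into Z_N (assumed encoding: SHA-256 mod N)."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N


def blind(serial: bytes) -> tuple:
    """Supplier side: hide the coin under a secret random factor r."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return (coin_digest(serial) * pow(r, E, N)) % N, r


def unblind(blind_sig: int, r: int) -> int:
    """Supplier side: strip r, leaving an ordinary signature on the coin."""
    return (blind_sig * pow(r, -1, N)) % N


def verify(serial: bytes, sig: int) -> bool:
    """Anyone can check a coin with the public key (N, E)."""
    return pow(sig, E, N) == coin_digest(serial)


def explaining_factor(blinded: int, serial: bytes) -> int:
    """Find the r that would link `blinded` to ANY given serial.

    Needs D, so only the signer can run it, and it succeeds for every
    candidate serial: the withdrawal transcript rules nothing out.
    """
    return pow(blinded * pow(coin_digest(serial), -1, N) % N, D, N)


class Bank:
    """Hypothetical signer: issues coins blind, checks double spending."""

    def __init__(self) -> None:
        self.spent = set()  # serials of coins already deposited

    def withdraw(self, blinded: int) -> int:
        # The bank signs a value it cannot read (account debit omitted).
        return pow(blinded, D, N)

    def deposit(self, serial: bytes, sig: int) -> str:
        if not verify(serial, sig):
            return "invalid"
        if serial in self.spent:
            return "double-spend"
        self.spent.add(serial)
        return "accepted"


if __name__ == "__main__":
    bank = Bank()
    serial = secrets.token_bytes(16)  # constructed coin serial
    blinded, r = blind(serial)
    coin_sig = unblind(bank.withdraw(blinded), r)
    print("coin verifies:", verify(serial, coin_sig))
    print("first deposit:", bank.deposit(serial, coin_sig))
    print("second deposit:", bank.deposit(serial, coin_sig))
```

Because `explaining_factor` finds a consistent blinding factor for any serial, the value the bank signed at withdrawal is equally compatible with every coin it later sees at deposit.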

User Client Software

The client software basically allows an ecash user to pay and receive ecash coins, and to withdraw coins from and to deposit coins to the user's account. There are two different uses of local client software, either by a consumer or a merchant. A consumer typically uses the client software to pay, whereas the merchant uses the client software mainly to receive payments. When a merchant offers goods via a Web page, an unattended mode is hooked up to the merchant's Web server that deposits all funds received.

The ecash client software has been divided into three modules (see Figure 18):

To achieve good portability over a wide range of operating system platforms, the communication and the kernel have been written in "C". The graphical user interface versions of the ecash client for the Apple Macintosh and MS Windows are written in "C++" to make optimal use of the best native GUI characteristics while retaining a common look and feel. The graphical user interface for the UNIX versions of the ecash client software is based on X-Windows and MOTIF.

Platforms: MS Windows, OS/2, Macintosh, UNIX
* Only the text version is available

The Network Possibilities

The communication requirements for ecash are network independent. It is important that the communication between a payer and a payee can be set up quickly, conveniently, and without too much cost. Currently, the Internet, with communication protocols based on the TCP/IP protocol suite, meets this requirement well. With ecash, however, a payment can be made on any IP-connection. This implies that ecash is not limited to World Wide Web. The current version can even handle payments via e-mail messages, since the ecash protocols require only one message per payment. But to keep the CyberBucks experiment manageable, this option is disabled on most clients except for receipt of payments.

The electronic commerce model on the Internet rests on the World Wide Web concept, where merchants today typically publish Web pages to present their commercial goods and services. These Web pages are typically accessible by everybody. Each page contains text, multicolor graphics, and so-called hyperlinks. A hyperlink is a specially marked piece of text that contains a reference to another Web page, anywhere. Not only can these hyperlinks refer to pages but they can also initiate a program, which can then initiate a payment request, if the entering of a hyperlink is something that the page owner requests payment for.

The software used by those browsing through these pages connected by electronic references is called a Web browser. The software sending the pages over to a browsing user is called a Web server. Merchants use Web servers to offer Web pages to their potential customers. Therefore, Web servers are currently the prime marketing and sales instrument for electronic merchants, and ecash is designed to cooperate well with the Web system.

Merchant Client Software

Because most software for Web servers is only available for UNIX, DigiCash developed a special, text-only edition of the ecash client software, together with some specialized scripts to enable merchants to set up an ecash-accepting shop which cooperates with the merchant's Web server. This version runs unattended and has a text-only (terminal) user interface. The ecash kernel is the same as it is in every ecash client.

Competitors and How They Compare

What follows is a comparison of several payment schemes proposed for the Internet.

CyberCash

CyberCash released its first product on April 1, 1995 and is now shipping version 0.8 of their software.

CyberCash requires banks and merchant acquirers to route transactions through CyberCash's server, adding additional complexity and cost to credit card transactions. Drawing heavily on licensed technology, CyberCash has little or no proprietary technology suitable for licensing.

Electronic Business Co-Op

This is a joint effort of:

CheckFree Corporation
CheckFree is a privately held company that specializes in ACH transfers.

Spyglass, Inc.
Develops and distributes World Wide Web technologies. The Company's flagship product, Enhanced Mosaic, is a graphical browser for accessing the World Wide Web.

Tandem Computers Corp.
Tandem manufactures fault-tolerant mini- and super mini-computers. Tandem's role, according to the formation announcement, "keeps the whole transaction system humming along."

Virtual Open Network Environment (V-ONE) Corporation
A small firm developing authentication and security products. V-ONE announced its payment system for the Internet. Its first demonstration was buying a pizza over the network.

GemPlus Corporation
GemPlus, a smart card manufacturer, has recently joined the Electronic Co-Op.

First Virtual Holdings

First Virtual, headed by Lee Stein (former talent agent for Kenny Loggins among others) promotes itself as, "Merchant Banker for the Internet." In fact, First Virtual is promoting a system for using credit cards to make purchases on the Net. First Virtual keeps credit card numbers secure by using out-of-band communication to establish an alias for credit cards and using that alias in place of credit card numbers for transactions on the Internet.

Microsoft/VISA

Microsoft and VISA have announced a joint venture to establish secure credit card transactions over the Internet. Currently, Microsoft does not have a World Wide Web browser but announcements indicate that Microsoft Network will conform to World Wide Web standards.

The Microsoft/VISA card product-though able to secure credit card numbers-still lacks essential elements necessary for general purpose payments over the Internet: (It has recently been announced that this will merge with Netscape/MasterCard listed below.)

Mondex

Developed by National Westminster Bank and licensed to Midland Bank, Mondex uses smart cards to store electronic cash. Mondex was developed to replace the cash in consumers' pockets and the cash in the cash register till. Recently, Mondex has begun discussing their product for Internet payments.

Mondex is not well suited to the Internet as it relies on tamper resistant smart cards for security. Mondex also allows transfers from one smart card to another without bank intervention or observation, thereby enabling rogue use of cracked smart cards.

NetBill

NetBill provides tools for selling information from specially equipped services. It is a Carnegie Mellon University research project which VISA recently joined.

NetChex

NetChex, a two-man operation, was founded by a former stockbroker and a former data processing consultant. NetChex announced the product on May 24, 1995. NetChex has released little information about its system.

Netscape/MasterCard

Netscape has a system that establishes a secure communication channel between Netscape brand products (browsers and servers). When this secure link has been established, credit card numbers can be transmitted over the Internet without risk of misappropriation.

Similar to the aforementioned Microsoft/VISA alliance, the Netscape/MasterCard product-though able to secure credit card numbers-still lacks necessary elements for general purpose payments over the Internet:

Integrated Selling Systems

Seeking to serve companies selling goods or services on the Internet, two companies, BroadVision and Open Market, are developing large systems to serve content owners. These companies are essentially system integrators-they are not payment system developers.

Both companies have indicated an eagerness to accept ecash.

Open Market

Open Market defines itself as a company which "develops and markets software, services and industry-specific solutions to facilitate electronic commerce on the Internet and World Wide Web."

BroadVision

BroadVision develops middleware which integrates storefronts and legacy systems to support and facilitate electronic commerce activities.

COMPANY | SOFTWARE ONLY | SECURE | PRIVACY | PERSON-TO-PERSON | SUITABLE FOR SOFT AND HARD GOODS | SUITABILITY FOR IMPULSE BUYING | MICRO PAYMENTS | HAS PATENTED TECHNOLOGY AVAILABLE FOR LICENSING
EcashCo | Yes | Yes | Yes | Yes | Yes | High | Yes | Yes
CyberCash | Yes | Yes | No | No | Yes | Low | No | No
Electronic Business Co-Op | Yes | Unknown | No | No | Yes | Low | Unknown | No
First Virtual Holdings | Yes | No | No | No | No | Low | No | No
Microsoft/VISA | Unknown | Yes | No | No | Unknown | Low | Unknown | No
Mondex | No | No | No | Yes | Yes | High | Yes | Yes
NetChex | Yes | Unknown | No | No | Unknown | Low | No | No
Netscape/MasterCard | Unknown | Yes | No | No | Unknown | Low | Unknown | No

Commerce Opportunities on the Superhighway

The rapid growth and potential for commerce on the information superhighway have been discussed widely. A number of points remain unclear: what form the information superhighway will ultimately take (e.g., Internet, ITV, picture phone); who will control it (e.g., Microsoft, IBM, TCI, AT&T); and how quickly it will develop. But if the information superhighway becomes only as large as the catalog channel, it will be a $53 billion market:

[Figure: Relative Market Size, 1994 (Dollars in Millions)]

One area that is clear, however, is that a payment system better suited to the information superhighway will develop, and a system such as ecash, which can work on any form of network, will have a distinct advantage as the various delivery systems fight for consumer acceptance.

Below are descriptions of the various delivery systems for the information superhighway and some information regarding growth potential culled from various press accounts.

The Internet

The Internet began in 1969 as an experimental network sponsored by the Defense Department. It has evolved into a web of governmental, academic and private-sector networks linking more than 30,000 computer networks and at least 3.2 million host computers around the world. The Internet is expected to grow from 25 million users today to more than 200 million by 2000, with some projections as high as 20% monthly growth.

[Figure: Internet Users (In Millions)]

Growth of PC Usage Has Increased Internet Use

[Figure: U.S. Household PC and Modem Penetration]

Improved Software Has Increased Internet Use

[Figure: Users of On-Line Services (In Thousands)]

Increased Usage is Leading to Commercialization of the Internet

Interactive Television

Interactive Television is yet another component of the information superhighway. As a concept, ITV represents a two-way multipoint-to-multipoint communication system capable of full motion video between a household and a network service. Adding a "smart" but inexpensive set-top box to the existing TV gives the consumer two-way communication capability. This technology will enable a household to view movies or television programs on demand; select and play video games; buy merchandise at the touch of a button, and access information and communicate with other households. These are the same activities that Internet has a potential to offer. Since the computer has entered the household-and with it the capability of on-line communication-a marriage of the computer with the communication systems and the media is expected soon:

The areas that will most likely see an increase are video on demand (VOD), TV shopping, video games (on demand and interactive) and shifted schedule television. ITV, however, is a relatively new technology compared to Internet. The first operational on-line networks emerged in 1970. ITV is in its early stage of testing first prototypes in selected consumer markets. Based on the experience of cable and other successful consumer technologies, household penetration barely reaches 5 percent in the first five years:

TV Household Penetration Rates for New Technologies

YEAR OF AVAILABILITY | PAY CABLE | HOME VIDEO | COLOR TELEVISION
1 | 0.5% | 0.04% | 0.6%
2 | 1.1% | 0.1% | 0.7%
3 | 1.8% | 0.7% | 0.9%
4 | 3.2% | 1.3% | 1.2%
5 | 5.5% | 2.3% | 1.9%
10 | 24.7% | 25.9% | 24.2%
15 | 29.2% | 69.1% | 55.4%
20 | - | - | 78.0%

Sources: Veronis, Suhler & Associates, A.C. Nielsen, Television Bureau of Advertising, Paul Kagan Associates, Wilkofsky Gruen Associates

Therefore, over the next five years, ITV is not expected to have explosive growth. However, if the technology proves to be popular, penetration growth may later resemble that of pay cable, home video and color television, rising to about 25% after 2000.