Deliverables / Publications

The goal of this project was to design protocols to support emerging services in high speed networks, and to demonstrate them in a trial system. Cambridge University Computer Laboratory's principal role was to design a payment mechanism and integrate it in a prototype multimedia application.

Over the last few years there have been a number of proposals for making payments over the net. These can be grouped into electronic cash or credit/debit card systems. In the first case the customer buys a number of electronic coins from the bank and spends them with one or more merchants, who can then redeem the coins with the bank. In the second case a bank card transaction processing system is overlaid on the existing credit card legacy infrastructure. This is how things are done today, but such systems - notably SSL and SET - suffer from relatively high transaction costs and prove uneconomic for payments below a certain threshold.

The NetCard protocol supports micropayments. It was designed on the assumption that in order to control network and processing costs, small transactions would not be authorised online to the bank. It presents a number of micropayment protocols for use in electronic commerce, and discusses how these can be made robust against attacks on either the legacy credit card infrastructure or the public key certification mechanisms that are currently being built. NetCard can be combined with electronic credit card systems to provide solutions to a broader range of application requirements.

The key innovation is that, instead of having to do a digital signature each time the customer spends a coin, she can sign a whole stick of coins that are hashed together in a recursive way and then spend these coins one at a time. The recursive hashing technique greatly reduces the computational complexity in applications where a series of low value payments are made to the same merchant. This work appeared at the 1996 Cambridge Workshop on Security Protocols, and has also stimulated research by others, both within the security group at Cambridge and in the world at large. Links to such work are given below.
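The "stick of coins" described above, as an added worked example that is not the project's own NetCard code: the customer hashes a random seed n times, one signature covers the head of the chain, and each coin is then spent by revealing the next preimage, which the merchant checks with a single hash; a bank-side redemption check is included as well. SHA-256 stands in for Tiger and an HMAC under a bank key stands in for the digital signature, both assumptions made here because neither is in the Python standard library.

```python
import hashlib
import hmac
import os

# Assumptions (not from the page): SHA-256 stands in for Tiger, and an HMAC under a
# bank key stands in for the digital signature that covers the head of the stick.
def H(data):
    return hashlib.sha256(data).digest()

def make_stick(n, seed=None):
    """Return [c_0, ..., c_n]: c_n is a random seed, c_i = H(c_{i+1}), c_0 is the head."""
    chain = [seed if seed is not None else os.urandom(32)]
    for _ in range(n):
        chain.append(H(chain[-1]))
    chain.reverse()
    return chain

def sign_head(key, merchant, head, n):
    """One signature covers the whole stick: the merchant, the coin count and the head."""
    msg = merchant.encode() + n.to_bytes(4, "big") + head
    return hmac.new(key, msg, hashlib.sha256).digest()

class Merchant:
    def __init__(self, key, name):
        self.key, self.name, self.last, self.remaining = key, name, None, 0

    def accept_stick(self, head, n, sig):
        """Verify the single signature once, then remember the head as the last seen value."""
        if not hmac.compare_digest(sig, sign_head(self.key, self.name, head, n)):
            return False
        self.last, self.remaining = head, n
        return True

    def accept_coin(self, coin):
        """Each coin costs one hash: it must be the preimage of the last accepted value.
        A replayed coin, a random value, or a coin beyond the stick's length is rejected."""
        if self.remaining == 0 or H(coin) != self.last:
            return False
        self.last, self.remaining = coin, self.remaining - 1
        return True

def bank_verify_redemption(head, last_coin, claimed):
    """At redemption the bank re-hashes the last coin `claimed` times and must reach the head."""
    value = last_coin
    for _ in range(claimed):
        value = H(value)
    return value == head
```

The merchant verifies one signature per stick and then one hash per coin, which is the cost saving the text describes; the bank needs only the head, the last coin presented and the claimed count to settle.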

Payment mechanisms are probably the most visible part of electronic commerce, but several other mechanisms are needed to complete the picture. This has motivated some work on cryptographic primitives.

The first of these was the Guy Fawkes protocol. The objective was to associate a single act of authentication with a stream of future transactions / statements. Hash chains, as used in the NetCard protocol, are used in a different way here to establish a secure association at low computational cost. The operation is equivalent to a digital signature, with the additional benefit that it provides forward security. This work is being published as a technical report.

We designed a new hash function, Tiger, to support both the NetCard and Guy Fawkes protocols. It was designed to run extremely fast on the new 64-bit processors such as the DEC Alpha, while still running reasonably quickly on existing hardware such as the Intel 80486. A reference implementation is available, as is a note on how we generated the Tiger S-boxes. This work appeared at the third international workshop on Fast Software Encryption.

Next, we turned our attention to the intellectual property problem. We came up with a method to combine decryption with copyright marking. Content owners can broadcast a single encrypted version of, for example, an audio file, while subscribers are given slightly different deciphering keys that produce slightly different decrypted versions. In this way individual copies can be identified and illegal resellers traced. This work appeared as a paper at the 1997 Fast Software Encryption Workshop. It is this research that we chose to take further, and we are currently being funded by Intel to do more work on copyright marking.

Finally, we decided to look deeper into a problem that is causing more and more problems in the electronic commerce environment, namely public key certification. At the moment there is no single approach that fulfils all the requirements. By publishing a book - The Global Trust Register - containing the fingerprints of the world's most important public keys, we enabled system users to gain an extra level of assurance of the integrity of top level public keys. The book links trust in the electronic world to established physical publishing mechanisms and thus cuts through the debate on how to bootstrap trust in cyberspace. We published the first edition in February 1998; it has now been taken over by MIT Press who will publish the 1999 and subsequent editions.

For years, banking system designers have trusted the tamper resistance claims made by the manufacturers of smartcards and other security processors. This is very unwise. Tamper Resistance - A Cautionary Note describes how to penetrate these devices and recover key material. It has been accepted for the 1996 Usenix Electronic Commerce Workshop, where it has won the Best Paper award. It is also available in HTML format.

Some of the books / papers that cite our work are:

Digital Cash - Commerce on the Net (2nd edition), Peter Wayner, AP Professional, 1997, ISBN 0127887725

Experimenting with Electronic Commerce on the PalmPilot, Neil Daswani, Dan Boneh, 3rd Financial Cryptography Conference (FC'99), Anguilla, LNCS 1648, February 1999.

Authentication and Payment in Future Mobile Systems, Gunter Horn and Bart Preneel, Proc. ESORICS '98, LNCS 1485, Springer-Verlag, 1998, pp. 277-293.

Secure billing for mobile information services in UMTS, K.M. Martin, B. Preneel, C.J. Mitchell, H.J. Hitz, G. Horn, A. Poliakova and P. Howard, 5th International Conference in Services and Networks, IS&N'98, LNCS 1430, Springer-Verlag, 1998, pp. 535-548.

Efficient Protocols for Signing Routing Messages, Kan Zhang, 1998 ISOC Symposium on Network and Distributed System Security, March, 1998.

Micro-Payments via Efficient Coin-Flipping, Richard Lipton and Rafail Ostrovsky, 2nd Financial Cryptography Conference (FC'98), Anguilla, LNCS 1465, February 1998.

Electronic Payment Systems, P.Putland, J. Hill and D. Tsapakidis, BT Technology Journal, vol. 15, no. 2, April 1997.

New Micropayment Schemes Based on PayWords, Y. Mu, V. Varadharajan, and Y.-X. Lin, Second Australasian Conference on Information Security and Privacy, July 1997, LNCS 1270, Springer-Verlag, 1997, pp. 283-293.

An efficient micropayment system based on probabilistic polling, S. Jarecki and A. M. Odlyzko, MIT / AT&T, February 1997.

PayTree: "Amortized-Signature" for Flexible MicroPayments, Charanjit Jutla and Moti Yung, IBM Watson / Bankers Trust, November 1996, 2nd USENIX Workshop on Electronic Commerce, Oakland, California

Micro-Payments based on iKP, R. Hauser, M. Steiner and M. Waidner, IBM Zurich, August 1996.

PayWord and MicroMint: Two simple micropayment schemes, R.L. Rivest and A. Shamir, MIT, May 1996.

Electronic Payments of Small Amounts, T.P. Pedersen, Cryptomathic, Denmark, April 1996.

David Wheeler (Cambridge Computer Lab) has also published papers on electronic payments: Transactions Using Bets, Security Protocols Int. Workshop, Cambridge, UK, LNCS 1189, April 1996. Micromint Extensions, November 1996.