1 Introduction ~Ve present two simple micropayment schemes, "PayWord" and :'MicroMint," for making small purchases over the Internet. We were inspired to work on this problem by DEC's "Millicent" scheme[10]. Surveys of some electronic payment schemes can be found in Hallam-Baker [6], Schneier[16], and Wayner[18]. Our main goal is to minimize the number of public-key operations required per payment, using hash operations instead whenever possible. As a rough guide, hash functions are about 100 times faster than RSA signature verification, and about 10,000 times faster than RSA signature generation: on a typical workstation , one can sign two messages per second, verify 200 signatures per second, and compute 20,000 hash function values per second. To support micropayments, exceptional efficiency is required, otherwise the cost of the mechanism will exceed the value of the payments. As a consequence, our micropayment schemes are lightweight compared to full macropayment schemes. We "don't sweat the small stuff": a user who loses a micropayment is similar to someone who loses a nickel in a candy machine. Similarly, candy machines aren't built with expensive mechanisms for detecting forged coins, and yet they work well in practice, and the overall level of abuse is low. Large-scale and/or persistent fraud must be detected and eliminated, but if the scheme delivers a volume of payments to the right parties that is roughly correct, we're happy. In our schemes the players are brokers, users, and vendors. Brokers authorize users to make micropayments to vendors, and redeem the payments collected by the vendors. While user-vendor relationships are transient, broker-user and broker-vendor relationships are long-term. In a typical transaction a vendor sells access to a WorldWide Web page for one cent. Since a user may access only a few pages before moving on, standard credit-card arrangements incur unacceptably high overheads. The first scheme, "PayWord," is a credit-based scheme, based on chains of "paywords" (hash values). Similar chains have been previously proposed for different purposes: by Lamport [9] and Haller (in S/Key) for access control [7], and by Winternitz [11] as a one-time signature scheme. The application of this
[1]
Leslie Lamport,et al.
Password authentication with insecure communication
,
1981,
CACM.
[2]
Ralph C. Merkle,et al.
A Certified Digital Signature
,
1989,
CRYPTO.
[3]
Silvio Micali,et al.
On-Line/Off-Line Digital Schemes
,
1989,
CRYPTO.
[4]
Ronald L. Rivest,et al.
The MD5 Message-Digest Algorithm
,
1992,
RFC.
[5]
Richard J. Lipton,et al.
Cryptographic Primitives Based on Hard Learning Problems
,
1993,
CRYPTO.
[6]
Torben P. Pedersen.
Electronic Payments of Small Amounts
,
1995
.
[7]
Neil Haller,et al.
The S/KEY One-Time Password System
,
1995,
RFC.
[8]
P. Wayner.
Chapter 15 – Cash
,
1995
.
[9]
Peter Wayner,et al.
Digital cash - commerce on the net
,
1995
.
[10]
Bruce Schneier,et al.
Minimal Key Lengths for Symmetric Ciphers to Provide Adequate Commercial Security. A Report by an Ad Hoc Group of Cryptographers and Computer Scientists
,
1996
.
[11]
Ralf Hauser,et al.
Micro-Payments based on iKP
,
1996
.
[12]
S. Micali.
Eecient Certiicate Revocation
,
1996
.
[13]
Torben P. Pedersen.
Electronic Payments of Small Amounts
,
1995,
Security Protocols Workshop.