## PayWord and MicroMint: two simple micropayment schemes (1996)

### Cached

### Download Links

Venue: | CryptoBytes |

Citations: | 220 - 5 self |

### BibTeX

@INPROCEEDINGS{Rivest96paywordand,

author = {Ronald L. Rivest},

title = {PayWord and MicroMint: two simple micropayment schemes},

booktitle = {CryptoBytes},

year = {1996},

pages = {69--87}

}

### Years of Citing Articles

### OpenURL

### Abstract

1 Introduction We present two simple micropayment schemes, "PayWord " and "MicroMint, " for making small purchases over the Internet. We were inspired to work on this problem by DEC's "Millicent " scheme[10]. Surveys of some electronic payment schemes can be found in HallamBaker [6], Schneier[16], and Wayner[18]. Our main goal is to minimize the number of public-key operations required per payment, using hash operations instead whenever possible. As a rough guide, hash functions are about 100 times faster than RSA signature verification, and about 10,000 times faster than RSA signature generation: on a typical workstation, one can sign two messages per second, verify 200 signatures per second, and compute 20,000 hash function values per second.

### Citations

372 |
Password Authentication with Insecure Communication
- Lamport
- 1981
(Show Context)
Citation Context ...bly high overheads. The first scheme, "PayWord," is a credit-based scheme, based on chains of "paywords" (hash values). Similar chains have been previously proposed for different purposes: by Lamport =-=[9]-=- and Haller (in S/Key) for access control [7], and by Winternitz [11] as a one-time signature scheme. The application of this idea for micropayments has also been independently discovered by Anderson ... |

327 |
A certified digital signature
- Merkle
- 1990
(Show Context)
Citation Context ...cheme, based on chains of "paywords" (hash values). Similar chains have been previously proposed for different purposes: by Lamport [9] and Haller (in S/Key) for access control [7], and by Winternitz =-=[11]-=- as a one-time signature scheme. The application of this idea for micropayments has also been independently discovered by Anderson et al. [2] and by Pederson [14], as we learned after distributing the... |

264 |
Applied Cryptography, Second Edition
- Schneier
- 1996
(Show Context)
Citation Context ...making small purchases over the Internet. We were inspired to work on this problem by DEC's "Millicent" scheme[10]. Surveys of some electronic payment schemes can be found in HallamBaker [6], Schneier=-=[16]-=-, and Wayner[18]. Our main goal is to minimize the number of public-key operations required per payment, using hash operations instead whenever possible. As a rough guide, hash functions are about 100... |

199 | Available at rfc1760: The s/key one-time password system
- Haller
- 1995
(Show Context)
Citation Context ...d," is a credit-based scheme, based on chains of "paywords" (hash values). Similar chains have been previously proposed for different purposes: by Lamport [9] and Haller (in S/Key) for access control =-=[7]-=-, and by Winternitz [11] as a one-time signature scheme. The application of this idea for micropayments has also been independently discovered by Anderson et al. [2] and by Pederson [14], as we learne... |

93 |
Minimal Key Lengths for Symmetric Ciphers to Provide Adequate Commercial Security
- Blaze, Rivest, et al.
- 1996
(Show Context)
Citation Context ...v 0 )] 1:::n : The broker purchases a number of field-programmable gate array (FPGA) chips, each of which is capable of hashing approximately 2 25 (approximately 30 million) x-values per second. (See =-=[3]-=-.) Each such chip costs about $200; we estimate that the broker's actual cost per chip might be closer to $400 per chip when engineering, support, and associated hardware are also considered. The brok... |

91 | Efficient certificate revocation
- Micali
- 1996
(Show Context)
Citation Context ..."hot list" of certificates whose users have reported lost keys, or which are otherwise problematic. As an alternative to hot-lists, one can use hash-chains in a different manner as proposed by Micali =-=[12]-=- to provide daily authentication of the user's certificate. The user's certificate would additionally contain the root w00 of a hash chain of length 31. On day j \Gammas1 of the month, the broker will... |

90 |
The MD5 message-digest algorithm. Internet Request for Comments
- Rivest
- 1992
(Show Context)
Citation Context ...ital signature produced by secret key SK is denoted fM gSK. This signature can be verified using the corresponding public key P K. We let h denote a cryptographically strong hash function, such as MD5=-=[15]-=- or SHA[13]. The output (nominally 128 or 160 bits) may be truncated to shorter lengths as described later. The important property of h is its one-wayness and collision-resistance; a very large search... |

81 | Cryptographic primitives based on hard learning problems
- Blum, Furst, et al.
- 1993
(Show Context)
Citation Context ... must be balanced and difficult to learn from random examples. Suggestions of hard-to-learn predicates exist in the learning-theory literature. For example the parity/majority functions of Blum et al.=-=[4]-=- (which are the exclusive-or of some of the input bits together with the majority function on a disjoint set of input bits) are interesting, although slightly more complicated functions may be appropr... |

72 | On-line/off-line digital signatures
- Even, Goldreich, et al.
- 1996
(Show Context)
Citation Context ...payword chain). M is signed by U and given to V . (Since this signature is necessarily “on-line,” as it contains the vendor’s name, the user might consider using an “on-line/off-line” signature scheme=-=[5]-=-.) This commitment authorizes B to pay V for any of the paywords w1, . . . , wn that V redeems with B before date D (plus a day’s grace). Note that paywords are vendor-specific and user-specific; they... |

60 |
On-line/off-fine digital signatures
- Even, Goldreich, et al.
(Show Context)
Citation Context ...payword chain). M is signed by U and given to V . (Since this signature is necessarily "on-line," as it contains the vendor's name, the user might consider using an "on-line/off-line&qu=-=ot; signature scheme[5]-=-.) This commitment authorizes B to pay V for any of the paywords w 1 , : : : , w n that V redeems with B before date D (plus a day's grace). Note that paywords are vendor-specific and user-specific; t... |

48 | A practical electronic cash system
- Anderson, Manifavas, et al.
(Show Context)
Citation Context ...ller (in S/Key) for access control [7], and by Winternitz [11] as a one-time signature scheme. The application of this idea for micropayments has also been independently discovered by Anderson et al. =-=[2]-=- and by Pederson [14], as we learned after distributing the initial draft of this paper. We discuss these related proposals further in Section 5. The user authenticates a complete chain to the vendor ... |

47 | Electronic payments of small amounts
- Pedersen
(Show Context)
Citation Context ...access control [7], and by Winternitz [11] as a one-time signature scheme. The application of this idea for micropayments has also been independently discovered by Anderson et al. [2] and by Pederson =-=[14]-=-, as we learned after distributing the initial draft of this paper. We discuss these related proposals further in Section 5. The user authenticates a complete chain to the vendor with a single public-... |

44 | Micro-payments based on iKP
- Hauser, Steiner, et al.
- 1996
(Show Context)
Citation Context ...ea. (The details off the CAFE scheme are not available to us.) Similarly following Pedersen's exposition, the iKP developers Hauser, Steiner, and Waidner have independently adopted a similar approach =-=[8]-=-. 6 Conclusions and Discussion We have presented two new micropayment schemes which are exceptionally economical in terms of the number of public-key operations employed. Furthermore, both schemes are... |

17 |
Digital Cash: Commerce on the Net
- Wayner
- 1997
(Show Context)
Citation Context ...chases over the Internet. We were inspired to work on this problem by DEC's "Millicent" scheme[10]. Surveys of some electronic payment schemes can be found in HallamBaker [6], Schneier[16], and Wayner=-=[18]-=-. Our main goal is to minimize the number of public-key operations required per payment, using hash operations instead whenever possible. As a rough guide, hash functions are about 100 times faster th... |

5 |
On-line/O -line Digital Signatures
- Even, Goldreich, et al.
- 1990
(Show Context)
Citation Context ... payword chain). M is signed by U and given to V . (Since this signature is necessarily \on-line," as it contains the vendor's name, the user might consider using an \on-line/o -line" signature scheme=-=[5]-=-.) This commitment authorizes B to pay V for any of the paywords w 1, :::, wn that V redeems with B before date D (plus a day's grace). Note that paywords are vendor-speci c and user-speci c� they are... |

4 |
Millicent (electronic microcommerce
- Manasse
- 1995
(Show Context)
Citation Context ...1 Introduction We present two simple micropayment schemes, "PayWord" and "MicroMint," for making small purchases over the Internet. We were inspired to work on this problem by DEC's "Millicent" scheme=-=[10]-=-. Surveys of some electronic payment schemes can be found in HallamBaker [6], Schneier[16], and Wayner[18]. Our main goal is to minimize the number of public-key operations required per payment, using... |

3 |
The S/KEY one-time password system
- Hailer
- 1994
(Show Context)
Citation Context ...d," is a credit-based scheme, based on chains of "paywords" (hash values). Similar chains have been previously proposed for different purposes: by Lamport [9] and Haller (in S/Key) for access control =-=[7]-=-, and by Winternitz [11] as a one-time signature scheme. The application of thisY0 idea for micropayments has also been independently discovered by Anderson et al. [2] and by Pederson [14], as we lea... |

2 |
W3C payments resources
- Hallam-Baker
- 1995
(Show Context)
Citation Context ...roMint," for making small purchases over the Internet. We were inspired to work on this problem by DEC's "Millicent" scheme[10]. Surveys of some electronic payment schemes can be found in HallamBaker =-=[6]-=-, Schneier[16], and Wayner[18]. Our main goal is to minimize the number of public-key operations required per payment, using hash operations instead whenever possible. As a rough guide, hash functions... |

1 | The NetBill Electronic Commerce Project - unknown authors - 1995 |

1 |
Cryptographic primitives based on hard learning problems
- Bhim, Purst, et al.
- 1994
(Show Context)
Citation Context ...t be balanced and difficult to learn from random examples. Suggestions of hard-to-learn predicates exist, in the learning-theory85 literature. For example the parity/majority functions of Blum et at.=-=[4]-=- (which are the exclusive-or of some of the input bits together with the majority function on a disjoint set of input bits) are interesting, although slightly more complicated functions may be appropr... |

1 |
Fast signature screening. CRYPTO '95 rump session talk
- Shamir
(Show Context)
Citation Context ...uite effective in any case. The public-key operations required by V are only signature verifications, which are relatively efficient. We note that Shamir's probabilistic signature screening techniques=-=[17]-=- can be used here to reduce the computational load on the vendor even further. Another application where PayWord is well-suited is the purchase of pay-per-view movies; the user can pay a few cents for... |