Non-transferable anonymous digital receipts

摘要

A system and method for verifying ownership of an electronic receipt in a communication system providing a public key infrastructure, the verification arising out of a series of messages being sent and received between a first party and a verifying party, the method comprising the steps of receiving a proof message from the first party, the proof message being derived from at least a first public key based on a secret owned by the first party and wherein the secret is associated with at least the secret of a further public key of the first party and an electronic receipt that has been issued by electronically signing a request message with a second public key, determining whether or not the proof message was derived from the second public key.

主权项

1. A method for verifying ownership of an electronic receipt by a validating party (B) in a communication system providing a public key infrastructure, the verification arising out of a series of messages being sent and received between a first party (U), a second party (A), and a certificate authority (A), said method comprising:
receiving, at the certificate authority (A) a request message (RM) from the first party (U), the request message (RM) comprising a transaction request (TR) and a public key (PU) based on a secret (SU) owned by the first party (U), and wherein the secret (SU) is associated with at least a further secret (SU) of a further public key (PU) of the first party (U), electronically signing, by said certificate authority (A), at least part of the request message (RM) with a public key (PA) assigned to said the certificate authority (A) for issuance as said electronic receipt (LU) to said first party (U); said method further comprising: subsequently receiving, at said second party (A), an encryption (E2) of the secret (SU) of a user's public key (PU) under the further public key (PU); publishing, by said second party (A), said encryption (E2) to establish a link between the further secret (SU) of the further public key (PU) and the secret (SU) of the public key (PU), wherein:
E2=encPu(SU); and receiving at said validation party (B) a proof message (PM) from said first party (U), said PM derived from said further public key (PU) based on the further secret (SU) owned by the user U, said further secret (SU) being associated via said encryption (E2) to said further public key (PU), said proof message (PM) being further derived from an electronic receipt (LU) previously issued by second party (A) signing said RM with a public key PA of said second party; said second validating party (B) receiving said encryption (E2) and publishing said encryption E2; and validating by the validating party (B) user ownership of said electronic receipt (LU) and (LU) and said encryption (E2) by verifying a cryptographic proof of the existence of values PU, SU, LU, PU, SU, LU such that the value PU is a first public key derived from the value SU and the value LU is a signature with respect to the public key PA on at least the value (PU), and the value PU is the public key derived from the value SU and the value LU is a signature with respect to the public key PA on at least the value PU and the encryption E2 is the encryption of the value SU under the value PU.