CA2351588C - Method for carrying out transactions and device for realising the same - Google Patents

Abstract

A method for effecting payments is suggested which allows protecting the financial in-terests of each participant of a payment during payments via open telecommunication nets from other participants' cheating, provides protection of the payers' and payees' privacy, admits payments ranging from micro-payments to business-to-business payments, ensures that the time taken to effecting a payment depends only on the speed of action of the net connections and not on the payment amount, makes it possible to serve of serving a number of clients which grows proportionally to the payment system operator's resources, is easy to build into an arbitrary trade system, enables each client both to pay and to receive payments, and makes possible payments between clients of different banks. The method of effecting payments is realized with the help of programming means.

Description

METHOD FOR CARRYING OUT TRANSACTIONS AND DEVICE
FOR. REALISING THE SAME

Field of the invention The invention relates to electronic payment systems.
Background of the invention Electronic payment systems are intended to provide an adequate payment means for ef-fecting transactions via open comniunication nets. Besides the degree of security and reli-ability, the cost of servicing, the rapidity of performi.ng main operations, etc., an important characteristic of a payment system is the protection of user's privacy.
A user's privacy implies that nobody, not even the payment system operator, can control the user's purchases. One of the ways of protecting privacy in electronic payment systems consists in that purchases are made with the help of digital data, which confirm the solvency, but do not lead to the identification of the payer. Such data are sometimes called electronic cash. However, electronic cash, as xvell as any digital data, can easily be copied, so that one must take care to prevent multiple spending of electronic cash.
In certain payment systems, multiple spending is prevented by payer devices (S. Brands, Untraceable Off-Line Cash in V4'allets with Observers, Advances in Cryptology CRYPTO
'93, Springer-Verlag, pp. 302-318 ). For reliable prevention of multiple spending, such payer devices must be tamper-resistant, i.e., they must prevent unauthorized access to the data contained in the payer device. The deficiency of systems usinLy this approach is that they are extremely unstable. The matter is that penetration into one payer device can lead to disas-trous effects for the entire system, because the data contained in the payer device allotiv one to spend arbitrary amounts of unpaici electronic cash. Known tamper resistance technologies are not sufficiently dependable to thwart such a risk.
Electronic paynient systems NN=hic;h do not rely on taniper resistance of payer devices must ensure, in particular, that one cannot forge payment certificates, i.e., digital data conf:rming the payer's solvency. The forgery is prevented by cryptographic methods, namely. by the ' payment system operator's digital signature. Numerous examples of digital signature are described in the books: B. Schneier, Applied Cryptography: Protocols, Algorithms, and Source Code in C, John Wiley&Sons, Ne,,v York, 2nd edition, 1996 and A. J.
Menezes, P. C.
Van Oorshot, S. A. N'anstone, Handbook of Applied Cryptography, CRC Press, 1997.
Electronic payment systems in which the impossibility of forgery of payment certificates is ensured by the payment system operator's digital signature can be classified into offline and online ones. In offline payment systems, the moment of receiving the money by the payee is the moment of successful verification by the payee of the payment certificates pro-vided by the payer as a payment. An advantage of such systems is that the transfer of money from payers to payees can be perforrned without any third party. Here, to prevent the multi-ple spending of payment certificates, the pa}=er's identifier is included in payment certificates in a concealed form, and the identifie;r of the payer having committed multiple spending can be disclosed. The deficiency of this inethod is that it does not prevent the multiple spending of payment certificates, and only allows one to detect such a spending and to make a certain payer responsible for it. Thus, if the cheater is out of reach, then the payment system opera-tor ~Nill incur los.ses. ln addition, ar- honest payer's reputation can suffer if a cheater has gained information on bis payment certificates and used such -a certificate.
Several offline payment systems are known. For example, a system of such type is described in the patent:
T. Okamoto, K. Ohta, Electronic cash system, U.S. Patent 5,224,162, 8 Jun 1992.
In an online payment system, the: payee turns to the payment system operator for verifica-tion of each payment. In this case, to prevent multiple spending the payment system operator stores information on the payment certificates used earlier, and if a payment is performed with the help of a certain payment certificate, the operator checks whether the certificate has already been used before.
Known in the prior art is a method for effecting payments (Untraceble electronic cash, U.S. Patent 5,768,385, 16 Jun 1998) in which the payer receives in the ba.nl:
digital signa-tures of payment certifrcates, called electronic coins, which he can use both for exchange for nexN7 electronic coins, and for payment. Here, the bank does not kno-v;= which one of the t -o modes is used by the payer, which fact promotes untraceability of payments.
Further, the multiple spending of electronic coins is prevented by the payee's online verification of the received electronic coins in the bank. HoNvever, the known method does not provide com-plete untraceability of a participant of the system if he is mostly a payer and not a payee, because the electronic coins given to such a participant and produced by the shop for ex-chanQe are an evidence, generally speaking, that the participant made a payment to the shop.
KnoNN=n in the prior art is a method for effecting payments (D. Chaum, Security X'i'ithout ldentification: Transaction Systems to Make Big Brother Obsolete, Communications of the ACNI, vol. 28 no. 10. October 1985 p. 1035-1038) -,vhich is the closest analog of the present invention and is chosen by the applicant as the prototype. In the kno-~vn method, a client pays -ith payment certificates, called electronic coins, ,vhose signatures he receives in the bank.
Here, the collection o; possible norninal values is fixed in advance, and for each possible nominal value of an e':ectronic coin the bank creates a secret and a public money key. To obtain an electronic coin the payer chooses the number of the coin Nvith the help of a random number generator, obt~ns the blind digital siQnature on the chosen number in the bank ill-ina to credit the payer with the correspondina amount of money, and takes said digital siQ-nature as the signature of the payntent certificate, -hich can also be called the payment cer-tificate si;nature. Duri.~.a the paVment, the payer transfers to the payee a collection of elec-tronic coins, after .N-hich the paNlee verifies their validity and sends the received coins to the bank for depositing to his account. The banh verifies the validity of the electronic coins and credits the payee's account with the corresponding antount if the coins have not been already used. To control the coins already used, the bank stores the list of the numbers of used coins, the expiration dates contained in the nunibers of the coins allowine ihe bank to delete old numbers from the list. The deficiencies of the known method are in that the bank's reputation is not defended against dishonest clients, and a client's money is not defended against a dis-honest bank, because a dishonest client having received the bank's refusal to acknowledge an already used certificate for the second time can accuse the bank of cheating.
In turn, a dis-honest bank having received a certificate for verification may claim that the certificate has already been used before. In addition, the bank has to store information on each of the used certificates in databases .vith sufficiently fast access, which leads to a rapid gro~?th of the bank's databases and to the necessity of employing expiration dates for certificates. Further-more, in the known method-the payment amount is an integral combination of nominal val-ues of coins, which fact either limits the range of payments, _or leads to the growth of the number of the coins used in payments, which also leads to the growth of the bank's databases and slows down the payments.
Known in the prior art is an apparatus for effecting payments (T. Okamoto, K.
Ohta, 5Nlethod and apparatus for impleinenting electronic cash, U.S. Patent 4,977,595, 11 Dec 1990), chosen by the applicant as the prototype_ The known apparatus for effecting payments consists of a payer device, a shop, and a bank, connected via telecommunication nets, the payer device having a means for replen-ishing the payer device by obtaining the blind money signature of the bank, and the bank having a means for producing the money signature. In addition, the shop contains a means for offline verification of payment certificates, and the bank contains means for exposure of a cheater if he multiple-spends the bank's obligation.
The deficiency of the knoAm apparatus for effecting payments is that it does not prevent the multiple spending of payment certificates, and only allows one to detect such a spending 1~ and to make a certain payer responsible for it. Another deficiency of the knmvn apparatus for effecting payments is that it works slowly, which is caused by the large size of the data transmitted via communication nets.

Summary of the invention The main problem solved by the variants of the claimed invention is to create methods for effecting payments -hich would ensure an effective and reliable mechanism of paying via open communication nets, protection of each participant of the payment System from the other participants' cheating, privacy protection for ordinary participants of pavments. and a ide range of payments.
2 The technical result common to all sucsested variants of the claimed method for effectinEz paynients is that ,k=hen effecting payments via open telecommunication nets the financial interests of each participant are protected against the other participants' cheating, and payers and payees are able to protect their privacy. Furthernlore, in some of the claimed variants.
paynients ranaing from micro-payments to business-to-business payments are available, the time taken to effect a payment depends only on the speed of action of the net connections.
and not on the payment amount, and the number of the clients that can be served by the payment system operator groNN=s proporionally to the operator's resources. The method for effecting payments is realized by an apparatus for effecting payments implemented by pro-gramming means.
3_5 An essential distinction between the claimed invention and the prior an is that not only the privacy of the participants of a payment operation is protected, but also the payer's finan-cial interests are ensured, since the payment is effected on the basis of a payer order siened with the secret key connected Nvith a payment certificate. Furthermore, in some of the claimed variants, it is allowed to spend payment certificates gradually and to replenish them.
The payer's privacy is protected by the procedure of mabing a blind sianature on a pay-ment certificate, and the payee's pr;ivacy can be protected by that when opening an account the payee does not have to give i.n.formation, identifying him. In those variants where the payment system operator controls the conditions of payment and, in particular, information about the payment objective-, the payer's and the payee's privacy is protected by that such a control is performed without- access to the confidential part of the conditions of payment.
The claimed method for effecting payments is intended exclusively for hardware or com-puter reali.zation, because the processing of the data used in effecting of payments, and, in particular, making and verification of digital signatures practically admits only hardware or computer realization.
The description of the method for effectirtg payments and the apparatus therefor as pre-sented below is intended to describe the invention, and should not be taken to limit the scope of the claimed invention, which is described more fully elsewhere in the present specifica-tion.
Information specifyi.ng the terminology used in the present application is given belo -.
When effecting payments involN=ing digital signatures, as in any system usino digital sis-natures, one deals with data which are stored on suitable material media and admit diQital representation (B. Schneier, Applied Cryptography: Protocols, Algorithms, and Source Code in C, John Wiley&Sons, New York, 2nd edition, 1996 and A. J. Menezes. P. C.
Van Oor-1-4 shot, S. A. Vanstone, Handbook of.Applied Cryptography, CRC Press, 1997).
In some of digital siQnature schemes , it is easy to make a digital siEnature on random data without access to the secret keys. In order to exclude the possibility of avoid obta.inina a digital signature without assistance of the holder of the secret key, one sinQ.Ies o.:: amonz all data a set of valid data. and includes verification of their validity in verification o: the valid-ity of the sionature on some data. The notion of diQital signature system implies f.xation e:
the validity criterion In particular. coincidence of a part of the data ,vith a sequence of cas can be the validity criterion. In another example of the validity criterion, a data i_ zon_ia:.-:_' to be valid if it is a pair Y/, where F(X) == Y and F is a one-way fun:.ion (B
Applied Cryptography: Protocol-s. Aloorithms, and Source Code in C, Jehn New York, 2nd edition, 1996, p. 29-30 and A. J. 'Menezes, P. C. Van S A.
Vanstone, Handbook of Applied Cryptography, CRC Press, 1997, p. 8-9). i.e.. i1-case, a function whict: is not contputationally invertible for anybody except.
signer.
Below, the keys for sisining are called simply the keys, and the function of t;: ::eyS t:S-__' for other purposes is specified.
By the payment system operator one means an entity ensuring money tra_tiaaions ;;-tween the panicipants of payment operations. In particular, the payment sy.em o:)eratc,. .L-l:eep the accounts of the participants of payment operations and issue value docu._:entS. Th.
payment system operator can consist of one bank, or it can comprise sev.-al orga.niz:aio~:.
including banks, which are interconnected by various agreements. In particular, t.he paymeu:
system operator's secret keys can be a secret of one of the organizations belon-ino :h:
payment system operator, and the ob'~[isations of the payment system opera:or to a third p~;~-can also be obligations of on]y one of the organizations belonging to the pa}-ment s:-_.eW
operator. In the case -here the payment system operator comprises several differer.t banks c7 other organizations, there must exist a secure system of settling mutual obligations b:nv:-::
the organizations belonging to the payment system operator. To simplify the text of the ar-plication, instead of the term "pa}=ment system operator" the term "operator"
is used in what follows. _ By a payment sen=er one means an apparatus with the help of which the ope:ator serves effecting of payments. Such a payment server can consist of :one or several computers or other devices.
By a payer device one means a device with the help of which the payer effects payments, and by a payee device one means a device with the help of which the payee effects pay-5 ments. By a payment certificate one means digital data presenting the operator's obligation.
A payment certificate includes base, signature, and level.
By the base of the payment certificate, also called the payment certificate base, one means data such that the signature on thetn, verified with the public money key, serves as a confir-mation of the operator's obligations associated with this certificate; said signature is called the signature of the payment certificate or the payment certif cate signature.
The payment certificate signature is made ~ith the operator's secret money key correspondinQ to the pub-lic money key used for verification of this signature. In what follows, the term "secret money key" is used instead of the term "the operator's secret money key".
The notion of level of a payment certificate is based on the notion of level of secret and public money keys. By the level of a public money key one means a certain numerical characteristic, associated with this public money key and defining a certain monetary value. The level can be representeci, in particular, by one or several numbers. For example, the level can be represented by a nonnegative integral number L expressing in cents the monetary value defined by this level. In another example, the level can be represented by a collection of nonneaative integral numbers L=(Ll,..., and the monetarv N-aiue ex-pressed in cents can be defined by this level b), the formula L] :?V, =... -L,: -A;:. ivi,ere A';, ..., Nk are nonneaative inteUral riumbers fixed in advance. In this case, the num.:.: L, are called orders, and the excess of one level above another one is defined order by er_4er. By the level of a secret money key one means the level of the corresponding publi; monev key, and by the level of a payment certificate one means the level of the paymen: certifi-cate signature, i.e.. the level of that public money key tivith the help of Nvhich this S:_::ature can be verified.
A description of the method for effecting payments by the first variant is siveL helo '.
Effecting a payment comprises performing the payer device replenishment ope-ation.
the operation of opening the payee's account, and the payment operation per se.
One replenishes the paver device by obtaining the payment certificate signature ~vith the help of the pa}=men: server. Here, the payment certificate signature is obtained as the blind money signature of the operator. This leads to unlinkability of the payment certi.i;.ate Nvith the replenishment source and, thus, to ensuring the payer's privacy.
3-5 One replenishes the payer device Nvith the help of the operation of primarily :aling a payment certificate. in the course of ~vhich in the payer deN-ice one creates the c~se of the payment certificate and obtains the payment certificate siQnature ~N~ith the help of the pa}~-nient server. A separate description of the operation of creatine the base of the p-a}=ment certificate is given below.
The base of the payment certificate is created in the pa}=er device. To create the base Base of the payment certificate one chooses the payee's arbitrary secret key DP and the corresponding public key EP. Such a choice is performed in the framework of anx- digital signature system. The chosen keys.DP and EP are taken as the secret and, respectively, the public key of the payment certifcar.e. The identifier of the public key EP is included in the base Base of the payment cenificate. By the identifier of a public key one means arbitrary data which uniquely define the public key. In particular, the public key EP
itself can be taken as such an identifier. In another example, the value of a cryptographic hash function (B. Schneier, Applied Cr}ptography: Protocols, Algorithms, and Source Code in C, John Wiley&Sons, New York, 2nd edition, 1996, p. 429) on the key EP can serve as an identi-fier. In one more example, the riumber of the public key received as it is registered by the operator or other entity can be taken as the identifier.
Including the identifier of the public key EP in the base Base of the payment certificate atlows one to secure the payer when effecting a payment. Namely, when performing a payment operation , as described below, the operator can spend the x-alues connected with a payment cert ificate only in accordance with a payer order sianed br the payer. The sig-nature on the payer order is macle with the secret key DP and N=erified with the public key EP. Since the secret key DP is accessible only to the payer, such a signature also cannot be obtained without assistance of the payer.
In particular, the identifier of the public key EP is included in the base Base of the pay-ment certificate as follows. As the base, one uses pairs (.k; Y), where X =
EP, Y= F(k), and F is a one-way function which, preferably, is collision free (B. Schneier, Applied Cryptography: Protocols, Algorithms, and Source Code in C, John Wiley&'Sons, New York, 2nd edition, 1996, p. 30). In this case, one can use the da,a Y as the identifier of the base when performing operations with a payment certificate, and the relation F
= F(X) is used as the criterion of validity of the base, where by the criterion e:
validity of the pay-ment certifcate base one means the validity criterion o~ the ciQitz si~nature system to which the money keys belonc,.
A separate description of obtaining the signature of a payment ct:-,ificate as the blind nloney sianature of the operator durina primarily filling the pa%-m:::
certificate is given below.
During the operation of primarily filling a payment certificate : h base Base one ob-~ tains the payment certificate sianature ~N-ith the help of the proce.--,-e for obtaining the blind digital sianature of the operator in the framework of an arbi;:~~, diQital signature system givino the possibility of obtaining blind digital sianature.
Several digital signature systerns givine the possibility of makins b='.ind diQital signature are known in the prior art (D. Chaum, Blind SiEnature Svstems. U.S. Patent 4,759,063, 19 Jul 19S8; D. Chaum, Blind Unanticipated Signature Systems, U.S. Pa:ent 4,759,064, 19 Jul 1988; D. Pointcheval, J. Stern, Provably Secure Blind Signature. Le.~ures Notes in Com-puter Science, 1163, 1996, Springer, p. 252-265, et.al.). When maki=:s a blind digital sig-nature on initial data M, the user provides the signer vith blinded data M' obtained by blinding the data A1. The signer provides the user with data S' to be unblinded obtained by processing the blinded data M' with the signer's secret key, and the user obtains the signa-ture S on the initial message by unblinding. The sienature property related to the data ob-tained by unblindinc, can be verified not only after the unblindine, but also before the un-blinding if the digital signature system used allows this.
When performing the operation of primarily filling a payment certificate, one tabes as the initial data the identifier Baseld cif the base of the payment certificz*.e, i.e., arbitrary data identifying this base. NN'heti obtairiing the payment certificate sianatvre by making a blind digital signature, one processes the blinded data with the secret money key corresponding to the replenishment amount, and by the correspondencebetween the amount of replenishment and the secret money key one means the correspondence between the replenishment amount and the monetary value defrned by the level of this secret money key.
The signature on the identifier Baseld obtained by unblinding the data to be unblinded obtained from the payment server is accepted as the payment certificate signature with base Base. The validity of the made payment certificate signature can be verified with the public money key corresponding to the secret money key used when obtaining the data to be un-blinded.
Thus, after performing the operation of primarily filling a payment certificate, the payer device contains a payment certificate suitable for performing a payment operation.
When performing the operation of primarily filling a payment certificate, one delivers the blinded identifier of the base to the payment server as a part of the money demand formed in the payer device, and replenishes the payer de%-ice from the funds of the replenishment source indicated in this money demand. Here, from the operator's point of view, the source of replenishnient of the payer device is the source of creditine, because as a result of the replenishment operation the operator's money o'bligation appears in the payer device, and the payer becomes thus credited. Besides the replenishntertt source, the replenishment amount is also determined from the money demand if said amount is not determined by other circunl-stances, for example, by the terms of maintenance of the said replenishment source.
In particular, the payer's account or his bank card, can be used as the replenishment source Here, by a bank card one means an arbitrary value card intended for transferrinQ
values. The security of remote withdrawal of values from the indicated rep'enishment source is ensured b~, a svstem of maintaining the replenishment source The operation of opening a payer's account ,~ith the operator can be performed in an ar-bitrary x~ay. It is preferable that the account bein_ opened admit a secure system of remote management.
An example of an account admittinQ a secure system of remote management is an account xvith a public key, also called a public key account. By a public key account one means an account kept by the operator and admitting manacernent with the help of sisned orders, the si'nature on which can be verified u=ith the helr of the public key connected with the ac-count. To mana2e such an account, the holder o: the account can use his secret key corre-spondin to the public key of the account and calied the secret key of the account. The se:.u-rit\- of remote manaaement by a public key account is ensured b%- the fact that the operator 3 5 performs operations =ith this account follows the siRned orders, the signature on which is verified Nvith the public key of the account and which sianature is used by the operator as an evidence for the holder of the account.
Besides management with the help of orders s:ped with the secret key of the account, a public key account can also be managed by other methods. In particular, -ith such an ac-count one can connect information identifying a person in charge of the account, i.e., a per-son having right to manage the account. Such information can be especially useful in the case of loss of the secret key of the account, because it will allow the holder to keep the con-trol over his account in this case, too.
Moreover, if it is required to-ensure the anonymity of the person in charge of the account, then the information identifyi.ng said person can be stored in the payment server in a con-cealed form, which does not allow one to link this information with the person in charge of the account Ithout assistance of a person knowing this connection. For example, this hid-den information can be the value of a cryptographic hash function on the identification data of the person in charge of the account, concatenated with a password, or simply said value on the pass~vord. Information identifying the person in charge of an account can be con-nected with the account by an order signed with the secret key of the account when opening the account as well as at other moments of time.
A separate description of a pai-ticular case of the operation of opening a public key ac-:10 count is given below. This description will be used below for references in the descriptions of other variants of the claimed invention. In particular, the operation of openin.0 an account as described below can be used Nvhen opening both the payee's account and the payer's ac-count, and the payer's account opened in this way can be used as a source of replenishing the payer device.
The operation of opening a public key account, in particular, can proceed as follows. The future holder of the account being opened accepts an arbitrary secret key of his as the secret key of the account. The public key conesponding to the secret key of the account is deliV-ered to the payment server and taken as the public key of the account beinQ
opened. The holder of the account considered the account to be opened after obtainina a messare Slane~
by the operator, which confirms openinyJ the account connected with the public key.
Besides ttle public key of the account. other data chosen by the holder and by the operator can also be connected %vith the account bein~,j opened. For example. tlie opera:or car, assi<ur, the account being opened a number, which is communicated to the holder of the account. It is preferable that the data ,N!hich the holder connects with the account Nvoulc: be purely de-clarative, x~ hich ensures automatical performance and, thus, the cheapness of the operation of openinL, an account and its mairitainina. The account holder's privacy can be protected b-,,-the fact that the account is opened anonymously.
A separate description of a payment operation by the first variant is given below. The de-scriptions of other variants of the claimed invention presented below contain references to this description. When performirtg a payment operation by the f.rst N-ariant, the value con-tained in the payment certificate is spent completely. Since in other variants of the claime_~
invention one perfornis. in additiori to such payment operations, payment operations makin2 it possible to gradually spend the payment certificate value, the payment ope.ation used i1i.
the present variant is described, for more definiteness, as a pavment operation with annul-ment of the payment certificate.
The essence of a pa}ment operation =ith annulment of the payment certiftcate is that in the payment server one credits the payee's account, thus canceling the operator's oblisation associated with the payment certificate. The payee's account is credited in the case where the payment certificate have not been utilized, the payment certificate signature is -valid, and the signature on the paver order is valid. One judges whether the payment certificate has alread%=
been used by the information orl the used payment certificates which is contained in the pavment server information storage, %N=hile the payment certificate signature and the payer order signed NN-ith the secret key of the payment certificate is delivered to the pavment sen=er xvith the help of the payee device. A more detailed description of a payment operation with annulment of the payment-certificate is as foliows. -When performing a payment operation, one forms in the payer device a payer order, in which one includes information about the payee and the identifier of the base of the payment certifrcate. The payer order signed with the secret key of the payment certificate includes the data delivered to the payee device and called the payment data. In particular, the information about the payee included in the payer order contains the conditions of payment and the iden-tifier of the payee's account if this account is not determined by other circumstances.
By the conditions of payment one means arbitrary data specif}ring the circumstances of effecting a payment. Such data can include, in particular, the payment amount and restric-tions on the time taken to perforrn a payment. In panicular, the conditions of payment may contain, possibly, in a form hidden froni the operator, data describing the payee's obligations implied by the fact of effectin; the payment.
In the payee device, one fornts data called the payee order, which are delivered to the ~ payment server. Here, one includes in the payee order the payer order contained in the pay-ment data, and, possibly, other data. includinQ. in particular, the conditions of payment. In addition, the payer order can be signed with the secret key of the payee's account if the payer's account is a public key account.
ln the payment server, one credits the payee's account on the basis of the payee order and forms the operator's response to the payee order, by means of -hich response the payment operation is judged Here, the pa\ ee's account is credited if the pa~ment ser\-er information stora,e does not contain information saying that the payment ce::ifrcate has already been used. Moreover, in the payment sen-er, the validity of the payx-nerit certifrcate siRnature and the validity of the signature on the pa\er order are verified before creditinL, the payee's ac-count, the siynatures being tal:eri from the payer order contained in the payee orde- received from the payee device. To prevent the multiple spending of the payment certificate. one en-ters the information on said payme:;t certificate into the payment sen-er informatio:1 storaze To confirm the rinhts of the operztor to effect the payment opera:ion being perforr:led. t:i:
signed payer order is also entered into the payment sen-er information storage. The opera-tor's response to the payer order is delivered to the payee device.
DurinQ the execution of a payment operation. the payer's financial interests are prote:.ted by the operator's duty to %-erify the signature on the paver order, while the siRned payer order stored in the inforniation stora'e protects the operator aoainst false accusations tt;at he has nlisappropriated the value contained in the payment certificate.
The payer's privacy is protected, in particular, by that the payer order intended fer de':i% -ery to the payment sern=er is encrypted i~ith the operator's encnption key where by the e: -cryption key of an entm, one means a key for encryptinff the messages sent for to this entitV.
Besides the payer order, the pa%-.ment data can include data intended for the payee, and. in particular, the identifier of the sen=ice or groods to be paid for.
In particular, the payee's securin: is ensured by the fact that the payee receipt signed with 4C the operator's secret key is included in the operator's response to the payee order delivered to the payee. Here, by the payee receipt one means data confirming the fact of crediting the payee's account. Such a receipt, besides the amount of crediting and the identifier of the credited account, may also.contain other data, in particular, the conditions of payment, the time taken to perforni the crediting operation, etc. Having verifred the validity of the opera-tor's signature on the payee receipt, the payee regards the payment as being performed and delivers to the payer data confirming the fact of the performing of the payment.
hloreover, during the execution of a payment operation, in the payee device, by means of the operator's response to the payee; order, one forms and delivers to the payer device data ~i according to the performing of the payment for payer is judged. These data can contain, in particular, both the payee's consent to the fact that the payment operation has been success-fully performed for the payee, and the payer receipt signed with the operator's arbitrary se-cret key. In the payment server, such a receipt is included in the operator's response to the payee order sent to the payee, and in the payee device the receipt is taken from the operator's 10 response to the payee order received by the payee. Here, by the payer receipt one means data confirminQ the fact of spending the value contained in the payment certificate during the execution of a payment operation. Furthermore, the payer receipt may contain other data and, in particular, the conditions of payment and the tinte taken to perform a payment by the operator. In addition, before including the payer receipt into the operator's response to the 1~ payee order. one can encrypt said receipt with an arbitrary encryption key of the payer.
Nloreover, alonL, =ith the data accordiniz to which the performing of the payment for the payer is judged, one can deliver to the paver device data connected with the fulfilment by the payee of his obligations implied by the fact of payment, and, in particular, the password of access to cenain information.
During a payment operation, the value contained in the payment certificate can be spent either conipletel}= on the payment objectives, or panially on other objectives. In particular, a part ef the payment certificate value can be returned to the paver device as change. A sepa-rate description of such an operation is aiven belm~-.
When returning a part of the payment certificate value, one replenishes the payer device either by primarily filling the payment certificate or by replenishing the payment certificate alreadN= at hand. Moreover, the returned value of the payment certificate, i.e., the unspent part of the payment certificate value, can be returneu in such a Nvay that the returned value NN'ill remain unkno\N~n to the operator. Such a reimbursement of the returned value can be performed, for example, with the help of the method described in the patent:
David Chaum, Returned value blind signature sN,stems, U.S. Patent 4 949 380, 14 Aua 1990.
In the best embodiment of the operation of returning a part of the payment certificate value to the payer device, the operator cannot distinguish pri.marilti, filling the payment certificate from replen-ishing a payment certificate already at hand, which promotes the protection of the payer's privacy.
The payee's security during the execution of a payment operation is ensured, in particular, b}y the fact that the payee receipt signed ,ith the operator's arbitrarv secret l:ey is included into the operator's response to the pa.yee order, ,vhile the performing of the payment for the payee is judged according to the validity of the signature on the payee receipt.
Furthermore, the paver can control the circumstances of performing a payment operation.
For such a control. one includes the conditions of payment into the payer order -hen form-ing the payer order. In particular, the conditions of payment contained in the payer order, can include payee obligation data, i.e., data describing the payee's obligations implied by the fact of effecting the payment. To ensure that in case of need the payer could insist on the fulfil-ment by the payee of his obligations, the payee obligation data are siened with the payee's arbitrary secret key, and before the payer decides to perform a payment operation, one veri-5es in the payer device the validity of the signature on the payee obligation data and stores the signed payee obligation data. If it is required to conceal the payment objective from the operator, then in the payer device, when forming the payment data, one processes the payee obligation data A=ith the help of an arbitrary one-way function, and includes the data obtained by the processing in the payee order as the conditions of payment.
In addition, during the execution of a payment operation the payee can play a role of a payer. Such a payment operation can be used for transferring values from the payer device to the payer's account.
Note a particular case of perfotming the payer device replenishment operation, in which the replenishment is performed from the funds of an intermediate paver. In particular, for such performing of the operation of replenishment of the payer device, the data blinded in the payer device during obtaining the blind money signature of the operator are subjected to _ an additional blindins in an intermediate payer's payer device, and the data to be unblinded that were received from the operator are subjected to the correspondina additional unblind-ing. The additional blinding is intended for the protection of the privacy of the intermediate payer.
A common problem of all electronic queueing systems caring about the users' privacy is connected with potential possibilit,,*, of identifying the user b}, net address information. Sev-=C~ era] theoretical approaches to the solution of this problem are describe3 in the paper: D.
Chaum, Security Without Identific:ation: Transaction Systems to Make Big Brother Ob_3-lete, Communications ofthe ACM, vol. 28 no. 10, October 1985 p. 10=1-:03 ;. A
practica'_'%, acceptable method of concealina the user's net address information from :he addressee of the message can be to use remailers ti-ansferring the messaee to the addres-s::
from their e:,.,n address. In particular, in all variants of the claimed invention durinQ the performing o: a payment operation. the payer's address is, to a cenain deRree, hiddea :,-:..~
the bank b}= tc_t the payer order is delivered to the payment sen=er N'ia the payee devic:.
In sonte embodiments of the method for effecting payments by the firs:
variant. payments in the ranae from micro-payments to business-to-business paNlmen:s are possible. and the ~ tinle taken to perform a payment depends only on the speed of action of the net connecti~:=a and not on the payment amount, Nvhich is achieved by choosina levels o;~
payment certi:i-cates such that the value defined by the level can take arbitrary value, in the mentioned range, and by effecting a payment operation with the help of a beforeh:r_d-bounded number of payment certificates of suitable value, -hose number is bounded in advance, or even a single payment ce.~.ificate.
A description of the method for effecting payments b}, the second va.-iant is given b:-10IN'.
One effects payments by the second variant in the same way as by th: first variant, N;~ith the only exception, that besides replenishing the paver device -A-ith the help of primarily 40 filling the payment certificate one also replenishes the payer device b~=
replenishing the payment certificate. Further, in the best embodiment, when replenishinz the payer devic_~, the operator cannot distinguish primarily filling the payment certificate from replenishing a payment certificate already at hand, and the source of funds for such a replenishment is in no way connected =ith the source of funds for primarily filling.

If, when performing a payment operation by the first variant, one presents to the pay-ment server the signature of a payment certificate whose level is the maximal available in the payer device, then the operator can detect the coincidence of this level with the level of the money keys used when replerushing the payer device, which can lead to linking the payment certificate used in a payment with the source of its replenishment.
The probability of this is especially high in the case where the possible levels of payment certificates are such that the value defined by the level can take arbitrary values in the range from micro-payments to business-to-business payments. Replenishing the payer device by replenishing the payment certificate reduces the possibility of such linking considerably, because after replenishing the payment certificate, its level is the sum of several levels of signature "ith secret money keys. Thus, replenishment of the payment certificate additionally promotes the protection of the payer's privacy. In addition, replenishment of the payment certificate additionally alloNvs one both to accumulate on a single payment certificate the returned values of used payment certificates reimbursed in payment operations, and to replenish said payment certif cate from the funds of another source.
A separate description of the operation of replenishing the payer device with the help of replenishing the payment certificate is given below.
The payment certificate replenishment operation, i.e., the operation of obtaining a sio-nature of the payment certificate. whose level exceeds the level of that payment cerLificate siiznature -,vhich is contained in the paver device at the beginnine of the replenishmert op-eration, is performed .vith the help of obtaining the blind money sienature of the ope-ato-.
Here, one takes as the initia'. data the payment certificate signature, which is conta -. c in the payer device. For perfor.~inQ the payment certificate replenishment operation, tr. cor-respondence between the levels and the monev keys must be such that the signa:~-e o:
level A on certain data .k" coincidin,T with the signature of level B on certain data 1- cor*e-sponds to the signature of level (: -- B) on the data Y. An example of such correspot:::ence is the case Nvhere the level L is represented by a collection of nonnegative intearal n::mb:-s (LI, L2. ..., Lo, and for each iadel j from I to k there is a function S,, whose calculatien re-- quires the secret ke), h;. In th: case where the functions S commute with each other. i e.
S;(S, (k)) = S,(S;(k)) for an aibitrar~- data a; arbitrary data allowing one to calcula:: the function SL, NN-hich is the composition of the functions S, each of n=hich occurs in the co~:,-position with multiplicity L;. can be, taken as the money key corresponding to the L.
In this case, the data S;-(V) are the signature on the data X ith the money key corre:: onc-in'1 to the level L. For examp;e= such a key can be represented bN a collection of d::__ L.
K;, K~,, ..., fij. An example o: a specific system of such functions alloNN=inQ an econo:nicu;
niaking and storaQe of secret keys is presented below in the description of the bes: em-bodiment of the niethod for e::ecti.nz payments. Note that the operation of replenishir:R a payment certificate is a particular case of the payment certificate replenishment operztio n if the identifier of the base of the payment certificate is taken as the payment ce:-ncate signature of zero level.
In the best embodiment of the operation of replenishing payment certificates by means of increasing their level with the help of the operator making the blind payment certificate sia-nature of higher level, the operator has no possibility to determine whether the payer replen-ishes a payment certificate already at hand, or he performs the-operation of filling a newly created payment certificate. Here., when replenishing one and the same payment certificate, the payer can use different replenishment sources, without connecting them with each other.
A description of the method for effecting payments by the third variant is given below.
One effects payments by the third variant in the same way as by the first variant, with the only exception that one uses payinent certificates which allow one to perform several pay-ment operations. This is reflected in the fact that the operator opens a payment account con-nected with the given payment certificate and connects said account with the public key of the payment certificate signature. Further, one credits the payee's account during the execu-tion of a payment operation from the funds of the payment account, which is credited from the funds of the payment certificate. Thus, it is possible to graduallN' spend the value con-tained in the payment certificate.
By a payment account one means an account kept by the operator, which gives a possi-bility to effect payments from said account by way of transferrina a part of the amount on the account to another account or converting a part of the amount on the account into a dif-ferent form for delivering said pai-t to the payee. Here, the payment account contains infor-mation on the tota] amount of expenses, information on the total amount with which the ac-count has been credited and information on the level of the payment account.
Here, by the level of the payment account one means the level of the payment certificate signature pre-sented to the ope:ator for crediting the payment account. In particular, it is possible to use a :20 public key account as a payment account.
A separate de-s;.ription of the operation of opening a payment account is giN-en below.
To open a pay:nent accourt connected with the base of a payment certificate it is suft;-cient to deliver t::e identifier of the base of the payment certificate to the payment sen-er. In particular. open:~= a paymen: account can be combined with th: first payment operation 2 5 connected .vith ,*.-,: payment ce-titicate. In the case where an account -with a public key is used as a pavmer:: account, tae public key of the payment ceri;.71:ate can be used as said public key. Moreo ver. to prevent opening a payment account associated NN=ith no payment certificate of po_::ive level, the operation of opening a payment a:count can be combined xvith the operatio:: of creditino tlte account.
30 A separate de_:ription of the operation of crediting a pa},ment aecount is eiven below.
When perforr=::ing the operation of creditinQ a payment accou:.:. one delivers to the pa%-ment sen,er a payment certificate signature whose level can be chesen arbitrarily NN=ithin the level of the payment certifrcate, and the payment account is credited accordina to the excess of the level of th: deliN-ered sianature above the level of the payment account. In particular, 35 the operation of crediting a pavrnent account can be combined -with the payment operation.
In addition, the payer can credit his payment account in the cot:-se of several operations, increasing step by step the level of the payment certi.fcate known to the operator. This al-lows the payer to NN-eaken the possibility of linking a payment account and the sources of filling or replenishing the payment certificate connected with the account ith the help of the 40 level of the payment certificate.
A separate description of the payment operation used in the method for effectina pay-ments by the third variant is given below. In distinction to the payment operation with an-nulment of the payment certificate as described earlier, the payment operation used in the niethod for effecting payments by the third variant is described as a payment operation in-volving a payment account:
A payment operation involving a payment account is performed in the same way as the above-described payment operation with annulment of the payment certificate, with the ex-ception of the following. First, one credits the payee's account from the funds of the paN=ment account, and, secondly, the payment certificate signature is not necessarily included in the payer order. Here, the payee's actions do not differ from his actions during the execution of a payment operation with annulment of the payment certificate. When performing a payment operation with annulment of the payment certificate, there arise problems with the ranae of payments. The point is that the value contained in the payment certificate can take only the values corresponding to one of the possible levels of payment certificates, or, Nvhat is the same, to one of the possible levels of money keys. Thus, if during the execution of a pay-ment operation with annulment of the payment certificate only one payment certificate is used, then the payment amount can take only one of the predetermined values.
Because of the necessity to effect payments in the range from micro-payments to business-to-business ] 5 payments, one either has to do with a sufficiently complicated system of money keys or must use collections of payment certificates during a payment operation.
Application of a compli-cated system of money keys, generally speaking, leads to slow-down of payment operations, because making the money siana.ture and verification of its validity require considerable amount of time. On the other hand, utilizine collections of payment certificates in a payment operation leads both to considerable growth of the number of the payment certificate_ used, which causes losses of various kirids, an3 to inconveniences for the payer, who is force.; to ensure the availability of collections with the needed total value in the payer device. .~_'van-tages of the payment operation involving a payment account are u.at there are no pro::ems with the ranse of payments because the payment amount is not co:-nected ,vith the st;::cture 2 5 of levels of money keys. Thereforf:, usinLy payment accounts allo~v_ one to effect a pa%-ment in an arbitrary amount of money in the linlits of the solvency of the p_-;
ment ac;.ou:,t ti.::. in particular, micro-payments are possible For the operator, advant__es of using payr.1en : ac-counts are that potentially he can sen=e much greater number of ciie n:,.
because one re:.rires no resources for storing information about each payment completel'.
Futihermore, an essen-tially smaller number of records connected with payment certifica:e_ accelerates the search of the record connected Nvith a specific payment certificate, or as;e-La-r:nment of the fa: that such a record is absent during the execution of a payment operatie:1 The deficiency oi u_; in, payment accounts is in that it is possible to link all the payments e=e.ted with using ene and the same payment account. Thus, the maximal number of the pL:_Ment certificates use_' si-multaneously is proportional to the operator's resources. Further. since the proportion c: the number of the payment certificates used to the number of the opera:or's clients can be iimited either by the cost of the operation of opening a payment account o- by the cost of the er era-tion of making blind money signature. it follows that the number o: clients that can be sen-ed by the operator is proportional to the operator's resources.
Another advantage of performine the payment operation invohzn, a payment certificate in comparison to the same paymeiit operation with annulment of a payment certificate, in which one uses a collection of payment certificates, is that the time taken to effect a payment depends only on the speed of action of the net connections, and not on the payment amount, because the fixed size of payer.orders makes it possible to indicate any practically possible amount of money as the payment amount.
In addition, a payment account. connected with one of the payment certificates can be used in the payer device replenisrunent operation as the replenishment source.
Funds can thus be transferred from the payment account to the payer device.
A description of the method for effecting payments by the fourth variant is given below.
One effects payments by the fourth variant in the same way as by the third variant, with the only exception that as in the method for effecting payments by the second variant de-scribed above one additionally performs the payment certificate replenishment operation.
Additional advantages of performing such an operation are also indicated in the above de-l 0 scription of the method for effecting payments by the second variant.
The description of the apparatus for effecting payments is given below. Using this appa-ratus for effectins payments, it is possible to realize the claimed method for effecting pay-ments by the third and fourth variarits.
The apparatus for effecting payrnents contains a payer device, a payee device, and a pay-14- ment sen=er connected with telecoinmunication nets. Each of these devices can be realized by a computing device programmeci in the corresponding way.
Such a computing device can be chosen from a large number of known electronic device-s.
for example, personal computers. Such computing devices include, in an internal o., an ex-ternal way. storaLye devices, which are intended for storing data or codes of programs that ar.
2C involved in effectina payments. In addition, such computing devices comprise auxiliary de-vices, for example. modems, Nvhic.h enable the computina devices to communicate =ith othe-sin:ilar devices. The communication environment, in the framework of NN-hich the data a:e exchanged. can a!so be any of a Iarge number of possibilities, including telephone lines, c=-ble. the Internet. satellite or radio transmissions, optical-fiber connections, etc. In oth:-NN-ords, it is not assumed that the invention is limited with regard to either the types of d.-vices that are used or the methods of communication that are employed.
The payer device, the payee device, and the payment sen-er can be realized by the ~~=i,:~
variety of programming means based on the corresponding algorithms. Here, the pa%,er d.-N-ice contains a means for replenish.ing the payer device by the use of making a blind money signature of an operator, a means for creating a payment certificate base by processing a public key of the payment certificate Nvith a one-way function, a means for storing the cre-ated payment ce:-Lificate base in a storane device, and a means for forming a payer ord=,-signed =ith a secret key of the payment certificate. Here, the means for replenishins tLz-payer device by the use of makiniz a blind money signature of an operator is realized by tr:
3~ means for increasing the level of the payment certificate signature.
Said means fer increasing the level of the payment certificate signature has a means fo-forming a monex- demand including a blinded payment certificate signature, a means fe.
unblindins the data to be unblinded comprised in a response to the money demand, and a means for entering the result of unblinding into said storage de~7ce.
The means for increasing the level of the payment certificate signature is intended for re-plenishing the payer device either by primarily filling the payment certificate or by reple: -ishing the payment certificate. In the former case, with the help of the means for increasing the level of the payment certificate signature one processes the payment certificate signature.
of zero level, which coincides with the identifier of the payment certificate base created wTW

the help of said means for crEating a payment certificate base. In _the latter case, with the help of the means for increasing the level of the payment certificate signature, one processes the payment certificate signature, which is contained in the payer device and was entered into the storage device of the payer device in one of the previous payer device replenishment operations. In both cases, the level of the payment certificate increases as a result of replen-ishment of the payer device.
The payee device contains a means for forming a payee order including the payer order.
In addition, the payee device contains a means for opening a public key account.
The payment server contains a means for making a money signature, a means for per-formina a payment operation, a m.eans for serving a database of payment accounts, and a means for seninE a database of accounts.
Here, by the means for managernent of an arbitrary database one means a means for per-forming operations with records of'the database, including creating such records, thei.r read-inQ. and modification.
I In addition, the means for ser%,u1L, a database of accounts can have some means intended for maintaining accounts, which are records in this database and are stored in the storage device. Among such means are, in particular, tL means for opening a public key account, a means for crediting an account and a means for debitins-7 an account.
In addition, the means for serving a database of payment accounts can have some means intended for nlaintaining the payment accounts which are records in this database and are stored in the storage device. Amon2 such means are. in panicuIar, a means for opening a pati~ntent account, a means for ~~erifti=ina the money sianature, and a means for crediting a payment account.
In addition, the means for performinQ a payment operation contained in the payment '5 sert-er has a means for verifyina a sinnature on the payer order and a means for makinQ a sianed payee receipt.
The means for processine the moneV demand, which is contained in the payment sen'er, uw-Is said means for rnakin- a money sianature when performing the paver device replenish-ment operation.
In addition, the payment server can contain a means for making a signed payee receipt, and the payee device may contain a nieans for verifying the sianed payee receipt.
In particular, the mentioned means for forming a payer order sisned with a secret key of the payment certificate can have a means for forming a demand for creditins a payment ac-count, which, in turn, can have a means for decreasin2 the level of the payment certificate siQnature. The purpose of the means for decreasing the level of the payment certificate sia-nature is as follmvs: from the payment certificate signature of some level, which signature is contained in the payer device, to make another signature of the payment certificate, which has lower level and is intended for delivery to the payment server as a part of the demand for crediting a payment account.
4C1 In particular, the payer device can also contain a means for openino a public key account.
In addition, the payer device, the payee device, and the payment server can be equipped by means for encryption of outgoino messages and by means for decryption of incoming messages.

Brief description of the drawings In what follows, the present invention is clarified by the description of specific examples of its implementation and by accompanying drawings, where:
Fig.1 shows a flow-chart of the apparatus for effecting payments;
Fig.2 shows a flow-chart of the payer device replenishment operation;
Fig.3 shows a flow-chart of the payment operation.

Best embodiment of the invention ln the best embodiment of the metbod for effecting payments by each of the variants, payments are effected in the framework of a payment system, whose operator comprises a variety of banks, and the s'Istent has many payers and payees. Further, both the payers and the payees utilize devices simultaneously containing both a payer and a payee device.
Furthermore, in the description of the best embodiment of the invention, such a device is called the "Electronic wallet".
Before servin2 a client. a batil: belonQing to the payment system performs preparatory actions. Since the preparatory actions are performed in the same way in the best embodi-ment of each of the variants of the claimed method, a separate description of the best way of performing of these operations is given below.
At the stage of preparatory actions, one fixes a digital signature svstem giving a possi-bility of making blind digital signature. This system is intended for mal:ing and verification of money sianature, and below it is called a money siQnature system. One also fixes a col-lection of admissible le% e!-;, i e. cuantities each of w~hich defines a certain monetar,= ~~alue.
Here, the collection of admissible levels is chosen so that an arbitrary monetary value pre-senting a practical interest when replenishing the payer device would be represented by sonle level. For each adrnissible level, the bank chooses a secret money key correspondinE
to this level and a public money key corresponding to the secret money key in tlie frame-NN-ork of a fixed nioney sitlnature system. Here, the secret money key corresponding to each of the admissible levels is chosen so that the signature of level A on some data X _l- coin-cidina with the siQnature of level B on certain data 3~, corresponds to the signature of level (A - B) on the data Y. Informatiori on the public money keys and the monetary values cor-respondina to adniissible levels is made public and is entered into the storaae devices of "Electronic wallets".
One also fixes a digital si_Tnature system intended for signing the messages used when ef-fectina ., payments. In the framework of this system, the banb chooses secret ke}=s and th:
3'i corresponding public keys. The information on public keys is made public and is entered into the storage devices of "Electronic wallets".
In addition, one fixes the structure and the validity criterion of payment certificate bases.
as ivell as the way of including the identifier of the public key of the payment certificate into the base of the payment certificate. To this end, one fixes a cr~ptoeraphic hash function F
which takes values in bit strings and, preferably, is collision free. Payment certificate bases are pairs (Y, a), n=here Yis the public key of the payment certificate, which key is chosen in the framexvork of a fixed signature system and used as its own identifier.
Further, a base -with such a structure is considered to be valid if F(Y)=X. One takes the data X as the identifier Baseld of the base of the payment certificate.

The possibility of realization of the preparatory actions described above in the best em-bodiment of the method for effecting payments by each of the claimed variants is clarified by the following example.
Example 1 As the money signature system, one uses a system based on the digital RSA-signature (B.
Schneier, Applied Cryptography: Protocols, Algorithms, and Source Code in C, John Wiley&Sons, New York, 2nd edition, 1996 and A. J. Menezes, P. C. Van Oorshot, S. A.
Vanstone, Handbook of Applied Cryptograph}, CRC Press, 1997). In this system, a secret key is the pair (N, D), where D is a secret exponent and N is the modulus.
Here, the corre-sponding public key is a pair (N, E), where E is a public exponent satisfying the condition XFD = 1(nrod N) for each integral number X coprime to N. The RSA system allo-'vs several methods of making a blind digital signature. For example, one of these methods is described in the patent: D. Chaum, Blind Signature Systems, U.S. Patent 4,759,063, 19 Jul 1988, and another one is described in the patent: D. Chaunz, Blind Unanticipated Signature Systems, U.S. Patent 4,759,064, 19 Jul 1988.
As an admissible level, one takes an arbitran- collection of nonneeative integral numbers L=(LI, L,,L;), and such a level defines the tnonetary- value expressed in cents bv the for-mulaLf N,, - L~ -A'2 - L; -N;, lxhere.V; = 100~, N, =100, A!; = 1.
For each admissible level, the correspondinQ secret money key and the public money key corresponding to the secret money key are chosen in the framework of the RSA-signature system as follows. As the modulus of each of the public and secret money keys, one uses an arbitrary RSA-modulus K, for wh:ich the intearal numbers E. = 3, E_ = 17, E; =
5 are admi_-sible as public exponents. Below, the numbers E;, E_. E; are called the basic public exp,--nents. One tahes the key with public exponent E = E~ -E. =E; as the public money key corresponding to the level L. As the secret monev key corresponding to the level L one taheS
the kev with secret exponent D = DD: L D;' where D is the secret expon:nt corre-sponding to the basic public exponent E;. Means for creatins ke}-s in the RSA
s\=stem are well known (B. Schneier, Applied Cryptography: Protocols. Aleorithms. and Source Code in = C, John Wilev&.Sons. New York, 2nd edition, 1996 and A. J. Menezes, P. C.
Van Oorsho_, S. A. N'anstone, Handbook of Applied Cryptography, CRC Press, 1997). The modulus N ar;d basic public exponents E;, F_, F;; are published as the information about public money ke~--,;.
The data N: = 100-. N= =100, N; = I are published as the information on the monetary va:-ues correspondinu to the adnlissible levels.
The cryptographic hash function F used of the criterion of validity of payment certificate bases, is chosen so that its value on the bit sequence X is obtained by concatenation of bit sequences H(A) and F, where H denotes the knolvn hash function SHA-1 (A. J.
iNtenezes, P.
C. Van Oorshot, S. A. Vanstone, Handbook of Applied Cryptography, CRC Press.
1997, p.
348), }' = 1111...1110, and the number of the unit bits in J' is such that the total number of bits in F(X) is equal to the number of bits in the modulus N.
As the dioital signature system intended for sianing the messages used -hen effecting payments, one fixes the RSA system -%vith public exponent 3, i.e., the RSA
system in which the.public exponent is fixed and equal to 3. In the frame,~A,ork of this system, the ba.nk chooses a secret key DB and the corresponding public key EB. The modulus of the public key EB is made-public as the information about this key.

A description of the best embodiment of the method for effecting payments by the first variant is given below.
Having performed the preparatory actions described above, the payee opens a public key account in the bank. Here, the account is opened in the following way.
As the secret key of the account being opened, the payee takes his secret key created spe-cially for this purpose in the frarnework of the signature system fixed at the stage of pre-paratory actions. The public key corresponding to the secret key of the account is delivered to the payment server via open telecommunication nets. In the payment server, one takes the delivered public key as the public key of the account being opened, assigns a number to the account being opened, and creates in the storage of accounts a record containing the number of the account. the public key of tlie account, and other attributes of the account. The payee considered the account to be opened after receiving a message signed with the banlc's secret key, which confirms opening an account connected with the public key of the account. Fur-ther, the sienature on the message is stored in the storage device of the "Electronic -,vallet", Nvhich will allow one in the future to make justified claims to the bank if the bank has not fulfilled its obliQations connected with the opened account.
Advantaees of the described variant of opening an account are that the operation of opening an account proceeds in a remote manner in the real-time mode. In addition, openinz an account in the payment server proceeds automatically, because i~
particular, it requires no verification of the data identifying the account holder. Thus, this variant of openino an ac-count is ven= economical for the banl: and very convenient for the banl:'s clients. In additiM.
as every public key account, an account opened as described above zdnuts a secu-e remote mana~,Jement. arid a relatively small size of the number of the acco.:nt alloti1.-s one to repro-duce it by haiid. manually in particular, for indicating the designa:iOn of a postal ml-ney or-der.
In the best embodiment, the pa} er uses an arbitran= nieans to- WDne%*
operaticns tivhic'n allows a secure remote management as a source of replenishnient o: :..is "Electronic wallet".
When creatinR the payment certificate base Base in the course oi perormi.ng t~: opera-tion of primarily filling a payment certificate, as the payee's secre: key DP
and the corre-sponding public key EP one chooses keys specially created for th:s purpose.
Here. the keys DP and EP are chosen in the frame =ork of the signature systen; i.xed at the stare of pre-parator}= action:.
During the op:ration of primarily filling a payment certific_;:te. the blinded identifie_ Baseld of the base of the payment certificate is delivered to the pa.. Lent server as a part of a money demand. Here, the data necessary for remote withdra-,val o; runds from tc: utilized replenishment source are also included in the money demand.
Prior to performin2 a payment operation, the payee obligation data are sianed, v: ith the payee's arbitran= secret key, and before the payer decides to perform a payment oreration, ii, the payer dex-ice one verifies the validity of the signature on the payee obligation data an;:
stores the signed payee oblieation data.
The information about the payee included in the payer order zi=hen performing a payment operation contains the identifier of the payee's account and the caa3itions of payment. The result of processing the pay-ee obligation data zvith the help of a fixed one-way function is included in the conditions of payment. The payer order is encrypted txith the operator's en-cryption key.
A session key for symmetric encryption is included in the payee order and the payee order itself is encrypted %vith the operator's encryption key.
The payee receipt signed with the operatot's secret key is included in the operator's re-5 sponse to the payee order, and the operator's response to the payee order is encrypted with the session key contained in the payee order. The payee judges the performing of the pay-ment according to the validity of the signature on the payee receipt.
In the payee device, by means of the operator's response to the payee order, one forms and delivers to the payer device the data confirming the payee's consent to the fact that the 10 payment operation has been successfully performed.
The part of the payment certificate value that was not spent on the payment objectives is returned to the paver device as change.
The possibility of realization of the above-described best embodiment of the method for effecting payments bv the first variant is clarified by the follo,-ving example.

15 Example 2 The preparator}, actions are performed as in Example I described above.
The payee, who is a seller in the present ekample, opens an account with public key ES in the bank as described above. Further, in the storage device of the seller's "Electronic wallet"
one creates a record with information about the opened account, NN=hich information contains 20 the secret key DS corresponding to the public key ES, the number Accounrld of the opened account. and other attributes of the account.
ln this example, the source of i-eplenishment of the payer's "Electronic wallet" is t":-_ pa}=er's account, ~vhich he opens iri exactly the same %vay as the payee. The payer delivers a certain amount of money to the account opened by him by a postal money order;
for the sake of definiteness. let it be 100 dollars.
L'sini-, the opened account as the replenishment source, the pa}=er replenishes his "Elec-tronic %vallet" Nvith the help of the operation of primarily fillin, a payment certificate.
Durin~, the operation of primarily filling a payment certificate, the base of the payment certificate is created bv choosing th:secret siQnature key DP and the corresponding public 3 0 sisznature key EP in the frame~vorl: of the RSA system Nvith public exponent 3. Since the public exponent is fixed. the public key is represented by a single modulus.
As indicated above. nieans for creatinz such l:evs are tivell known. One takes the data (FP. X) as the base (}: _lj of the payment cenificate, where X is obtained from the key EP -,vith the help of the means for calculatin2 the function F described in Example I presented above.
Such a 3 nieans is realized by proszramming means on the basis of the above description for th:
function F.
During the operation of primariIy fillina a payment certificate, the blinded identifier Baseld of the payment certificate base is delivered to the payment server as a part of the money demand. One also includes in the monev demand the required replenishment 40 amount, for the sake of definiteness 200 dollars, and the payer's account number, and along xvith the money demand one delivers to the payment server the signature of said demand NN-ith the secret key of the payer's account. Here, the payer device is replenished from the funds of the account indicated in the money demand, after verification of the signature contained in the money demand =ith the help of the public key of the account indicated in the money demand.
To blind the identifier Baseld of the payment certificate base one chooses a level M=
(MI, M2, M3) such that L f does not exceed Ml, L2 does not exceed :W,, and L3 does not ex-ceed Mj, where L=(L1, L2 ,L;) is the level of that secret money key which will be used in the payment server when replenishing the payer device. The level M to be chosen depends on the required replenishment amount expressed in cents, i-e., equal to 20 000 in the pres-ent example. XN'hen choosing the level M, one assumes that the level L of the secret money key used by the bank is defined as follows according to the rule fixed in advance in the payment system.
First of all, by the required amount of money contained in the money demand and by the funds on the payer's account, one defines the replenishment amount. In this example, to the moment of performing the replenishment operation the funds of the account expressed in cents make the quantity 19 975. This amount has formed as follotivs. For crediting the account with 20 000 cents, which corresponds to 200 dollars of the postal money order. the 1.5 bank took commission in the amount of 50 cents, so thL: 19 950 cents appeared on the ac-count. During the time elapsed from the moment of crediting the account with this amount to the moment of be'inning of the payer device replenishment operation, the banh, first, added the interest in the amount of 30 cents, and, seconsiv. ch,_-Red 5 cents for mainte-nance of the account. A-s a result, to the motnent of perio:nine th:
replenishment operation the funds of the account mal:e the quantity 19 975 cen.S_ IL adc:::ica- the bank c-'.raes 60 cents for the payer device replenishment operation. Thu:. :Le ret::r~ishment ame~-t i- this example mal:es 19 915 cents 7'he level I. is defined to the rep:en:s,~s-~ent amount, -hich is equal to 19 915 in this example, wi:: tu: he:- of the rule fixed in The payment system so that the relation L; =Y1 -- L, -:1', - 915 cents iv: _,ld ;;.old.
In the present exaniple. L = (l. 99 ,15).
ln any case. the fixed rule of definins the level L i: with the rec__reu re-plenishment amount guaranteeS. iri this example, that.L: d.-.e_ na: eWeed N~hile L= a~ l L;
do not exceed 99. Thus, one t_--1es the data (2, 99 ,99) as le% e':.'. '.
~ After the level 'll is chosen. The initial data X, -hi=' is t~l-en equal to the iden;ifier Baseld of the payment certificate base during primarily nilir_s The payment cer:::ica:;. is blinded in accordance i;-ith th: relation X' = Fh' (nro.: 'Vi. wh,.-; F = R' (mo.: .1; . t' _ t_. =L1_ -C%= L', = F. .. t-_ _~_ -, U; = E;" and R i;~ a rand1-T:zed integral numb:. of suitable size In the payment ser-ver. the siUnature on the blinded d: ta .1' v,::s the secret r:oney key 3'> corresponding to the level L is taken as the data S' to b: unblin;::d Thus, in this exarnple, the data h" is processed with the secret money key with modulus ..1= and secret exponent D
= D;Ll D.? L- D_' . Afrer that, the data S'' are deli~~ered to the pa~-e- de~-ice.
In the payer's "Electronic wa llet", from the received dr:a S'to be unblinded ene tia-kes the signature S of the payment certificate by unblindine th: rece:ved data S' in accordance with the relation S = S '=T' (mod 11 J, -%N-here T= RV (mod N), T= R' (mod A), 1' = I;, - I:
I::, and l~ J= E; ~='' rI, I' = E_' ''2, i;= E;"f;-L'. The made sim.:~x:re S
is stored in the stor-aQe device. As a result, a payment certificate with value 19 915 cents appears in the payer's "Electronic wallet".
The payer .villing to pay 43.50 dollars to the seller for som: goods, prepares The pay-ment data Pa},n1ewData, includirig in them the payer orderPay.erOrder signed with the se-cret money key of the payment certificate DP and data A intended for the seller and con-sisting in this example of the name of the paid goods and the identification data of the re-cipient of the goods. The payer order PayerOrder consists of the public key of the payment certificate EP, the signature S of' the payment certificate, the seller's account number Ac-coutitld, and the data C defining the conditions of payment. In the present example, the payer takes as C the seller's account numberAccounlld and the value of the hash function H on the tea-t of the seller's obligation valid in the case of a payment, namely, an obligation to supply the corresponding goods to the person with the indicated identification data.
The seller .villins to accept the payment forms the payee order SellerOrder =(4ccou -iId, Pat=erOrdei) encrypted with the bank's public encryption key and delivers it to the bank.
Havin2 made sure that the list of the used payment certificates contains no record on the payment certificate with public key EP, having verified the validity of the signature on the payer order Pal=erOrder with the help of the public key EP, and having verified the valid-ity of the siQnature S of the payment certificate, thl- bank enters a record including the public key EP and the signed payer order Paye'rOrder into the list of used payment certifi-cates and credits th: account with number Accountld ith an amount of 43.49 dollars, un-der the assumption that the ban.k charges 1 cent for performinQ a payment operation. After that. the bank forms the payer receipt confirnung the fact of creditina the account with number,-lccountld,.~,1th an amount of 43.49 dollars, signs it, and delivers to the seller, who, havin: N-erified the validity of the bank's signature on the receipt received, regards the payment as being e:rected and informs the payer about successfullv effecting the payment.
Ti:e r;st value e: the payment certificate, making quantity (19 91 5 - 4 350) cents in the 2.5 present example. is returned by replenishing the pati-er device, and the replenishnient can be performed eithe- by primarily filling the payment certificate or by replenishing a pay-ment cer:ificate alreadv at hand. To this end, one includes in the paver order a blinded sia-nature of that payment certificate whose value will increase due to the returned value.
while the correspondina money signature of the operator, delivered to the paver device through the payee ,:e%-ice along with the other data is included in the operator's response to the payee order.
A description o :he best embodiment of the method for enectin' payments by the sec-ond variant is uiven heloi'.
ln the best emb: diment of the method for effectins payments by the second variant, one performs all actions that are perforined in the best embodiment of the method for effectlnQ
payments bx- the first variant.
Moreover, oite performs an additional payment certificate replenishment operation, which is realized so that the operator cannot distinguish the operation of primarily fillinQ a payment certi.ficate from the payment certificate replenishment operation One performs the payment certificate replenishment operation at an arbitrarv moment of time before the payment operation and one uses for replenisbing a payment certificate =hose value is not sufficient af the payment operation.
The possibility of realization of the above-described best embodiment of the method for effecting payments by the fourth variant is clarified by the above-described Example 2, -~vhere the possibility of realization of the best embodiment of the method for effecting payments by the first variant is clarified, and by the following Example 3, where the possi-bility of realization of the best embodiment of replenishing the payer device with the help of replenishing the payment certificate is clarified.
Example 3 In this example, we use agreements and notation adopted in Example I described above.
The payment certificate replenishment operation, i.e., the operation of obtaining a pay-ment certificate signature whose level exceeds 'the level of the payment certificate signa-ture contained in the payer device at the beainn.ing of the replenishment operation, is per-formed by obtaining the blind money signature of the operator_ Here, as the initial data one takes the payment certificate signature contained in the payer device.
Suppose that the payer's "Electronic vvallet" contains a payment certificate with signa-ture S 1 of level (0, 2,30). Suppose that the value of this payment certificate, which is equal to 2 dollars and 30 cents in the present case, is not sufficient for the payer to make a certain 1 purchase. In order to make this purchase an}war, the pa}-er replenishes his "Electronic wallet" by replenishing the payment certificate.
For this purpose, one delivers the blinded sienature SI of the payment certificate to the payment server as a part of the money demand. One also includes in the money demand the required replenishment amount. equal, for the sake of definiteness, to 50 dollars, and the payer's account number, and alona -ith the money demand one delivers to the payment server the signature of said demand ivith the secret key of the payer's acco~_nt. He-e, the payer device is replenished from tile funds of th: account ir,dicated in the rn.-::ey dev;and after N=erification of the siQnature contained in the money demand with the he:c~ of the pub-lic key of said account.
n~ To blind the sianature S! of the payment certificate. as in Examp;e 2 presented a'Dove.
one chooses a level.11= (n-1;. M. .su:h that L: does not etceed 11I. L_ doe.s not e~:.eec .11_, and L; does not exceed hti. e L=(L;, L= . L) is the level of t:at secr.: mone=.- kev -hich %vill be used in the payment server -hen replenishing the payer device.
One c} coses the level M depending on the requ:red rer lenishment amount as in Eaarttple =.
In th:. pres-ent example,.M= (0, 5,99).
As in Example 2, one defines the replenishment amount by the required ,:moun:
con-tained in the money demand and by the funds on the payer's account. Suppos.
that t'-,e re-plenishment aniount in this example turns out to be equal to 47 dollars and 13 cents. i.e., 4 -13 cents. One dettnes the level L by t:!: replenishment amount as in Exarr.~le 2. I. the ,5 present example, L = (0, 4' ,13).
After the level iN4 is chosen, the initial data _1; tvhich is taken equal to the ider::ifier Bczseld of the base of the payment cenificate during primarily filling the payment certifi-cate, is blinded in accordance NN=ith the relation X' = F-X(mod A), ,here F
R' (mW N).
U = U1 =Uc U;, r' 7! = El'{'l , L~, = L:~''-, L:: and R is a randomized integral number of suitable size.
In the payment server, the signature on the blinded data X with the secre:
money key corresponding to the level L is taken as the data S' to be unblinded. Thus, in this example, the data A" is processed by-the secret money ke}= -,vith modulus N and secret exponent D
D Ll . D, L' . D;-"'. After that, the data S' are deliN-ered to the payer device.

In the payer's "Electronic wallet", from the received d"ata S' to be unblinded one makes the signature S of the payment r,ertificate by unblinding the received data S' in accordance with the relation S = S' -T1 (mod N), where T= RY (mod A9, V= Vi - Vz = V3, and h f=
E11" L' v, = E2 n-LZ 1 j= Ej"'3 L3 The made sienature S is stored in the storage device in-stead of the signature Sf stored before. Here, the level of the signature S is equal to the sum of the level of the signature S), Le., (0, 2,30) in the present example, and the level L = (0, 47 ,13). Thus, the level of the signature S is equal to (0,49 ,43), and the payment certificate N-alue has increased to 49 dollars and 43 cents.
A description of the best embodiment of the method for effecting payments by the third variant is given below.
The preparatory actions, opening the payee's account, replenishment of the payer de-vice, and the payee's actions during the execution of a payment operation are performed as in the above-described best embodiment of the method for effecting payments by the first variant.
( 1~ As in the above-described best embodiment of the method for effecting payments by the i: iirst ~~ariant, before the payer decides to perform a payment operation, in the payer de~=ice one verifies the validity of the signature on the payee obligation data and stores the signed payee obligation data.
'hen performing a payment operation, the identifier of the payee's account and the =.0 conditions of payment are included in the payer order as information about the payee. One i::cludes in the conditions of payment th: result of processins the payee obligation data <<, ith the help of a fixed one-way function The paver order is encrypted ivith the operator's zncryption key.
A session key for symmetric encryp:ion is i_ncluded in the payee order, and the payee der itself is encrypted ,vith the operators encnTtion key.
The payee receipt signed with the ope-_~:tor's secret key is included in the operator's re-s:,,)nse to the payee order, and the operator's reSponse to the payee order is encrypted -ith session key contained in the pavee order. The payee judges the performing of the pay-nn.ent according to the validity of the signa;ure on the payee receipt.
In the payee device, by means of the operato:s response to the payee order, one forms a~,d delivers to the payer device data ceL:irming the payee's consent to the fact that the r=%'ment operation has been successfully F:rforr:.:d.
The operator opens a payment account conne;ted with each of the payment certificate_ a=.d connects it with the public key of the p.aymeat certificate, and the funds of the payment a:count are spent in one or several payment operations. Here, the public key account v.-hose public ke)= coincides with the public key of the payment certificate is used as the F::yment account. The funds appear on the payment account as a result of one or several operations of crediting the payment account periormed from the funds of the value con-tained in the payment certificate, and the operation of opening a payment account is com-10 bined with the operation of creditinc; this a:count that as first in time.
1N'hen performing the operation of cre3itina a payment account, one delivers to the payment server a payment certificate sianature, whose level can be chosen arbitrarily within the level of the payment certificate. Moreover, each operation of crediting a pay-ment account is combined with one of the payment operations.

The possibility of realization of the above-described best embodiment of the method for effecting payments by the third variant is clarified by the following example.
Examole 4 In this example, we use agreements and notation adopted in Example 1. The preparatory 5 actions, opening the seller's account, replenishment of the payer device, and the seller's ac-tions during the execution of a payment operation are performed in this example as in Ex-ample 2 described above.
Examples of three payment operations are given below. Here, the first one of the pay-ment operations described below, which is the first (in time) operation performed .vith the 10 use of a payment certificate, is combined with the operation of opening a payment account and its creditine. The second one of the payment operations described below is combined NN-ith the operation of crediting an already opened pavment account. The third one of the payment operations described below is performed under the conditions when the funds on the payment account already suffice for performine such a payment operation.
15 Below, eiven is a description of the first (in time) payment operation performed ivith the use of a payment certificate, which is combined with the operation of openins a payment account and its crediting. j Suppose that the payer device contains a payment certificate with base (EP, h) and sia-nature S of level (2, 12, 45). The payment certificate value is equal to 212 dollars and 415 20 cents. Suppose, furthermore, that the payment certificate has not already been used in one of the payment operations.
The payer willing to pa}, the seller an amount of :S.999 dollars for some soods, pre-pares the payment data PayntentDara. includinQ iz them the payer order Pal=erOrdei-sicned with the secret key of the payment certificate DP, and the data A
intended for the 25 seller and consistina in this example o: the name of the paid goods and the i::entification data of the recipient of the Qoods.
The payer order PayerOrder consists of the publii key EP of the payment certificate.
the siQnature S; of the payment certifica,e, the seller's account numberAccornr:ld, and the data C defining the conditions of payment. In the present example, the payer tahes as C the seller's account number AccountId and the value of the hash function H on the tea-t of the seller's obliaation valid in the case of a payment, 3039 namely, an obligation to supply the corresponding, soods to the person with the indicated identification data.
The public key EP included in the payer order ParerOrder is used in the payment sen-er for opening the payment account connected ivi:h this key. The signature S, of the payment certificate included in the payer order Pa}'erOrder is used in the payment server for crediting the pax=ment account with public key EP.
The siQnature S1 is made in the payer device from the signature S of the payment cenifi-cate. Here, the level L=(L:, ...,L;) of the sianature S, is chosen in so a way that, on the one hand, the value corresponding to this level would suffice for performing the p:esent pay-ntent operation, and, on the other hand. it would not exceed the level of the signature S in each of the three orders. Another aim of such a choice is to hide the level of the sienature S
contained in the payer device from the operator. In the present example, the level of the sianature S is represented by the collection (2, 12, 45), and the value sufficient for per-forming the present payment-operation, expressed in cents, is, in the present case, 1899.9 cents. Thus, the restrictions on the choice of the level L=(Lf, ._.,L3) are as follows: first, L, does not exceed 2, L2 does not exceed 12, L3 does not exceed 45, and, secondly, the quan-tity L1 = Nl = Lz - N2 + L3 - N3, where Nj = 100~, Nz =100, N3 = 1, must be at least 1899.9 cents. The level L satisfying these conditions is chosen with the help of a random number generator and, in the present example, L = (1, 3, 14). The signature Sl is made with the help of a computing device programmed in the corresponding way, in accordance with the relation S1 = S" (mod N), where V = Vl = V2 - V3, Vj = El MI-Ll$ V2 = E2 MI-L2 , V3 = Ej"' L:, and the level (M~, ...,M3) is equal to the level (2; 12, 45), i.e., to the level of the signature S.
The seller willing to accept ttie payment forms his payee order Seller0rder =(Acco:nl-tld, Pa}w-Order) encrypted with the bank's public encryption key, and delivers it to the bank.
Having niade sure that the payment account database contains no record of a payment account with public key EP and having verified the validity of the signature S1 with the help of a public or a secret money key, the bank opens a payment account and enters the ~ 15 corresponding record into the payment account database. Here, first, the opened account is credited -vvith the amount corresponding to the level L = (1, 3, 14) of the signature S1, i.e..
in the present example, with an amount of 103' dollars and 14 cents. In addition, one debits the opened payment account with an amount of 50 cents, whicb is equal to the charge for openinQ the payment account. After that, the payment operation per se is performed.
: 0 Namely, hax-ina verified the signature on the payer order PayerOrder NzIth the help of the public key EP of the payment account, the bank enters the siQned payer order PayerOrder into the information storave, debits the payment account with an amount of 1899.9 cents and credits the account -~vith number Accoin111d with an amount of 1799.9 cents, under the assumption that the cost of perfor.ming a payment operation by the bank is equal to I cent.
'5 After that, the bank forms the payer receipt confitmine the fact of crediting the account with number AccoUntld with an amount of 1799.9 cents, signs it, and delivers to the seller.
who, having verified the validity of the bank's signature on the receipt received, reeards the payment as beinQ effected and informs the payer about successfully effecting the paynient.
A description of a payment operation, which is combined with the operation of crediting ='' an already opened payment account is given beloNN-. Generally speaking.
the payee partici-patina in this operation is in no way connected with the payee from the first payment op-eration described above.
Suppose that the payer device contains a payment certificate lth base (EP, A) and sic-nature S of level (2, 12, 45). The payment certificate value is equal to 212 dollars and 4:
3 5 cents. Suppose that the payment account connected with the oiven certificate is already opened, the total amount of expenses of this payment account does not e.lceed the amoun:
of 6732.8 cents, and the level of the signature delivered to the operator in one of the preN'l-ous operations of crediting the payment account does not exceed the level (1, 3, 14). Thus, the payment account has been credited with an amount of 10 314 cents in the course of th:
40 previous crediting operations.
The payer willing to pay the seller an amount of 3699.9 cents for some goods prepares the payment data PaymentData, i.ncluding in them the payer order Pa},erOrder signed w-ith the secret key DP of the payment certificate, and the data A intended for the seller and con-sisting in this example of the name of the paid goods and the identification data of the re-cipient of the goods.
Since the payment amount exceeds the difference between the amount of 10 314 cents, delivered to the payment account in the previous crediting operations, and the total amount of expenses of this payment account, which makes 6732.8 cents, the payer combines the 4' ) payment operation with the operation of crediting a payment account.
The payer order Pa}=erOrder consists of the identifier of the public key of the payment certificate, which coincides in the present example with the value on the key EP of the hash function H fixed in advance, the signature S, of the payment certificate, the seller's account number Accoulltld, and the data C, defming the conditions of payment.
In the pre-sent example, the payer takes as C the seller's account number Accourltld and the value of the hash function H on the text of the seller's obligation valid in the case of a payment, namely, an oblisation to supply the corresponding goods to the person with the indicated identification data.
The identifier H(EP) of the public key of the payment certificate included in the payer or-1-4, der PayerOrder is used in the payment server for seat-ch of the payment account connected ,,vith the key EP. The sisnature S, of the payment certificate included in the paver order PayerOrder is used in the payment server for Crediting the payment account with public key EP.
The siynature S, is made in the payer device from the sianature S of the payment certifi-cate. Here, the level L=(L:, ...,L;) of the signature Sl is chosen so that, first, the value corre-sponding to this level suffices for performing the present payment operation considering the expenses paid earlier, secondly, that said level does not exceed the level of the sianature S in each of the three orders. and, thirdly, that in each of the three orders the said level would not be less than the level of the sianature delivered to the operator in one of the previous opera-2-5 tions of creditinQ the pwynlent account, i.e., in the present example, not less than the level (1, 3, 14). In the present example, one takes L = (2, 7, 15). The sienature S; is made -,vith the help of a computing device programmed in the corresponding way, in accordance Nvith the relation S; = S' (nlod.\'i. where I' _- I'! I'2 1'; I:l =1 ~1r1-tr I,, _ E_',, I;= E_'' "-. and the level is equal to the :level (2,12, 45), i.e., to the level of the signature S.
:0 The seller willing to accept the payment fornls the payee order Se11C1'O1'der =(4ccO1nlild, PmYel-Ordel) encrypted with the bank's public encryption key and delivers it to the bank.
The bank, havin'T detected a record of a payment account Nvith public key EP
in the pay-nlent account database and having verified the validity of the signature S1 with the help of a public or a secret money kev, increases the total aniount on the found account to the amount 35 corresponding to the level each order of which equals the maximal one of the corresponding orders of the levels of all signatures of the payment certificates delivered to the bank in the operations of creditinR the given payment account. After that, the payment operation per se is performed. This operation is performed as in the above example of the first payment op-eration.
40 Below, a description of a payment operation performed with the help of an already opened payment account without combining it with the operation of crediting a payment account is given. Generally speaking, the payee participating in this operation is in no way connected .vith the pa}lee from the first payment operation described above.
Such an operation is performed in the case whexe the payment amount does not exceed the difference between the amount delivered to the payment account in previous crediting operations and the total amount of expenses of this payment account. In such an operation, the payer order PayerOrder does not contain the payment certificate signature, but consists of the identifier of the public key of the payment certificate, which identifier coincides in the present example with the value on the key EP of the hash function H fixed in advance, the seller's account number Accouiitld, and the data C determining the conditions of payment. In the present example, the payer takes as C the seller's account number Accouirtld and the value of the hash function H on the text of the seller's obligation valid in the case of a pay-ment, namely, an obligation to supply the corresponding goods to the person with the indi-cated identification data. ln all other respects, such an operation proceeds in the same way as the payment operations described above.
A description of the best embodiment of the method for effecting payments by the fourth variant is given below.
ln the best embodiment of the rnethod for effecting payments by the fourth variant, one performs all actions that are performed in the best embodiment of the method for effecting payments by the third variant. In addition, one additionally performs a payment certificate replenishment operation, and the best embodim'ent of this operation is described above in the description of the best embodiment of the method for effecting payments by the second vari-ant.
The possibility of realization of the above-described best embodiment of the method for effectina payments by the fourtti variant is clarified by the above-described Example 4, where the possibility of realization of the best embodiment of the method for effecting pay-ments by the third variant is clarified, and by the above-described Example 3, Nvhere the possibility of realization of the best embodiment of replenislung the payer device -ith the help of replenishing the payment certifrcate is clarified.
A description of the best embociiment of the apparatu, for effecting payments is Riven below. ~
In the best embodiment, the payer device contai.ns a means for replenishing the payer de-vice by the use of makina a blind money signature of an operator, which is realized by the ,0 means for increasing the level of the payment certificate siLnature. In addition, the payer device contain-r a means for opening a public key account. Furthermore, the means for formin~, a payer order signed with a secret key of the payment certificate has a means for forming a demand for crediting the payment account, which, in turn, has a means for de-creasino the level of the payment certificate signature.
The payee device contains a nleans for opening a public key account and a means for verifying the signed payee receipt with the operator's public key.
The payment server contains a means for servi.ng a database of payment accounts and a means for sert=ine a database of accounts, and the means for serl=ins a database of accounts has a means for opening a public key account, a means for crediting an account and a means for debiting an account. The means for serving a database of payment accounts has a means for opening a payment account, a means for verifying the money signature and a means for crediting a payment account. The nreans for performing a payment operation contained in the payment sen,er has a means for verifying a signature on the payer order and a means for making a signed payee receipt. -In addition, the pa}mcnt server contains a means for making a signed payee receipt.
The means for storing information in the storage devices of the payer device, of the payee device, and of the payment server have high reliability, and the payer device, the payee de-vice, and the payment server are equipped with means for encryption of outgoing messages and means for decryption of incoming messages.
The possibility of realization of the above-described best embodiment of the apparatus for effecting payments and using such a system are clarified by the following example.
Example 5 The example is illustrated by Fig.1, Fig.2, and Fig.3. Fig. l shows a flow-chart of the ap-paratus for effecting payments containing payment server 1, payer device 2, and payee de-vice 3. Here, the lines drawn between the blocks sho = interconnections between the above-mentioned devices via telecommunication nets.
Fig.2 shows a flow-chart of the payer device replenishment operation. Here, block 4 shows a means for creating a payment certificate base by processina a public key of the payment certificate with a one-,vay function, block 5 sho =s the storaae device, line 6 shows a means for storing the created payment certificate base in a storage device, block 7 shows a means increasing the level of the payment cerfifica:e sivnature, block 8 shows a means for forming the money demand including a blinded pa-vment certificate signature, block 9 sho 's a nieans for unblinding the data to be unblinded comprised in a response to the money de-mand, line 10 shows a means for enteriny a result of unblindina into the storaae device, block 11 shoN,,-s a means for processing the money demand. and block 12 sho-,N-s a means for making a money signature. ln addition, line 13 sho;c; a means for reading the pa}Iment cer-tificate signature from the storase device, line 14 shows a connection via which the money demand is delivered to the payment server, and L : 15 shoN;,s a connection via which the operator's response to the money demand is delive:zd to the paver device.
Fia.3 shows a flow-chart of a pa}Iment ope:a:ion. Here, block 16 shows a means for formin; a payer order siQned ~vith a secret key of die payment certificate, block 17 shows a means for forminQ a payee order including the pa%-e- order. block 18 shows a means for veri-fying the si~ned payee receipt, block 19 shows a m.ans for performina a payment operation, block 20 sho =s the pa}-ment account database, bloc'; 21 sho =s the account database. In ad-dition, line 22 shows a connection ),~ia ~vhich the payer order is deliN-ered to the paNlee device, line 23 shou=s a connection via n=hich the payee order is delivered to the payment server, line 24 shoNN=s interaction between the means for performing a payment operation and the pay-ment account database, line 25 shows interaction between the means for performing a pay-ment operation and the account database, and line :6 shoNvs a connection via which the op-erator's response to the payee order is delivered to the payee device.
The apparatus for effectine a payment is realized by programming means on the basis of the algorithms indicated in Examples 2 and 3 above. In particular, cr}-ptographic means used, such as making a signature, verification of a si_nature, encn-ption and decryption, are based on the functions of arithmetics of integral numbers and modular arithmetics.
Examples of realization of such functions are well know-n in the art. Means for calculating hash functions utilized are also well known.
With the help of the apparatus for effecting pa}-ments, vrhich is shown in Fig.l, payments are effected as follo,.vs.

Payer device 2 is replenished for an arbitrary number of times. Here, one can replenish the payer device with the help of both primarily filling a payment certificate and replenishing one of the payment certificates already at hand. When replenishi.ng the payer device with the help of primarily filling a payment cerdficate, one uses a means for creating a payment cer-5 tificate base, in which the public key of the payment certificate is processed by a one-way function, after which the created payment certificate base is entered via line 6 into storage device 5, both as the base of the payment certificate and as the payment certificate signature of zero level.
In an arbitrary operation of replenishing payer device 2, the payment certificate signature 10 is entered via line 13 into block 7, where the payment certificate signature is blinded and of the money demand including the blinded payment certificate signature is formed with the help of block S. A money demand is delivered via line 14 to payment server 1, where it is processed in block 11, including making the monev signature on the blinded payment certifi-cate signature xvith the help of block 12. The operator's response to the money demand, 15 which response is formed in block. 11, is entered via line 15 into payer device 2, where the data to be unblinded contained in the response to the money demand is unblinded with the help of block 9. Unblinded data are entered via line 10 into storage device 6 as the payment certificate sianature of higher level.
NA'hen performing a payment operation. the payer order sianed =ith the secret key of the 20 payment certificate is formed in block 16 of payer device 2. The payer order is entered via line 22 into payee device 3, where the payee order includinQ the payer order is formed in block 17. The payee order is entered via line 23 into payment sen,er 1, where with the help of block 19 one perfornls a payment operation, in the course of -,vhich the payee's account stored in account database 21 is creditei fronl the funds of the payment account stored in payment account database 20. Her-e, readinEz and nlodification of records of the payment account and the payee's account are perfo:med N=ia lines 24 and 25.
respectively. The opera-tor's response to the payee order formed in block 19 and includin'T the signed payee receipt siimed with the operator's secret key, is entered via line 26 into block 18 of payee device 3, where the signed payee receipt is verified. which completes the payment operation.
Variants of implementing the invention For each of the variants of the claimed method for effecting payments, the invention ad-mits an enlbodiment such that the pa}yer device can be replenished from the funds of an in-ternlediary payer. In this case, when replenishing his payer device, the payer delivers the >> blinded data to an intermediar}, payer, who additionally blinds said blinded data and, corre-spondingly, unblinds the data to be unblinded which he receives from the bank.
If need be, the payee can also control the incoming payments. Such control is intended in order to ensure that nobody can credit the payee's account tivithout his assistance. To exercise such control, the payee order and its signature with the payee's secret key are delivered to the payment sen-er, and during the performing of a payment operation the validity of the signa-ture on the payee order is verified. Furthermore, when forming the payer and payee orders, the conditions of payment are included in these orders, and during the execution of a pay-ment operation the correspondence between the conditions of payment contained in the payer and payee orders is conzrolled in the payment server. In particular, in the payer device when forming the payment data and in the payee device when fhrming the payee order, one processes the payee obligation data with the help of one and the same one-way function, and the data obtained by the processing are included both in the payment data and in the payee order as a part of the conditions of payment.
The reliability of the method for effecting payments by each of the variants is ensured, in particular, by that if there are malfirnctions in communication nets when performing the op-erations employed in a payment, such operations can be recovered till their successful com-pletion without damage for the parties involved.
As the replenishment source in the payer device replenishment operation, one can use the payer's account, which Nvas credited in advance when performing an earlier payment opera-tion, in which the payer, in turn, played a role of the payee.
When performing a payment operation, the payee can play a role of a payer.
Such a pay-ment operation can be used for transferring values from the payer device to the payer's ac-count.
-~ 15 An overeroNrth of the operator's databases storing information on payment certificates can be prevented by charging either the operation of replenishing the payer device or the opera-tion of openinR the payment account connectedwith a payment certificate.
The operator's money obligations associated with payment certifrcates can be expressed in various currencies, and performing both a payment operation and the paver device replen-ishment operation can be combined with the operation of converting one currency into an-other.
To increase the security of the participants of a payment system utilizinQ the present in-Niention, one can introdu.z certain restrictions both on the amount of a sinale replenishment of the payer device, and on the total amount of expenses of the replenishment source -ithin a certain period of ti.nle.
The message exchange between the payee device and the payment sen-er, the payer de-vice and the payment server. and the payee device and the payer device can proceed in the interactive mode. ln particular, the money demand, the paN=ment data, the payee order, and other data can be delivered to their addressee in portions.
The procedure of acknowledging by the payment system operator of his obligations asso-ciated ,vith a payment certificate, besides the verification of the operator's o ,n sianature of the certificate. can include verification of the validity period of other data. as Nvell In addition, the data to be unblinded, which one received ~N,hen replenishing the payer de-vice, together with data alloNN-ina one to perform such an unblinding can be used as the pay-ment certificate signature, because thev allow one to convince a third party in the existence of the operator's oblig.ations.
Industrial applicability The invention can be used in electronic queueing systems, especially those 'here pay-ments via open communication nets are required. Among possible applications, the invention can be used for organizing payment systems, trade systems, service centers, and in many other areas. In particular, the invention can be used in the work of banks and systems of banks, for organizing shops, trade in securities, lotteries, etc.

Claims (109)

1. A method for effecting payments comprising steps of: replenishing a payer device by an operation of primarily filling a payment certificate, in which a payment certificate base is created in the payer device and a payment certificate signature is obtained by means of mak-ing a blind money signature of an operator; performing an operation of opening a payee's account; performing a payment operation in which the payment certificate signature and an identifier of the payment certificate base are included into payment data delivered to a payee device by means of which a payee order is formed including the payment certificate signa-ture and the identifier of the payment certificate base; delivering the formed payee order to a payment server in which the payee's account -s credited on the basis of the payee order in the case of absence of an information that the payment certificate was utilized, according to the validity of the delivered payment certificate signature; and forming the operator's response to the payee order, by means of which response the payment operation is judged, character-ized in that the method is further comprising steps of: including an identifier of a public key into the payment certificate base, said public key corresponding to an arbitrary secret key of a payer, wherein the public key is accepted as the public key of the payment certificate and the secret key of the payer is accepted as the secret key of the payment certificate; including a payer order signed with the secret key of the payment certificate into the payment data, and including an information on the payee and the identifier of the payment certificate base into the payer order; and the step of crediting the payee's account is carried out according to the validity of the signature on the payer order.

2. The method according to claim 1, characterized in that in the step of performing the payment operation the signed payer order is entered into the operator's information storage.

3. The method according to claim 1, characterized in that in the step of replenishing the payer device a money demand is formed including data for making a blind money signature, and is delivered to the payment server in which a replenishment source and replenishment amount are determined according to the money demand; data to be unblinded are created in the step of making the blind money signature by processing data for making the blind money signature, that are comprised in the demand, with a secret money key corresponding to the replenishment amount, whereupon the payment certificate signature is made in the payer de-vice by unblinding.

4. The method according to claim 3, characterized in that in the step of replenishing the payer device by the operation of primarily filling the payment certificate a blinded identifier of the created payment certificate base is included as the data for making the blind money signature into the money demand being formed.

5. The method according to claim 1, characterized in that in the step of performing the payment operation a payee receipt is included into the operator's response to the payee order, which receipt being signed with an arbitrary secret key of the operator, and the performing of the payment for the payee is judged according to the validity of the signature on the payee receipt.

6. The method according to claim 1, characterized in that in the step of performing the payment operation data are formed in the payee device with the use of the operator's re-sponse to the payee order and delivered to the payer device, according to which data the per-forming of the payment for the payer is judged.

7. The method according to claim 6, characterized in that in the step of performing the payment operation a payer receipt is included into the operator's response to the payee order and into the data delivered to the payer device, which receipt being signed with an arbitrary-secret key of the operator, and the performing of the payment for the payer is judged accord-ing to the validity of the signature on the payer receipt.

8. The method according to claim 7, characterized in that the payer receipt is encrypted by an arbitrary encryption key of the payer prior to including said receipt into the operator's re-sponse to the payee order.

9. The method according to claim 1, characterized in that in performing operations with the payment certificate the public key of the payment certificate converted by an arbitrary one-way function is used as the identifier of the payment certificate base.

10. The method according to claim 1, characterized in that in performing operations with the payment certificate the public key of the payment certificate is used as the identifier of the public key of the payment certificate.

11. The method according to claim 1, characterized in that in the step of replenishing the payer device the validity of the made payment certificate signature is verified.

12. The method according to claim 1, characterized in that in the step of opening the ac-count an arbitrary secret key is accepted as the secret key of the account, and the public key corresponding to the secret key of the account is delivered to the payment server as the pub-lic key of the account being opened.

13. The method according to claim 1, characterized in that conditions of payment are in-cluded into the payer order.

14. The method according to claim 13, characterized in that payee obligation data are in-cluded into the conditions of payment comprised in the payer order.

15. The method according to claim 14, characterized in that prior to performing the payment operation, the payee obligation data are signed with an arbitrary secret key of the payee, and the payer verifies the payee's signature on the payee obligation data prior to performing the payment operation.

16. The method according to claim 13, characterized in that in the payer device in the step of forming the payment data, the payee obligation data are processed by an arbitrary one-way function, and data obtained in this processing are included into the payer order as the conditions of payment.

17. The method according to claim 1, characterized in that the payer order is encrypted by an arbitrary public encryption key of the operator prior to including them into the payment data.

18. The method according to claim 3, characterized in that in the step of replenishing the payer device the payer's account is used as the replenishment source.

19. The method according to claim 3, characterized in that in the step of replenishing the payer device a bank card is used as the replenishment source.

20. The method according to claim 1, characterized in that in the step of performing the payment operation the payee appears as the payer. '

21. The method according to claim 1, characterized in that in the step of performing the payment operation a part of a payment certificate value is returned to the payer device.

22. The method according to claim 1, characterized in that the step of replenishing the payer device is performed from funds of an intermediate payer.

23. The method according to claim 22, characterized in that in the step of replenishing the payer device, the data blinded in the payer device in the step of making the blind money sig-nature of the operator are subjected to an additional blinding in the payer device of the in-termediate payer.

24. A method for effecting payments comprising steps of: replenishing a payer device by an operation of primarily filling a payment certificate, in which a payment certificate base is created in the payer device and a payment certificate signature is obtained by means of mak-ing a blind money signature of an operator; performing an operation of opening a payee's account; performing a payment operation in which the payment certificate signature and an identifier of the payment certificate base are included into payment data delivered to a payee device by means of which a payee order is formed including the payment certificate signa-ture and the identifier of the payment certificate base; delivering the formed payee order to a payment server in which the, payee's account is credited on the basis of the payee order in the case of absence of an information that the payment certificate Nvas utilized, according to the validity of the delivered payment certificate signature; and forming the operator's response to the payee order, by means of which response the payment operation is judged, character-ized in that the method is further comprising steps of: including an identifier of a public key into the payment certificate base, said public key corresponding to an arbitrary secret key of a payer, wherein the public key is accepted as the public key of the payment certificate and the secret key of the payer is accepted as the secret key of the payment certificate; repleni-hing the payer device by means of an operation of replenishing the payment certificate, in which operation a blind money signature of the operator on the payment certificate signature already being in the payer device is made; including a payer order signed with the secret key of the payment certificate into the payment data, and including an information on the payee and the identifier of the payment certificate base into the payer order; and the step of credit-ing the payee's account is carried out according to the validity of the signature on the payer order.

25. The method according to claim 24, characterized in that in the step of replenishing the payer device a money demand is formed including data for making a blind money signature, and is delivered to the payment server in which a replenishment source and replenishment amount are determined according to the money demand; data to be unblinded are created in the step of making the blind money signature by processing data for making the blind money signature, that are comprised in the demand, with a secret money key corresponding to the replenishment amount, whereupon the payment certificate signature is made in the payer de-vice by unblinding.

26. The method according to claim 25, characterized in that in the step of replenishing the payer device by the operation of primarily filling the payment certificate a blinded identifier of the created payment certificate base is included as the data for making the blind money signature into the money demand being formed.

27. The method according to claim 25, characterized in that in the step of replenishing the payer device by the operation of replenishing the payment certificate a blinded payment cer-tificate signature is included as the data for making the blind money signature into the money demand being formed.

28. The method according to claim 24, characterized in that in the step of performing the payment operation the signed payer order is entered into the operator's information storage.

29. The method according to claim 24, characterized in that in the step of performing the payment operation a payee receipt is included into the operator's response to the payee order, which receipt being signed with an arbitrary secret key of the operator, and the performing of the payment for the payee is judged according to the validity of the signature on the payee receipt.

30. The method according to claim 24, characterized in that in the step of performing the payment operation data are formed in the payee device with the use of the operator's re-sponse to the payee order and delivered to the payer device, according to which data the per-forming of the payment for the payer is judged.

31. The method according to claim 30, characterized in that in the step of performing the payment operation a payer receipt is included into the operator's response to the payee order and into the data delivered to the payer device, which receipt being signed with an arbitrary secret key of the operator, and the performing of the payment for the payer is judged accord-ing to the validity of the signature on the payer receipt.

32. The method according to claim 31, characterized in that the payer receipt is encrypted by an arbitrary encryption key of the payer prior to including said receipt into the operator's response to the payee order.

33. The method according to claim 24, characterized in that in performing operations with the payment certificate the public key of the payment certificate converted by an arbitrary one-way function is used as the identifier of the payment certificate base.

34. The method according to claim 24, characterized in that in performing operations with the payment certificate the public key of the payment certificate is used as the identifier of the public key of the payment certificate.

35. The method according to claim 24, characterized in that in the step of replenishing the payer device the validity of the made payment certificate signature is verified.

36. The method according to claim 24. characterized in that in the step of opening the ac-count an arbitrary secret key is accepted as the secret key of the account, and the public key corresponding to the secret key of the account is delivered to the payment server as the pub-lic key of the account being opened.

37. The method according to claim 24, characterized in that conditions of payment are in-cluded into the payer order.

38. The method according to claim 37, characterized in that payee obligation data are in-cluded into the conditions of payment comprised in the payer order.

39. The method according to claim 38, characterized in that prior to performing the payment operation, the payee obligation data are signed with an arbitrary secret key of the payee, and the payer verifies the payee's signature on the payee obligation data prior to performing the payment operation.

40. The method according to claim 38, characterized in that in the payer device in the step of forming the payment data, the payee obligation data are processed by an arbitrary one-way function, and data obtained in this processing are included into the payer order as the conditions of payment.

41. The method according to claim 24, characterized in that the payer order is encrypted by an arbitrary public encryption key of the operator prior to including them into the payment data.

42. The method according to claim 25, characterized in that in the step of replenishing the payer device the payer's account is used as the replenishment source.

43. The method according to claim 25, characterized in that in the step of replenishing the payer device a bank card is used as the replenishment source.

44. The method according to claim 24, characterized in that in the step of performing the payment operation the payee appears as the payer.

45. The method according to claim 24, characterized in that in the step of performing the payment operation a part of a payment certificate value is returned to the payer device.

46. The method according to claim 24, characterized in that the step of replenishing the payer device is performed from funds of an intermediate payer.

47. The method according to claim 46, characterized in that in the step of replenishing the payer device, data blinded in the payer device in the step of making the blind money signa-ture of the operator are subjected to an additional blinding in the payer device of the inter-mediate payer.

48. A method for effecting payments comprising steps of: replenishing a payer device by an operation of primarily filling a payment certificate, in which a payment certificate base is created in the paver device and a payment certificate signature is obtained by means of mak-ing a blind money signature of an operator; performing an operation of opening a payee's account; performing a payment operation in which an identifier of the payment certificate base is included into payment data delivered to a payee device by means of which a payee order is formed including the identifier of the payment certificate base received from a payer; delivering the formed payee order to a payment server in which the payee's account is credited on the basis of the payee order; forming the operator's response to the payee order, by means of which response the payment operation is judged, characterized in that the method is further comprising steps of: including an identifier of a public key into the pay-ment certificate base, said public key corresponding to an arbitrary secret key of the payer, wherein the public key is accepted as the public key of the payment certificate and the secret key of the payer is accepted as the secret key of the payment certificate;
opening a payment account associated with the payment certificate base; carrying out an operation of crediting the payment account, in which a payment certificate signature is delivered to the payment server, choosing the level of said signature arbitrarily within the level of the payment certifi-cate, and the operation of crediting the payment account is carried out in accordance with the excess of the level of the delivered signature above the level of the payment account; includ-ing a payer order signed with the secret key of the payment certificate into the payment data, and including an information on the payee and the identifier of the payment certificate base into the payer order; and the step of crediting the payee's account is carried out according to the validity of the signature on the payer order from funds of the payment account.

49. The method according to claim 48, characterized in that the payment account associated with the payment certificate base is opened in the step of performing the payment operation.

50. The method according to claim 48, characterized in that the operation of crediting the payment account is carried out in the step of performing the payment operation.

51. The method according to claim 48, characterized in that in the step of performing the pa}ment operation the signed payer order is entered into the operator's information storage.

52. The method according to claim 48, characterized in that in the step of replenishing the payer device a money demand is formed including data for making a blind money signature, and is delivered to the payment server in which a replenishment source and replenishment amount are determined according to the money demand; data to be unblinded are created in the step of making the blind money signature by processing data for making the blind money signature, that are comprised in the demand, with a secret money key corresponding to the replenishment amount, whereupon the payment certificate signature is made in the payer de-vice by unblinding.

53. The method according to claim 52, characterized in that in the step of replenishing the payer device by the operation of primarily filling the payment certificate a blinded identifier of the created payment certificate base is included as the data for making the blind money signature into the money demand being formed.

54. The method according to claim 48, characterized in that in the step of performing the payment operation a payee receipt is included into the operator's response to the payee order, which receipt being signed with the arbitrary secret key of the operator, and the performing of the payment for the payee is judged according to the validity of the signature on the payee receipt.

55. The method according to claim 48, characterized in that in the step of performing the payment operation data are formed in the payee device with the use of the operator's re-sponse to the payee order and delivered to the payer device, according to which data the per-forming of the payment for the payer is judged.

56. The method according to claim 55, characterized in that in the step of performing the payment operation a payer receipt is included into the operator's response to the payee order and into the data delivered to the payer device, which receipt being signed with the arbitrary secret key of the operator, and the performing of the payment for the payer is judged accord-ing to the validity of the signature on the paver receipt.

57. The method according to claim 56, characterized in that the payer receipt is encrypted by an arbitrary encryption key of the payer prior to including said receipt into the operator's response to the payee order.

58. The method according to claim 48, characterized in that in performing operations with the payment certificate the public key of the payment certificate converted by an arbitrary one-way function is used as the identifier of the payment certificate base.

59. The method according to claim 48, characterized in that in performing operations with the payment certificate the public key of the payment certificate is used as the identifier of the public key of the payment certificate.

60. The method according to claim 48, characterized in that in the step of replenishing the paver device the validity of the made payment certificate signature is verified.

61. The method according to claim 48, characterized in that in the step of opening the ac-count an arbitrary secret key is accepted as the secret key of the account, and the public key corresponding to the secret key of the account is delivered to the payment server as the pub-lic key of the account being opened.

62. The method according to claim 48, characterized in that conditions of payment are in-cluded into the payer order.

63. The method according to claim 62, characterized in that payee obligation data are in-cluded into the conditions of payment comprised in the payer order.

64. The method according to claim 63, characterized in that prior to performing the payment operation, the payee obligation data are signed with an arbitrary secret key of the payee, and the payer verifies the payee's signature on the payee obligation data prior to performing the payment operation.

65. The method according to claim 63, characterized in that in the payer device in the step of forming the payment data, the payee obligation data are processed by an arbitrary one-way function, and data obtained in this processing are included into the payer order as the conditions of payment.

66. The method according to claim 48, characterized in that the payer order is encrypted by an arbitrary public encryption key of the operator prior to including them into the payment data.

67. The method according to claim 52, characterized in that in the step of replenishing the payer device the payer's account is used as the replenishment source.

68. The method according to claim 52, characterized in that in the step of replenishing the payer device a bank card is used as the replenishment source.

69. The method according to claim 48, characterized in that in the step of performing the payment operation the payee appears as the payer.

70. The method according to claim 48, characterized in that in the step of performing the payment operation a part of a payment certificate value is returned to the payer device.

71. The method according to claim 52, characterized in that in the step of replenishing the payer device, the payment account associated with the base of one of payment certificates is used as the replenishment source.

72. The method according to claim 48, characterized in that the step of replenishing the payer device is performed from funds of an intermediate payer.

73. The method according to claim 72, characterized in that in the step of replenishing the payer device, data blinded in the payer device in the step of making the blind money signature of the operator are subjected to an additional blinding, in the payer device of the intermediate payer.

74. A method for effecting payments comprising steps of: replenishing a payer device by an operation of primarily filling a payment certificate. in which a payment certificate base is created in the payer device and a payment certificate signature is obtained by means of mak-ing a blind money signature of an operator; performing an operation of opening a payee's account; performing a payment operation in which an identifier of the payment certificate base is included into payment data delivered to a payee device by means of which a payee order is formed including the identifier of the payment certificate base received from a payer; delivering the formed payee order to a payment server in which the payee's account is credited on the basis of the payee order: forming the operator's response to the payee order.
by means of which response the payment operation is judged, characterized in that the method is further comprising steps of: including an identifier of a public key into the pay-ment certificate base, said public key corresponding to an arbitrary secret key of the payer.
wherein the public key is accepted as the public key of the payment certificate and the secret key of the payer is accepted as the secret key of the payment certificate;
replenishing the payer device by means of an operation of replenishing the payment certificate, in which a blind money signature of the operator on the payment certificate signature already being in the payer device is made; opening a payment account associated with the payment certificate base; carrying out an operation of crediting the payment account, in which a payment cer-tificate signature is delivered to the payment server, choosing the level of said signature ar-bitrarily within the level of the payment certificate. and the operation of crediting the pay-ment account is carried out in accordance with the excess of the level of the delivered signa-ture above the level of the payment account: including a payer order signed with the secret key of the payment certificate into the payment data, and including an information on the payee and the identifier of the payment certificate base into the payer order;
and the step of crediting the payee's account is carried out according to the validity of the signature on the payer order from funds of the payment account.

75. The method according to claim 74, characterized in that the payment account associated with the payment certificate base is opened in the step of performing the payment operation.

76. The method according to claim 74, characterized in that the operation of crediting the payment account is carried out in the step of performing the payment operation.

77. The method according to claim 74, characterized in that in the step of performing the payment operation the signed payer order is entered into the operator's information storage.

78. The method according to claim 74, characterized in that in the step of replenishing the payer device a money demand is formed including data for making a blind money signature, and is delivered to the payment server in which a replenishment source and replenishment amount are determined according to the money demand; data to be unblinded are created in the step of making the blind money signature by processing data for making the blind money signature, that are comprised in the demand, with a secret money key corresponding to the replenishment amount, whereupon the payment certificate signature is made in the payer de-vice by unblinding.

79. The method according to claim 78, characterized in that in the step of replenishing the payer device by the operation of primarily filling the payment certificate a blinded identifier of the created payment certificate base is included as the data for making the blind money signature into the money demand being formed.

80. The method according to claim 78, characterized in that in the step of replenishing the payer device by the operation of replenishing the payment certificate a blinded payment cer-tificate signature is included as the data for making the blind money signature into the money demand being formed.

81. The method according to claim 74, characterized in that in the step of performing the payment operation a payee receipt is included into the operator's response to the payee order, which receipt being signed with the arbitrary secret key of the operator, and the performing of the payment for the payee is judged according to the validity of the signature on the payee receipt.

82. The method according to claim 74, characterized in that in the step of performing the payment operation data are formed in the payee device with the use of the operator's re-sponse to the payee order and delivered to the payer device, according to which data the per-forming of the payment for the payer is judged.

83. The method according to claim 82. characterized in that in the step of performing the payment operation a payer receipt is included into the operator's response to the payee order and into the data delivered to the payer device. which receipt being signed with the arbitrary secret key of the operator, and the performing of the payment for the paver is judged accord-ing to the validity of the signature on the paver receipt.

84. The method according to claim 83, characterized in that the paver receipt is encrypted by an arbitrary encryption key of the payer prior to including said receipt into the operator's response to the payee order.

85. The method according to claim 74, characterized in that in performing operations with the payment certificate the public key of the payment certificate converted by an arbitrary one-way function is used as the identifier of the payment certificate base.

86. The method according to claim 74, characterized in that in performing operations with the payment certificate the public key of the payment certificate is used as the identifier of the public key of the payment certificate.

87. The method according to claim 74, characterized in that in the step of replenishing the payer device the validity of the made payment certificate signature is verified.

88. The method according to claim 74, characterized in that in the step of opening the ac-count an arbitrary secret key is accepted as the secret key of the account, and the public key corresponding to the secret key of the account is delivered to the payment server as the pub-lic key of the account being opened.

89. The method according to claim 74, characterized in that conditions of payment are in-cluded into the payer order.

90. The method according to claim 89, characterized in that payee obligation data are in-cluded into the conditions of payment comprised in the payer order.

91. The method according to claim 90, characterized in that prior to performing the payment operation, the payee obligation data are signed with an arbitrary secret key of the payee, and the payer verifies the payee's signature on the payee obligation data prior to performing the payment operation.

92. The method according to claim 90, characterized in that in the payer device in the step of forming the payment data, the payee obligation data are processed by an arbitrary one-way function, and data obtained in this processing are included into the payer order as the conditions of payment.

93. The method according to claim 74, characterized in that the payer order is encrypted by an arbitrary public encryption key of the operator prior to including them into the payment data.

94. The method according to claim 78, characterized in that in the step of replenishing the payer device a payer's account is used as the replenishment source.

95. The method according to claim 78, characterized in that in the step of replenishing the payer device a bank card is used as the replenishment source.

96. The method according to claim 74, characterized in that in the step of performing the payment operation the payee appears as the payer.

97. The method according to claim 74, characterized in that in the step of performing the payment operation a part of a payment certificate value is returned to the payer device.

98. The method according to claim 78, characterized in that in the step of replenishing the payer device, the payment account associated with the base of one of payment certificates is used as the replenishment source.

99. The method according to claim 74, characterized in that the step of replenishing the payer device is performed from funds of an intermediate payer.

100. The method according to claim 99, characterized in that in the step of replenishing the payer device, data blinded in the payer device in the step of making the blind money sig-nature of the operator are subjected to an additional blinding in the payer device of the in-termediate payer.

101. An apparatus for effecting payments comprising a payer device, payee device and payment server interconnected by telecommunication nets, the payer device comprising a means for replenishing the payer device by the use of making a blind money signature of an operator, and the payment server comprising a means for making a money signature, char-acterized in that the payer device further comprises a means for creating a payment certifi-cate base by processing the public key of the payment certificate with a one-way function, a means for storing the created payment certificate base in a storage device, and a means for forming a payer order signed with the secret key of the payment certificate;
the payee device comprises a means for forming a payee order including the payer order; the payment server further comprises a means for performing a payment operation, a means for serving a data-base of payment accounts, and a means for serving a database of accounts, wherein said means for performing a payment operation has a means for verifying a signature on the payer order and a means for making a signed payee receipt, said means for serving the data-base of payment accounts has a means for verifying the money signature, and the means for replenishing the payer device by the use of making the blind money signature of the operator is realized using a means for increasing the level of a payment certificate signature.

102. The apparatus according to claim 101. characterized in that the payee device com-prises a means for opening a public key account. and said means for serving the database of accounts has a means for opening a public key account.

103. The apparatus according to claim 101. characterized in that the payer device com-prises a means for opening a public key account. and said means for serving the database of accounts has a means for opening a public key account.

104. The apparatus according to claim 101. characterized in that said means for increasing the level of a payment certificate signature has a means for forming a money demand includ-ing a blinded payment certificate signature a means for unblinding the data to be unblinded comprised in a response to the money demand. and a means for entering the result of un-blinding into said storage device, and the payment server comprises a means for processing the money demand, wherein said means for processing the money demand has a means for making the money signature.

105. The apparatus according to claim 101. characterized in that said means for serving the database of payment accounts has a means for opening a payment account and a means for crediting a payment account.

106. The apparatus according to claim 101. characterized in that the payee device has a means for verifying the signed payee receipt.

107. The apparatus according to claim 101. characterized in that said means for forming the payer order signed with the secret kex- of the payment certificate has a means for forming a demand for crediting the payment account.

108. The apparatus according to claim 107, characterized in that said means for forming the demand for crediting the payment account has a means for decreasing the level of the payment certificate signature.

109. The apparatus according to claim 101, characterized in that the payer device, payee device and payment server are further provided with a means for encryption of outgoing messages and a means for decryption of incoming messages.