Future Generation Computer Systems 16 (2000) 393–401 Secure linking of customers, merchants and banks in electronic commerce N. Alexandris a,∗ , M. Burmester b , V. Chrissikopoulos a , Y Desmedt b,c a Department of Informatics, University of Piraeus, 80 Karaoli and Dimitriou Str., 185 34 Piraeus, Greece b Information Security Group, Royal Holloway, University of London, Egham, Surrey TW20 OEX, UK c Center for Cryptography, Computer and Network Security, and Department of EE and CS, University of Wisconsin, Milwaukee, PO Box 784, Wisconsin WI 5320 Milwaukee, USA Accepted 3 March 1999 Abstract We use the concept of designated 2-verifier proofs to design simple and secure electronic payment systems. Two on-line protocols which link securely Customers, Merchants and Banks are presented. In the first the identity of the Customer is traceable. This protocol can be used for general electronic payment systems. The second protocol can be used for anonymous electronic cash payments. Both protocols have a simple structure and are provably secure. ©2000 Published by Elsevier Science B.V. All rights reserved. Keywords: Electronic payment systems; Designated verifier proofs; Man-in-the-middle attacks; Non-malleability 1. Introduction The recent wide utilization of international inter- connected computer networks such as the internet and the web applications, and the rapid expansion of elec- tronic commerce have stimulated the demand for elec- tronic payment systems. Electronic commerce is rec- ognized as a leading application in the information so- ciety. In particular, organizations perceive the internet as a virtual market place which offers several advan- tages over the traditional market. The business poten- tial of such applications is the major driving force for electronic payment systems. These systems must be simple and flexible, and must also offer a high level of security to protect all the parties involved. The first electronic cash payment systems which emulate the ∗ Corresponding author. Fax: +30-1-411-2463. properties of physical cash were proposed by Chaum [6–8]. Subsequently many other authors contributed to this area (e.g., [4,5,9,10,30]), which rapidly expanded to include general financial and payment systems (e.g., [17,26,27,34]). Some of the principle desired properties of elec- tronic cash are functionality, security, acceptability and, for some applications, anonymity. Functionality requires that the basic provisions of physical money are satisfied. Security deals with forgery and dou- ble spending. Electronic payment systems should pre- vent these. Acceptability deals with the usefulness of payment mechanisms. Payment instruments must be accepted widely by different financial institutions to facilitate reconciliation. In many financial transactions it is desirable that the identity of the customer is traceable, to prevent sev- eral frauds such as money laundering, blackmailing 0167-739X/00/$ – see front matter ©2000 Published by Elsevier Science B.V. All rights reserved. PII:S0167-739X(99)00063-1