An improved Mondex like protocol About a week ago I posted a protocol that meets the requirements of the Mondex cards as I understand them. It was overkill. I wasn't clear in my own mind what properties of Diffie Hellman I was depending on. Here is an improvement that does not use DH and thus uses less compute power. Two Mondex units, upon command of their respective operators, can pass money from one to the other via infrared signals. I think that this requires tamper proof units. I understand that the Mondex protocol is currently undisclosed. I have no information about that protocol but am merely trying to find a protocol that fits the little that I know about Mondex. Are there other guesses? When a receiving unit, the payee, is instructed by its operator to be ready to receive a payment, it increments an internal counter. The payee transmits an infrared message including its unique id, the counter value and a simple checksum. This message is repeated until some timeout or a valid transmission from a payer is received. The payer unit, having been instructed by its operator to pay, awaits such a message. Upon receipt it decrements its local balance and constructs a record consisting of the payee's id, the payee's counter value, the payment amount and a secret shared by all money units. The payer then transmits a message with the payment amount, and the secure hash of the record. This transmission is repeated until an acknowledgment or a timeout. Upon receipt the payee is able to reconstruct the payer's record and compute the secure hash. If the computed hash matches the received hash then the payee can be sure that some legitimate payer unit has decremented its local balance and it is thus valid for the payee to increment its value by that amount. It then transmits one acknowledgment. If the receiver's transmission is garbled but the checksum does not catch it then the transmitted money is lost. The payer thinks it has authorized a balance increment but no unit recognizes the authorization as its own. Garbled transmission from a payer are ignored when the hash check fails. Subsequent transmissions will hopefully succeed. Note that this scheme uses no crypto.