The invention relates to a cryptographic method and a system for implementing a cryptographic method, and in particular to a method and a system in which a user, A, may securely access a resource from an issuer, B. In particular, the invention may

advantageously relate to cryptographic methods, systems and apparatus involving very high-speed communications, preferably light-speed communications or equivalent communications at the speed of propagation of light in, for example, optical fibres.

Background of Invention

To date, the concept of‘money’ (or in the same way for the purposes of this document, ‘token’,‘share certificate’‘access password’, or any other term representing a quantity that has value or can be exchanged for something of value) has not properly been

conceptualised for relativistic networks (that is, networks where light speed signalling constraints are significant). One reason for this is that such a new, generalised

conceptualisation has no evident advantage in scenarios where the speed of

communication (whether of physical money or tokens, or of data defining such money or tokens) may effectively be considered infinite. Another is that computational methods and financial networks and systems were relatively unsophisticated in eras where technology only allowed slower communications. As a result, a conceptualisation applicable for relativistic networks has not been needed for most of human history. However, science has known since 1905 that all communications are bounded by light speed, and this is by now a very practically significant restriction for transactions on the global financial network, military command and control networks, and other networks involving high value decisions.

An important further problem that adds to the motivation for the invention is that, in practice, even the light speed bound may not be realisable or closely approximated. For example, when communicating by means of electromagnetic signals sent through fibre optic cables, those signals will only travel at about 2/3 of the speed of light in vacuum. This is light speed in the optical fibre. As another limitation on communication times, generally speaking signals sent between locations on the Earth’s surface today are transmitted along geodesic paths or longer paths along the Earth’s surface or through the region around the Earth, rather than on straight line paths through the Earth’s interior.

A significant requirement in relativistic settings, spelled out and satisfied in UK patent publication no. GB2542751 , is that a user (or‘buyer’) should be able to transmit a token of

l value, previously issued to them by an issuer (or‘seller’), at the maximum speed possible on a network (which theoretically is light speed in a vacuum along a straight line path between the relevant network nodes, but practically may be slower as just discussed, such as light speed along a predetermined non-straight path and/or in a medium having a refractive index greater than 1 , such as an optical fibre), and should be able to use the token (for example, by carrying out a trade or accessing a database) as soon as it is presented at a point in space-time. Another significant requirement, again spelled out and satisfied in UK patent publication no. GB2542751 , is that the scheme should be secure against duplication (or multiplication). That is, the scheme should prevent the user from purporting to present identical valid tokens at two or more space-like separated points and obtaining the same relevant resource at both points. While cheating in this way can ultimately be detected by the issuer’s agents at respective token-redemption points if and when they are able to compare notes, this takes some time, during which (in high-value scenarios) users could cause significant damage. There are also some scenarios, for example those in which the issuer’s agents may be vulnerable to being kept from communicating, in which they may not be able to compare notes after issuing the relevant resources.

For example, a user with a given authorised trading margin could potentially wreak havoc in a global financial network if they were able to carry out trades at space-like separated points that collectively gave them some multiple of that margin. Though those trades might be detected quickly, it might not be possible to invalidate and reverse them. Legal consequences might deter many cheating users, but despite legal consequences unauthorised trades are not unknown at present. Multiple agents who collectively obtain unauthorised resources might each maintain that their individual actions were legitimate, making responsibility hard to prove and making it more complicated to invalidate and reverse the relevant trades. And some users - perhaps acting in the interests of states or other powerful entities - might be motivated deliberately to destabilise the financial system by such attacks, if they were possible. Similarly, a user with flexible authorisation to control some defensive military resources could jeopardise an entire defensive strategy if they were able to exploit duplication or multiplication attacks illegitimately to control more resources than they are authorised to.

The term‘space-like separation’ as used here is meant to have its standard connotation, of denoting points in space-time between which a light ray cannot travel. As noted above, in many practical applications that constraint of no superluminal signalling may be weaker than the constraints that are in fact in place on communications between points on the network. The following discussions assume, for maximal generality, the light signalling bound, and are given in terms of points between which no signalling at all is possible even in theory (viz., space-like separated points). However, as those of skill in the art will recognise, this is done by way of illustration of the principles involved and the same principles, setups and methods apply equally, mutatis mutandis, to embodiments of the invention in which stronger bounds exist on communication amongst some or all of the agents of one or both of the parties.

Summary of Invention

The invention provides a method, a system, a commitment device, a redemption device and non-transitory computer storage media carrying programs for programming a commitment device and a redemption device, as defined in the appended independent claims to which reference should now be made. Preferred or advantageous features of the invention are defined in dependent subclaims.

The cryptographic method and system may advantageously enable a user rapidly and securely to access a resource from an issuer, using very high-speed communications, such as light-speed communications or optical-fibre communications.

Thus, by way of illustration a first aspect of the invention may advantageously provide a method as follows (reference should also be made to the definitions following the description of this embodiment). The method is a cryptographic method comprising the following steps;

A user and an issuer enter into, or agree, or pre-agree, an arrangement comprising a rule or rules under which a token, or one or more sub-tokens, will be defined by commitment data. The commitment data will be created by the user initiating commitments of respective committed data at each of two or more commitment space-time points and by generating corresponding commitment data. Under the rule(s) of the arrangement, when the commitment data or a subset thereof forming the token or sub-token are presented, or unveiled and presented, at one of a plurality of token-redemption space-time points, the user and the issuer can determine, by applying the rule(s), whether or not the token or sub token is valid at that token-redemption point.

After the arrangement has been entered into;

the user can initiate a commitment to the respective committed data at each of the commitment points and generate the commitment data, following the agreed rule(s) of the arrangement; the commitment data or a subset thereof that comprise the token or sub-token can then be unveiled to reveal the corresponding committed data, which is presented at a token-redemption point; and

the issuer can determine whether the token or sub-token is valid (according to the rule(s)) at that token-redemption point and, if so, permit the user to access an agreed resource from the issuer, or to use the token or sub-token in relation to a further commitment or set of commitments to the issuer.

In this document, the following definitions are used.

(i) By network is meant an agreed set of points in space-time (network points) with specified space and time coordinates with respect to an agreed reference frame, such that it is agreed that communications between the parties of prescribed types may take place by agreed means within agreed (relatively small) space-time regions around the relevant points. In other words, in preferred embodiments, the maximum spatial diameters of these regions are smaller than the typical distances between the spatial locations of the network points, preferably less than one half or one tenth of these distances. These are regions within which the parties, or their agents, may exchange information to complete functions such as to initiate a commitment or to validate a token. These regions may thus be termed commitment points, or unveiling points, or redemption points, as set out below.

Each point on the network may be a commitment point and/or an unveiling point and/or a redemption point. Communications establishing one or more commitments, following an agreed form, may take place at any commitment point. Communications unveiling one or more commitments, following an agreed form, may take place at any unveiling point.

Communications presenting a token or sub-token for redemption, following an agreed form, may take place at any redemption point. In some embodiments, unveiling points are identical to redemption points, and the communications required to define a suitable set of unveilings may also suffice to present a token or sub-token for redemption. However, more general embodiments are also possible, for example as known in conventional commitment systems, in which unveilings may take place without immediate redemption and the unveiled committed data are then retained by agents of the issuer and/or propagated to other agents of the issuer so that they are available to agents of the issuer located at redemption points, where they may define part or all of the data allowing a token or sub-token to be presented for redemption and validated. In preferred embodiments, both parties agree in advance their respective practical communication constraints on the network, which may be different for the two parties, so that each knows whether or not they may assume that the other is able to send signals between any pair of points. In preferred embodiments, while these constraints necessarily restrict the possible speed of communication between any pair of separate points in space, both parties are able to send signals from any location in space to any other location in space so that the signal will arrive before some fixed finite time (which in general will depend on the relevant pair of locations) has elapsed, and both parties may rely on this being the case for the other party. That is, each party can send signals between any pair of locations in space at some pre-agreed transmission speed (or faster). However, the invention may also be applied in embodiments in which there are pairs of locations in space between which one or both parties are not able to communicate, or may not be able to communicate, at all. The invention may also be applied in embodiments in which the time needed to communicate between locations may depend on the time at which the signal is sent.

(ii) By token scheme is meant a cryptographic method of combining commitments and unveilings on a defined network of commitment, unveiling and redemption points in space- time, following defined rules (defined by agreement between the parties), to define tokens and sub-tokens. A user (or an agent of the user) may make or initiate a commitment (or a set of commitments) to an issuer (or an agent of the issuer) at a commitment point or set of commitment points. (References in this document to a set of commitments should be taken, where appropriate, to include single commitments.) The user (or an agent of the user) may then unveil the committed data from some or all of these commitment(s) to the issuer (or an agent of the issuer) at one or more unveiling points (which may or may not coincide with one or more redemption points). The unveiled committed data from the commitment or commitments are thus unveiled at a redemption point and/or retained by and/or transmitted between agents of the issuer so as to be available to one or more agents of the issuer at one or more redemption points. The commitment data for the commitment or commitments (as defined below) may effectively define a token at one such redemption point or one or more sub-tokens at one or more such redemption points. The validity of a token or sub-token defined by a set of commitment data for a set of commitments is determined by the committed data, which may be validated as unveiled by an agent of the issuer when in possession of the corresponding validation data (as defined below) and commitment data. In some embodiments the issuer may thus also verify the validity of a token or sub-token by computations that use such validated unveiled committed data, which may be retained by and/or transmitted between his agents, rather than using the corresponding commitment data.

A set of commitments may include commitments made (or initiated) at the same or at different commitment points (which may be mutually spacelike separated). Where the commitments are made at different commitment points, even if the user’s local agents at some or all of these points do not know whether a new token or one or more subtokens will be generated or not, they can commit to data in case this may generate a component of a token or one or more subtokens. This may provide an advantage in embodiments involving identifying maximum prices or the like. For example, a valid token might require the maximum price to be in a certain range, and if the token is not valid the user would like to try again with updated prices, at the time the first token would have been presented if valid. Also, even if a set of commitments is made at a single commitment point, the committed data from these commitments might be unveiled at separate unveiling points, or committed data from some of them might be unveiled and from others not.

(iii) A token is defined by the commitment data for a set of commitments (which in general may only be a subset of a full set of commitments) such that the corresponding committed data, when unveiled, constitute redemption data, as defined below. If the token follows the rules of the token scheme, the unveiled committed data from the corresponding

commitments, which collectively define the redemption data corresponding to the token or sub-token, define a valid token at a redemption space-time point P. By definition, the rules of the scheme then guarantee that no other valid token or sub-token can also be defined at any other redemption space-time point Q, including points space-like separated from P or other points Q such that communication between Q and P is not possible. A local issuer agent at P may thus accept the token in exchange for a given resource, confident that no other issuer agent will accept another token or sub-token exchangeable for that resource.

(iv) A sub-token is defined by the commitment data for a set of commitments (which in general may be only a subset of the full set of commitments) such that the corresponding committed data, when unveiled, constitute redemption data, as defined below, and that, following the rules of the scheme, define a valid sub-token at the space-time point P. The rules generally may allow the possibility that one or more other valid sub-tokens may be defined at other space-time points Q, which may include points space-like separated from P or other points Q such that communication between Q and P is not possible. However, the rules constrain the number and type of valid sub-tokens that may be generated by the scheme, so as to satisfy pre-agreed constraints (as agreed by the parties). The local issuer agent at P may thus accept the sub-token in exchange for a given resource, confident that, while other local issuer agents may also exchange other sub-tokens for other resources, the overall distribution of resources will necessarily satisfy pre-agreed constraints.

(v) The synonymous terms token fraction and fraction of a token refer to the special case of a sub-token, in which the agreed constraints or rules allow the token to be sub-divided only into positive fractions fj that sum to 1. Schemes allowing token fractions have a particularly natural application when the token may be exchanged for a resource, such as a sum of money M, that is divisible, and the token fractions may be exchanged for fractions of that resource (for example, smaller sums of money f_i * M). In a token scheme that allows token fractions, a local issuer agent may accept a token fraction f_i in exchange for the corresponding fraction of the total resource, confident that the total resource value distributed by all issuer agents will be no more than the token resource value. (In the example above, the issuer agents may be confident that the total monetary value redeemed by token fractions is no more than M.)

(vi) By elementary component of a token is meant an individual commitment, together with corresponding commitment data, that forms part of a token scheme. This need not necessarily define a token or a sub-token.

(vii) A composite component of a token is a collection of commitments, together with corresponding commitment data, that form part of a token scheme. Again, this need not necessarily define a token or a sub-token.

(viii) A commitment point is a point in space-time at or near which the user may make or initiate one or more commitments as part of the token scheme. For some types of commitment, the commitment must be made at or near the commitment point, and is then complete. (This may be true, for example, for some types of quantum commitments whatever technology the user has and for other types of quantum commitments if the user is not able to store or transmit quantum states but is able to measure them. It may also be required for computationally-secure cryptographic commitments if the user and issuer agree that such commitments must be completed near the commitment point.) For some types of commitment, the commitment must be made at or near the commitment point, but may need to be sustained by continuing communications between (at least) two pairs of user and issuer agents. (This is true, for example, of commitments that involve classical information exchanges and rely for security on the impossibility of superluminal signalling.) For some types of commitment, the commitment may be made by the actions of one or more agents of the user after the commitment is initiated, at any point or points (or in any space-time region or regions) in the causal future of the commitment initiation point and in the causal past of the unveiling point at which the committed data is unveiled. (This is true of some quantum commitment schemes if the user is able to store, process and transmit quantum states in any way consistent with the laws of physics, without significant losses or errors. In such schemes, the user could, for example, delay making her commitment until at or near the point where it is unveiled, which could potentially also be the token redemption point. We refer to the point at which such a commitment is made in a scheme of this type as the commitment completion point. For commitment schemes of this type, making the commitment does not require any communication between the user and the issuer and thus no agent of the issuer need necessarily be present at or near each possible commitment completion point. The possible commitment completion points thus need not all necessarily be considered as part of the network.)

Thus, depending on the technology being used and the nature of the commitment schemes used, the issuer and the user (or their agents) may meet at a commitment space-time point and both initiate and complete a commitment at or near that point, or they may meet at a commitment space-time point and initiate a commitment at or near that point that they (represented by two or more of their respective agents at separate locations) sustain by continuing communications, or they may meet at a commitment space-time point and only initiate the commitment by exchanging information at that point, the commitment itself being made later by an agent of the user at a commitment completion space-time point.

In this document, the term commitment point (used herein equivalently to commitment space-time point) will be used to refer to the commitment initiation point, i.e. the space-time point at which the issuer and the user (or their agents) first exchange information to begin the commitment scheme, whether or not the commitment is completed at that point, and whether or not the commitment needs to be sustained by continuing communications between user agents and issuer agents.

(ix) The commitment data for a given commitment scheme that forms part of the token scheme comprise all the classical and/or quantum information that the user is required to retain for presentation at unveiling by the given commitment scheme. Such data may include and/or be generated from data correlated or entangled with data input by user agents in the course of the scheme and/or data received by agents of the user in the course of the scheme. The validation data for a given commitment scheme that forms part of the token scheme comprise all the classical and/or quantum information that the issuer is required to retain for validation of an unveiling by the given commitment scheme. Such data may include and/or be generated from data correlated or entangled with data input by issuer agents in the course of the scheme and/or data received by agents of the issuer in the course of the scheme. The committed data in a given commitment comprise the specific classical data string to which the user is committed if she follows the rules of the commitment scheme.

(x) An unveiling point is a point in space-time at or near which the user may unveil one or more previously made commitments, as part of the token scheme. This requires a user agent at or near the point to communicate commitment data of a pre-agreed type and in a pre-agreed form to an issuer agent at or near the point. The commitment data are defined as part of the commitment scheme. They have the property that, when combined with the validation data for the given commitment, they give the issuer’s agent at the relevant space-time point persuasive evidence that the commitment being unveiled was made (either at or near the commitment point, or at any rate prior to or at the unveiling point, depending on the type of commitment scheme) to a specific classical data string, namely the committed data in the relevant commitment.

In preferred embodiments, if committed data are unveiled at an unveiling point that are not part of data presented as comprising the committed data associated with a token or sub token valid at the given unveiling point, the issuer’s agent at that point may retain the unveiled data and/or communicate the unveiled data to other issuer agents at or faster than pre-agreed speeds, so that the data may be available to issuer agents at a pre-agreed set of future redemption points and may comprise part or all of data comprising the redemption data (as defined below) associated with a token at one such future redemption point and/or one or more sub-tokens at one or more such future redemption points.

(xi) A redemption point (or token-redemption point) is a point in space-time at or near which the user may present commitment data unveiling one or more previously made

commitments, with these commitment data collectively defining a token or sub-token, as part of the token scheme. The corresponding unveiled committed data from the corresponding commitments collectively define redemption data corresponding to the token or sub-token, as part of the token scheme. The relevant redemption data may also include unveiled committed data from commitments earlier unveiled at unveiling points in the past of the redemption point, provided that the scheme requires the issuer’s agents at such unveiling points to have retained and/or communicated the unveiled committed data so that they are available to an agent of the issuer at the relevant redemption point, such requirement being consistent with the issuer’s pre-agreed communication constraints. In some embodiments, the scheme may also require the issuer’s agents at such unveiling points to have retained and/or communicated the corresponding commitment data.

However, the scheme also allows the validity of a token or sub-token to be determined directly from committed data that has been validly unveiled to an issuer agent or agents, so that the requirement to communicate such commitment data is not essential to the scheme. Any committed data not previously unveiled that are required as part of the redemption data must be unveiled at the redemption point. This requires a user agent at or near the point to communicate all relevant commitment data in a pre-agreed form to an issuer agent at or near the redemption point.

In preferred embodiments, the scheme should ensure that the issuer agent is able to validate a token or sub-token so presented using the redemption data together with data previously communicated to the issuer agent by other issuer agents and/or user agents as part of the scheme. This allows the issuer agent to give the user agent access to pre agreed resources corresponding to the presented token or sub-token, once they have carried out the computation or computations necessary to verify the validity of the token or sub-token, without requiring any additional communications with other agents. In preferred embodiments, the computations required to validate a token or sub-token may be completed quickly compared to (i.e. in significantly less than) the time taken to signal between distant network points, so that access may be granted to the corresponding resources at a point in space near to the spatial coordinates of the redemption point and at a point in time immediately after or soon after the presentation of the token or sub-token.

In other embodiments, variants of the scheme may sometimes require an issuer agent to cross-check with one or more other agents after a token or sub-token is presented for validation. This could still be advantageous if the time for any cross-checks required may be shorter than the time required for full cross-checking with other agents everywhere on the network.

In a further aspect the invention may thus advantageously provide a cryptographic method comprising the following steps.

First, a user A and an issuer B enter into an arrangement, or agreement, comprising a rule or rules for creating and redeeming a token or a sub-token. Under the rule(s), a token can be created, defined by commitment data generated by commitments to respective information, in the form of respective committed data, to which the user will commit (or initiate a commitment) at each of two or more commitment space-time points. When the token or a sub-token is then presented at one of a plurality of token-redemption space-time points, the rule(s) can be applied to the committed data in the (sub-)token to determine whether or not it is valid at that token-redemption point.

After the arrangement between the user and the issuer has been entered into (which includes agreement to a token scheme), the process of creating and redeeming a token can be implemented. The user may commit to the respective committed data at each of the commitment points, for example through an agent of the user at each commitment point, to generate commitment data. When each commitment is made, the user at each commitment point may receive the commitment data and the issuer at each commitment point may receive corresponding validation data. The user may commit to different respective information, in the form of the committed data, at each commitment point which may, for example, be information which is known to an agent of the user at that

commitment point at the time when the commitment is made, but which is not necessarily known to agents of the user at the times and locations of other commitment points. The information might for example be a local price of a commodity or an offer price for a transaction at the point in space and time where the commitment is made, or some other mathematical function determined by market data at that point, or some other mathematical function determined by other local data such as local weather data or statements or actions of independent local agents (i.e. independent of the user or the issuer).

Under the arrangement, the user's agent at a commitment point generates the commitment data, to which they will initiate the commitment, in any agreed manner so as to enable later validation of a token or sub-token under the arrangement. The agent may acquire information, typically from external sources, which might for example be local market data, local weather data, signals from other agents (of the user or the issuer or of some independent party), locally generated random numbers, the results of computations they are running on local computers, or combinations of any or all of these. The committed data may (depending on the arrangement) be the information that they have acquired, or it may be derived from that information. For instance, the committed data may be the local market price of a commodity A, where A is defined in a signal they have just received from another user agent. Or it may be a coarse-grained version of the market price: say, the market price is defined in pence, but rounded to the nearest pound. Or the committed data could be generated based on information from other sources, which could include several different sources. When the commitment by user agents have been made, the commitment data may then be combined to form the token, for example by the user transmitting the commitment data from two or more commitment points to another agent or agents of the user at one or more of the redemption points and/or by the user presenting some or all of the commitment data and thus unveiling some or all of the committed data at one or more intermediate unveiling points so that the issuer may ensure the relevant commitment data and/or committed data are available to his local agent or agents at one or more of the redemption points. The commitment data from two or more commitment points form the token, or a composite component of the token, which may be a sub-token. The token or a sub-token may thus be presented by the user at a token-redemption point, and the parties can use the rule(s) to determine whether the token or sub-token is valid at that token-redemption point. If so, then the user may access an agreed resource from the issuer, or an agreed portion of a resource. If the user wishes to defer access to the resource, then they may alternatively use the validated token or sub-token in relation to one or more further commitments to the issuer, made at one or more commitment points. These commitment points may be but need not necessarily be in the future of the redemption point and/or include the redemption point (if it is also an agreed commitment point). The commitment or commitments may for example be used to generate a further token or sub-token that may be presented (or again extended) at a later time.

In certain prior art systems, a token may effectively be propagated to a given future space- time location by making commitments to committed data that explicitly give the coordinates of that location (in some agreed coding scheme). So, in such a system, in testing the validity of a presented token the issuer’s agent needs to compare the value of the committed data from such commitments against the coordinates of the space-time location where it is presented.

In preferred embodiments of the present invention, there may be more flexibility. For example, none of the user’s agents at the commitment points need necessarily know the location where the token will be valid. The valid location may only be inferable at the redemption points, when the values of the committed data from the commitments are compared. This is true, for instance, in examples where the token is valid at some point in space where the price of a commodity (or some other local data point) was maximised (or minimised or specified in some other way) at the time of commitment. In such examples, the validity of a token depends implicitly on the space-time location of the redemption point at which the commitment data are presented, since it requires that point to have the same spatial coordinates as the point where the maximising (or minimising or otherwise specified) value was committed.

Further, in preferred embodiments of the present invention, the rules for tokens and subtokens may depend explicitly on space-time coordinates. For example, the rules for what is required for a valid token or subtoken presentation could be different in different locations, such as in America and Europe, or different in different time intervals, in ways that have been pre-agreed between the parties.

In a preferred embodiment, the step of determining whether the token or token portion is valid at a token-redemption point may depend on the space-time location of the token- redemption point and its relationship to the space-time location of the commitment points and the information given by the corresponding commitments. Thus, the rule(s) of the arrangement may advantageously require that the process for determining the validity of the token or token portion depends on the committed data to which the user has committed at the two or more commitment points from which commitment data have been received to form the token or token portion, and one or more of the space-time locations of these commitment points, of the token-redemption point and of any intermediate unveiling point(s).

This is a preferred embodiment rather than an essential component of the scheme, since for example a network may have only one redemption point, where there either is or is not a valid token at that point depending on the committed data in the commitments. In this case the validity of the token need not depend on the space-time location of the token- redemption point, as there is only one such point

In a second aspect, the invention may further provide a cryptographic system for enabling the user securely to access a resource from the issuer. The user and the issuer have entered into an arrangement comprising a rule or rules under which a token or a sub-token will include respective committed data to which the user has committed at each of two or more commitment space-time points. The rule(s) also allow the user and the issuer to determine, when a token or a sub-token is presented at one of a plurality of token- redemption space-time points, whether or not the token or the sub-token is valid at that token-redemption point. The system may then comprise a respective commitment device for enabling the user to make or initiate a secure commitment to the issuer at each commitment point, the commitment being to committed data. The committed data are data that the user inputs into the scheme. For commitment schemes that require the commitment to be made at the commitment point, the committed data are based on information available to the user’s agent at that commitment point. For commitment schemes which allow the commitment to be made later than the commitment point, the committed data and thus also the commitment data may be based on information available to one or more agents of the users at one or more input points, which are spacetime points at or in the causal future of the commitment point and at or in the causal past of the corresponding unveiling point, at which an agent of the user may optionally input classical and/or quantum information to the device. The commitment device is configured to generate commitment data at one or more outputs associated with the user and (for commitment schemes that produce validation data) to generate validation data at one or more outputs associated with the issuer. A token or subtoken comprises the commitment data generated by two or more commitment devices, which have for example been shared between agents of the user receiving commitment data output by two or more commitment devices that initiate commitments at two or more commitment points and by an agent of the user at a token-redemption point.

The system then further comprises a respective redemption device at each token- redemption point, each of the redemption devices having an input associated with the user for receiving the token or one or more sub-tokens, and an input associated with the issuer for receiving validation data corresponding to the commitments whose data comprise the token or sub-token(s), and being configured to determine the validity of the token or subtoken or subtokens by applying the rule(s) to the information in it or them.

If the token or subtoken is partly or wholly defined by commitments that have previously been unveiled, then the relevant commitment data have been previously been supplied to an agent of the issuer; such commitment data and/or the corresponding validated unveiled committed data may for example have been retained or communicated so as to be available to a local agent of the issuer at a token-redemption point. The redemption device may optionally have an input associated with the issuer for receiving such commitment data for token schemes in which unveilings of one or more commitments may precede the redemption of the token of which the relevant commitment(s) are

component(s). The redemption device may also or alternatively optionally have an input associated with the issuer for receiving validated unveiled committed data for token schemes in which unveilings of one or more commitments may precede the redemption of the token of which the relevant commitment(s) are component(s).

Each redemption device for validating the token may (1) use the commitment data to unveil the committed data to generate the redemption data and validate the token, or (2) receive redemption data that has already been generated by unveiling committed data, in which case it may validate the token on the basis of the redemption data or (3) perform a combination of these processes by unveiling committed data to generate some of the redemption data, and receiving other redemption data from committed data previously unveiled by a separate unveiling device, to assemble the redemption data submitted for verification by the redemption device.

Each commitment device and/or redemption device is preferably suitably programmed to implement the commitment scheme rule(s) and/or token scheme rule(s) agreed between the parties, optionally automatically without further input from the issuer or the user during the steps of commitment or redemption.

Preferred embodiments of the invention may thus comprise a number of useful features, as follows.

Embodiment (1) Rules for producing a valid token are agreed between the issuer and the user at the start of a cryptographic protocol, or commitment protocol. One simple example of such a rule would be (a): 4 out of 7 shares, which may be defined by elementary or composite components, of a token validly propagated to a point in space- time Q may be required for it to be accepted that the token has been validly propagated to Q and may be used there. In this case, the token shares may for example be propagated to the token-redemption point Q by commitments that explicitly reference its space-time co ordinates, so that the validation test for the token at Q also explicitly depends on the space- time coordinates of Q. Another example would be (b): a network that has a point at each of a number of locations on the surface of the Earth, such as at the stock exchanges of each of a number of selected countries. In this case the network on which the invention operates is the global financial network with nodes being the stock exchanges. At some time t, the user calculates a function at each network point (which defines the location of a commitment point) and commits to it there. The calculated function is the information to which the user commits at that commitment point. At a later time t’ just sufficiently later than time t for signals to have reached every one of the spatial locations from every other, the user unveils the committed data from his commitments (the commitment data having been communicated to every location) at every redemption point. The token is accepted as valid (only) where the function attains a maximum. For example, the function may be the price of a given share (in a company or other financial vehicle) at time t. The user may have a token representing some number of the relevant share, and wish to propagate it as quickly as possible to the maximum price point, where he may access a pre-agreed resource from the issuer at time t’, for example to carry out a transaction relating to the shares. In this case, the spatial location of the token-redemption point (in the given fixed reference frame) would be relevant to the validity of the token or sub-token.

Embodiment (2) Tokens may be distributed and delocalized over a network by using many token components each defined by commitment data from a commitment to a mathematical statement, with each component propagated separately by cryptographic commitments. Each token component therefore corresponds to commitment data resulting from a user’s commitment, for example output by a commitment device at a commitment space-time point. The committed mathematical statements collectively define rules for validating tokens at redemption points, with the property that it may be logically deduced from a set of statements unveiled and presented at a redemption point, if they define a valid token, that no valid token can be defined at any other redemption point.

Embodiment (3) The rules may depend on spatial location and the time, and may include choices made by the user subsequently to the initial agreement of the rules, within prescribed parameters and by a pre-agreed coding scheme, using cryptographic commitments. As a simple example, it might be agreed that the number of components of a token defined by N components may be increased or decreased, within prescribed parameters, at prescribed points in space-time. In general, the rules may allow any type of mathematically well-defined statement affecting the valid presentation of the token, with the statement taken from any set of allowed statements that the parties pre-agree.

The scheme may also allow the issuer to make choices subsequent to the initial agreement of the rules, within prescribed (pre-agreed) parameters. For instance, the issuer might be able to choose a subset of the redemption points at which a valid token may be redeemed. In one embodiment, the subset of redemption points may be the redemption points within a spatial or geographical region chosen by the issuer. In this way, for example, Example 9 below could be modified, using the same sets of commitment and redemption points but different token rules. Thus the issuer might choose one hemisphere (perhaps from a small set, for example the northern or southern hemisphere, or perhaps from a larger set of possible hemispheres) which is kept secret from the user until the time at which the token redemptions take place. At that time, all issuer agents make co-ordinated announcements of the hemisphere choice to all the corresponding local user agents. The token is valid at the point in the chosen hemisphere where the function takes its unique maximum (i.e. now considering only function values in that hemisphere). Embodiment (4) A claim that a whole token is presented at any network redemption point Q in space-time will be accepted as valid provided that, given the pre-agreed set of possibilities allowed by the rules, and given the commitments validly unveiled at Q, it follows logically that no claim to validly present the token can also take place at any redemption point R space-like separated from Q. For instance, in example 1 (b) above, the commitment scheme guarantees that the same set of function values is produced at every network point, and that the token will only be accepted at one point if there is a unique maximum of the function. If there is not a unique maximum, but a finite number M of them, then using the generalisation of the invention described in (6) below, the rule might be that a fraction 1/M of the token is accepted as valid at each of the M maxima. Alternatively, the rule might be that the token will not be accepted anywhere at time t’ if the maximum is not unique. In this case additional rules may be provided to ensure that the token can be accepted somewhere at some later time.

Embodiment (5) The statement at (4) above assumes the theoretically ideal case in which the issuer can and does communicate all information at light speed, along the shortest possible path, between his agents on the network. In a realistic case where the issuer’s communications are generally slower than light speed , the statement of (4) above must be modified, to state that the token may be accepted as valid if, given the issuer’s pre-agreed communication constraints, and assuming that the issuer communicates all information between agents as fast as these constraints allow, it follows logically that no claim to validly present the token can also take place at any other redemption point R other than Q. In its simplest form, the scheme may assume that if the issuer is able to send signals from R to Q or from Q to R, then he will do so, and so it will follow logically that if one of these conditions holds then valid claims of token presentation cannot be made at both Q and R, since we may assume that the information that the token has already been presented is sent from R to Q, or Q to R. An important advantage of the invention is to cover presentations of tokens at pairs or sets of points in space-time that are not related in this way. However, see (7) below for additional comments.

Embodiment (6) Embodiments of the invention may be viewed, in general terms, as relating to schemes for distributing a token in such a way that fractions of the token may be presented and accepted at different points in space-time, including space-like separated points. Points (2)-(5) above apply to this generalisation, mutatis mutandis. For point (6), the requirement becomes that a claim that a positive fraction F_i is presented at a point Q_i will be accepted as valid provided that, given the pre-agreed rules (and allowed variations) of the scheme, and the commitments unveiled at Q_i, it follows logically that no set of claims to validly present fractions FJ at points QJ (including the fraction F_i at Q_i) can be justified if Fj > 1 for any possible indexing set J.

Embodiment (7) Some embodiments of the invention may require that, once a fraction or portion FJ (which may be the whole token) has been presented and accepted at some space-time point QJ, the issuer’s agent at QJ communicates this fact to all agents of the issuer located at space-time points in the causal future of QJ that can be reached (given communication constraints) from QJ.

However, other embodiments of the invention may not have such a requirement. It might be assumed instead that the issuer’s agents communicate information about token acceptance only to a subset of the set of other agents whom they could communicate to, or communicate more slowly to some other agents than they could in principle, or that they do not communicate it all. Depending on the other token scheme rules, these weaker assumptions may mean that there are fewer situations in which the user can validly present a token or fraction thereof or in which the issuer can validate a token or fraction presented for redemption. However, the scheme may still advantageously be applicable in

appropriate scenarios under such weaker assumptions, as the skilled person would appreciate.

In more general terms, it may be important to ensure that a token or fraction cannot be redeemed more than once. In some schemes this may be guaranteed by the form of the commitment rules (i.e. by the nature of the agreement between the parties) alone, so that the token can only be valid at one redemption point. This is true, for instance, in embodiments where all the redemption points are at the same time, and the commitments identify a unique maximum point of some function. However in many schemes there are redemption points at many times, some in the causal future of others. It is then desirable to ensure that a token cannot be redeemed both at P and Q in general, and in particular when Q is in the causal future of P. One simple way to ensure the latter is for issuer agents to tell each other once they have redeemed a token, so that no agent in the causal future of the redemption point will accept the token and redeem it again. In that case, it is only necessary for the agreement (the scheme rules) to ensure a token cannot be valid at spacelike separated points P and Q.

In general, schemes in accordance with the invention may assume a set of ordered pairs (Pi, Qi) of space-time points on the network such that the token issuer will guarantee to send signals from each Pi to each Qi; this set may be a subset of the set (Xi, Yi) of ordered pairs of points between which the issuer could send such signals. In other words, restrictions on communications may be defined quite generally in terms of space-time network points, rather than in terms of specific agents who do not communicate to some other agents when they could, or communicate more slowly than they could. For example, some agents may communicate from some points in space-time but not others, even though they could, or may communicate from some points in space-time more slowly than they could.

Embodiment (8) Other embodiments of the invention allow even further flexibility. Such embodiments are not restricted to implementing a token that represents a certain sum of money, which sum could be subdivided so that fractions are presented at different sites. More generally, they can securely implement any set of rules governing the presentation of user-generated sub-tokens that may be exchanged for other assets or resources, with security constraints that ensure limitations on such exchanges. Such rules may depend on the spatial location and timing of sub-token presentation as well as on the types and quantities of assets or resources. A (simple) example could implement a trading margin rule that allows either (a) the presentation of a credit token for 1 billion dollars at a single site, or (b) the presentation of N tokens, where 1 < N < 11 , at separated sites, for a total credit of up to 0.75 billion dollars. Such a rule is cryptographically enforced to ensure that it cannot be violated by presenting extra (sub)tokens at space-like separated sites. Or, where tokens and sub-tokens are used to obtain access to resources, another example could implement a rule that allows control of, for example, up to five defensive military assets at different locations within a given continent, or three on separate continents, or seven at a single location.

Such embodiments may also include rules that make the value of a valid token or subtoken depend on the committed data corresponding to the commitment data defining the token. For example, in example 9 below, the token value could depend on some function of the global distribution of the values of the function that are reported at the redemption point and that validate the token there. One simple possibility would be for the token value to be the difference between the global maximum value and the global minimum value.

Similar comments apply here as in point (7) above; some embodiments of the invention may assume or require that, once a sub-token (which may be the whole token) has been presented and accepted at some space-time point Q_i, the issuer’s agent at Q_i communicates this fact to all agents located at points in the causal future of Q_i that can be reached (given communication constraints) from Q_i. However, other embodiments of the invention may not have such a requirement. It might be assumed instead that the issuer’s agents communicate information about subtoken acceptance only to a subset of the set of other agents whom they could communicate to, or communicate more slowly to some other agents than they could in principle, or that they do not communicate it all. Depending on the other token scheme rules, these weaker assumptions may mean that there are fewer situations in which the user can validly present a subtoken. However, the scheme may still advantageously be applicable in appropriate scenarios under such weaker assumptions, as the skilled person would appreciate.

Embodiments of the invention may thus advantageously address a number of problems in existing technology.

The first is security - protecting as securely as possible the privacy of users while also protecting issuers against duplication/multiplication attacks.

The second is flexibility of response, particularly advantageously on distributed relativistic networks when a single token will ultimately be presented with proof of validity. This applies even more strongly in the case of sub-divided tokens, which give considerably more flexibility. The inventor’s understanding is that this is not an issue that has been considered to date, because the idea of money or token has not been adequately conceptualised in a token that is designed for use on networks where relativistic or other signalling constraints play a significant role. Embodiments of the invention may allow more efficient algorithms for producing a token at a desired point in response to data arriving at different space-time points in a network. The invention may also allow a token to be flexibly defined by components defined by commitment data from commitments to committed data defining general mathematical statements drawn from a pre-agreed set of allowed statements, where these components may be distributed at different points on a network. Such components may also themselves become objects of exchange when appropriately defined and when an appropriate framework has been established between all the relevant parties that allows transfers and exchanges of ownership. Such a framework could be part of the agreement, or arrangement, between the parties and could, for example, allow two users and the issuer, via local agents of each, to agree that components previously associated by the issuer with the first user’s token scheme should henceforth be associated with the second user’s token scheme, and/or vice versa. In principle, some types of component of a money token could thus be exchanged for some types of component of a stock token, for example. Transfers and exchanges of ownership of components could also be made by statements contained in other components of a token scheme, if the rules of the token scheme allow for such statements. Any such extended token scheme must ensure that the transfers and exchanges so defined appropriately restrict the resources available to users, individually and collectively, as a result of presenting any collection of valid sub-tokens and tokens.

The third is flexibility of response on distributed networks when a token may be partially redeemed (with some positive fraction F_i of its value) at each of several points P_i in space-time, which may generally include space-like separated points. The inventor’s understanding is that this too is not an issue that has previously been considered in the context of tokens and sub-tokens distributable over networks where relativistic or other signalling constraints are significant. For example, it allows trading strategies in which a trading margin may be flexibly allocated to enable trades - up to but not beyond the total allowed margin - at many different points, with the spatial locations of these points and the values of the associated trades determined by data arriving at points across the financial network during the decision process. Such strategies may be more general than those allowed by a scheme that simply divides up a token into sub-tokens of prescribed value at the start, because embodiments of the invention may advantageously allow more flexible and more general decision algorithms. Nevertheless, the invention may be designed to ensure that the total fraction redeemed is always no more than one (although it need not be; see next paragraph).

The fourth is flexibility in defining rules for improved general partial (distributed) token redemptions. Embodiments of the invention may allow and securely enforce pre-agreed rules that depend on spatial location, timing, type and value of redemption. These may, but need not be, restricted to rules that divide up a token representing a given monetary value or quantity of resources into sub-tokens representing fractions of that value or quantity that are positive and sum to the given value or quantity.

Although prior elaborations of requirements on tokens on relativistic networks exist that are important and themselves represent key conceptual advances, those still make an assumption that turns out to be significantly and unnecessarily restrictive; namely, that the token effectively follows a well-defined single path through space and time. Of course, this is true for familiar physical tokens (coins, banknotes, subway tokens, and so forth).

However, it need not be true for tokens that are defined by protocols that use classical or quantum information. A token that can be effectively‘delocalised’ so that its behaviour and end state depend on commitment data that may arrive on any of two or more paths, up to a large number of paths, has the advantage that the choice of the final destination where it effectively‘re-localises’ may also depend on information arriving on many different paths, including information arriving at space-like separated points. In a preferred aspect, the invention exploits this advantage, allowing it to be used to implement decision algorithms on financial or other networks that cannot be implemented by tokens that follow definite paths.

Among other advantages, in a preferred aspect, the invention described here may therefore give a way to implement a form of money that can have all the flexible

delocalisation properties of quantum money, but which does not require quantum state storage, nor entanglement or other complex quantum operations. This can be achieved since there is a classical description for each quantum processing operation or quantum communication protocol (such as quantum teleportation) that could in principle be implemented on a quantum money state. A token scheme that allows each such operation to be encoded via a commitment scheme, generating a corresponding token component, with the commitment being initiated at the commitment point where the relevant operation would have been implemented, thus allows a local issuer agent at a redemption point, where all the relevant commitments are (or have been) unveiled, to verify whether the collection of operations implemented in his past light cone would successfully have generated the quantum money state (in the form of a valid token) at that redemption point. In other words, the local issuer agent can verify the token which effectively represents a valid method that could have been used to propagate a quantum money token to the redemption point, were a quantum money token scheme actually employed. The token scheme embodying the invention may thus advantageously allow the user to simulate what she would have done with quantum money, without actually needing all the required technology. Indeed, by using purely classical commitment schemes, this can be implemented using only classical communications. It can also be implemented using only short distance quantum state exchanges followed by measurements and classical communications, using quantum commitment schemes that require only short distance quantum state exchanges. In either case, it is thus implementable with existing technology.

By way of clarification, the reference in the foregoing paragraph to the relevant

commitments having been unveiled before being verified by the local issuer agent at a redemption point, can be more fully expressed as saying that the relevant commitments were validly unveiled in the causal past of that redemption point and the commitment data and/or validly unveiled committed data were communicated to that point for token verification. Moreover, while the invention can reproduce all the flexible delocalisation properties of quantum money, the converse does not appear to be true, even in principle. Embodiments of the invention allow forms of delocalisation that are not possible, using prior art techniques, with quantum money or any similar token scheme in which a quantum state unknown to the user defines the token. It is the inventor’s understanding that these forms of delocalisation, which include practically relevant examples, are not possible using quantum money tokens as presently understood in the art with any techniques. The present flexible delocalisation scheme may advantageously allow users to effectively distribute elements of the token over the network, and to make local decisions at different network points not only about how to propagate such elements further on the network, but also about the rules by which some elements may ultimately be recombined into a valid token. Nonetheless, it maintains security against copying attacks.

Another aspect to the invention is a further generalisation of the requirements on tokens (or money), allowing more flexibility in their use without jeopardising any relevant security requirement from the issuer. Namely, the invention allows tokens to be subdivided at will (perhaps up to some minimal fraction previously agreed by issuer and user). The user is allowed to produce and use fractions (or portions) F_i > 0 of the token at sets of token- redemption points P_i , some or all of which may be space-like separated, so long as the set of validly unveiled commitments available to the issuer at each of the points P_i guarantees to the issuer that there is no possibility of the set F_i satisfying sumj F_i > 1.

(In the simplest scenario, it is natural to assume that the issuer will transmit the information that some fraction F_i has been used at P_i to all accessible future issuing points in the network, so the security protection is required only for cases where at least one pair of the P_i are space-like separated. However, as previously discussed, the invention is also applicable in other scenarios in which the issuer’s agents’ communications are more restricted.) For example, the scheme can allow a user with a billion dollar margin credit to use parts of this credit at various points on the network, including space-like separated points, while guaranteeing to the issuer that the total spend cannot be more than a billion dollars. Note that the invention may provide more flexibility than would a scheme in which the token was initially divided up into elementary sub-tokens (for instance, a billion dollar token divided up into a billion one dollar tokens) that then are propagated along definite paths. It allows algorithms that produce partial credits at sets of points in space-time, in response to local data, in a way that cannot be replicated by any scheme in which money is subdivided and then propagated along definite paths - even when these paths also depend on local data. In this sense, again, it extends the concept of money In a world in which relativistic trading networks carry high value, optimal flexibility in propagating and presenting tokens is valuable. Decisions will generally depend on information arriving at many different points in space-time, generally including many space like separated network points.

For example, flexibility in response may make the difference between being able to execute a valid and credibly profitable trade (known or estimated to be profitable or to have positive expectation value because of an algorithm that depends on the information gathered at many points on the network), or missing an opportunity to do so.

Similarly, a decision about deploying an element of a defensive military system may depend on information gathered at many space-like separated points. If such a decision is token-based, it is desirable to allow as much flexibility as possible in using information gathered at different points in space and time, in deciding where to present the token and thus deploy. A decision about deploying specific local responses to defend against cyberattacks on an extended network may similarly depend on information gathered at many space-like separated points. Again, if such a decision is token-based, it is desirable to allow as much flexibility as possible in using information gathered at different points in space and time, in deciding where to present the token and thus deploy.

In sum, preferred embodiments of the invention define ways of implementing a significantly new definition of‘money’ (or any of its equivalents, as introduced above) that is more flexible than any existing definition.

Detailed Description of Embodiments of the Invention

The invention will now be described in detail, for the purposes of illustration and

enablement only, with reference to some exemplary embodiments.

Consider first two locations in space, 1 and 2. A user A and an issuer B are respectively represented by agents A1 and B1 at location 1 and agents A2 and B2 at location 2. In this example the locations 1 and 2 serve, at a first time, as commitment space-time points and then, with different time co-ordinates, also as redemption space-time points. In other words, the commitment and redemption points are at the same spatial locations in a reference frame previously agreed between the user and issuer. (Note that in the embodiment the general assumption here is that A1 and B1 are close to one another, but not necessarily co-located; and similarly for A2 and B2. In this sense, locations 1 and 2 are best thought of as regions in space, the size of which is small compared to the separation between them. They might, for example, be cities, with respective agents of the user and issuer situated in different buildings within those cities.)

In an example, B may have agreed to lend funds to A in order to carry out a transaction. Neither A nor B knows where the transaction will be carried out, but it is critical to B that he only lends the funds at one location, which will be where a token is validly redeemed (so that A cannot cheat B by borrowing the funds in two locations). However, the decision to lend the funds, on being presented with the token, is to be made before there is time for the agents of B to check with one another whether only one of them is lending the funds.

In this example, the parties A and B pre-agree an approach for representing a parameter relating to the possible transaction. This parameter is the committed data to which A will commit during the cryptographic process. The parameter may, for instance, be a number quantifying the desirability of carrying out the transaction at a particular location. For the sake of this example, consider the parameter to be the price of a commodity, which may be different in different locations. A would like to borrow funds from B to purchase the commodity in the location where it is cheapest at the time at which the commitments are made.

The pre-agreed representation of the parameter needs to allow each agent of B, on receipt of the representations from two (or more) locations, to decide whether to redeem, or validate, a token enabling A to access the funds at that agent’s location. In other words, each agent of B must be able to determine, without communicating with the other agents of B, whether or not he is the agent who is uniquely redeeming the token.

In the example, at a particular time (say, t = 0) when A wishes to initiate generation of a token, the agents A1 and A2 commit, at their respective locations (the commitment locations), to representations of the (local) prices of the commodity. The parties A and B have pre-agreed that B will lend the funds to A at whichever location (i.e. whichever token- redemption location, in this example the redemption locations being the same spatial locations as the commitment locations) A’s committed price (as represented in the committed data) is lower. At location 1 , A’s agent A1 makes a cryptographically-secure commitment to B’s local agent B1 , representing A’s price at location 1. In a preferred embodiment, this produces classical commitment data, which are subsequently both retained at location 1 and sent by A’s agent A1 to A’s agent A2 at location 2. Similarly, at location 2, A’s agent A2 makes a cryptographically-secure commitment to B’s local agent B2, representing A’s price at location 2. The resulting commitment data are both retained at location 2 and sent by A’s agent A2 to A’s agent A1 at location 1.

When each commitment is made, at locations 1 and 2, corresponding validation data are received by B’s agents B1 and B2 at each location 1 and 2. B’s agents then exchange the validation data with each other so that they can both in due course determine the information (as represented in the committed data)to which the agents of A have committed at each location.

Once the commitment data and validation data have been transmitted, the committed data from A’s commitments at locations 1 and 2 are both able to be unveiled in both locations. The commitment data for both commitments together form the token to be presented by A in each location for validation. The agent A1 can then submit the token (i.e. both sets of commitment data) to a redemption device at location 1 , revealing to the local issuing agent B1 the representations of A’s prices at locations 1 and 2. According to the pre-agreement, if B1 sees that the price at location 1 is lower than the price at location 2, the trade is to be carried out at location 1. B1 can then validate the token and lend the funds to A1.

At location 2, when the representations of the prices are revealed, B2 knows that A’s price at location 2 is higher than at location 1 , and therefore, according to the pre-agreed rules, B2 will not lend the funds to A2.

In practice, in the circumstances set out above, A2 may already be aware before submitting the commitment data to B2 that the price at location 2 is higher than the price at location 1 , such that B2 will not lend the funds to A2. A2 may therefore decide not to submit the commitment data to the redemption device, in order to avoid revealing information unnecessarily early to B2 (although B2 may presumably eventually learn the information, since B1 may transmit it to B2).

The overarching purpose of the structure of this embodiment is to enable the agents of A at time t = tO to distribute information in such a way that, at a later time t = t1 , the information can be submitted to corresponding agents of B at different locations such that only one of the agents of B can validly issue a token, for example to release some desired resource to A at that location. The agents of A and B at the different locations do not need to wait to exchange information after time t = t1 in order to validate the token. In this example, information is therefore exchanged between all of the agents of A, but the information only leads to a valid token at the single location where the information (in the form of the committed data) received by an agent of B validly corresponds to the pre agreed arrangement between A and B. Though characteristic of this example, exchange of information between all agents of A is not a requirement in general, and the invention foresees examples in which only some agents of A exchange information, and/or there is only one-way communication between certain pairs of agents, or indeed there is not necessarily any need for communication at all (for instance, if one agent is appointed to redeem the token unless she chooses to commit to and transmit data that is redeemable by another agent, which she in fact chooses not to do).

The pre-agreement (or agreement) between A and B is critical. The pre-agreement determines what forms of information agents of A may commit to agents of B, the space- time points at which these commitments may be made, the space-time points at which unveilings may be made, and the space-time points at which a token or one or more sub tokens may be redeemed. It further determines the rules for a valid redemption of a token or sub-token. Each agent of A should be able to determine the value of a parameter or parameters that determines their commitment or commitments. In preferred embodiments, all of the agents of A may define the parameter in the same way, or in other words according to the same rules., and may agree in advance what representation of the parameter (that is, what committed data) will be chosen by and/or distributed among the agents at the different locations. The parameter might be the local price of a commodity, or a factor quantifying the desirability of taking a particular action at that location. The representation may be the parameter itself, or it may be some factor representing the parameter in such a way that the parameter itself need not be revealed to B. In any event, it is necessary that when the representations are revealed to the agents of B at time t = t1 , each agent of B can be certain whether he is the agent at the unique location where a valid token should be issued. (A simple example would be if the value of the representation at that location is the highest value of the representations from all of the locations and this is the only location with this property, i.e. the highest value is uniquely attained.)

Note that the invention applies to communication networks that may have any type of constraints, including constraints that depend on the point in space and time, and on the speed of communication between nodes. Its security requires only that both parties accept the existence of some agreed bounds on the possible communication speed between any pair of relevant points in space-time. As has been mentioned in the Summary above, it is important in many scenarios (though not always essential) that the parties agree their respective signalling constraints in advance.

Specifically, B will definitely have some signalling constraints (either light speed signalling constraints, or some stronger constraints), and B needs the scheme to be secure against duplication at points between which his agents cannot signal. Note that B’s signalling constraints might be stronger than the light speed signalling bound, while A’s might be (or might be assumed by B to be, for safety) only light speed.

A must ensure that her use of the token scheme allows B to verify that the token presented is not being presented elsewhere (or that the sub-tokens or portions of tokens presented satisfy the agreed rules), using information that B can obtain given his actual signalling constraints. For A to do this, and to be confident that a validly presented token (or set of sub-tokens) will be immediately accepted, she needs to know B’s actual signalling constraints or at least lower bounds on B’s signalling speeds. These thus need to be agreed between the parties in advance, though this is not essential if A is willing to accept that a validly presented token may be rejected (or that its acceptance may be delayed) because of some signalling constraints on B of which she was unaware. It should be noted, however, that schemes embodying the invention may guarantee that no duplication of a valid token by A is possible, without requiring any signalling at all between the agents of B during the implementation of the scheme. This can be arranged, for example, by employing commitment schemes in which the validation data comprise only classical information about B’s inputs. If B’s agents pre-agree before the token scheme is implemented, all the inputs they will make at any commitment point, each of B’s agents then already has all the validation data necessary to validate commitment unveilings and hence to validate a token or sub-token, and do not need to communicate validation data to one another during the token scheme implementation. Schemes of this type of course need no agreement about B’s signalling constraints.

A’s agents at locations 1 and 2 (and at all locations of all commitment space-time points in all subsequent examples) may carry out their secure commitments using any suitable classical or quantum commitment scheme or any semi-classical commitment scheme that combines classical and quantum information inputs from one or both parties. Ideally, the invention is implemented using a cryptographic commitment scheme the security of which is based only on the laws of physics (quantum, relativistic, or both), such as the schemes presented in UK patent publication no. GB2542751 introduced above, or those derived in Kent, A. Unconditionally Secure Bit Commitment. Phys. Rev. Lett. 83, 1447-1450 (1999); in Kent, A. Secure Classical Bit Commitment using Fixed Capacity Communication Channels. J. Cryptolog. 18, 313-335 (2005); in Kent, A. Unconditionally Secure Bit Commitment with Flying Qudits. New J. Phys. 13, 113015 (2011); in Kent, A. Unconditionally Secure Bit Commitment by Transmitting Measurement Outcomes. Phys. Rev. Lett. 109, 130501 (2012); in Adlam, E. and Kent, A. Device-Independent Relativistic Quantum Bit

Commitment. Phys. Rev. A 92, 022315 (2015); in Adlam, E. and Kent, A. Deterministic Relativistic Quantum Bit Commitment. J. Quantum Inform. 13, 1550029 (2015); or in Lunghi, T. et al. Practical relativistic bit commitment. Phys. Rev. Lett. 115, 030502 (2015); any other such secure bit commitment scheme; or any combination of these. Using any of these commitment schemes to define the commitments for a token scheme, such as those described in the example above and examples below, guarantees that the user cannot present an apparently valid token at two or more space-like separated points. However, not all of these commitment schemes guarantee to the issuer that the user is committed in advance to presenting the token at some particular space-time point. For some of the commitment schemes (for example, that described in Kent, A. Unconditionally Secure Bit Commitment by Transmitting Measurement Outcomes. Phys. Rev. Lett. 109, 130501 (2012)) employed in some network configurations, a user with sufficiently advanced technology (namely quantum state storage) may retain some degree of flexibility about the space-time point at which the token is unveiled after the token has been issued, and may choose this point (within the constraints implied by the laws of physics) in a way that depends on data arriving at various positions in space at later times. This is not a concern to the issuer in the scenarios for which this invention is envisaged to be useful, assuming that the issuer is concerned only with preventing fraudulent multiple use of the token. The fact that a sufficiently technologically advanced user may have more flexibility in its use is something an issuer may wish to take into account in analysing or trying to predict users’ behaviour, but is not per se a security concern in the preferred security scenarios considered here. In other scenarios in which the issuer also wishes to constrain the user by ensuring that all commitments must be unalterably decided at or near the commitment initiation point, he may do so in the agreement with the user by restricting the allowed commitment schemes to those which ensure this.

It is also possible that users may be, or may become, confident enough in the security of post-quantum cryptographic schemes for bit commitment (and other tasks). Standard cryptographic schemes are breakable in principle, but are secure unless the attacker can solve a problem that is believed to be unfeasibly hard, at least within time scales over which security is required. So-called‘post-quantum’ schemes are designed to be secure in this sense against quantum computers as well as classical computers. Post-quantum cryptography is an active area of research, and it is plausible that users may have or acquire sufficient confidence in the security of existing or future post-quantum schemes to be willing to rely on them for short term applications or even for high value transactions that require long term security. The invention could also be implemented using cryptographic commitments based on such schemes..

Finally, the invention could also be implemented using conventional cryptographic protocols whose security is based on the assumed present computational intractability of carrying out a computation, for one or both of the parties involved. Some schemes of this type are described in the publications listed below, which are incorporated herein by reference in their entirety;

The Wikipedia article https://en.wikipedia.org/wiki/Commitment scheme (version dated 15.8.17).

Oded Goldreich (2001). Foundations of Cryptography: Volume 1 , Basic Tools, Cambridge University Press. ISBN 0-521-79172-3.

Gilles Brassard, David Chaum, and Claude Crepeau, Minimum Disclosure Proofs of Knowledge, Journal of Computer and System Sciences, vol. 37, pp. 156-189, 1988.

Goldreich, Oded; Micali, Silvio; Wgderson, Avi (1991). "Proofs that yield nothing but their validity". Journal of the ACM. 38 (3): 690-728. doi:10.1145/116825.116852.

Russell Impagliazzo, Moti Yung: Direct Minimum-Knowledge Computations. CRYPTO 1987: 40-51

Moni Naor, Bit Commitment Using Pseudorandomness, Journal of Cryptology 4: 2 pp. 151— 158, 1991.

Manuel Blum, Coin Flipping by Telephone, Proceedings of CRYPTO 1981 , pp. 11-15,

1981 , reprinted in SIGACT News vol. 15, pp. 23-27, 1983.

Shimon Even. Protocol for signing contracts. In Allen Gersho, ed., Advances in

Cryptography (proceedings of CRYPTO '82), pp. 148-153, Santa Barbara, CA, USA, 1982. A. Shamir, R. L. Rivest, and L. Adleman, Mental Poker. In David A. Klarner, ed., The Mathematical Gardner, pp. 37-43. Wadsworth, Belmont, California, 1981.

Oded Goldreich, Silvio Micali, and Avi Wgderson, Proofs that yield nothing but their validity, or all languages in NP have zero-knowledge proof systems, Journal of the ACM,

38: 3, pp. 690-728, 1991

Oded Goldreich and Hugo Krawczyk, On the Composition of Zero-Knowledge Proof Systems, SIAM Journal on Computing, 25: 1 , pp. 169-192, 1996

Gennaro; Rosario; Rabin, Michael O.; Rabin, Tal. "Simplified VSS and fast-track multiparty computations with applications to threshold cryptography". Proceedings of the seventeenth annual ACM symposium on Principles of distributed computing. 1998, June. Moni Naor, Rafail Ostrovsky, Ramarathnam Venkatesan, Moti Yung: Perfect Zero- Knowledge Arguments for NP Using Any One-Way Permutation. J. Cryptology 11(2): 87- 108 (1998)[1 ]

Although these schemes are breakable in principle, and some, for example those based on the discrete logarithm or factorisation, are particularly threatened by the advent of quantum computers, with suitable parameter choices they may still be judged to offer sufficient security for long enough time periods for practical purposes. It should be noted, though, that in principle and possibly in practice,‘secure tokens’ that are constructed using such bit commitments are not perfectly secure; that is, their security is guaranteed only by computational assumptions, rather than the known laws of physics. As such, they remain vulnerable to attacks in principle. Some such schemes may be unconditionally secure against one party, but not both. Unconditionally binding schemes may guarantee the user’s unconditional commitment; however, it may be possible for the issuer to read her commitment before she unveils it, if he can break the computational assumptions. Equally, unconditionally concealing schemes give the user perfect security against such an interception, but they do not guarantee to the issuer that the user cannot cheat, which she may if she can break the computational assumptions. In other words, these schemes remain vulnerable in principle to:

(1) privacy attacks (if the scheme is not unconditionally concealing); in particular, they may be vulnerable to attacks that allow the issuer to obtain information about the strategy of the user before the user presents the token (for example, allowing the issuer to determine in advance a subset of network points that contains the space-time point at which the token will be presented); and/or

(2) duplication (and multiplication) attacks (if the scheme is not unconditionally binding); depending on the details of the bit commitment protocols implemented, they may alternatively, or also, be vulnerable to attacks that allow the user to present the token at two or more space-like separated points on the network, and to have two or more of these presentations accepted as valid by the issuer’s local agents. More generally, in versions of the present scheme that allow a token to be sub-divided into token fractions, these protocols may be vulnerable to attacks in which a total fraction greater than one of the token is presented and accepted as valid at a set of points on the network. More generally still, in versions of the present scheme that allow a token to be sub-divided into sub-tokens that may be exchanged for resources according to some general set of pre-agreed rules, these protocols may be vulnerable to attacks that allow multiple presentations that violate the constraints defined by those pre-agreed rules. Following is a non-exhaustive list of more exemplary embodiments of the invention and scenarios in which they may find application (Examples 1-9).

1. Consider first three commitment points d , c2, c3, each light-like separated from two pre-agreed possible redemption points r1 and r2. Commitments made by agents of a user A at the three commitment points encode the decision made by each agent on the basis of information available to them about a desirable set of valid redemption points, as follows: each agent commits to a value (or committed data representing a value) {r1}, {r2}, {r1 , r2}, or the empty set, meaning respectively that the token will be valid only at r1 , will be valid only at r2, may be valid at either point or is valid at neither. All three sets of commitment data are sent to both redemption points, where respective agents of the token issuer B will redeem the token if and only if (i) all of the data from the three unveiled commitments agree that the token will be valid at that redemption point; and (ii) at least one of the three unveiled commitments precludes the token being valid at the alternative redemption point.

2. Next consider the reverse scenario, in which agents of a user A at each of two commitment points d , c2 commit to data that, collectively, select (or represent) one of three pre-agreed possible redemption points r1 , r2, r3, again each light-like separated from both of the commitment points. Specifically, each of A’s agents commits to data taking the form of a subset of the set S = {r1 , r2, r3}. (Here and in the examples that follow, the term ‘subset of the set S’ denotes any possible subset, including the possibility of the empty set or the complete set S itself.) The agent of the issuer B at one of the redemption points will accept the token as being valid at that point if and only if (i) all of the unveiled committed data from both commitment points agree that the token may be valid at that point, and (ii) at least one of the unveiled commitments implies that the token is not to be considered valid at either of the two alternative redemption points. That is, the token is valid at redemption point ri if and only if the intersection of the subsets of S committed to at each commitment point is precisely the set {ri}.

3. Examples 1. and 2. above generalise to the situation in which agents of A at each of M commitment points {d , ... cM} commit to data identifying one or more of N pre-agreed possible redemption points. Again, all of the possible redemption points are light-like separated from all of the commitment points; and, again, the data committed to at each commitment point represent a subset of the set S = {r1 , r2, ... , rN}. Once all of the commitment data have reached all of the possible redemption points, the token will be redeemed at a given redemption point if and only if (i) all of the unveiled committed data from all of the commitment points agree that the token may be valid at that point, and (ii) the unveiled committed data also imply that the token is not to be considered valid at any of the other (N - 1) possible redemption points. In other words, the token is valid at redemption point ri if and only if the intersection of the N subsets of S committed to is precisely the set {ri}.

4. Consider now a similar configuration of commitment and (possible) redemption points as in example 3, but now with the additional constraint that no light signal from a commitment point to a redemption point can pass through any light signal from any other commitment point to any other redemption point. Further, consider in this case that agents of A at each of the N commitment points commit to data representing either a single one of the redemption points, or‘no choice of redemption point’. Under these circumstances, an agent of the issuer B at a given redemption point may redeem the token at that point if and only if (i) the agent of A at one of the commitment points committed to data representing that point, and (ii) when the commitment points are numbered in an ordered sequence, all agents of A at points preceding that point in the sequence committed to data representing no choice of redemption point. In other words, the commitment points (and

correspondingly, the agents of the user A) are endowed with a priority ordering, and the token is valid (only) at the redemption point chosen by the‘first’ of the user’s agents (i.e. the agent nearest to the beginning of the sequence of agents) to commit to a redemption point.

5. In another exemplary application, and modelling the Earth as a sphere, a set of commitment spatial locations may be distributed around the great circle represented by the equator, with the poles pre-agreed to represent the spatial locations of two possible redemption points. There may be any number (large or small, but finite) of commitment points. Similarly to the first example above, agents of a user A at each of the commitment positions commit to data representing a subset of the set {r1 , r2} of redemption points (meaning, one, neither or both of the points). Assume that all of the commitments are made at the same time (in some agreed fixed reference frame), and that the resulting commitment data are sent at light speed to both of the assigned possible redemption space-time points, the spatial co-ordinates of which are the respective poles and the time co-ordinates of which are given by the time at which these signals should arrive. In this case, the parties may pre-agree that the token will be accepted as valid at each one of the redemption locations if that location was included in the subsets committed to by at least one group from among a respective pre-agreed list of groups of the user’s committing agents (provided there is not also a valid instruction for it to be returned at the other redemption point). Thus to check that the token is validly presented to him, the agent of the issuer at each pole needs to check (i) that some group of the user’s agents belonging to the pre-agreed list of groups for that pole have committed to data including a designation of that redemption point, and (ii) that no group of the user’s agents belonging to the pre agreed list of groups for the other pole have committed to data including a designation of the other pole.

6. Agents of a token user A may be located at spatial locations on the surface of the Earth forming the vertices of a regular tetrahedron. In this scenario, consider four pre-agreed possible redemption points, spatially located again on the Earth’s surface at the centres of the spherical triangles defined by those commitment positions. Each agent of A, at the same agreed start time, commits to data representing a subset (as defined above) of the three possible redemption points spatially adjacent to her position; and sends the commitment data to each of those three adjacent redemption points. Here, the parties may agree that the token will be considered valid at a redemption point if (i) agents of the user at each of the commitment positions adjacent to it has included that position in the set of positions that she committed to, and (ii) the unveiled committed data sent by the user’s agents at the adjacent commitment points also imply that no other redemption point can satisfy condition (i). Note that the second condition holds if and only if the subsets of redemption points committed to by each pair of adjacent agents of the user do not both include the other redemption point to which they are both adjacent.

7. The example of 6. may be extended by including a further set of commitment points, lying on the surface of the Earth, each associated with one of the redemption locations (which may be different for different commitment points in this set) and by having agents of the token user at those additional points commit to data encoding the designation of the respective redemption location as a valid or invalid redemption point and send the corresponding commitment data to the corresponding redemption point. In this case, the timings are co-ordinated so that all of the commitment data from all of the commitment points that communicate with each redemption point arrive simultaneously at that point. With these additional conditions, a further requirement for a token to be accepted as valid at a given redemption point is that (iii) every one of the user’s agents who communicates with that redemption point explicitly commits to data designating it as a valid redemption point.

8. The examples of 6 and 7 could also be defined for configurations of points in space, such that the tetrahedron defined by the redemption points is entirely outside the interior of the Earth. In this case the commitment points described in example 6 may lie at the centres of the faces of the tetrahedron, and the additional commitment points described in example 7 may lie anywhere in space. These examples may be extended further by including a call point at the centre of the tetrahedron that sends a list S of valid return points to all four return points, to arrive at the same time as all the other communications.

A valid return at ri then requires (a) that at all call points communicating with ri the user’s local agents committed to data implying that ri is a valid return point (so in particular ri belongs to S), and (b) it is deducible from these data that no other return point is also valid.

9. Consider now examples in which agents of the token user are situated at a finite number of commitment positions distributed, perhaps densely, over the surface of the Earth (modelled here as a perfect sphere). Similarly to the first embodiment discussed in detail above, each commitment point location is also pre-agreed to be a possible redemption point location. Each agent of the user commits to data representing the value of some function, calculated at the same pre-agreed time (in some fixed frame). This function might, for instance, be the price of a stock at the relevant node of a financial network at the agreed time. The function could also be some complicated algorithm that produces an output dependent on market data in a way that the user does not necessarily want to reveal. In either case, the commitment data are securely broadcast in all directions. After sufficient time has passed for a light signal to travel between antipodal points, every point will have received the commitment data broadcast from every other point. The token might then be agreed to be validly returned at a given point if the unveiled committed data show that the function takes its unique maximum value at that point. Alternatively, if it transpires that the function has multiple (say, N) maxima, then it could either be agreed that there is no point at which the token may be validly redeemed, or else that fractions 1/N of the token are validly returned at each of the N corresponding positions. (Other rules are also possible in the case of multiple maxima. For example, the commitment/redemption locations could be given some pre-agreed ordering, and it could be pre-agreed that in the case of multiple maxima the token is valid only at the first point in this ordering at which the maximum value is attained.)

10. As will be apparent to those of skill in the art, the preceding example may be varied in many ways, using different rules of the parties’ choice in which a unique redemption point (or perhaps a set of return points) is defined by the values of a function at each point. For example, the valid redemption point could be defined to be the point at which the function takes its minimum value or its median value; alternatively still, as the point antipodal to the point at which the function takes its maximum, minimum or median value; and so on. 11. Next, consider a situation in which the commitment and redemption positions are again the same, and this time represent the corners of a cube (say, suitably chosen locations on the Earth’s surface). As in example 9., the data to which each agent of the token user commits are given by respective values of some function f at some agreed fixed time.

Now, the token is valid at a given corner of the cube if the unveiled committed data show that f(x) < f(y) for all pairs of corners x that are opposite to it along some face of the cube and y that are adjacent to it along some edge of the cube (and including the position under consideration). In other words, the token is valid at some corner ci if the function takes smaller values on all of the three second neighbour positions than it does at any of the three first neighbour positions or at ci itself. It is easy to see that this condition can hold for at most one corner of the cube, so that the token in this example is guaranteed to be accepted as valid at no more than one of the possible redemption points.

12. Consider again examples in which the user’s agents are positioned at locations spatially arranged along a circle, such as a great circle or any other circle along the Earth’s surface. Suppose, as a simple first case, that there are some number N, greater than 4, of such locations regularly distributed around the circle, which define the spatial locations of N commitment points. Define M = (N + 3)/2 if N is odd, or M = (N + 4)/2 if N is even. The data committed to by each of A’s agents are again given by the value of a function f evaluated at the corresponding location at some agreed fixed time, which defines the time coordinate of the N commitment points. A valid redemption point then exists if there are M neighbouring locations in sequence with the properties that f(x) < f(y) for either end location x of the sequence and each interior location y of the sequence, and is defined to have the same spatial location as the middle location of the sequence. The time coordinate of a valid redemption point may be taken to be the earliest time at which communications reach the redemption point from the commitment points at all the relevant M locations. This condition implies that the spatial locations of the possible redemption points are identical with the spatial locations of the commitment points if M is odd, and are spatially located at points midway between them if M is even. (Note in the case of M even these locations will not necessarily coincide with the location of any of A’s agents described so far; A may however have other agents located around the circle, for example at the spatial locations of all possible redemption points.) At most one valid token redemption point can be defined by this condition.

13. One can vary the previous example by pre-agreeing any value M’ in place of M, where M’ is an integer greater than the values of M given above. 14. Now consider generalisations of the previous two examples. Suppose, for instance, that N agents of the token user A are situated at locations irregularly arranged around a circle, and numbered in a clockwise order. A valid redemption point exists if there are any number M of neighbouring commitment points with spatial locations in sequence with the properties f(x) < f(y) for either end location x of the sequence and any interior location y of the sequence, and with the locations satisfying the following conditions. First, the angle between the end locations, following the numerical order clockwise, is greater than p.

Secondly, the angle between the end locations of any shorter sequence within this sequence is smaller than p. The redemption point at which the token is valid is defined by some agreed rule, which may depend on the chosen sequence. For example, a simple (sequence-independent) rule might be that the valid redemption point has spatial location at the midpoint of the clockwise arc between the end locations. (Note that this will not necessarily coincide with the location of any of A’s agents described so far; A may however have other agents located around the circle, including agents at the location of each possible redemption point.) Another rule might define the valid redemption point to have the same location as that of the commitment point located closest to this midpoint, taking (say) the location that is closest clockwise from the midpoint in the event that there are two commitment points with locations equidistant from it. Again, at most one valid redemption point can be defined by this condition. In any case, the time coordinate of a valid redemption point may be taken to be the earliest time at which communications reach the point from all the M relevant commitment points.

15. One can vary the preceding example by substituting any angle Q such that p < Q <

2 p in place of p.

16. To extend these examples to include the case where the relevant sequence of locations of commitment points occupies exactly a half-circle (/.e., with an exact angle of p), a further condition for validity may be added that breaks the symmetry and excludes the possibility that the complementary half-circle may also define a valid redemption point. For example, one could require that a redemption within a half-circle is valid only if f(c_a) < f(c_b) and f(c_a) < f(c_c), f(c_b) < f(c_c), where c_a, c_b are the locations of the

commitment points at the ends of the half-circle ordered so that the half-circle proceeds clockwise from c_a to c_b and c_c is the location of any commitment point within the half circle.

17. One can generalise examples 12 to 16 above to consider configurations of

commitment and possible redemption points whose locations lie on the surface of a sphere, rather than being constrained to lie on a circle. (Here the sphere may for example be taken to be an approximate model of the surface of the Earth.) Consider a network S of commitment locations that are located on the surface of a sphere, and suppose some real function f is defined at each commitment point. Let Q be some fixed angle greater than 0 and smaller than |. Suppose the network has the property that, if S n H is the intersection of S with a hemisphere H, and S n A is the intersection of S with the annulus extending angle Q around the sphere from the boundary of H into the opposite hemisphere, and the boundaries of H and of A contain no points in S, and f(s)< f(t) for all s e S n A and t e S n H , then S n H is the unique set of network points satisfying all these conditions (for any hemisphere H and corresponding annulus A. (Note that for any Q > 0 an approximately uniform network of sufficient density will have this property.) Suppose also that for each possible such set S' = S n H a redemption point (which may for example have the same spatial location as a commitment point located somewhere near the central pole of a hemisphere H such that S' = S n H) is pre-agreed. The token may then be validly accepted at such a redemption point as soon as all the commitment data from a set of commitment points in a suitable H and A have been received and the corresponding committed data unveiled, providing that these unveiled committed data show that indeed f(s)< f(t) for all seSDA and teSDH .

18. Another possibility for the configuration of example 14. would be to take a binary function f defined on the commitment points. If the function evaluates to 1 at some point and to 0 at all of the (M - 1) points following it on the sequence around the circle, for any M such that (a) the clockwise angle between the first and last points in the sequence is greater than p; and (b) the clockwise angle between the first and penultimate points is less than or equal to p, then there is a redemption point at which a token may be accepted as valid. This could, for example, be defined to be a point whose location among the sequence of locations of commitment points is closest to the midpoint of the clockwise arc from the first to the last location (with a suitable tie-breaking condition to cover the eventuality that there are two locations equally close to the midpoint). With such a definition, and taking the time coordinate for a redemption point to be the earliest time at which all relevant signals reach the location of the given redemption point, there can be at most one redemption point at which the token is found to be valid. As in embodiment 15, this example may also be varied by substituting any angle Q such that tt<q<2 p in place of

7G.

19. A variation on the preceding example would be to require that the binary function evaluates to 1 also at the last in the sequence of M commitment locations, and to 0 at all the intervening locations. (In this case, we need not also require that the clockwise angle between the first and penultimate locations is less than or equal to p, though this could of course be imposed as an additional condition should the parties so wish.) The redemption point (meaning, the point at which the token is found to be valid), could be defined as in point 18.

20. Another example for a network of commitment points whose spatial locations lie on a sphere, as in example 17., would be to take some fixed source location P on the network, and a binary function f defined at each of the commitment locations. One would then say that the token is valid at a redemption space-time point whose location is that of the one of the locations of commitment points Q at which f(Q) = 1 that is closest to P. The time coordinate of a redemption space-time point may be taken to be the earliest time at which communications of commitment data reach the location of the redemption point from all commitment points required to verify the condition for validity of the token, i.e. from all points Q no further from P than the location of the redemption point.

21. A variation on the example just given would be to consider some circle C on the sphere (which may for example be the surface of the Earth, to suitable approximation), taken to be of constant latitude in some agreed co-ordinate system, and to define the redemption point to have the location Q above (or below) this latitude such that f(Q)=1 that is closest to the circle C, among all the locations of commitment points P such that f P) = 1

22. Finally, consider a general form of the sorts of problem that may be addressed with schemes according to the invention, that subsumes some of the above examples.

Suppose that there exists a set S = {P1 , ... PN} of locations in space with communication channels between them; and suppose that agents of the token user at some or all of those locations, at prescribed times (which may depend on the location), generate commitment data that consist of nominations of respective subsets of the set S. If an agent at a particular commitment point does not make a commitment, her subset is taken to be the full set S as a default option. These data are broadcast to all other locations in the set S at whatever speeds the network communication channels allow. Then the token may validly be redeemed at one of those locations, P, once all the commitment data have arrived and the corresponding committed data have been unveiled at P, provided that the unveiled committed data allow the issuer to verify that the intersection of all of the committed subsets is precisely the set containing the single point P.