Bryce <wilcoxb@nagina.cs.colorado.edu> writes:
In an on-line clearing e-cash scheme, Chaum's "double-spender identifier" fields are unnecessary, but a "serial number" type field to uniquely identify the e-coin is still necessary. Using blinding, this serial number may be unknown to the bank, but it will be known to the payer. If the payer and the bank are collaborating to identify the payee, then they can simply use this serial number to identify the recipient of the coin.
Is there a scheme which will prevent this collusive payee identification, and if so where can I read about it? (On-line is preferable of course, but I don't expect to be that fortunate.)
One proposal I have seen here is to have a "coin changer" service which turns the received coin in at the bank for you. Then the payer and the bank and the coin changer all have to collude to identify you. However you have to trust the coin changer not to steal your money. So it better be a pretty trustworthy organization.
Now even if it were the case that the payee is always identifiable by a collusion of the bank and the payer (such as is the case in DigiCash Ecash), all this means is that you shouldn't accept a coin using one nym, and deposit it in the bank using another. You need one bank account per nym, as well as one bank account per anonymous transaction, and then you have complete control over revelation of your identit(y/ies).
It would still be less than perfect to have all of a given nym's transactions known. In an ideal electronic cash system no transactions are linkable if the participants don't want it.
I can imagine a future in which this requirement is not difficult to meet. Perhaps it will be the case that you can accept a coin, open up a new ("anonymous") account with the bank, deposit the coin, withdraw a new coin of the same amount, close the account, and now have an untraceable coin all in a fraction of a second.
In such a system you don't need an "account" as such, but rather the bank simply allows used cash to be checked and exchanged for fresh cash via anonymous connections. This would be the most privacy-protecting system.

Hal
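The exchange discussed in this message, as an added example that is not part of the original post: a payee turns in a received coin and gets a fresh blind-signed one whose serial number neither the payer nor the bank has seen. It assumes textbook RSA blind signatures as the blinding scheme, a constructed toy key, and hypothetical names (`Bank`, `blind`, `unblind`, `demo`).

```python
import hashlib, secrets
from math import gcd

# Constructed toy bank key (two Mersenne primes); far too small for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def h(serial: bytes) -> int:
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N

class Bank:
    def __init__(self):
        self.spent = set()        # serials cleared on-line (double-spend check)
        self.seen_blinded = []    # all the bank ever sees at signing time
    def sign_blinded(self, blinded: int) -> int:
        self.seen_blinded.append(blinded)
        return pow(blinded, D, N)
    def clear(self, serial: bytes, sig: int) -> bool:
        if pow(sig, E, N) != h(serial) or serial in self.spent:
            return False
        self.spent.add(serial)
        return True
    def exchange(self, serial, sig, blinded_new):
        # Used coin in, fresh blind signature out; no account involved.
        return self.sign_blinded(blinded_new) if self.clear(serial, sig) else None

def blind(serial: bytes):
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (h(serial) * pow(r, E, N)) % N, r

def unblind(blind_sig: int, r: int) -> int:
    return (blind_sig * pow(r, -1, N)) % N

def demo():
    bank = Bank()
    s1 = secrets.token_bytes(16)              # payer picks the serial
    b1, r1 = blind(s1)
    coin1 = (s1, unblind(bank.sign_blinded(b1), r1))
    payer_knows = {s1}                        # what a colluding payer can report
    s2 = secrets.token_bytes(16)              # payee picks a new serial
    b2, r2 = blind(s2)
    sig2 = unblind(bank.exchange(*coin1, b2), r2)
    return {
        "received_coin_linkable": s1 in bank.spent and s1 in payer_knows,
        "fresh_serial_seen": s2 in payer_knows or s2 in bank.spent
                             or h(s2) in bank.seen_blinded,
        "fresh_coin_valid": bank.clear(s2, sig2),
        "old_coin_replay_rejected": not bank.clear(*coin1),
    }
```

The payer and bank can still recognise the moment the received coin was turned in, so the unlinkability of the fresh coin depends on the exchange happening over an anonymous connection.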