Johnathan Corgan <jcorgan@netcom.com> writes:
The authors consider this the first ideal untraceable electronic cash system.
T. Oamoto and K. Ohta, Universal Electronic Cash Advances in Cryptology--CRYPTO '91 Proceedings Berlin: Springer-Verlag 1992 pp. 324-337
(This should be Okamoto & Ohta.) This paper is not available electronically as far as I know. The crypto proceedings can be found in good university libraries. I believe the Okamoto scheme has the problem that payments by a person are all linkable. Basically when you open an account with the bank you get a "license" number B which you keep for all the time (and which the bank doesn't know). But every time you spend you have to send B. So all of the payments from a person will use the same B. True, this doesn't reveal his identity, but it allows a given pseudonym's spending patterns to be recorded and studied, which may be almost as bad. Okamoto forgot unlinkability in his laundry list of ideal cash characteristics. Hal