-----BEGIN PGP SIGNED MESSAGE----- Well I've decided that the best way to learn is to stick my neck out and say something probably stupid in public. So here I go again: In an on-line clearing e-cash scheme, Chaum's "double-spender identifier" fields are unnecessary, but a "serial number" type field to uniquely identify the e-coin is still necessary. Using blinding, this serial number may be unknown to the bank, but it will be known to the payer. If the payer and the bank are collaborating to identify the payee, then they can simply use this serial number to identify the recipient of the coin. Is there a scheme which will prevent this collusive payee identification, and if so where can I read about it? (On-line is preferable of course, but I don't expect to be that fortunate.) Now even if it were the case that the payee is always identifiable by a collusion of the bank and the payer (such as is the case in DigiCash Ecash), all this means is that you shouldn't accept a coin using one nym, and deposit it in the bank using another. You need one bank account per nym, as well as one bank account per anonymous transaction, and then you have complete control over revelation of your identit(y/ies). I can imagine a future in which this requirement is not difficult to meet. Perhaps it will be the case that you can accept a coin, open up a new ("anonymous") account with the bank, deposit the coin, withdraw a new coin of the same amount, close the account, and now have an untraceable coin all in a fraction of a second. Bryce signatures follow "To strive, to seek, to find and not to yield." <a href="http://ugrad-www.cs.colorado.edu/~wilcoxb/Niche.html"> bryce@colorado.edu </a> -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.01 iQCVAwUBMIrRpvWZSllhfG25AQFWTQQAgxDWvYrBpoM5D0Idn7ZeCHbZSxMGFr50 Ut40sE83Yfctb6nJdrA+trpynEcu1wJkBbZ7zKDw/TFEUHZy1v4lhZPe+yxmYZcD w9fPC5HaJQqcTp/hhiw9L4iMswdbrmJu/SkUz85ZVosy8blasdOgFwcoZTIFpZHk tyATeEGYygo= =xqJ6 -----END PGP SIGNATURE-----