David Chaum gave a talk at the Crypto 2002 conference recently in which he briefly presented a number of interesting ideas, including an approach to digital cash which he himself said would "avoid the ecash patents". The diagram he showed was as follows: Optimistic Authenticator z = x^s Payer f(m)^a z^b Bank -----------------------------> [f(m)^a z^b]^s <----------------------------- m, f(m)^s -----------------------------> It's hard to figure out what this means, but it bears resemblance to a scheme discussed on the Coderpunks list in 1999, a variant on a blinding method developed by David Wagner. See http://www.mail-archive.com/coderpunks@toad.com/msg02323.html for a description, with a sketch of a proof of blindness at http://www.mail-archive.com/coderpunks@toad.com/msg02387.html and http://www.mail-archive.com/coderpunks@toad.com/msg02388.html. In Chaum's diagram it is not clear which parts of the key are private and which public, although z is presumably public. Since the bank's action is apparently to raise to the s power, s must be secret. That suggests that x is public. However Chaum's system seems to require dividing by (z^b)^s in order to unblind the value, and if s is secret, that doesn't seem possible. In Wagner's scheme everything was like this except that the bank's key would be expressed as x = z^s, again with x and z public and s secret. f(m) would be a one-way function, which gets doubly-blinded by being raised to the a power and multiplied by z^b, where a and b are randomly chosen blinding factors. The bank raises this to its secret power s, and the user unblinds to form f(m)^s. To later deposit the coin he does as in the third step, sending m and f(m)^s to the bank. For the unblinding, the user can divide by (z^b)^s, which equals z^(b*s), which equals (z^s)^b, which equals x^b. Since x is public and the user chose b, he can unblind the value. Maybe the transcription above of the Chaum scheme had a typo and it was actually similar to the Wagner method. Chaum commented that the payer does not receive a signature in this system, and that he doesn't need one because he is protected against misbehavior by the bank. This is apparently where the scheme gets its name.