From solman@MIT.EDU Sat Jul 23 17:35:33 1994
Well I've skimmed the paper because this is non-intuitive to me, and I'm impressed by the level of security that Chaum requires from his protocols. He treats the absolutely impossible and the computationally infeasible separately. Determining whether the coin is one of yours falls into the second category. In order to determine whether you have used a coin previously (in a maximally secure scheme) you need the bank's secret key. So you just wind up your 4096 bit number factoring machine, dump in the modulus, and presto, out come your factors from which you compute the secret key.
Yes, I remember that now. My interpretation, though, was that with the bank's help you could tell when a coin had been re-used. This could impair the anonymity of the cash.
So the problem we are now looking at is when a prior user and the bank team up, the person who finally redeems the cash at the bank can be identified as handling cash that the colluding user previously had. There is a simple solution to this, if you are this paranoid, don't redeem the cash yourself, just pass it to a non-bank. Once you do this NOTHING can be determined about you unless you double spend. (Unless the bank's private key is recovered.) JWS
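The withdraw/spend/redeem cycle the thread is arguing about, as an added Python example (a textbook RSA blind signature in the style of Chaum; this is not code from the thread or from Chaum's paper). It assumes toy RSA parameters, a constructed coin serial, and a simple online deposit log at the bank; none of those come from the message. It shows what the bank actually records at withdrawal (only the blinded value), that the unblinded coin verifies under the bank's public key, and that the bank's deposit log can refuse a second deposit of the same coin without ever having seen its serial during withdrawal.

```python
import hashlib
import secrets
from math import gcd

# Toy RSA key for the bank. Constructed for illustration only: 20-bit primes
# are trivially factorable, which is exactly the "wind up your factoring
# machine" point in the thread; a real bank would use a 2048+ bit modulus.
P = 1000003
Q = 1000033
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)          # bank's secret exponent


def coin_hash(serial: bytes) -> int:
    """Map a coin serial to an integer mod N (full-domain hash, toy sized)."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N


def blind(m: int, n: int = N, e: int = E):
    """User side: pick a random blinding factor r coprime to n, return (m * r^e, r)."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            break
    return (m * pow(r, e, n)) % n, r


def bank_sign(blinded: int, d: int = D, n: int = N) -> int:
    """Bank side: sign whatever it is handed. It never sees m or r."""
    return pow(blinded, d, n)


def unblind(blinded_sig: int, r: int, n: int = N) -> int:
    """User side: strip r to recover m^d, an ordinary RSA signature on m."""
    return (blinded_sig * pow(r, -1, n)) % n


def verify(m: int, sig: int, e: int = E, n: int = N) -> bool:
    """Anyone with the bank's public key can check a coin."""
    return pow(sig, e, n) == m % n


def withdraw(serial: bytes):
    """Run the withdrawal protocol; return (signature, what_the_bank_logged)."""
    m = coin_hash(serial)
    blinded, r = blind(m)
    bank_log_entry = blinded               # the only value the bank saw
    sig = unblind(bank_sign(blinded), r)
    return sig, bank_log_entry


# Bank's online double-spend log: serials of coins already deposited.
SPENT = set()


def redeem(serial: bytes, sig: int) -> bool:
    """Bank side at deposit: accept a coin once, reject forgeries and repeats."""
    if not verify(coin_hash(serial), sig):
        return False                        # bad or forged signature
    if serial in SPENT:
        return False                        # same coin presented twice
    SPENT.add(serial)
    return True


def bank_can_match_withdrawal(bank_log_entry: int, serial: bytes, sig: int) -> bool:
    """Without r, the withdrawal record does not equal anything in the deposited coin."""
    return bank_log_entry in (coin_hash(serial), sig)


if __name__ == "__main__":
    serial = b"coin-serial-0001"            # constructed sample serial
    sig, logged = withdraw(serial)
    print("verifies:", verify(coin_hash(serial), sig))
    print("bank log matches coin:", bank_can_match_withdrawal(logged, serial, sig))
    print("first deposit:", redeem(serial, sig))
    print("second deposit:", redeem(serial, sig))
```

The point the example makes concrete is that the bank's withdrawal record is `m * r^e mod N`, which is useless for linking without the user's `r`; the deposit log, on the other hand, holds the plain serial, which is why passing the coin to a non-bank party, as JWS suggests, keeps the withdrawer out of that log entirely.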