jim bell writes: [re: payee anonymity]
It seems to me that this should be possible, within limits, if the potential payee could generate a "blinded" note to be delivered to the payer by anonymous means. The payer could get the note certified by the bank, possibly given an extra "blind" if necessary (is this possible? Desirable? Why not?) and then the resulting still-blinded but certified note is posted (in encrypted form, I supposed) to the 'net so that only the payee can decrypt and unblind it.
This sounds like a version of "Hey, I'll pay you $10, if you give me a ten dollar bill first." As I understand your protocol, Bob gives Alice an enote, then Alice gives Bob an enote. Alice isn't paying Bob in any meaningful sense, since Bob ends up with the same amount of e$ with which he started. Perhaps you could clarify what you meant.
It sounds like you understand even less about the details of digital cash than I do. First, read the August 1992 issue of Scientific American, the article by David Chaum. He explains, with a certain amount of detail, how blinded digital cash operates. To become validated and worth money, it first has to be electronically "written," blinded, and then signed by the bank. Then it is unblinded, at which point it can be spent. What I was saying is that the notes would be written by the payee, then blinded by the payee, given to the payer, and then signed by the payer's bank. At this point, they are worth money, and they are then returned to the payee, possibly by encrypting them and publishing them in encrypted form on a publicly-accessible portion of the Internet, so "anyone" could read them. Only the intended payee would be able to decrypt them, however, and only the payee would be able to unblind the notes.