Ben Laurie wrote:
Actually, Lucre uses the double-blinding method to avoid this. The paper discusses the ZK proof as an alternate way of doing it, but I chose not to use it because of its potential interpretation as a blind signature.
Quoting from an anonymous post to coderpunks, around December 13, 1999: There is still a potential problem with the double blinding that the ZK proof would fix. The bank may intentionally produce a bogus coin by returning junk in the withdrawal transaction. While this is not as useful as being able to specifically mark coins and recognize them at deposit time, it could still be used in practice if people don't very often try depositing junk. After all, why should they do so, since it will never work. In that case the bank may be able to do a "sting" operation by producing junk at deposit time and then assuming that anyone who attempts to deposit a garbage coin is likely to have been the recipient of the junk coin. If such garbage deposit attempts are few, then this will allow the bank to effectively link the deposit to the withdrawal. The bank can even "eat" the cost of the bad coin and the depositor will never know he's been tagged. As a countermeasure there could be a band of cypherpunks who constantly attempt anonymous deposits of junk coins. These would all fail, but they would provide cover. They would make it much more difficult for the bank to issue intentionally-bad coins with the expectation that it could recognize them at deposit time. But lacking such organized activity, it would be better for the withdrawer to be guaranteed that the bank had behaved correctly. If the ZK proof is used then the original Wagner blinding using one factor should be adequate.