I just ftp'd, printed, and read the paper which Derek mentioned: NetCash: A design for practical electronic currency on the Internet by Gennady Medvinsky and Clifford Neuman I didn't think it was any good. They have an incredibly simplistic model, and their "protocols" are of the order, A sends the bank some paper money, and B sends A some electronic cash in return. They don't even do blinding of the cash. Each piece of cash has a unique serial number which is known to the currency provider. This would of course allow matching of withdrawn and deposited coins. "In particular, at the point that a client purchases coins from a currency server by check, or cashes in coins, it is possible for the currency server to record which coins have been issued to a particular client. It is expected that currency servers will not do so, and it is likely that the agreement with clients will specifically preclude it." Right. It is expected that they will not do so. I feel so much better now. These guys seem to have read the work in the field (they reference it) but they don't appear to have understood it. Hal Finney hfinney@shell.portal.com