A question about offline digicash:
Is it possible to arrange digicash as follows:
If A, the original issuer, issues a unit of digicash to to B, and B gives it to C, and C gives it to D, and D, gives it to E, and E cashes it with A, -- and everyone colludes except C and D, it is impossible to prove that C got this unit from D.
I assume you mean the last line to read "to prove that D got this unit from C". Chaum has demonstrated (In a paper I discussed here a little over a month ago) that when A, B and E collude they can be sure that the cash D gave to E is part of the same banknote that B gave to C. HOWEVER, it is possible to design a protocol such that it is NOT possible for A, B and E to be sure that C gave his money directly to D. (i.e. a protocol can be designed such that A, B and E can not rule out the possibility that the cash went from C to F to G to H to I to J to D. Thus, the solution for entities that are worried about having their cash marked is to exchange banknotes anonymously with randomly selected entities before using them again.
If A, the original issuer, issus a unit of digicash to to B, and B gives it to C, and C gives it to D, and D, gives it to E, and E cashes it with A, -- and C double spends it to D', who then gives it to E' who then attempts to cash it with A, -- then A will detect the double spending and rebuff the attempt, E' will complain to D', and D', with information supplied by E' and A, can then prove that C dishonorably double spent the money, without discovering that C gave the money to D, and hence without discovering that D gave the money to E.
Anonymous e-cash can be created such that the identity of the cheat is immediatelly known as soon as the second copy of the banknote (or of a part of the banknote) reaches A. I should think that any protocol which requires backtracking would be highly undesirable (i.e. D' and idealy E' should not be bothered). Cheers, Jason W. Solinsky