Adam Back wrote:
Yes I remember the introduction of a 2nd blinding factor, your other post in the thread where you reposted the remaining issues with taggability jogged my memory; just the terminology threw me.
(Probably more proper to call it the introduction of another blinding factor -- the result is just more effectively blinded -- Brands constructs use 3 blinding factors in some scenarios for example and that is still considered blinded not "triple-blinded")
2-factor blinding might be a better way to express it.
Brands has an optimization of his scheme where (as the user receiving a coin) you have the option of not bothering to perform one of the verifications, the weaker assurance being you are still assured that the bank can't distinguish between tagged coins, though it can distinguish an untagged coin from a tagged coin.
However as with Lucre I don't find this very convincing because the bank can still tag one person at a time. If you add in the general lack of connection anonymity, it could certainly be used to confirm suspicions and probably to effectively tag multiple users at once.
So I would consider the lucre two blinding factor approach still flawed.
As I mentioned in another post, the bank either has to reveal its subterfuge, or honour forged coins, so I'm not convinced. Anyway, the ZK proof is available if you want to use it. Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff