How can e-cash, even on-line cleared, protect payee identity?

[Simon Spero]

On Sun, 22 Oct 1995, Bryce wrote:

> Now it seems to me that any ecash scheme, whether cleared on-line or
> off-line, with or without double-spending-detection, will put the
> payee at risk of identification by a collusion of the payer and the

I can't remember off hand, but isn't blinding transitive? If so, there's 
an obvious way to get two way anonymity with an on-line system. If Alice 
wants to pay Bob $10, then Bob could prepare the usual squillion copies 
of the note, each with a serial number known only to Bob, then blind them 
and send them to Alice. 

Alice would then reblind them and send them to Nick, the banker. Nick
would then pick one of the notes, and ask Alice for the blinders for the
rest. Alice would then ask Bob for his blinders for the rejected notes,
and would forward both sets on to Nick, who would check them, and if
they're legit, sign the remaning copy, and return it to Alice.  

Alice cound then remove her blinding factor, and sent the result on to
Bob. Bob then removes his blinding factor, and can now spend the coin. 

Since Alice doesn't know the serial number, she can't reveal it to Nick 
so that he can find out who deposits the coin. Also, since Nick doesn't 
know the serial number, he can't collaborate with Bob to find out who 
Alice is. 

Does this work, or am I missing something?

Simon

---
(defun modexpt (x y n)  "computes (x^y) mod n"
  (cond ((= y 0) 1) 	((= y 1) (mod x n))
	((evenp y) (mod (expt (modexpt x (/ y 2) n) 2) n))
	(t (mod (* x (modexpt x (1- y) n)) n))))