Crypto-making vs Crypto-breaking

Nomen Nescio nobody at dizum.com
Tue May 6 10:30:01 PDT 2003


Ben Laurie wrote:
> Actually, Lucre uses the double-blinding method to avoid this. The paper
> discusses the ZK proof as an alternate way of doing it, but I chose not
> to use it because of its potential interpretation as a blind signature.

Quoting from an anonymous post to coderpunks, around December 13, 1999:

There is still a potential problem with the double blinding that the ZK
proof would fix.  The bank may intentionally produce a bogus coin by
returning junk in the withdrawal transaction.

While this is not as useful as being able to specifically mark coins and
recognize them at deposit time, it could still be used in practice if
people don't very often try depositing junk.  After all, why should they
do so, since it will never work?

In that case the bank may be able to do a "sting" operation by producing
junk at deposit time and then assuming that anyone who attempts to deposit
a garbage coin is likely to have been the recipient of the junk coin.
If such garbage deposit attempts are few, then this will allow the bank
to effectively link the deposit to the withdrawal.  The bank can even
"eat" the cost of the bad coin and the depositor will never know he's
been tagged.

As a countermeasure there could be a band of cypherpunks who constantly
attempt anonymous deposits of junk coins.  These would all fail, but
they would provide cover.  They would make it much more difficult for
the bank to issue intentionally-bad coins with the expectation that it
could recognize them at deposit time.

But lacking such organized activity, it would be better for the withdrawer
to be guaranteed that the bank had behaved correctly.  If the ZK proof
is used then the original Wagner blinding using one factor should be
adequate.
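
The guarantee argued for in the quoted post, as an added example that is not part of the original message or of Lucre's own code: single-factor blinding in which the withdrawer checks a proof that the bank signed with its published key before accepting the coin, so junk is caught at withdrawal rather than at deposit. Assumptions: the ZK proof is taken to be a Chaum-Pedersen discrete-log-equality proof made non-interactive with a hash, the group is the 768-bit RFC 2409 prime, and all function names are hypothetical.

```python
import hashlib
import secrets

# Assumption: 768-bit safe prime of RFC 2409 (Oakley Group 1), chosen only so the
# example runs; too small for real use. G = 4 generates the subgroup of prime order Q.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
Q, G = (P - 1) // 2, 4

def h_int(*parts):
    """SHA-256 over the parts, as an integer (Fiat-Shamir challenge)."""
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big")

def coin_base(x):
    """Hypothetical one-way map from coin serial x into the order-Q subgroup."""
    wide = hashlib.shake_256(b"coin|" + x.encode()).digest(128)
    return pow(int.from_bytes(wide, "big") % P, 2, P)

def bank_reply(m, k, K):
    """Bank signs blinded m with exponent k and proves log_G(K) == log_m(s)
    (Chaum-Pedersen, assumed here as the ZK proof; K is the published key)."""
    s, w = pow(m, k, P), secrets.randbelow(Q - 1) + 1
    c = h_int(G, K, m, s, pow(G, w, P), pow(m, w, P))
    return s, (c, (w - c * k) % Q)

def reply_ok(m, s, proof, K):
    """Withdrawer's check; also rejects any s outside the order-Q subgroup."""
    c, r = proof
    t1 = pow(G, r, P) * pow(K, c, P) % P
    t2 = pow(m, r, P) * pow(s, c, P) % P
    return pow(s, Q, P) == 1 and c == h_int(G, K, m, s, t1, t2)

def withdraw(x, K, bank):
    """Single-factor blinding: returns coin (x, y^k), or None if the proof fails."""
    b = secrets.randbelow(Q - 1) + 1
    m = coin_base(x) * pow(G, b, P) % P          # blind y = coin_base(x) with g^b
    s, proof = bank(m)
    if not reply_ok(m, s, proof, K):
        return None                              # junk detected at withdrawal time
    return x, s * pow(K, Q - b, P) % P           # unblind: s / K^b = y^k

def deposit_ok(coin, k):
    """Bank-side deposit check: z == coin_base(x)^k."""
    x, z = coin
    return z == pow(coin_base(x), k, P)
```

A bank that answers with anything other than `m^k` for its published `K` cannot make `reply_ok` pass, so the withdrawer learns of the junk coin immediately and never carries a marked coin to deposit.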
