How can e-cash, even on-line cleared, protect payee identity?

[Tom Weinstein]

In article <DGyIMI.KM9 at sgi.sgi.com>, Hal <hfinney at shell.portal.com> writes:

> tomw at orac.engr.sgi.com (Tom Weinstein) writes:
>> Perhaps the problem is that Bob insists that Alice's coin was not signed
>> by the bank.  In that case, how about this modification?  Alice should
>> first show Bob the doubly blinded coin she gave to the bank and the
>> signed doubly blinded coin she received back.  Bob can verify the
>> signature and then Alice can give him the blinding factor so he can
>> unblind it himself.  Bob also needs to sign the singly blinded coin that
>> he gives to Alice so that Alice can later show that she gave him the
>> correct blinding factor if Bob tries to claim that she didn't.

> The problem with this is that Bob and the bank can now collude to trace
> Alice, since he sees what she sent to the bank.  This is not as bad as in
> the forward traceability case of regular ecash, because it happens after
> Alice has completed her bank transaction, rather than before, but it
> would be better to be untraceable since that is the whole point of this
> variation.

Good point.  To guard against this, Alice needs to double blind what she
sends to the bank.  She can then remove one layer of blinding and show
the results to Bob.  Of course Bob and the bank can still colude because
of the timing of the transactions.  This seems to be a fundamental
weakness of this reverse e-cash scheme.

-- 
Sure we spend a lot of money, but that doesn't mean | Tom Weinstein
we *do* anything.  --  Washington DC motto          | tomw at engr.sgi.com