James Donald writes:
> What is wrong with the original solution proposed in my original
> article, <http://www.jim.com/jamesd/kong/anon_transfer.htm>
>
> The client uses an existing used coin for blinding the newly created
> coin, preferably a coin that he got from someone else, not a coin
> issued to him by the issuer. If the coin issuer marks coins by using
> a different key for some coins and not others, the blinding will
> generate unrecognizable garbage and the system will fail.
This could help, but it might not completely eliminate the problem.
The difficulty from the bank's perspective is that although it can still
mark a coin and recognize it at withdrawal, if that coin is then used as
the base for blinding further coins, those other coins will be completely
bogus. If the bank does not want to be caught in its marking, it must
be prepared to accept bogus coins, which policy might be discovered.
However if marking is a rare and seldom applied technique, then the
bank could usually reject bogus coins, and only go into "permissive"
mode for a short while after marking a coin. In that case it might get
away with it. Unless people are constantly trying to deposit bogus coins,
which may be a difficult procedure to maintain over long periods of time,
the bank could get through its window of vulnerability.
All in all it seems superior to have the bank prove that it is behaving
properly. That closes off the possibility of marking and also of the
bank intentionally creating bogus coins which it later pretends are valid.
