On 2011-06-14 6:13 PM, Adam Back wrote:
Auditable Anonymous Electronic Cash by Tomas Sander and Amnon Ta-Shma
in crypto 1998.
Its basically the idea of using non-interactive zero knowlede proof of
membership in a list of coins as an alternative to blinding.
The interesting thing is then the bank doesnt need a private key and doesnt
much need to be trusted. Anyone can audit the list of coins, it is
published; same for double spend database. The ZKP is a representation
problem (like Stefan Brands ecash/credentials).
They use Merkle trees to improve the computation efficiency (reduce the
of the representation problems that have to be presented and verified).
Like bitcoin it provides auditability, but better than bitcoin it provides
cryptographically secure anonymity. With bitcoin it is not anonymous, just
pseudonymous but traceable - because there is publicly auditable signature
chain showing transfers between pseudonyms.
Sander & Ta-Shma propose using it with a physical bank providing exchange,
but that could be replaced with variable cost hashcash like bitcoin.
I dont understood why bitcoin didnt use it
It is not a design, but an idea for a design.
There is no efficient zero knowledge proof that has the required properties.
cryptography mailing list