On 14/06/11 6:13 PM, Adam Back wrote:
See also:

Auditable Anonymous Electronic Cash by Tomas Sander and Amnon Ta-Shma
in crypto 1998.

In their setting Sander & Ta-Shma also can identify double-spenders because
their identity is included in one attribute of the DLREP that is
revealed by
simultaneous equation if two different shows are made for the same coin.
Maybe would be something useful you could do with that feature in the
bitcoin setting.

Yes, that feature puzzled me too (I'm working from long dim dark memory here).... When I talked to Tomas back in that time, he gave me the impression he was exploring how Central Banks would do digital cash. The notion at the time was some sort of recoverable privacy.

Which, to my mind was the same sin as the alternate: obsession with privacy, including to the extent of eliminating the core requirements of money. The first law of money is that it has to be safe:


This is the fundamental reason why we have reversable transactions in systems to account for money ... (whatever we think of the result, there is a reason why we have that feature).

This is also why nymous (public-key identified) transaction systems will always beat out coin-based (blinded) systems in the long run.

cryptography mailing list

Reply via email to