[cryptography] sander & ta-shma + bitcoin, b-money, hashcash (Re: Is BitCoin a triple entry system?)

James A. Donald jamesd at echeque.com
Tue Jun 14 05:40:10 EDT 2011

On 2011-06-14 6:13 PM, Adam Back wrote:
> See also:
> Auditable Anonymous Electronic Cash by Tomas Sander and Amnon Ta-Shma
> in crypto 1998.
> http://www.math.tau.ac.il/~amnon/Papers/ST.crypto99.pdf
> It's basically the idea of using non-interactive zero knowledge proof of
> membership in a list of coins as an alternative to blinding.
> The interesting thing is then the bank doesn't need a private key and doesn't
> much need to be trusted. Anyone can audit the list of coins, it is
> published; same for double spend database. The ZKP is a representation
> problem (like Stefan Brands ecash/credentials).
> They use Merkle trees to improve the computation efficiency (reduce the
> size of the representation problems that have to be presented and verified).
> Like bitcoin it provides auditability, but better than bitcoin it provides
> cryptographically secure anonymity. With bitcoin it is not anonymous, just
> pseudonymous but traceable - because there is publicly auditable signature
> chain showing transfers between pseudonyms.
> Sander & Ta-Shma propose using it with a physical bank providing exchange,
> but that could be replaced with variable cost hashcash like bitcoin.
> I don't understand why bitcoin didn't use it

It is not a design, but an idea for a design.

There is no efficient zero knowledge proof that has the required properties.
