The solution to this is a technique known as blind signatures.
This gives us a way to associate a unique ID with a bill
to be able to detect double spending but doesn't allow the bank to associate
the unique IDs on the bills with the person who acquires that bill.
Here's the idea--Alice will deposit her $100 in the bank,
and along with the bill she'll generate a message that says Bill # rA--
some unique ID generated by Alice--Invisible Primes Bank owes the bearer $100.
She'll go to the bank, give the banker the $100 bill, and ask the bank to sign the message m.
To make it a blind signature, though, she'll insist the bank wear a blindfold
before bringing out the message m and the banker will have to sign it
without being able to see this message.
The bank will give that signed message back to Alice.
This protocol has an obvious flaw in it. The bank doesn't know what it's signing.
Alice could deposit $100 and ask the bank to sign a message for $100 gazillion.
When someone deposits that bill, the banker will no longer be smiling.
The solution to this is a technique known as cut-and-choose.
This is somewhat similar to what we saw in auditing for mix nets.
It has lots of applications to other cryptographic problems as well.
The way we would do that with this scheme is instead of just generating one message like this,
Alice would generate a large number of messages--
let's say 100 of them--send them all to the bank.
The banker who is no longer blind folded or frowny
will randomly pick one of these messages.
Let's say he picks message 38. We'll look at the other ones.
Each one of those should have a message like this but with a different random value.
Check that they're all okay.
If they're all okay, then without looking at message 38, then the banker will be blindfolded
and sign message 38.
The point of this is that Alice generates all the messages,
transfers them to the bank, but the bank doesn't see them until the bank randomly picks one.
Since the bank is picking the one to sign randomly and inspecting all the others,
the probability of Alice being able to cheat without getting caught is 1 in the number of messages.
That could work with blindfolds.
We'd have to be careful how we deliver the messages to the bank
and let the banker pick one and then see them without the blindfold.
But that could work. It's not very convenient though.
What we want to do is figure out a way to do this using cryptography instead of blindfolds.
