It's not impossible: techniques like those Monero uses can allow for good on-chain privacy, and the limited amount and central administration of cash going in and out make money-laundering worries a much smaller concern. The offline transactions are interesting though; I suppose again the central administration means that double-spending is not going to be quite as exploitable.
There is of course the technical issue: crypto is hard, and attacks never get weaker. In the realm of privacy this is especially important, because you only have to lose your privacy once to not have it.
There is also the issue of contradicting incentives. To keep payments safe from crooks, no one should be able to follow any trails. But to trace crooks making payments, the authorities need to be able to follow the money.
A central digital coin concentrates a lot of power. Money and power are a magnet for crooks.
Not saying this can't/won't/shouldn't work, but it's quite a promise to make...
Sure! If only everything in crypto were as simple as hashing, but protocol design, and privacy in particular, is not.
I was thinking along the lines of Bruce Schneier's infamous “Attacks always get better, they never get worse”.
In terms of hashes, MD5 was once pretty secure. But we can't go back in time; we can't unlearn how to create hash collisions. And we can't force the world to only use 8-bit or 16-bit hardware from the 90s when brute forcing.
If the privacy of EU citizens were to rely solely on securely designed crypto around a public ledger, consider that 20 years of unbreakable crypto might be too little. What if every transaction you made 20 years ago were accessible to anyone? What if in 25 years they figured out how to make changes and no one could tell which one was authentic?
Sounds like sci-fi? It would probably be trivial for a blockchain based on good old trusted DES.