Yes they do. This is basically Group Signatures. I am just asking whether BBS04 is the state of the art still. In there, the group manager is the only one who can deanonymize people.
Is there any way to provably opt out of this latter feature, so we can be sure NO ONE can link signatures to users? That’s Chaum’s original 1991 conception.
The alternative is to use ZK mixers on distributed ledgers that have solved the double spend problem, but the jury is out on just how anonymous and unlinkable they really are in practice: https://arxiv.org/pdf/2201.09035.pdf
Is there any way to provably opt out of this latter feature, so we can be sure NO ONE can link signatures to users? That’s Chaum’s original 1991 conception.
The alternative is to use ZK mixers on distributed ledgers that have solved the double spend problem, but the jury is out on just how anonymous and unlinkable they really are in practice: https://arxiv.org/pdf/2201.09035.pdf