Of course, I thought about it. The attack won't work because the spend proof must be sent from the owner's address, not from any address.
What is an address? E-mail or so?
How do others checking the block chain know that this private transaction belongs to an address, and how do they find out who sent what from which address? I think I'm missing something. If you mean an address on a P2P network, Kademlia style, then you've undone the anonymity. Because if the address of the sender is included in the block chain, then, eh, the spending history is just as pseudonymous as bitcoin (your address is associated with all you do). And it would also mean that your coins are attached to your P2P address private key.
In the simplest case, address is a hash of the public key, or something similar.
The validators need to check one simple thing: if there are two transactions that (1) embed the same spend proof and (2) are signed by the same address (roughly equivalent to a private key), it is a double-spend. Everything else is fine.
Ah, essentially, you mean that the spend proof is in fact nothing else but a "burning transaction".
Ok, it took some time to start understanding it, but I'm starting to see now what you mean (I think).
Correct me if I'm wrong. The problem that Satoshi faced was to
1) avoid double spending, and for that, it is necessary to have a common, distributed ledger of spending proofs and
2) prove that you have an "original" coin, and not a newly invented one
and the way that Satoshi proposed to solve this was to put *the entire transaction* on the common ledger: you can see when the previous spend happened, and you can trace back each coin to its legit creation.
Indeed, there is no way to "transmit a file" where the file is the money, like a bank note, because files can be copied.
What you propose, essentially, is to go back partially to "files are bank notes", and these files are individual transaction histories of the coin. Only the hash of a spending signature needs to be registered on the common ledger. The "bank note file" itself needs to carry a proof of legit creation (in your proposal, a burning of bitcoin).
That is indeed not a bad idea! It is of course not very private, in the sense that each individual "bank note" carries with it its entire spending history, but on the other hand, only the people receiving it get that file (and not the entire planet), and because of the linear nature of it, if one uses different signatures for each bank note, there's no "network analysis" that can be performed, so the pseudonymous nature is perfectly anonymous in this case, because no "joins and splits" can happen.
So if I understand correctly, the public block chain is just a "bag of hashes" which cannot be verified or anything by any node or miner. It is just a block chain of "data". These data only have meaning for the people receiving "banknote files", which allows them to check the validity of the whole "banknote". The hashes are in fact nothing else but hashes of "signed transactions", like with bitcoin, except that only the *signature hash* goes on the public block chain, and the actual transaction data remain on the individual banknote file. Is that the gist? In fact, you need, as you say, TWO signatures (or hashes of signatures): one is the transaction signature (including the new beneficiary) and the other is the "spend" signature of simply the previous output. The first signature (spending signature) means that you cannot double spend any more (you have invalidated the file up to the point where you transmit it), and the second signature allows the receiver to have a valid "new address" that he can spend (and only he, because only he has the secret key that goes with it, like on bitcoin).
This is indeed a very, very good idea! Money becomes more "physical" again: they are files!
Now, the question is: how does the mining work? Or is this meant as a parasite on top of the bitcoin block chain?
The thing is, you need to burn a bitcoin to obtain something, irreversibly, that is not a bitcoin at all. Nobody is going to burn a bitcoin to have a new altcoin. You would automatically give that altcoin the value of a bitcoin if you could redeem the whole payment history against a bitcoin again. But then, what you have constructed is a *private sidechain* on top of bitcoin.
You "lock up a bitcoin" in the side chain. The side chain is not public, but is just the private "money file". Any legit owner along the chain can transmit the chain to the next one (as you describe more or less), OR can redeem the bitcoin from the original transaction, and as such, end the side chain. It is not *entirely* what you propose, but close.
The redeeming of the bitcoin at the end of the chain is probably somewhat more tricky.
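To make the two checks in this thread concrete, the validator rule from the earlier reply (same spend proof plus same signing address means double spend) and the receiver-side verification of a whole "banknote file" described in the post above, here is a toy model written as an added example; it is not code from either participant. It assumes a Lamport one-time signature over SHA-256 as a stand-in for whatever signature scheme would actually be used (the thread names none; one-time keys suit the design since each address on a banknote signs exactly one hop), and a constructed `genesis` value standing in for the proof of legit creation (the bitcoin burn), which is not modelled. Only the hash of the spend proof, the spending address and a commitment to the transfer go on the public ledger; recipients stay in the file.

```python
"""Toy model of the banknote-file scheme discussed in the thread.

Added example, not the participants' code. Assumptions: Lamport one-time
signatures over SHA-256 stand in for a real signature scheme (the thread
names none); one-time keys suit the design, since each address on a banknote
signs exactly one hop. 'genesis' stands in for the proof of legit creation
(the bitcoin burn), which is not modelled.
"""
import hashlib
from collections import defaultdict

def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def keygen(seed: bytes):
    """Lamport key pair: 256 secret pairs; the public key is their hashes."""
    priv = [(H(seed, bytes([i]), b"0"), H(seed, bytes([i]), b"1")) for i in range(256)]
    return priv, [(H(a), H(b)) for a, b in priv]

def address(pub) -> bytes:
    """Address = hash of the public key, as the thread suggests."""
    return H(*(x for pair in pub for x in pair))

def _bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(priv, msg: bytes) -> bytes:
    return b"".join(priv[i][b] for i, b in enumerate(_bits(msg)))

def verify(pub, msg: bytes, sig: bytes) -> bool:
    return len(sig) == 8192 and all(
        H(sig[i * 32:(i + 1) * 32]) == pub[i][b] for i, b in enumerate(_bits(msg)))

def make_hop(owner_priv, owner_pub, prev_output: bytes, to_addr: bytes) -> dict:
    """One hop of the banknote file. The spend proof signs only the previous
    output; the transfer signature also covers the new beneficiary."""
    return {"prev": prev_output, "owner_pub": owner_pub, "to": to_addr,
            "spend_proof": sign(owner_priv, prev_output),
            "transfer_sig": sign(owner_priv, prev_output + to_addr)}

def ledger_entry(hop: dict) -> tuple:
    """What goes on the public chain: hash of the spend proof, the spending
    address, and a commitment to the transfer. No recipient, no amounts."""
    return (H(hop["spend_proof"]), address(hop["owner_pub"]), H(hop["prev"], hop["to"]))

def find_double_spends(ledger) -> set:
    """Validator rule from the thread: same spend proof and same address, but
    committing to different transfers. The same entry rebroadcast twice is not
    a double spend."""
    seen = defaultdict(set)
    for sp_hash, addr, commitment in ledger:
        seen[(sp_hash, addr)].add(commitment)
    return {key for key, cs in seen.items() if len(cs) > 1}

def verify_banknote(genesis_output: bytes, genesis_owner: bytes, hops, ledger) -> bool:
    """Receiver's check of a whole banknote file against the public ledger."""
    doubles = find_double_spends(ledger)
    owner, prev = genesis_owner, genesis_output
    for hop in hops:
        if address(hop["owner_pub"]) != owner or hop["prev"] != prev:
            return False  # broken chain of custody
        if not verify(hop["owner_pub"], prev, hop["spend_proof"]):
            return False
        if not verify(hop["owner_pub"], prev + hop["to"], hop["transfer_sig"]):
            return False
        entry = ledger_entry(hop)
        if entry not in ledger or entry[:2] in doubles:
            return False  # never published, or the owner spent it twice
        owner, prev = hop["to"], H(prev, hop["to"])
    return True

def demo():
    """Constructed scenario: Alice -> Bob -> Carol, then Alice re-spends the
    same output to Mallory. Returns (valid before, double spends, valid after)."""
    alice, bob, carol, mallory = (keygen(n) for n in (b"alice", b"bob", b"carol", b"mallory"))
    genesis = H(b"constructed burn proof")
    hop1 = make_hop(*alice, genesis, address(bob[1]))
    hop2 = make_hop(*bob, H(hop1["prev"], hop1["to"]), address(carol[1]))
    ledger = [ledger_entry(hop1), ledger_entry(hop2)]
    before = verify_banknote(genesis, address(alice[1]), [hop1, hop2], ledger)
    ledger.append(ledger_entry(make_hop(*alice, genesis, address(mallory[1]))))
    after = verify_banknote(genesis, address(alice[1]), [hop1, hop2], ledger)
    return before, len(find_double_spends(ledger)), after

if __name__ == "__main__":
    print(demo())  # (True, 1, False)
```

Because the spend proof is a deterministic signature over the previous output, Alice's second spend of the same output produces the same spend-proof hash under the same address, so the validators see the collision without knowing either recipient; Carol's copy of the file then fails verification even though every signature in it is still valid, which is the point of publishing the hashes at all.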