Ah, essentially, you mean that the spend proof is in fact nothing else but a "burning transaction".
No, a spend proof and a burning transaction are not the same. The burning transaction happens only once, to convert bitcoins to BBC, while a spend proof is sent with every subsequent transfer of the private currency.
Ok, it took some time to start understanding it, but I'm starting to see now what you mean (I think).
Correct me if I'm wrong. The problem that Satoshi faced was to
1) avoid double spending, and for that, it is necessary to have a common, distributed ledger of spending proofs and
2) prove that you have an "original" coin, and not a newly invented one
and the way that Satoshi proposed to solve this was to put *the entire transaction* on the common ledger: you can see when the previous spend happened, and you can trace back each coin to its legit creation.
Indeed, there is no way to "transmit a file" where the file is the money, like a bank note, because files can be copied.
What you propose, essentially, is to go back partially to "files are bank notes", where these files are the individual transaction histories of the coin. Only the hash of a spending signature needs to be registered on the common ledger. The "bank note file" itself needs to carry a proof of legit creation (in your proposal, a burning of bitcoin).
That is indeed not a bad idea! It is of course not very private, in the sense that each individual "bank note" carries its entire spending history with it, but on the other hand, only the people receiving it get that file (and not the entire planet), and because of its linear nature, if one uses different signatures for each bank note, there is no "network analysis" that can be performed, so the pseudonymous nature is perfectly anonymous in this case, because no "joins and splits" can happen.
So if I understand correctly, the public block chain is just a "bag of hashes" which cannot be verified or anything by any node or miner. It is just a block chain of "data". These data only have meaning for the people receiving "banknote files", which allows them to check the validity of the whole "banknote". The hashes are in fact nothing else but hashes of "signed transactions", like with bitcoin, except that only the *signature hash* goes on the public block chain, and the actual transaction data remain on the individual banknote file. Is that the gist? In fact, you need, as you say, TWO signatures (or hashes of signatures): one is the transaction signature (including the new beneficiary) and the other is the "spend" signature of simply the previous output. The first signature (the spending signature) ensures that you cannot double spend any more (you have invalidated the file up to the point where you transmit it), and the second signature allows the receiver to have a valid "new address" that he can spend (and only he, because only he has the secret key that goes with it, like on bitcoin).
This is indeed a very, very good idea! Money becomes more "physical" again: they are files!
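A runnable toy of the "banknote file" scheme as the post above describes it: a private file carries the whole transfer history from the burn onward, and the public ledger holds only opaque hashes. This is an added illustration, not code from the OP or from Byteball, and everything in it is my own assumption: a Lamport one-time signature (stdlib only) stands in for ECDSA, since every output gets a fresh key anyway; the ledger stores (key, value) hash pairs and enforces nothing except that a key is never written twice; and the ledger key is derived from a per-output "spend secret" that only the current owner knows, so nobody can occupy that slot before the owner actually spends. The bitcoin burn itself is a constructed string and is not verified here.

```python
"""Toy 'banknote file' with hash-only public ledger (added example, not OP code)."""
import hashlib
import os


def H(*parts: bytes) -> bytes:
    """Length-prefixed SHA-256 over several byte strings (avoids concatenation ambiguity)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()


# --- Lamport one-time signature: assumed stand-in for ECDSA -----------------
def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = b"".join(H(a) + H(b) for a, b in sk)          # 256 pairs of 32-byte hashes
    return sk, pk


def _bit(digest: bytes, i: int) -> int:
    return (digest[i // 8] >> (7 - i % 8)) & 1


def sign(sk, msg: bytes) -> bytes:
    d = H(msg)
    return b"".join(sk[i][_bit(d, i)] for i in range(256))


def verify(pk: bytes, msg: bytes, sig: bytes) -> bool:
    d = H(msg)
    for i in range(256):
        off = 64 * i + 32 * _bit(d, i)
        if H(sig[32 * i:32 * i + 32]) != pk[off:off + 32]:
            return False
    return True


class Wallet:
    """Credentials for one output: a one-time signing key plus a spend secret s
    whose commitment c = H(s) is folded into the address (assumed design)."""
    def __init__(self):
        self.sk, self.pk = keygen()
        self.s = os.urandom(32)
        self.c = H(self.s)
        self.address = H(self.pk, self.c)


class PublicLedger:
    """The 'bag of hashes': nodes see only opaque keys and values."""
    def __init__(self):
        self.entries = {}

    def publish(self, key: bytes, value: bytes) -> bool:
        if key in self.entries:            # first writer wins; no other rule
            return False
        self.entries[key] = value
        return True


def mint(burn_txid: str, owner: Wallet) -> dict:
    """Start a banknote file from a (constructed, unverified) bitcoin burn."""
    return {"burn": burn_txid, "first_owner": owner.address, "transfers": []}


def spend(coin: dict, owner: Wallet, to: bytes, ledger: PublicLedger):
    """Append a transfer and post the spend proof H(s, 'spend') -> H(tx).
    Returns the new file for the receiver, or None if the output is already spent."""
    tx = H(owner.address, to)
    if not ledger.publish(H(owner.s, b"spend"), tx):
        return None
    record = {"to": to, "pk": owner.pk, "c": owner.c, "s": owner.s, "sig": sign(owner.sk, tx)}
    return dict(coin, transfers=coin["transfers"] + [record])


def validate(coin: dict, ledger: PublicLedger, expected_owner: bytes) -> bool:
    """Receiver's check: walk the history from the burn; every hop must be signed
    by the then-owner and the ledger must hold the spend proof for this very tx."""
    current = coin["first_owner"]
    for t in coin["transfers"]:
        tx = H(current, t["to"])
        if H(t["pk"], t["c"]) != current:                 # signer is not the owner
            return False
        if not verify(t["pk"], tx, t["sig"]):             # beneficiary tampered
            return False
        if H(t["s"]) != t["c"]:                           # wrong spend secret
            return False
        if ledger.entries.get(H(t["s"], b"spend")) != tx:  # unspent, or spent elsewhere
            return False
        current = t["to"]
    return current == expected_owner


def demo():
    ledger = PublicLedger()
    alice, bob, carol = Wallet(), Wallet(), Wallet()
    coin = mint("constructed-burn-txid", alice)
    to_bob = spend(coin, alice, bob.address, ledger)
    ok_bob = validate(to_bob, ledger, bob.address)
    # Alice tries the same output again: the ledger slot is taken.
    refused = spend(coin, alice, carol.address, ledger) is None
    # She hands Carol a forged file anyway; the ledger value points at Bob's tx.
    forged_tx = H(alice.address, carol.address)
    forged = dict(coin, transfers=[{"to": carol.address, "pk": alice.pk, "c": alice.c,
                                    "s": alice.s, "sig": sign(alice.sk, forged_tx)}])
    ok_forged = validate(forged, ledger, carol.address)
    # Bob legitimately passes the note on; Carol can validate the two-hop history.
    ok_carol = validate(spend(to_bob, bob, carol.address, ledger), ledger, carol.address)
    return ok_bob, refused, ok_forged, ok_carol
```

Note what the ledger does and does not learn: it sees one fresh-looking key and one hash per transfer, never the burn, the addresses or the amount, and the only rule its nodes enforce is "no key twice". Everything else, including the double-spend decision, is made by the receiver holding the file.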
Wow, you did a good job of explaining the concept in a clearer way! Anyone who didn't understand the OP should jump here and read your post. Except for one correction: in the paragraph below, where you say "signature" you are actually referring to a "hash" rather than a cryptographic signature.
So if I understand correctly, the public block chain is just a "bag of hashes" which cannot be verified or anything by any node or miner. It is just a block chain of "data". These data only have meaning for the people receiving "banknote files", which allows them to check the validity of the whole "banknote". The hashes are in fact nothing else but hashes of "signed transactions", like with bitcoin, except that only the *signature hash* goes on the public block chain, and the actual transaction data remain on the individual banknote file. Is that the gist? In fact, you need, as you say, TWO signatures (or hashes of signatures): one is the transaction signature (including the new beneficiary) and the other is the "spend" signature of simply the previous output. The first signature (the spending signature) ensures that you cannot double spend any more (you have invalidated the file up to the point where you transmit it), and the second signature allows the receiver to have a valid "new address" that he can spend (and only he, because only he has the secret key that goes with it, like on bitcoin).
Now, the question is: how does the mining work? Or is this meant as a parasite on top of the bitcoin block chain?
We are talking about two similar but distinct designs here:
1) BBC proposed in the OP is a parasite on top of the bitcoin blockchain. It was never implemented.
2) Blackbytes in Byteball, the coin I launched earlier this week (https://bitcointalk.org/index.php?topic=1608859.0): there is no mining at all, the coin is in its testnet phase, and you can already play with blackbytes.
The thing is, you need to burn a bitcoin to obtain, irreversibly, something that is not a bitcoin at all. Nobody is going to burn a bitcoin to get a new altcoin. You would automatically give that altcoin the value of a bitcoin if you could redeem the whole payment history against a bitcoin again. But then what you have constructed is a *private sidechain* on top of bitcoin.
You "lock up a bitcoin" in the side chain. The side chain is not public, but is just the private "money file". Any legit owner along the chain can transmit the chain to the next one (as you describe more or less), OR can redeem the bitcoin from the original transaction, and as such, end the side chain. It is not *entirely* what you propose, but close.
The redeeming of the bitcoin at the end of the chain is probably somewhat more tricky.
You can't redeem BBC back to bitcoin. "Unburning" would mean dumping the entire history of the coin to the public, which is clearly against its purpose. But you can exchange it.