I don't have time to write much now, but lots of good points have been made. I'll just toss out the other main idea for handling offline cash, which is Chaum's "Observer". The Observer is a tamper-proof device that sits inside (or plugs into) your computer, smart card, or PDA, and makes sure that you don't double spend. In fact, it is impossible to double spend because the Observer has to participate in every transaction. Yet Chaum has designed the protocols such that the Observer learns nothing about who you are or where you are spending.

The technical requirements of the Observer in Brands' scheme are that it store 146 bytes plus 18 bytes per coin, and be able to do the discrete log signature, which basically requires 512-bit multi-precision arithmetic. And it has to be tamper-proof. At one time I was skeptical about that but we see with Clipper that the NSA appears to be confident that data can be protected in tamper-proof modules.

With Observers you can have off-line cash that is as secure as on-line but without the costs of on-line validation. As a vendor, which would you rather accept: off-line cash where you rely on legal sanctions to track down cheaters; on-line cash where you call the bank and verify it for every transaction; or off-line cash where you can validate it right there locally without checking with any bank? Depending on the costs which the Observer adds to the digital wallet, that latter choice might be the most attractive.

Hal <hfinney@shell.portal.com>
.