Anonymous offline digital cash scheme

Question

Can a digital cash scheme exist that is anonymous and offline using blind signature and anonymous signature?

Answer 1

Blind signatures are online by definition. They involve at least two independent parties that interact during the signature generation process. A protocol is "online" if a successful execution of the protocol requires an exchange of messages between two or more independent parties. Consequently, no application of blind signatures, including a digital cash system, can be completely offline.

Furthermore, any transaction within a digital cash system has to be, to some extent, completed "online". "Digital cash" refers to a system that allows you to complete a transaction by exchanging nothing more than information and in which, somehow, your credits are stored digitally on your device. Your digital cash can't be spent without access to the digital information only you possess.

This means, firstly, that each potential owner of credits in a digital cash system has to appear as a black box to any other potential owner of credits within the same system. The only requirement is that each potential credit owner is able to play out the protocol steps involved in a transaction. There is no way for one party to digitally verify that another party is using specific hardware or software that guarantees that the other party is not tampering with audit trails of transactions that have never been committed to any other party.

With logical necessity: If you want to pay someone some amount, you have to communicate this somehow to someone, or else there will be no transaction. You cannot commit to a transaction if you keep all records of the transaction to yourself, because in such case you could simply delete those records at a later time, and there would be no way for anyone to know that the transaction had ever taken place.

Answer 2

Usually by offline digital cash we mean that, contrary to credit cards protocols, when the payment is performed between a Spender and a Merchant, none of them needs to communicate with a Bank or with a Central Authority.

If we agree on that definition of "offline", then YES, there exist several schemes that guarantee anonymity, prevent counterfeiting (double spending of the same digital coin) and are totally offline. Such schemes have usually three phases: withdrawal, spending the coin, deposit.

• withdrawal: Spender asks the Bank for a digital coin of a certain amount, the Bank checks if such amount is less then the money the Spender owns, and, if that's the case, gives a digital coin to Spender.
• spending the coin: Spender goes to Merchant's shop and spends the coin buying some goods. In this phase no communication with the Bank or any Central Authority is needed.
• deposit: some days later, Merchant deposits the coin to the Bank and the Bank accredits the amount to Merchant's account.

When I say "digital coin" I mean just a file which is transferred from Bank to Spender, from Spender to Merchant and from Merchant to Bank. Of course such a file must have several properties, as digital stuff is maybe the easiest thing to duplicate (and you really don't want that for money). This is why those files must be signed. And if you want payments to be anonymous, then we need to use blind signatures.

Such schemes are usually very complicated, as they need to guarantee all these properties (anonymity, double-spending prevention, offlinety -is that even a word?), and that's why I'm not going to describe any here. But be aware they do exist: you can find Brand's digital cash scheme on the book "Introduction to cryptography with coding theory" by L.Washington and W.Trappe. For my master thesis I'm studying this scheme.pdf proposed by C.Popescu. Both the schemes achieve the properties you required in the question.