Thank you for the detailed critique! I think, we're not talking about the same Chaumian cash. The referred 1988 paper proposes an off-line system, where double spending compromises anonymity and results in transaction reversal. I agree with you that it was a mistake on my part to deny its peer-to-peer nature; should be more careful in the future. I strongly disagree that potentially anonymous systems do not deserve to be called cash. For the past approx. 100 years, banknotes have been used as cash and there seems to be no preference on the market for coins, even though banknotes have unique serial numbers and are, therefore, traceable. I maintain, that anonymity and untraceability are primarily not privacy concerns but -- to some extent -- necessary conditions for irreversibility, which is the ture reason why cash is such a mainstay in commerce and why I would expect its electronic equivalent would be a desirable financial instrument in the world of electronic commerce. In a low-trust environment, irreversible payments are preferable to reversible ones. Simple on-line Chaumian blinded tokens, where the value is determined by the public key and the signed content is unimportant, as long as it is unique, are more like coins. And the most serious problem with them is that of transparent governance. Unfortunately, those hyperinflating their currency are not caught early enough. One way to handle this problem is by expiring tokens. For example, for each value, keys can be introduced in a brick-wall pattern: keys are replaced in regular intervals with two keys being valid at all times, with one expiring in the middle of the lifetime of the other. Tokens signed by the old key are always excahnged for those signed by the new one. This would allow a regular re-count of all tokens in circulation (by the time a key expires, at most as many tokens would have been exchanged for the next key as have been issued), but it raises other concerns. With simple blinded tokens, naive transactions are possible only with the already unblinded ones. One can accept them on faith, and pass on without exchanging. This does not require additional equipment/software. I know of no protocol for transfering blinded tokens with a receipt, but I do not rule out the possibility of its existence. Without it, however, the blinded tokens are useful for a very narrow range of transaction values. Namely, those small enough not to be bothered about receipts, but large enough so that the effort of making a payment does not exceed the transaction value. This confines their usability to part of the micropayment market. To reiterate, the main advantage of the proposed system is that it allows for a very large range of transaction values by providing adequate security for high-value ones, while requiring extremely little effort for low-value ones. And all that at the sole discretion of the users. Regards, -- Daninel