1: A coin is almost twice the size of a coin in the RSA protocol
Nah, it can be the same size as in the RSA-based Digicash protocol. (Pick x to be 128 bits, and repeatedly iterate SHA to get a 1024 bit y value, like Digicash does in their RSA-based Chaumian protocol.)
2: Nobody except the bank can verify that a coin has face validity.
So your comment makes me glad I posted the scheme (even if it turns out to be only of academic interest :-). I claim that statement 2 is also true of Digicash's protocol as well. Recall that Digicash is using an *online clearing* protocol-- so you can't tell whether a coin is valid without consulting the bank. Consulting the bank is absolutely necessary to prevent double spending. So if you ever wrote an application which made a security-critical decision based on whether the RSA signature verified correctly in the Digicash protocol, and you didn't consult the bank re: double spending, you'd be 100% vulnerable to a simple double spending attack. In particular, I claim that the only reason the bank needs to publish its RSA public exponent e is to allow you to blind the RSA signature: it's specifically *not* intended for you to verify coin validity. Everyone, feel free to jump in correct me if you disagree.
For computer mediated management of contracts, transactions, and credit ratings, we need contracts such that all intermediate transactions can be reduced to locally verifiable cryptographic protocols.
Well, if that's what you want, no currently shipping protocol gives you that. The current Digicash protocol does *not* let you do offline clearing. I don't claim to be able to solve the offline clearing problem; I just hoped to point out that there is/(seems to be) nothing special about RSA. (Indeed, one researcher has kindly emailed me to point out that several well-known digital cash schemes use a El Gamal-based protocol.)