This is a response to an untitled anonymous post which raised some good issues. My answers may be a little controversial; feel free to disagree. One question is the ease of theft in a digital cash environment, and the consequences of claiming that secrets have been stolen. This problem was recognized very early on in discussions of digital signatures. The whole point of a signature is so that someone can be held to a commitment. But an easy "out" would be to "accidentally on purpose" let the secret keys be stolen, then to claim that the signature was actually forged. Contrariwise, a business might be vicitimized by actually having its secrets stolen and a forged signature created that committed it to an unfavorable action. I don't know what the best solution of these kinds of problems will be. Probably in the next couple of years we will see some test uses of digital signatures, and then we can see how these conflicts will be handled by the courts. Obviously, traditional methods like handwriting analysis which rely on physical imperfections will not be useful. Instead the issues to be examined would include the security methods used to guard the secrets, who might have had access to them, what the reputations are of the parties involved, and so on. It seems like these cases will not be easy to resolve cleanly. On the other hand, I would hope that people actually can learn to use care in safeguarding their secrets. The pass words and PINs we use today may be complemented by physical checks for voice patterns, thumb prints, perhaps (ironically) handwriting. Another approach would be to raise people's IQ to about 1000, so they could do an unbreakable authentication protocol in their heads :o. Failing that, there have been suggestions (one here a couple of days ago) to use various kinds of information exchange between the authenticating device and the human user in order to prove authorization in such a way that even a thief who has snooped on past exchanges will not be able to use the device. This approach is sometimes called the use of "pass algorithms". Applying this to the double-spending case, I suspect that Bob Hettinga is more on the right track in seeing the solution in the legal system rather than a simple "shucks, you caught me" forfeiting of a bond worth triple damages. There really should be no excuse for double spending, even of a penny, and the penalties could be made strong enough to deter most people. If a bank does not think they will be able to find and prosecute a person who is withdrawing off-line digital cash, they will probably not give any to him. Then if the money is double-spent, the person who withdrew it would be prima facie responsible, with a reasonable presumption that they did it unless there is significant evidence otherwise. I don't know that this is how it will work out but it is one possibility (unless the uncertainty just scares everybody away - but I think the digital signature experience will get people used to the concepts and problems). The other point I wanted to discuss was this issue of the bank authenticating the people who receive the cash. This does raise the spectre of a big brother system where there is some way to identify people with 100% certainty. Obviously this could be abused. My feeling is that there is a rather fine line we could walk in which this potentially-oppressive technology exists, but in which it is wielded in a way which enhances privacy and gives people the maximum degree of control over information about themselves. By analogy, think of a surgeon using a scalpel. This is a tool which is capable of terrible damage, and it is only by using it with the utmost skill that it brings about great benefits. Shunning knives altogether would be as bad as allowing everyone to hack and slash indiscriminantly. In a similar way, authentication technology is IMO a necessary enabling step for uses of cryptography which will enhance privacy. Off-line cash is one example. We have to protect the interests of all parties involved in a transaction or else it will not occur (voluntarily). A bank will not want to give out ecash tokens for which it is liable unless it is confident that it has some recourse in the case of fraud (such as double-spending). If users have to identify themselves to the bank in an utterly non-private way, that is only so that they can then spend the money in perfect privacy. The authentication that exists at the withdrawal step is wiped out by the blinding of the cash that is done before it is spent. It is a matter of balance. Without the authentication, you're not going to have off-line cash, IMO. You will be stuck with on-line systems in which everyone has to verify everything before accepting it. This means you pay a cost in communications overhead and possibly other foregone opportunities. Another example would be digital credentials. These can be thought of as digital tokens, somewhat like cash tokens, which have specific, published meanings. One might mean, "salary > $40K". Another, "age > 18 years". Like ecash, they can be issued and then re-blinded so they are not recognizable. Here we do not have the double-spending problem, but there is still a need for authentication. In order for these credentials to be trusted, the organizations which issue them will have to validate your eligibility. You'll have to show birth certificates, pay stubs, and all of the other kinds of paraphernalia you do today. The thought of this may grate in the minds of those seeking the freedom of digital anonymity. But, again, once this authenticating step is completed, you gain the advantages of a system where you could potentially borrow money, rent cars, and do other things which all involve authentication today, in complete privacy. You authenticate yourself once, and from then on the system works for you. So, my vision of the ideal future is neither a database society, where everything is recorded and tracked and privacy is protected only by a flimsy shield of laws that are widely flouted, nor a digital anarchy where identity is meaningless and trust among transitory pseudonyms is virtually impossible. Rather, I see a foundation of careful, nit-picking authentication upon which is built an elaborate structure of information flows fully under the control of the individuals involved. By adding the option for authentication to the mix, you actually expand the opportunities offered by digital privacy technology. Hal Finney