MikeIngle@delphi.com writes:

According to the Chaum-protocol description on chaos.bsu.edu, this is an online system - both parties must talk to the bank before a transaction is concluded. Are there any true offline systems? i.e. I can send you an email which is worth money, with no third parties involved, and there is no audit trail or means of tracing.

The main problem is that there is no digital "coin" or object which can be passed around but not duplicated. Other than the bank method, I've read about an "observer" chip which keeps you honest, but the design of the chip would have to be secret, or at least the chip would have to know a secret (i.e. a key) which it would never tell you. If you could extract the key, you could write a "cheater". Shades of Clipper.

Is there a system which allows anonymity and at the same time prevents people from double-spending their cash? How does it work?

Well, one thing that could be done is to write an "electronic check". Someone would deposit money in a bank, and then pay money to other people by writing checks, encrypting each check with with their private key for authentication, and then with the recipient's public key to protect against the possibility that the message might be intercepted. The recipient would then decode the first layer of encryption with his private key (leaving the sender's key-authentication), add his account number to the message and send it to the bank (preferrably, encoding it with the bank's public key). The bank would be able to verify the authenticity of the check by means of the sender's public key, and would then transfer the funds to the recipient's account. Basically, this works the same way paper checks work today, and might be a feasible system. This eliminates the need for both parties to talk to the bank before making the transaction; only the recipient would need to talk to the bank - to cash his check. This doesn't completely solve the traceability issue however. Although accounts could be numbered and the owner's identity kept "secret", it is still theoretically possible to trace the money from one account to another. However there is another way to do it. The bank could simply issue numbered "bills" in exchange for conventional cash, and this would be done completely anonymously. Each number would be worth a certian set value, such as a US dollar, a gram of gold, etc. The numbers could be of a form such that there would be one valid number in a billion or a trillion (or more possible) combinations, eliminating the possibility that someone might find a valid number by random guessing. (As a side comment: Creating different unique numbers is not too difficult. Suppose a bank was going to issue one million bills out of a trillion combinations. They could number the valid bills 0-999999, leaving numbers 1000000-999999999999 as invalid combinations. Each number would then be encrypted with a conventional private-key system, meaning that the valid combinations would end up randomly distrubited thruout the possible domain of numbers. The bank would easily be able to tell anyone who asked weather or not a number was valid, by using its cipher to decode the number, but nobody else would know how to find valid combinations because the bank would keep its cipher secret.) When someone wanted to spend some money, he would give the recipient the numbers of the bills he wanted to spend. To eliminate the possibility of double-spending the same numbers, the recipient would then call the bank, and give them the numbers, and the bank would flag those numbers in its database as being spent (so they couldn't be spent again), and issue new numbers. Since all calls to the bank would be anonymous, there would be effectively no way to trace the money, while security against double spending would be maintained.