Offline digital cash?

The question of using digital money in the event of a network outage comes up again and again. Here is an overview of the options and their pros and cons.


Tamper-proof hardware

The first ATMs had offline capabilities, either as standard or as a fallback in case of network failure. In this context, both the ATM itself and the magnetic stripe on the bank card were considered tamper-proof, as magnetic stripe readers were not widely available at the time.

Many years ago, magnetic stripes lost their tamper-proof aura. Chip cards, which are much more difficult (but not impossible) to manipulate, have replaced them.

Many modern processors also allow software to run in a special environment to make tampering with that software and its data difficult or impossible, approximating tamper-proof hardware on consumer devices.

If only tamper-proof systems are used on both sides of a financial transaction, that transaction can be executed offline. Only a connection between those two devices is necessary at the time of transaction. However, this requires a very high level of trust in the supplier of the relevant systems, as they cannot be independently inspected due to the nature of the system, especially not by the customer.

Visualization of the CAP theorem and where possible solutions are placed. Not a distributed system and therefore not in the picture: tamper-proof hardware.

Transparent solutions

But as soon as the system should be independently inspectable (e.g. FOSS), the playing field changes and we have a distributed system. In particular, we need the ability to prevent, or at least detect, any attempt to spend a digital asset more than once. To protect against this double spending, someone has to keep records of the spending. As a result, we have a trusted third party, which is only reachable over a network.

Two levels

It should be noted that we have distributed systems at two levels:

  1. The transaction system between the two payment parties, the (accounting) witness and the network connecting them.
  2. The witness’s database system where the transactions are stored; this distributed system also includes a network connecting its nodes.

The structure, scaling, and failure tolerance of the database system are left to the “witness” (classically a payment service provider). Without loss of generality, we can think of it as a centralized system, i.e., a single database master. (Typically, the system is likely to be a computer cluster with primary/secondary or active/active replication.)

(There is nothing fundamentally preventing the database from being implemented as a blockchain. However, the complexity, lack of predictability or tuning options for system properties, poor manageability, difficulty of assessing behavior in the event of an error (network failure/partitioning), and costs must be weighed against a solution implemented by clearly defined players with transparency, accountability, and defined responsibility.)

We are mainly interested in the transaction system, which we will now examine in more detail:

Basic solution (“centralized”)

In this system, both payment participants contact the witness. As long as the witness is reachable and functional, the transaction is executed.

In this case we have maximum consistency (“Consistency”). However, in case of a network failure (“Partition”), the availability (“Availability”) is zero.


The database system is often implemented using a quorum and geographical distribution. Even if a single data center were no longer accessible, transactions could still be carried out.

Even if individual network connections fail, the system can remain consistently available.

(This case could also have been mapped to a change in the internal structure of the database system; however, it allows for a helpful intermediate step before the next point.)

Regional resilience

Often, some of the digital coins, similar to real-world cash, mainly circulate locally. Then, a regional data center can be assigned the sole (or, at least, main) responsibility for keeping track of these monetary items. This would allow the system to continue to operate even if global network connections are disrupted, as long as they still work locally.

In many cases (money acquired locally is also re-issued locally), this results in higher availability in the partition case, while fully maintaining consistency.

Offline: Consistency

If the network is not available at all, consistency and availability cannot be achieved at the same time. If consistency is indispensable, availability is given up, i.e.:

Payments are no longer possible. (Identical to “central” in case of failure).

Offline: Availability (“opportunistic”)

If availability is key, we get an opportunistic payment system: the merchant must trust the customer’s promise that she has not yet spent that particular coin. If a trust relationship exists and the payment amount is small, the risk of failure can be kept negligible. Once the network is back up and working for everyone again, the merchant gets certainty, one way or the other.

Payments are possible, but only based on trust.

In the eCash anonymous payment system and its derivatives, such as GNU Taler, the customer is automatically deanonymized if one of her coins is spent multiple times. Thus, the bilking customer can be identified and prosecuted. If needed, this process could also be automated; however, so far the offline operation is only provided as a stopgap.
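The following sketch is an added example, not code from the post, eCash or GNU Taler: it simulates the witness and merchants under a partition, in the consistency-first and the opportunistic mode, and shows how a second spend of the same coin can expose its owner at reconciliation. The identity-revealing step is an assumed, simplified challenge-response (each spend discloses one point on a secret line); signatures and the binding of coin to line that real schemes need are left out, and all names are hypothetical.

```python
import secrets

P = 2**127 - 1  # prime modulus; constructed parameter for this sketch

class Coin:
    """Coin hiding the owner on the line r(c) = identity + k*c mod P (assumed scheme)."""
    def __init__(self, identity):
        self.serial = secrets.token_hex(8)
        self._identity, self._k = identity, secrets.randbelow(P - 1) + 1

    def spend(self, challenge):
        # One point on the line does not determine identity; two points do.
        return self.serial, challenge, (self._identity + self._k * challenge) % P

class Witness:
    """Trusted third party keeping the record of spent coins."""
    def __init__(self):
        self.spent, self.reachable = {}, True

    def deposit(self, serial, challenge, response):
        if not self.reachable:
            raise ConnectionError("partition: witness unreachable")
        if serial not in self.spent:
            self.spent[serial] = (challenge, response)
            return "accepted", None
        c1, r1 = self.spent[serial]
        if c1 == challenge:
            return "duplicate", None  # same transcript submitted twice
        # Second spend: solve the two line equations for k, then for identity.
        k = (r1 - response) * pow((c1 - challenge) % P, -1, P) % P
        return "double-spend", (r1 - k * c1) % P

class Merchant:
    def __init__(self, witness, opportunistic):
        self.witness, self.opportunistic, self.pending = witness, opportunistic, []

    def pay(self, coin):
        transcript = coin.spend(secrets.randbelow(P - 1) + 1)
        try:
            return self.witness.deposit(*transcript)[0]
        except ConnectionError:
            if not self.opportunistic:
                return "refused"               # consistency kept, availability lost
            self.pending.append(transcript)    # availability kept, settled on trust
            return "accepted-on-trust"

    def reconcile(self):
        # Once the network is back, the merchant gets certainty one way or the other.
        results = [self.witness.deposit(*t) for t in self.pending]
        self.pending.clear()
        return results
```

The merchant whose transcript reaches the witness second carries the loss from the offline period; the recovered identity is what makes follow-up against the customer possible.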


Offline financial transactions seem to be possible only in black box payment systems. As soon as insight into their functions is requested, offline transactions are possible only opportunistically or not at all.
