The real solution is to let the receiver of the money have a "verify" button which will, if connected to the internet, contact a central server and check that no double-spends etc. have happened. Up until verification is done, the money shows as "provisional" in your account - but you can still spend it. Only one person in the chain needs to verify for the whole chain to become permanent.
Then the users and merchants can decide if they wait to click the verify button. And the default for anyone with data connectivity should probably be auto-verification. There is an incentive to verify, because if any double-spending has happened, the first to verify is the one who gets the money.
Double-spends will happen in any system that allows offline transactions, because a user has to be allowed to log into a new device (if they lose their old one), and there is no way to know if the money spent from their old device was synced to the server yet.
I get the idea, but I think this is a terrible UX. People shouldn’t have to worry about whether they have real money or not. Either the system is secure or it isn’t.
> because a user has to be allowed to log into a new device (if they lose their old one)
You can solve for that by having short validity of the offline tokens on the device and having that equal the cool-off period for reclaiming those funds when a new device is provisioned. If I had ₹100 in unspent tokens on my offline-capable device that I lost, and got a new device provisioned the same day, then that ₹100 will show up in my account and be available to load on my device only after, say, a 7-day cooling-off period. In those 7 days, someone who found your device could spend it, and if so you lose it. If you know you are likely to be offline only sporadically for a few hours and not for days, you can reduce the validity (and hence the cooling-off period) significantly to just 12 or 24 hours.
I think this system has to be designed for some users who will never be online. Think of villages where there is no internet access yet (only 8% of Eritrea has access to the internet, for example!). Hence there can't be an 'if you don't log in for 7 days you lose your money' mode.
Let me clarify: if you have your device with you (didn't lose the device) and you didn't make contact with another online device for more than the cool-off period, your device tokens won't be refreshed and they will expire and become unspendable. You don't lose that money – it is still in your account and will be available for you to spend as soon as you go online. The "lose your money" scenario is only if you lose your device and someone finds your device and spends the money on the device within the cool-off period. It is equivalent to losing your cash wallet and someone else spending your cash. Except in the case of cash, that stolen/found cash is lost forever and is valid to be spent by the thief/finder forever, whereas in this case there is a small time window after which you automatically don't actually lose your money!
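As an added example (not code from anyone in this thread or from any real payment system), here is a toy model of the scheme the posts above describe: offline tokens with a fixed validity, "first to verify wins" settlement at the central server, and a reclaim that returns unspent value to the account only once the tokens have expired, which is the cool-off period. The account and device names, the HMAC binding of a token to a device key, and the rule that a token must be both spent and redeemed before it expires are my assumptions for the example, not details from the thread.

```python
import hmac
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    token_id: str
    device_id: str   # only this device's key may spend it (assumption)
    amount: int
    expires_at: int  # issue time + validity, in seconds


@dataclass(frozen=True)
class Transfer:
    token_id: str
    payee: str
    spent_at: int
    mac: str         # HMAC-SHA256 over token_id|payee|spent_at with the device key


def _mac(key: bytes, token_id: str, payee: str, spent_at: int) -> str:
    return hmac.new(key, f"{token_id}|{payee}|{spent_at}".encode(), hashlib.sha256).hexdigest()


class Device:
    """Offline wallet. It signs whatever it is asked to, so a cloned or found device
    (same key) can sign the same token twice: that is the double spend under discussion."""

    def __init__(self, device_id: str, key: bytes):
        self.device_id, self.key = device_id, key
        self.tokens: dict[str, Token] = {}

    def pay(self, token_id: str, payee: str, now: int) -> Transfer:
        tok = self.tokens[token_id]
        return Transfer(tok.token_id, payee, now, _mac(self.key, tok.token_id, payee, now))


class Server:
    """The central ledger that every online 'verify' contacts."""

    def __init__(self):
        self.balances: dict[str, int] = {}
        self.device_owner: dict[str, str] = {}
        self.device_key: dict[str, bytes] = {}
        self.tokens: dict[str, Token] = {}
        self.redeemed: dict[str, str] = {}   # token_id -> account credited (first verifier)
        self._seq = 0

    def register(self, account: str, device_id: str, key: bytes, balance: int = 0):
        self.balances[account] = self.balances.get(account, 0) + balance
        self.device_owner[device_id], self.device_key[device_id] = account, key

    def load(self, device_id: str, amount: int, validity: int, now: int) -> Token:
        """Move `amount` from the account into one offline token valid for `validity` seconds."""
        account = self.device_owner[device_id]
        if self.balances[account] < amount:
            raise ValueError("insufficient balance")
        self.balances[account] -= amount
        self._seq += 1
        tok = Token(f"tok{self._seq}", device_id, amount, now + validity)
        self.tokens[tok.token_id] = tok
        return tok

    def verify(self, tr: Transfer, now: int) -> str:
        """Settle one offline transfer. The first valid verification of a token is credited;
        any later one is reported as a double spend and gets nothing."""
        tok = self.tokens.get(tr.token_id)
        if tok is None:
            return "unknown_token"
        expected = _mac(self.device_key[tok.device_id], tr.token_id, tr.payee, tr.spent_at)
        if not hmac.compare_digest(expected, tr.mac):
            return "bad_mac"
        if tr.spent_at > tok.expires_at or now > tok.expires_at:   # assumption: redeem before expiry
            return "expired"
        if tr.token_id in self.redeemed:
            return "double_spend"
        self.redeemed[tr.token_id] = tr.payee
        self.balances[tr.payee] = self.balances.get(tr.payee, 0) + tok.amount
        return "credited"

    def reclaim(self, account: str, now: int) -> int:
        """Return expired, never-redeemed tokens to the account. Before expiry nothing comes
        back, because a found device could still spend them: that window is the cool-off."""
        total = 0
        for tok in self.tokens.values():
            if (self.device_owner[tok.device_id] == account
                    and tok.token_id not in self.redeemed and now > tok.expires_at):
                self.redeemed[tok.token_id] = account
                total += tok.amount
        self.balances[account] += total
        return total


def demo() -> dict:
    """Constructed scenario: a double spend, a lost device, and the cool-off reclaim."""
    s = Server()
    s.register("alice", "alice-phone", b"key-alice", balance=500)
    s.register("bob", "bob-pos", b"key-bob")
    s.register("carol", "carol-pos", b"key-carol")
    t0, validity = 1_700_000_000, 24 * 3600
    alice = Device("alice-phone", b"key-alice")
    for amount in (100, 50, 30):
        tok = s.load("alice-phone", amount, validity, now=t0)
        alice.tokens[tok.token_id] = tok
    to_bob = alice.pay("tok1", "bob", now=t0 + 60)          # same token handed to two merchants
    to_carol = alice.pay("tok1", "carol", now=t0 + 120)
    first = s.verify(to_carol, now=t0 + 600)                 # carol syncs first -> credited
    second = s.verify(to_bob, now=t0 + 3600)                 # bob is later -> double spend
    finder = Device("alice-phone", b"key-alice")             # lost phone: finder holds the same key
    finder.tokens = dict(alice.tokens)
    found = s.verify(finder.pay("tok2", "bob", now=t0 + 3 * 3600), now=t0 + 4 * 3600)
    early = s.reclaim("alice", now=t0 + 4 * 3600)            # inside cool-off -> nothing back
    late_spend = s.verify(finder.pay("tok3", "bob", now=t0 + validity + 10), now=t0 + validity + 20)
    late = s.reclaim("alice", now=t0 + validity + 60)        # tok3 expired unspent -> 30 back
    return {"first": first, "second": second, "found": found, "early": early,
            "late_spend": late_spend, "late": late, "balances": dict(s.balances)}
```

Running `demo()` shows the three outcomes the thread argues about in one place: the merchant who verifies first keeps the ₹100 while the second gets a double-spend rejection, the finder of the lost phone does get the ₹50 spent inside the validity window, and the ₹30 that was never spent returns to the account only once the token has expired.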
> Up until verification is done, the money shows as "provisional" in your account - but you can still spend it.
Who would accept "provisional money" though, if there is a realistic risk of it being double spent and therefore effectively worthless?
> Double-spends will happen in any system that allows offline transactions
Only if you assume untrusted devices. That's why in most past and existing stored-value systems, smartcards are used – these have different security properties.
But these aren't mandatory: Physical cash also can't be replaced when lost, and only rarely when physically destroyed. That model might be preferred in some scenarios.