With all due respect @riksbanken, offline anonymous CBDCs are perfectly possible and reasonably secure. As a first note, the arguments the paper brings against offline CBDC could very well be used against cash itself. It's not 100% counterfeit-proof, thus useless ... thread below https://twitter.com/business/status/1361684016878006279

Cash itself has been around for hundreds of years and nobody has ever argued that it needed to be 100% secure to work. It was "hard enough" to counterfeit and the penalties for doing so strong enough to deter most attackers. Why do we suddenly need it to be 100% secure?

Secure hardware is tamper-resistant, not tamper-proof, that is correct. However, it is very expensive and very time consuming to break and the rest of the world (that you would need to pass your fake cash to) still plays by the rules.

None of the CBDC projects I'm aware of would allow unlimited balances or large offline transactions. Rate limits and expiration dates would make sure you cannot split your payments into smaller ones or spread them over time, making it a frustrating experience for the attacker.

Finally, it's been done before. @dgwbirch and @chyppings have been involved in Mondex back in the 1990s that used tamper-resistant hardware to do exactly what you're describing as impossible. to see Dave talk about it.

@riksbanken @business I'm happy to show you our implementation of an offline CBDC with controlled anonymity that allows parties to transact offline indefinitely, without _ever_ syncing up with a remote ledger. https://whisper.cash/whispercash-20201102.pdf