Secure wallets for CBDC: how do they work?

Lars Hupel from Giesecke+Devrient reveals the secret technical ingredients that make CBDC wallets achieve their goals, in a safe manner.

Everybody knows that to keep CBDC, you need a wallet. Those wallets can come in different shapes, be they physical devices, such as smartphones or smartcards, or virtual, i.e., managed by a financial institution. Wallets are used to perform transactions between users and at the point of sale.

For a tool so crucial, little thought is spent on how they can be secured. Many CBDC security requirements are focusing purely on the backend system, such as the ledger. Of course, the ledger is important too. But the user will interact with the ecosystem primarily through wallets. Let us take a look and understand how to build secure wallets.

Recent articles on the Paypers have explored the CBDC project of the European Central Bank, the Digital Euro, as well as the British counterpart, the Digital Pound. Both projects focus on use cases for retail customers. For example, lots of consideration is given to the processes of how users can top up their wallets at their bank, pay each other (possibly offline), and use CBDC for purchases both in ecommerce and in brick-and-mortar stores. This makes sense: a well-designed CBDC can function as a digital public infrastructure, unlocking many benefits for the economy.

Of course, users must have a way to interact with the CBDC ecosystem. Most central banks are exploring a two-tier model, whereby the central bank acts as the sole issuer of CBDC, but intermediaries – such as commercial banks, fintechs, and other financial institutions – are responsible for onboarding users and distributing CBDC. In this setting, intermediaries would provide CBDC wallets and services to users, according to the rules set by the central bank and regulators. In other words, central banks would not be dealing with end users directly.

Figure 1. Some key design criteria of a CBDC

At the core of this discussion are wallets. As I have explained in an earlier article, wallets are combinations of hardware and software that serve as containers of cryptographic keys. Depending on the CBDC implementation model, the keys may either represent funds directly or serve as credentials to unlock funds stored elsewhere. Notably, wallets must satisfy high-security requirements, such as countermeasures against tampering and cloning. Of course, wallets should also provide an easy-to-use interface that allows holders to carry out transactions.

As mentioned above, wallets can come in different form factors. Naturally, this affects their implementation. The most important distinction is between bearer wallets and custodial wallets. A bearer wallet is a device that is in your possession, where CBDC is physically stored on. Conversely, a custodial wallet is located in a data centre and managed by a financial intermediary. Think of it this way: The cash in your purse you bear, whereas a safe deposit box with cash at a bank branch is in custody. In both cases it is your money; just the location differs.

Figure 2. CBDC wallets can be categorized according to their location: Custodial wallets are operated by financial intermediaries; bearer wallets are in the user's possession.

For the sake of this article, I will focus on bearer wallets, such as smartcards. They are not a brand-new concept, but they have recently gained a lot of popularity in CBDC design. The reason is simple: bearer wallets enable offline payments. This capability is widely considered to be one of the main drivers of CBDC adoption. At its most advanced, it would allow two people in remote locations without online connectivity to pay each other.

Fortunately, we do not need to invent new devices for that. A small, commodity hardware chip called a secure element provides everything that is needed. Secure Elements are ubiquitous: credit and debit cards, passports, ID cards, smartphones and smartwatches, SIM cards, and many other devices already contain one. For example, in countries with high smartphone penetration, it would make perfect sense to use their embedded Secure Elements as CBDC wallets. That way, users could get onboarded by simply downloading an authorised CBDC app.

CBDC, being a digital asset, is at risk from various attacks. The most described attack is double-spending, whereby a malicious payer uses the same funds to make multiple transactions. If successful, two or more payees would believe to have received the exact same money. In the worst case, this would mean that the amount of money in circulation has increased, like counterfeit cash.

Just as with counterfeit cash, the central bank has tools to detect and prevent attempted CBDC double-spending. These tools only work online, though: in the offline world, a wallet simply cannot reach the backend systems!

Consider the following attack model:

1. An attacker records the storage contents of the payer wallet.

2. The attacker performs a payment to an unsuspecting payee.

3. Now, the attacker resets the storage contents and performs a second payment.

The payees have no way of detecting this unless they are connected to the internet. Therefore, the security of offline CBDC payments hinges on stopping the attack from occurring in the first place.

This is where Secure Elements come into play. Those cryptographic chips are tamper-resistant, which means that they protect against extraction, reset, manipulation, cloning, and other related attacks. For example, they have special shielding and coating and can detect physical attempts to break into the chip. The job of a Secure Element is to safely store cryptographic keys and other sensitive data.

Figure 3. A few examples of popular devices with secure elements. Different form factors, similar functionality.

How is that useful? We need one additional ingredient, still. In the absence of an online connection, we need secure hardware to establish trust between transacting parties. Trust here refers to the mutual understanding that both transacting parties follow the payment protocol faithfully. The easiest way to ensure this is to block unauthorised wallets from participating in the system in the first place. We can guarantee that through certificates.

Bearer wallets can be equipped with individual certificates that prove that they have been issued through authorised intermediaries. For example, when using a smartphone, the vendor would authenticate the wallet; for smartcards, it would be the bank that issued it to the user. This way, wallets can recognise each other’s authenticity before conducting a payment. Payments from an attacker using a fake wallet would be rejected because the attacker’s wallet would not have an authentic certificate. The strong protection mechanisms of Secure Elements guard not only the CBDC value stored therein but also the certificate itself.

We have seen how Secure Elements contribute to the goal of secure bearer wallets. Those small chips are available in different devices and form factors, such as smartcards, smartphones, or SIM cards. They meet high-security requirements to prevent tampering and cloning, which makes them ideal candidates for bearer wallets that physically store CBDC. This in turn enables offline payments, one of the main drivers of CBDC adoption. Secure Elements also mitigate double-spending and other attacks.

But of course, the story does not end here. Relying on one single protection mechanism is never enough. This is why a holistic approach to security is needed: the ecosystem does not just comprise wallets, but also financial intermediaries, the central bank, merchants, and other industry players. Securing the wallets is an important, but only the first step.

About Lars Hupel

Software engineer Lars Hupel has a passion: modern payment services. Happily, as Chief Evangelist at G+D, it is their job to share this passion with others. In public lectures and workshops with banks and central banks, Lars spreads the word on Central Bank Digital Currency (CBDC) to a broad audience.

About G+D

Giesecke+Devrient (G+D) is a global securitytech company headquartered in Munich, Germany. G+D makes the lives of billions of people more secure. The company shapes trust in the digital age, with built-in security technology in three segments: Digital Security, Financial Platforms and Currency Technology.