Voice of the Industry

Why accounts do not solve double-spending

Wednesday 13 March 2024 10:01 CET | Editor: Mirela Ciobanu | Voice of the industry

To make a CBDC secure, Lars Hupel from Giesecke+Devrient outlines the approach necessary to achieve a high degree of resilience while allowing the CBDC to cater to plenty of use cases.

 

Admittedly, this is a catchy title. In my previous article, I explained how secure CBDC wallets work, in particular, hardware wallets. One of their chief purposes is to prevent double-spending in offline situations. Now, I would like to focus on the technical details: what double-spending is, how it can be exploited, and how it can be prevented.

 

What is double spending?

Consider cash in the form of banknotes. They are physical objects. In the physical realm, objects cannot (easily) be duplicated. Therefore, a banknote can only be in one place at a time. If I tender some banknotes to another person, the payment is completed at the time when the other person accepts the cash. This is a very simple process.

Unfortunately, we do not have this luxury in the digital world. Broadly speaking, double spending refers to an attack where a digital asset is copied in such a way that two or more people believe that they are the legitimate owner. In digital currencies, it would be like giving the same monetary amount to two recipients. One of them will have received a genuine amount, the other a fake. But which is which?

Another similar attack is counterfeiting. In the physical world, that would be either a completely fake banknote or a real banknote that has been altered to appear to have a higher face value. This also applies to digital assets, where a counterfeiter could convince someone that they have received a genuine amount of money. In the digital world, the line between counterfeiting and double spending is blurry, and the two terms could be used interchangeably.

Note that overdraft may sound related, but it is technically different. For example, when paying with a credit card, my account could reach a negative balance. This does not constitute an attack: as a cardholder, I have an agreement with my issuing bank, and they allow me to be in debt. If I do not repay within a time limit, they will charge fees and/or interest.

 

What is stored in the wallets?

Let us take a look at digital currency wallets. They must store some form of cryptographic data representing a monetary value. For that, the literature distinguishes two major models: accounts and tokens. (I provide a more detailed discussion in my article about tokens.)

In an account system, individual wallets have an account number (or address), containing a balance. As opposed to credit cards (or traditional deposit/checking accounts), a CBDC account would not allow overdraft. The account is protected through a cryptographic key pair. The private key is stored in the wallet and is used to create signatures and authorise transactions.

In a token system, a wallet instead holds individual keys, each representing some monetary value. To spend a token, its private key is used to authorise a transaction, creating one or more fresh tokens in the process.

Both models have advantages and disadvantages. I do not want to go into full detail here, but there is one important aspect: In order to understand how double spending affects digital cash, we need to look at the fundamental property of offline payments.

 

The offline payment trilemma

In their pivotal 2021 paper, Kahn et al. describe the ‘offline payment trilemma’, which can be explained very easily: no digital payment scheme can simultaneously be offline-capable, prevent double-spending, and accommodate loss recovery.

Figure 1. The offline payment trilemma

This can be visualised using the above triangle. When designing a system, you need to pick a side. Physical cash can be used offline and prevents double-spending. But if you lose your wallet, you lose your money. The same reasoning applies to the other sides.

Interestingly enough, this correlates to a well-understood result from computer science, the so-called ‘CAP theorem’. It describes a fundamental limitation of database systems, which need to compromise on either availability, consistency, or resilience against loss of connectivity. This is not caused by poor engineering, but by the physical properties of networks: a law of nature.

With CBDC being a central bank liability, there is no compromise on double-spending. And in terms of features, offline capabilities are highly desirable for resilience and financial inclusion. This leaves us only with one choice: designing CBDC similar to banknotes.

 

How can double spending be detected?

Now, let’s put ourselves into an attacker’s shoes and attempt to double-spend. Consider a hypothetical online-only CBDC.

In an account system, the central bank must check for every outgoing transaction whether the payer’s balance is sufficient. In a token system, the tokens used must not have been used before.

If both parties are connected to the internet, these checks are simple: before a transaction is completed, they send it to the central bank, which returns either ‘yes’ or ‘no’ (simply speaking). To do that, the central bank needs to keep some form of ledger. It does not have to be a distributed ledger or blockchain; a simple database will do.

The story becomes more complicated if there is no connection to the internet. For offline double spending, I have outlined a possible attack in my previous article, where a malicious actor would clone the contents of an offline wallet. Recall that this attack works regardless of how the CBDC is set up. It uniformly affects tokens, accounts, and other/hybrid models.

The crux of the matter lies in information asymmetry. No matter what data you pass between payer and payee, the payee will only ever have local knowledge of the system’s state. But double spending is a global property that can only be determined by the central bank.

 

What defence mechanisms exist?

Now, let us focus on the details: what defence mechanisms can we utilise? In computer science, the term ‘defence in depth’ refers to cybersecurity concepts that do not rely on a single measure, but multiple layers. We can adapt that to digital currency.

Figure 2. Defence in depth for digital currency

  1. The bottom layer is strong hardware security. I already touched on that in the previous article: Secure Elements are tamper-resistant chips that provide a strong defence against attacks such as the one outlined above. Alternatives exist, such as special trustworthy compartments in Intel or ARM processors, but care needs to be taken to evaluate security trade-offs.

  2. In the middle, secure payment protocols and channels provide protection against attacks when money is being moved. For example, wallets should always employ end-to-end encryption to prevent eavesdroppers from cloning tokens.

  3. Finally, the central bank must always be able to tell authentic from counterfeit money. This is very easy with a token system because every token can only be used once.

For offline payments, it is particularly important that all layers work together. Even if a wallet cannot validate a token on the spot during payment, it should reconcile it when it regains connectivity, for example, when the user tops up from their bank account. This reduces overall risk in the system.
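The central-bank checks and the reconciliation step described above, as a small simulation added here for illustration (it is not code from the author or from G+D). Account names, token ids and amounts are constructed, and signatures are left out on the assumption that a cloned wallet holds the same private key and therefore signs validly.

```python
import copy

class CentralBank:
    """Global state: account balances and the set of already-spent tokens."""
    def __init__(self):
        self.balances = {"acct-payer": 20}   # constructed sample account
        self.spent_tokens = set()

    def settle_account_tx(self, tx):
        # Account model: is the payer's balance sufficient?
        if self.balances.get(tx["from"], 0) < tx["amount"]:
            return "rejected"
        self.balances[tx["from"]] -= tx["amount"]
        return "accepted"

    def settle_token(self, token_id):
        # Token model: has this token been used before?
        if token_id in self.spent_tokens:
            return "rejected"
        self.spent_tokens.add(token_id)
        return "accepted"

class AccountWallet:
    """Offline wallet holding only a local copy of the balance."""
    def __init__(self, account, balance):
        self.account, self.balance = account, balance

    def pay(self, payee, amount):
        if amount > self.balance:            # local no-overdraft check
            raise ValueError("insufficient local balance")
        self.balance -= amount
        return {"from": self.account, "to": payee, "amount": amount}

def simulate():
    bank = CentralBank()
    wallet = AccountWallet("acct-payer", 20)
    clone = copy.deepcopy(wallet)            # cloned wallet contents
    # Offline: each payee sees a locally consistent payment and accepts it.
    tx_a = wallet.pay("payee-a", 20)
    tx_b = clone.pay("payee-b", 20)
    # Reconciliation once both payees regain connectivity:
    accounts = [bank.settle_account_tx(tx_a), bank.settle_account_tx(tx_b)]
    # The same outcome for one token copied to two payees:
    tokens = [bank.settle_token("tok-001"), bank.settle_token("tok-001")]
    return accounts, tokens

if __name__ == "__main__":
    print(simulate())
```

Both offline payments pass the local balance check; only the ledger's global view rejects the second one, in the account model exactly as in the token model.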

 

Summary

It sounds simple: Tokens could be reused – constituting double-spending – so a CBDC should be designed with accounts. But it is also wrong. In this article, I have explained the fundamental properties and limitations of digital cash. Especially when it comes to offline payments, we have to make some trade-offs. For example, perfect loss recovery is not possible. To make a CBDC secure, we therefore must rely on a multitude of measures. I have outlined a three-layered approach comprising hardware security, end-to-end encryption, and a ledger at the central bank. Taken together, these achieve a high degree of resilience while allowing the CBDC to cater to plenty of use cases.

 

About Lars Hupel

Software engineer Lars Hupel has a passion: modern payment services. Happily, as Chief Evangelist at G+D, it is their job to share this passion with others. In public lectures and workshops with banks and central banks, Lars spreads the word on Central Bank Digital Currency (CBDC) to a broad audience.       

 

       

About G+D

Giesecke+Devrient (G+D) is a global securitytech company headquartered in Munich, Germany. G+D makes the lives of billions of people more secure. The company shapes trust in the digital age, with built-in security technology in three segments: Digital Security, Financial Platforms and Currency Technology.




Keywords: CBDC, cryptocurrency, digital assets, online security, digital wallet, double-spending, encryption
Categories: DeFi & Crypto & Web3
Companies: Giesecke+Devrient
Countries: World