Cash is the most familiar form of central bank currency. Cash is but one form of money. Money is a three legged construct, a numeraire (or unit of account) used for quoting prices, a medium of payment and a store of value. For most retail uses, the forms of money include commercial bank deposits and cash. The issuance of cash by the central bank is an expression of monetary sovereignty. Commercial bank deposits are already digital and widely used through debit cards and indirectly through credit cards. These use private networks. A digital version of cash can provide a modern public payment alternative. 80% of central banks are working on central bank digital currency according to a Bank of International Settlement survey from January 2020. Now the percentages are probably higher.
Cash has many positives. One of its greatest negatives, its physicality, causes cash to require physical presence to spend. It is also a mark of its greatest positive, cash is an anonymous token, physical possession is enough to ensure the ability to use cash. Two other properties are notable, cash can work in an offline setting, a formal bank account is not needed to hold and spend cash. All of these effects are interrelated. This is one of the greatest challenges for CBDCs, physical limitations are taken away, but the ability to function in an offline setting and privacy have to be solved. An analogue of physical possession has to be re-introduced into the digital sphere to address these questions. The proposed solutions run the gamut from smart bank notes to mobile devices and smart cards. Smart bank notes have the form factor of a regular bank note. A solution for peer-to-peer offline payments is described in a paper published by Visa
Visa proposes a two-tier hierarchical infrastructure, undergirded by public-key cryptography. Public Key Infrastructure (PKI), with its familiar Certificate Authority(CA) and intermediate CAs creating a chain of trust that terminates at the edges is the core idea. The central bank is the root CA for generating digital signatures, other financial institutions function as intermediate certificate authorities. These are the two tiers. These institutions on-board customers and provision their devices. The offline capability enables secure peer-to-peer offline payments using verified and certified hardware. A offline payment system (OPS) protocol for CBDC enables instant payments through a point-to-point channel without any intermediary. Consistency with the accounting system is achieved when reconnection to the network happens. Due to the decentralized nature of these payments, each payment can be done in real time and creates an elastic and scalable system for payments. The absence of intermediaries causes a double spend problem due to the absence of a global witness. The paper discusses how such a problem is solved due to the security of an offline protocol running on trusted hardware.
The main contribution of the paper is the Offline Payment System (OPS) protocol which prevents double-spending using digital signatures generated in the Trusted Execution Environments (TEEs) available on smartphones and tablets. Any reasonably modern smartphone, or a tablet or laptop has a TEE. The protocol guarantees the following properties: the payor must be able to pay any amount upto the balance noted in their wallet; the payee must be able to independently verify the authenticity of the received payment; payee owns the funds transferred with instant certainty; the payee must be able to participate in another offline transaction as a payor; the total amount between any payor and payee is conserved . This results in the following security properties: no double spending; complete wallet security; no generation of money from thin air.
Notwithstanding all this, there are several limitations with this scheme. Some are noted in paper: the ability to counterfeit CBDC has a strong incentive and hence will attract the attention of criminals and state actors; such an ability can be replicated frictionlessly compromising the whole system (they call this an inability to gracefully degrade- the whole system may have to be shutdown to protect against large scale failure) ; recovery of funds due to loss of device through theft, damage or loss is impossible. One of the others relates to readiness, the offline balance on the protected device has to be created during an online session. Since emergencies and crises happen without warning, such a contingency needs planning and forethought; not everyone’s forte. A behavioral tweak would be to support a wallet feature that segregates a set percentage or a fixed amount into offline storage every-time it detects a stable connection to the dispensing server.
The reason for an offline interaction can be a result of a planned trip to a location where there is no internet, residence in an unconnected location or a loss of connectivity due to a natural disaster. The efficacy of such a system will depend on several factors like the size, extent and resilience of such a payment network. In other words, are there people willing to accept payments in the offline setting and how long and how wide the disaster driven disconnection lasts. An independent and decentralized system with solar or mini hydro-electric generation capability can also create a resilient system that can protect users from the dangers to a nation-wide grid outage due to a solar storm or a deliberate cyber-attack. Some powered devices are necessary to run these cryptographic protocols. A large scale tech-destroying solar storm could disrupt the electric grids and hence internet connectivity sometime in the next hundred years. It behooves the designers of a large scale payment system to take this into account.
If a two-tier architecture is dispensed with, a system of direct Fed accounts is possible. The two tier model can also be revived, if the customer facing tier is managed by the United States Postal Service for the US or some other expression of a distributed national infrastructure in other countries. Such a scheme is not very far-fetched as the USPS used to administer bank accounts with low balance requirements and low barriers to entry. The distribution of stimulus payments directly to small businesses and individuals has faced criticism due to its over-reliance on commercial banks and the inefficiency of such a network. The federal government already sends social security, WIC, SNAP, disability and other direct payments to many people. Many of them are unbanked and pay check cashing outfits and other private operators large fees.
A retail CBDC with a wallet that implements an effective offline privacy protocol may create a more private token, disconnected from a central system. Of course the OPS protocol as it stands has to be modified to fit this paradigm. Especially the registration and the provisioning parts of the protocol. Privacy and transparency for compliance are in opposition. There are three classes of data that need to be protected for privacy. One is the direct identity data, i.e. one that can be tied to a specific entity like a social security number or even a pseudonymous string like a public key, the second is transaction data like a payment amount, the third is meta-data, a device address where the transaction originated is one example. Each of these classes of data have known techniques to protect them. However a determined and well-funded attacker can subvert them. Many of the cryptographic techniques are also computationally costly. Better privacy protection seems to be a combination of these techniques along with legal protection. Although the north star of privacy is cash; even cash requires a non-private payment. A full exploration of privacy in CBDC is beyond the scope of this article.
To recap, offline and disaster readiness as well as privacy are desirable properties for a CBDC, these are derived from our experiences with cash. All of them seem to be tied to physical possession of digital goods. An oxymoron that holds a contradiction in its heart.es