Objectives and Design Principles in Offline Payments with Central Bank Digital Currency (CBDC)

In this work, fundamental design principles for a central bank digital currency (CBDC) with an offline functionality and corresponding counter measures are discussed. We identify three major objectives for any such CBDC proposal:(i) Access Control Security - protection of a user’s funds against unauthorized access by other users; (ii) Security against Depositor’s Misbehavior - preservation of the integrity of an environment (potentially the wallet) against misbehavior of its owner (for example, double-spending), and (iii) Privacy by Design - ensuring privacy is embedded into the system architecture. Our central conclusion is the alignment of the objectives to concrete design elements as countermeasures, whereas certain objectives and countermeasures have no or minimal interferences with each other. For example, we work out that the integrity of a user’s wallet and, accordingly, the prevention of double-spending race attacks should be addressed through the adoption and integration of \textit{secure hardware} within a CBDC system.

💡 Research Summary

This paper provides a foundational analysis of the design principles and objectives for a retail Central Bank Digital Currency (CBDC) with offline functionality. The authors begin by defining an “offline CBDC” as a system that allows for the transfer of funds between two parties using only peer-to-peer communication (e.g., NFC, Bluetooth), without requiring contact with a Trust Anchor (TA), such as the central bank, and supports consecutive offline transfers (transferability).

The core contribution of the work is the identification and detailed examination of three paramount objectives that any offline CBDC design must pursue:

1. Access Control Security: Protecting a user’s funds from unauthorized access by third parties without physical access to the user’s device or Trusted Execution Environment (TEE). This addresses “first-kind” security threats, such as remote attacks.
2. Security against Depositor’s Misbehavior: Preserving the system’s integrity against malicious actions by the fund owner themselves, primarily the risk of double-spending. This addresses “second-kind” security threats emanating from the user.
3. Privacy by Design: Ensuring that user privacy is an inherent, architecturally embedded property of the system, not merely an add-on feature.

A central and critical insight of the paper is that double-spending during offline periods is inherently unavoidable in principle; it can only be made difficult. Any attempt to prevent it translates into an attempt to exclude the user from their own execution environment and memory. The most prominent proposal for achieving this is through the use of secure hardware (e.g., Secure Elements). Consequently, introducing offline functionality inherently introduces the manufacturers and suppliers of this trusted hardware as additional trust anchors alongside the central bank, thereby expanding and complicating the system’s trust model.

Based on this analysis, the paper proposes a key design principle: the alignment of specific design elements as countermeasures to each primary objective, while minimizing interference between them. For instance:

• The integrity of a user’s wallet and prevention of double-spending (Objective 2) should be addressed primarily through the adoption and integration of secure hardware.
• Privacy protection (Objective 3) should be achieved through architectural choices like Privacy by Design, potentially leveraging cryptographic techniques such as Zero-Knowledge Proofs (ZKPs).
• Access Control Security (Objective 1) is supported by strong cryptographic authentication mechanisms.

The paper concludes that designing an offline CBDC is a complex task that goes beyond technical implementation, requiring careful consideration of expanded trust models and fundamental privacy protections. Its proposed framework of aligning objectives with dedicated, non-interfering design elements offers a pragmatic pathway for future CBDC architects.