“Digital cash” without privacy is meaningless
I am involved in both the standardisation and implementation of so-called CBDC: Central Bank Digital Currency. This is supposed to be the payment system of the future.
The ECB published an initial announcement to proceed with the Digital euro project a few years ago. Its web site looks really nice, and has an FAQ section, where I found this (Question 7: how would the Digital euro work?):
Digital euro payments would always be safe and instant — whether in physical stores, online shops or between people.
The digital euro would offer both online and offline functionalities, meaning you could use it even when you have poor or no network reception. Moreover, personal transaction details of offline digital euro payments would only be known to the payer and the payee, providing a cash-like level of privacy.
I really do like the fact that they emphasize privacy and security; that’s what cash money is supposed to do. Unfortunately, there is a small problem with this description: it is impossible (see below). The following three properties of a payment system cannot be simultaneously true:
- Cryptographically secure.
- Allowing for offline payments.
- Providing privacy.
If you want to have all three properties, you have to compromise somewhere. Currently, there are two methods we use for payments:
- Cash allows for offline payments (by definition) and very good privacy. Unfortunately, its security is limited by complicated technical measures that aren’t always easy to verify.
- Electronic money, including credit cards, debit cards, and other payment means, all have pretty good security, but offer no privacy at all. These systems provide limited possibilities for offline payments.
Alternative to cash
CBDC is announced as an alternative to cash. For me, that means that privacy protection is a fundamental property of a good solution. If I want to pay electronically without regard for privacy, there are many solutions already available today.
To understand why privacy is important, let me give you an example: Say you are a teenage girl who wonders if you are pregnant. You probably don’t want to tell your parents. What would you use to buy a pregnancy test? At the moment, there is no electronic payment method that you would want to use. Fortunately, there’s still cash.
A system called CBDC would be completely worthless if it didn’t provide privacy. I for sure don’t want to live in a world where privacy protection during payment is not available. Do you?
A CBDC without built-in privacy protection would be yet another electronic payment system, and probably overly complicated for no good reason.
Oh, and just in case you’re wondering, the use of “block chains” with proof of work makes no sense for payment systems, unless you are a fan of systems wasting energy and lacking financial stability.
Why can’t I have a perfect payment system?
The three properties that we would all like to have can’t all be satisfied at once. The reason this is impossible is mathematical. Mathematics has the irritating property that it does not listen to rhetoric.
Let me try to explain this.
Let’s start with security. If you want something to be secure, you need cryptography. The most important rule about cryptography is that it is as secure as the way you manage your keys. So where are these keys going to be? The user will have to have some kind of device (in practice, her mobile phone) that contains keys. If these keys are owned by the system (which is the case for all keys used by payment applications today), you as a user cannot see what is going on in the system. The system can promise to give you privacy, but you cannot check it. Even worse, the system can take away your privacy without your consent.
On the other hand, if the keys are owned by you, there are ways to make the payment method protect your privacy. There are a few experimental systems, such as GNU Taler, that work this way. These systems need an online connection (at least once in a while) to prevent you from copying your money and spending it multiple times.
Offline payments require that two users can verify each other’s money during payment without an online connection. This means some kind of signature is needed (like the literal signature on most bank notes). But since digital data is trivial to copy, there is a need for protection against abuse. This implies that there needs to be a “secret compartment” in the payment application to prevent copying: this again reduces privacy because the user can’t see what is going on.
Note that a payment method can never be completely offline: every once in a while, “clearing and settlement” is needed. Even in pure cash systems, money is regularly taken in by banks for cleaning, verification and counting.
Privacy (which happens to be the subject of my Ph. D. thesis) is only possible with systems that give users ownership of their keys. In a time before electronic payments and mobile phones, there was DigiCash, which offered a very high level of privacy and offline payments. Security depended on the smart cards. If a user could break her own card, she could spend money more than once (to be detected afterwards). The payments were offline, where users had to “withdraw” digital money from the bank.
A clever protocol ensured the user’s identity was completely hidden. But if someone managed to break her card and spend money twice, this action would divulge information that would eventually lead to her identity. The clever mathematics can be found in this article.
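The idea that one payment hides the payer while two payments with the same coin expose her can be shown with a line over a prime field. This is an added, simplified sketch, not DigiCash's protocol and not taken from the linked article: the bank's signature on the coin and the payee's check that a response is valid are left out, and all names (`Coin`, `Bank`, `challenge`, `slope_for`) and the modulus are assumptions.

```python
import hashlib
import secrets

P = 2**127 - 1  # prime modulus of the toy field (assumption of this sketch)

def challenge(merchant_id: str, nonce: bytes) -> int:
    """Payee-specific challenge: a nonzero field element derived from a hash."""
    digest = hashlib.sha256(merchant_id.encode() + nonce).digest()
    return int.from_bytes(digest, "big") % (P - 1) + 1

class Coin:
    """Lives in the payer's wallet; identity u and slope k are never sent."""
    def __init__(self, identity: int):
        self.serial = secrets.token_hex(8)
        self._u = identity % P
        self._k = secrets.randbelow(P - 1) + 1  # fresh random slope per coin

    def pay(self, c: int) -> int:
        # Reveal one point on the line r = u + k*c (mod P).
        return (self._u + self._k * c) % P

def slope_for(candidate: int, c: int, r: int) -> int:
    """Slope that makes ANY candidate identity fit a single (c, r) transcript."""
    return (r - candidate) * pow(c, -1, P) % P

class Bank:
    """Sees transcripts only at deposit time (clearing and settlement)."""
    def __init__(self):
        self.seen = {}  # serial -> (c, r) of the first deposit

    def deposit(self, serial: str, c: int, r: int):
        if serial not in self.seen:
            self.seen[serial] = (c, r)
            return ("ok", None)
        c0, r0 = self.seen[serial]
        if c0 == c:
            # Same transcript handed in twice: payee error, reveals nothing.
            return ("replay", None)
        # Two distinct points determine the line, and its intercept is u.
        k = (r - r0) * pow(c - c0, -1, P) % P
        return ("double-spend", (r0 - k * c0) % P)

if __name__ == "__main__":
    coin, bank = Coin(identity=424242), Bank()  # constructed sample identity
    for shop in ("shop-a", "shop-b"):
        c = challenge(shop, secrets.token_bytes(8))
        print(shop, bank.deposit(coin.serial, c, coin.pay(c)))
```

`slope_for` is why a single payment is private: every possible identity has a slope that explains the one observed point, so the transcript alone singles out nobody.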
Conclusion: a message for CBDC providers
If you want to provide a payment product claiming it is a “replacement for cash”, please start with privacy. If you don’t plan to start with privacy, you’re wasting your time, because you’re making something that is already there.
If you do care about privacy, have a good look at systems that have been designed in the past, like ECASH, IEP, CAFE, GNU Taler. Study these, and find out why these work in the way they do.
Specifically note how the old IEP made it possible to provide a level of payment privacy in offline payments even using only symmetric cryptography. It was quite popular in the Netherlands and Belgium (under brand names like “Chipknip”, “Chipper”, “PROTON”). [Note: the current “Chipper Cash” is something different, and doesn’t provide privacy.]
These systems aren’t popular today because they are seen as “too complicated” or “too expensive”. That is true: making a privacy protecting payment system is complicated. But “expensive” is not relevant: whether a system is expensive is only determined by popularity, and not the other way around.
Your solution will probably be complicated, because it needs to be. But if you do it right, you have a chance to help the world move forward, and to give future people an option to buy what they need, even if embarrassing.
For a lot more on CBDC, including how China pushes it, see this article by Bill Buchanan.