A secure and privacy friendly offline digital euro

September 4, 2025

I have been following the development of the digital euro from a certain distance. Today I was invited to discuss my views in a European Parliament/ECON Technical Seminar on Digital Euro. In preparation I studied the current proposals of the European Central Bank (ECB) for an offline digital euro. This got me thinking, and led me (through a twisted path) back to my PhD days at the CWI and the work on Wallet With Observers by my then fellow PhD student Stefan Brands, which I think offers a very nice solution to the problem of implementing a secure and privacy friendly offline digital euro! Allow me to explain.

The offline digital euro should be an electronic equivalent to cash, that one can use in case there is no network connection. I discussed earlier that the unique properties of cash are impossible to achieve in full in a digital form of money. I was also sceptical of the promise of making it as privacy friendly as cash, because of the transaction monitoring necessary to detect ‘double spending’. This is especially a concern in the offline setting where fraudulent copies of digital money cannot be detected in real time.

To prevent double spending of offline digital euro, the current proposals for an offline digital euro assume that the wallets include a tamper resistant hardware element (like a SIM card, a secure element or other trusted component), that cannot be easily copied. The wallet needs the cooperation of this trusted hardware element to spend money, making it much harder to double spend. Because there always is a small risk that a sufficiently resourced and capable attacker is able to break the security of this trusted hardware element, transaction monitoring still needs to take place to detect double spending after the fact. As the current proposals state, this should be done in a privacy friendly manner.

Eurosystem [will] receive the minimum amount of data compatible with the need to detect forgery. This data would not enable Eurosystem to identify individuals.

The question is: how? In essence, a proper method for transaction monitoring should respect privacy, unless a user double spends. This is a prime example of my research on revocable privacy, which was in fact motivated by the work of David Chaum studying digital cash thirty years ago. So I started thinking how to apply these ideas to such a system of digital euro wallets including a secure element. Using direct anonymous attestation, the secure element could prove it is valid. The money in the wallet should be linked to the secure element though, so any blind signature used to prevent the bank from following the coins it issued should guarantee that the (hidden) identity of the user stored in the secure element is indeed encoded in the coin blindly offered for signing to the bank. A search for such a blind signature scheme allowing proofs of statements over the blinded part led me to this blog post by Matt Green, which discusses the work of Stefan Brands.

And this made me feel (very) stupid.

As I was thinking about this problem the last few days, I was of course aware of David Chaum’s work. And there was a nagging feeling that, given that the study of digital cash is already decades old, someone must have solved this problem before. Yet I never thought of the work of Stefan Brands, who actually worked on this problem as he was a fellow PhD student (of David Chaum in fact) at the CWI right at the time I did my PhD there as well! In fact, I knew of his work back then. Luckily Matt’s blog put me on the right track. And prevented me from wasting days on research that had already been done.

His paper Untraceable Off-line Cash in Wallet With Observers describes exactly what is needed. The Observer is the trusted hardware element. The wallet is the app that, in cooperation with the observer, can withdraw and spend digital coins. Without such cooperation, it cannot do so. The observer keeps track of all current coins that the wallet has not spent yet. This prevents the wallet from double spending. The payment protocol perfectly hides the identity of the wallet, and coins are issued in a blind way to prevent the bank from linking spent coins. This way, transaction privacy is guaranteed as desired. However, should an adversary be able to hack the Observer, and convince it to cooperate in double spending, the spending protocol guarantees that if a coin is spent twice, the identity of the wallet is nevertheless released. The wallet and the observer can then be blocked. (Although strictly speaking in Brands’ original protocol only coins can be blocked, which would require the bank and the payment terminals to store a database of all double-spent coins, until they expire - see below. Adding a direct anonymous attestation-like protocol to force the observer to prove it is not blacklisted would remove this limitation.)
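The identity-release step described above can be made concrete. The following is an added sketch, not code from this post or from Brands' paper: it keeps only the challenge-response part of the payment, leaves out the blind issuing by the bank and the observer's share of the secrets, and uses a constructed toy group; all function and class names are assumptions.

```python
import secrets

# Toy parameters (constructed, far too small for real use): p = 2q + 1, and
# g1, g2 lie in the subgroup of prime order q.
P, Q, G1, G2 = 2039, 1019, 4, 9

def new_coin(u):
    """Wallet: build coin (A, B) for identity secret u; keep (u, s, x1, x2)."""
    s = 1 + secrets.randbelow(Q - 1)               # s must be non-zero
    x1, x2 = secrets.randbelow(Q), secrets.randbelow(Q)
    A = pow(pow(G1, u, P) * G2 % P, s, P)          # A = (g1^u * g2)^s
    B = pow(G1, x1, P) * pow(G2, x2, P) % P        # B = g1^x1 * g2^x2
    return (A, B), (u, s, x1, x2)

def spend(secret, d):
    """Wallet: answer the terminal's challenge d (assumed: 0 <= d < Q)."""
    u, s, x1, x2 = secret
    return (d * u * s + x1) % Q, (d * s + x2) % Q

def verify(coin, d, resp):
    """Terminal: accept iff g1^r1 * g2^r2 == A^d * B."""
    (A, B), (r1, r2) = coin, resp
    return pow(G1, r1, P) * pow(G2, r2, P) % P == pow(A, d, P) * B % P

class Bank:
    def __init__(self):
        self.accounts = {}   # I = g1^u -> account holder
        self.deposits = {}   # coin -> first deposited transcript (d, r1, r2)

    def register(self, name, u):
        self.accounts[pow(G1, u, P)] = name

    def deposit(self, coin, d, resp):
        """Return None for a first deposit, else the double spender's name."""
        if not verify(coin, d, resp):
            raise ValueError("invalid payment transcript")
        if coin not in self.deposits:
            self.deposits[coin] = (d, *resp)
            return None
        d0, a1, a2 = self.deposits[coin]
        if d0 == d:
            raise ValueError("same transcript deposited twice")
        # Both differences share the factor (d - d0) * s, so their quotient is u.
        u = (resp[0] - a1) * pow(resp[1] - a2, -1, Q) % Q
        return self.accounts.get(pow(G1, u, P))
```

A single transcript gives two response equations in four unknowns (u, s, x1, x2), so one honest payment leaves u undetermined; only a second answer on the same coin with a different challenge makes the system solvable.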

To further limit the risk, the bank can limit the amount of offline cash that it issues to a particular wallet on a day, because wallet identities are known when issuing coins. This is also necessary to implement the holding limits envisioned for digital euro. (Although, to be clear, a fraudulent wallet cannot be prevented from collecting more digital euro than allowed over a longer period, because by necessity the amount a wallet spent in the meantime cannot be traced.) The bank can also limit the lifetime of coins, by frequently rotating the keys it uses to sign coins. Both measures limit the amount of damage any particular fraudulent wallet can do. Forcing terminals that accept offline cash to go online regularly to deposit any offline coins they accepted limits the time that a fraudulent wallet can do damage.

Note that Brands’ scheme does not allow wallet to wallet payments, which is one of the requirements for the offline digital euro. (Remember, it should resemble cash as closely as possible.) But keeping track of offline payments in such a system to detect double spending, while still maintaining privacy for honest users, appears to be very difficult. So perhaps wallet to wallet payments should be dropped as a feature.

Let’s hope the ECB is aware of this work (and if not, they now should), so at least for offline digital euro we get the privacy we deserve (and have enjoyed using ordinary cash).

Kristof Verslype, 2025-11-07

Although personally I love this kind of mathematics, I was wondering to what extent you can still ‘sell’ to decision makers cryptographic solutions that are not inherently quantum resistant. Recently, I read a LinkedIn comment from a researcher at the COSIC group of the KU Leuven who stated that nowadays, industry has lost all interest in cryptographic solutions that are not inherently “post-quantum”. Same story with the EUDIW and anon. credentials.