True offline payments are impossible. Or are they?
Sometimes, I hear the claim that true offline payments are impossible. Fortunately, that false claim can be debunked quite easily.
But first, we need to understand where this claim comes from. In their pivotal 2021 paper, Kahn et al. describe the “offline payment trilemma”, which can be explained very easily: no digital payment scheme can simultaneously be offline-capable, prevent double-spending, and accommodate loss recovery.
This can be visualised using the above triangle. When designing a system, you need to pick a side. Physical cash can be used offline and prevents double-spending. But if you lose your wallet, you lose your money. Similarly for the other sides: debit cards cannot be used offline, and credit cards and paper cheques do not prevent double-spending.
This correlates to a well-understood principle from computer science, the so-called “CAP theorem”. It describes a fundamental limitation of database systems, which need to compromise on either availability, consistency, or resilience against loss of connectivity. This is not caused by poor engineering, but by the physical properties of networks: a law of nature.
The connection between Kahn’s trilemma and the CAP theorem is quite simple:
Where should CBDC sit? By its nature, it is a central bank liability, so there cannot be any compromise on double-spending. And in terms of features, offline capabilities are highly desirable for resilience and financial inclusion.
The CAP theorem teaches us that we can – in theory – simultaneously achieve offline capability and prevent double-spending. We can accept some restricted availability, for example, it is not possible to top-up one’s offline wallet from a bank account without online connectivity. Many database systems choose a similar trade-off.
But how can we achieve all that in practice? More concretely, what defence mechanisms can we utilize to protect against double-spending?
The answer is a “defence in depth” approach, where we do not rely on a single measure, but multiple layers.
For CBDC, there are three layers:
For offline payments, it is particularly important that all layers work together. Even if a wallet cannot validate a token on the spot during payment, it should reconcile it when it regains connectivity, for example, when the user tops up from their bank account. This reduces overall risk in the system.
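The reconciliation step described above can be made concrete with a small model. The following is an added example, not code from the article or from any CBDC system it mentions: a payee verifies what it can offline (issuer signature and an unbroken, signed chain of custody), while a central ledger detects a double-spend only once either wallet reconnects. HMAC with constructed demo keys stands in for the asymmetric signatures a Secure Element would produce; the token layout, the `Ledger` class and the participant names are all assumptions for the illustration.

```python
import hashlib
import hmac
import json

# Constructed demo keys. In a real deployment the per-device signing key would
# live inside a Secure Element; HMAC is used here only as a stand-in for the
# asymmetric signatures such a device would produce.
ISSUER_KEY = b"demo-issuer-key"
DEVICE_KEYS = {
    "alice": b"demo-alice-device-key",
    "bob": b"demo-bob-device-key",
    "carol": b"demo-carol-device-key",
}


def _mac(key, payload):
    """Deterministic MAC over a canonical JSON encoding of the payload."""
    data = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def issue_token(token_id, value, issued_to):
    """Central issuer mints a token and binds it to its first holder."""
    body = {"id": token_id, "value": value, "issued_to": issued_to}
    return {**body, "issuer_sig": _mac(ISSUER_KEY, body), "history": []}


def offline_pay(token, payer, payee):
    """Payer's device appends a signed transfer record; needs no connectivity."""
    rec = {"id": token["id"], "seq": len(token["history"]), "from": payer, "to": payee}
    rec["sig"] = _mac(DEVICE_KEYS[payer], rec)  # signed before "sig" is attached
    return {**token, "history": token["history"] + [rec]}


def verify_offline(token):
    """Checks a payee can run on the spot: issuer signature plus an unbroken,
    correctly signed chain of custody. This cannot detect a double-spend."""
    body = {"id": token["id"], "value": token["value"], "issued_to": token["issued_to"]}
    if not hmac.compare_digest(token["issuer_sig"], _mac(ISSUER_KEY, body)):
        return False
    holder = token["issued_to"]
    for i, rec in enumerate(token["history"]):
        unsigned = {k: v for k, v in rec.items() if k != "sig"}
        if rec["id"] != token["id"] or rec["seq"] != i or rec["from"] != holder:
            return False
        if not hmac.compare_digest(rec["sig"], _mac(DEVICE_KEYS[rec["from"]], unsigned)):
            return False
        holder = rec["to"]
    return True


class Ledger:
    """Online reconciliation layer: runs whenever a wallet regains connectivity."""

    def __init__(self):
        self.seen = {}        # (token_id, seq) -> transfer record first reported
        self.flagged = set()  # devices that signed conflicting transfers

    def reconcile(self, token):
        if not verify_offline(token):
            raise ValueError("token fails offline checks")
        for rec in token["history"]:
            key = (rec["id"], rec["seq"])
            prior = self.seen.setdefault(key, rec)
            if prior != rec:
                # The same token position was signed twice with different payees:
                # the signing device must have bypassed its single-spend guard.
                self.flagged.add(rec["from"])
        return set(self.flagged)


def demo():
    """Honest chain alice->bob->carol reconciles cleanly; a second spend of the
    same token state (constructed for the demo) is flagged on reconciliation."""
    token = issue_token("t-001", 10, "alice")
    honest = offline_pay(offline_pay(token, "alice", "bob"), "bob", "carol")
    conflicting = offline_pay(token, "alice", "carol")
    ledger = Ledger()
    clean = ledger.reconcile(honest)
    flagged = ledger.reconcile(conflicting)
    return clean, flagged


if __name__ == "__main__":
    print(demo())
```

The point of the model is the split of responsibilities: the offline checks keep a forged or tampered token from being accepted at all, while the conflict between two signed records for the same token position is only visible to the ledger, which is why reconciliation at the next top-up or sync reduces overall risk even though it cannot prevent the first offline acceptance.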
Unfortunately, while the other layers are uncontroversial, the use of strong hardware security is rejected by some, leading to the claim that true offline payments are impossible. This argument does not hold up to scrutiny for a very simple reason: strong hardware security is already employed in today’s payment system – as well as in connectivity and many other industry sectors – in the form of hardware-based Secure Elements.
To this day, there are no known exploits on payment cards, despite the large incentive: imagine an attacker that could clone credit cards at a large scale. If it works well in this highly exposed landscape, it will work well for CBDC. Users have the choice whether they want to store their holdings on special-purpose devices (like a dedicated smart card), or on an existing device (like a smartphone).
To conclude: true offline payments are possible. They rely on, among other measures, strong hardware security, which is well-established in the industry. What is new is that CBDC will enable additional use cases, for example when both payer and payee are offline. But the technology for that is already there.
Tec Tribe Lead BMS CS
8 months · But, unlike cash, we need a device that's authorized by central authorities. Don't we?
Hello Lars. You mentioned that loss recovery corresponds to availability. I would characterise loss recovery as the ability to restore an offline balance in the event of device loss or failure. Is this what you mean by availability, i.e. funds availability? I agree with the trilemma and that all three MUST be met. My view is all three can only be met with the intermittently offline model of CBDC and most likely only using a smartphone wallet app rather than a smart card because of the need for the payer to transmit their history to the payee within the proof package. I think we may have discussed this before. Regards, Michael
Head of Consulting and CBDC lead at Thales
8 months · While Secure Elements in smart cards have not been compromised in the field in the past 30 years (to the best of my knowledge), they have been in the lab. These attacks actually led to enhancements in the security features of Secure Elements. At Thales, we believe a Secure Element based offline CBDC system will be under attack, possibly by government backed criminal organisations with access to considerable means. Will they succeed in compromising offline capable devices and retrieve the necessary material to fraudulently create digital money offline? Perhaps no, perhaps yes. Our view is that an offline CBDC system should not be based on the bet that it will not happen but rather on methods to detect such fraud should it happen. Our offline CBDC solution functions truly offline and does not require online reconciliation but it does include online mechanisms to detect fraud resulting from device compromise. You can read more on our views and design in the white paper available here: https://www.thalesgroup.com/en/markets/digital-identity-and-security/banking-payment/digital-currency
Head of Nordic Centre, BIS Innovation Hub at Bank for International Settlements – BIS (personal views) | Board Member | Senior Advisor | Artificial Intelligence | Cybersecurity | AML & AFC | Future of Money & Payments
8 months · Zhijun William Zhang, Ph.D. and Ben Dovey
Author, Consultant, Dr. Business Administration
8 months · Dr. Lars Hupel Offline payments were implemented in the Mondex system in the UK in the 1960s, so ain't 'impossible'. The problem is not the value exchange, it is the catch-up and reconciliation.