Offline Digital Euro: a Minimum Viable CBDC using Groth-Sahai proofs

TL;DR

This paper presents an offline-capable digital euro design utilizing zero-knowledge proofs to ensure privacy, enabling transactions without online dependency, and includes a privacy-preserving decryption mechanism for law enforcement.

Contribution

It introduces a novel offline digital euro protocol with privacy guarantees and a practical implementation using Groth-Sahai proofs, addressing online dependency and privacy issues.

Findings

Protocol enables offline transactions with privacy preservation.

Implementation demonstrates practical usability and functionality.

Decryption mechanism allows law enforcement access without compromising prior transactions.

Abstract

Current digital payment solutions are fragile and offer less privacy than traditional cash. Their critical dependency on an online service used to perform and validate transactions makes them void if this service is unreachable. Moreover, no transaction can be executed during server malfunctions or power outages. Due to climate change, the likelihood of extreme weather increases. As extreme weather is a major cause of power outages, the frequency of power outages is expected to increase. The lack of privacy is an inherent result of their account-based design or the use of a public ledger. The critical dependency and lack of privacy can be resolved with a Central Bank Digital Currency that can be used offline. This thesis proposes a design and a first implementation for an offline-first digital euro. The protocol offers complete privacy during transactions using zero-knowledge proofs. Furthermore, transactions can be executed offline without third parties and retroactive double-spending detection is facilitated. To protect the users' privacy, but also guard against money laundering, we have added the following privacy-guarding mechanism. The bank and trusted third parties for law enforcement must collaborate to decrypt transactions, revealing the digital pseudonym used in the transaction. Importantly, the transaction can be decrypted without decrypting prior transactions attached to the digital euro. The protocol has a working initial implementation showcasing its usability and demonstrating functionality.