How to design a Public Key Infrastructure for a Central Bank Digital Currency

TL;DR

This paper discusses designing a robust, scalable PKI for Central Bank Digital Currencies, proposing a certificate hierarchy and rollover concept to ensure trust and continuous operation, including offline hardware wallets.

Contribution

It introduces a specific PKI design tailored for CBDC ecosystems, addressing unique challenges like offline wallets and system continuity.

Findings

Proposed a certificate hierarchy for CBDC PKI

Introduced a rollover mechanism for continuous operation

Addressed offline hardware wallet considerations

Abstract

Central Bank Digital Currency (CBDC) is a new form of money, issued by a country's or region's central bank, that can be used for a variety of payment scenarios. Depending on its concrete implementation, there are many participants in a production CBDC ecosystem, including the central bank, commercial banks, merchants, individuals, and wallet providers. There is a need for robust and scalable Public Key Infrastructure (PKI) for CBDC to ensure the continued trust of all entities in the system. This paper discusses the criteria that should flow into the design of a PKI and proposes a certificate hierarchy, together with a rollover concept ensuring continuous operation of the system. We further consider several peculiarities, such as the circulation of offline-capable hardware wallets.