Today the Swiss National Bank (SNB) and BIS Innovation Hub published a paper on Project Tourbillon, which explores privacy for a retail central bank digital currency (CBDC). The solution enables anonymous payments at scale.
Privacy is one of the potential blockers to the adoption of retail CBDCs. There are two aspects to the concern. One is that the government can see precisely how you spend money. The other is that a government could prevent access to digital money.
We believe solutions such as Tourbillon are significantly superior to others in protecting details about transactions in a cash-like manner. However, regarding the second point, all digital mechanisms will allow central banks to limit access. That applies equally to Canadian truckers and their bank accounts and Tourbillon style CBDCs. That doesn’t make this a bad solution, it’s just something to bear in mind.
Tourbillon is based on eCash developed by David Chaum, the inventor of DigiCash during the 1990s.
One aspect of the trials used quantum proof encryption. Researchers found quantum cryptography significantly impacted performance and is an area where further work is needed. Another topic that was tested was eCash 1 versus eCash 2. This demonstrated tradeoffs between security and anonymity, which we’ll come back to.
Achieving anonymity despite being compliant
What’s clever about the solution is its novel approach to anti money laundering. It enables the payer and their transactions to remain anonymous, but not the recipient who has to hand over the CBDC to their bank.
That doesn’t mean the payer can use an illicit stash of money. Because the payer is issued the CBDC via their bank, which will have already conducted know your customer compliance.
Anonymity is achieved because when a bank issues the CBDC to their client, the bank doesn’t know the unique identity of the digital bank notes. It uses blind signatures. The analogy is that the consumer requests CHF 100 by putting the request with specific bank note numbers in an envelope. The bank doesn’t open the envelope but digitally signs the outside, enabling the issuance of the CBDC.
When the consumer pays a merchant using the notes, the merchant does not know the payer’s identity, similar to cash.
eCash 1 versus eCash 2
In eCash 1, when the merchant deposits the CBDC received, the central bank adds the note to a list of spent funds. Whenever anyone makes a payment, it’s checked against this list to ensure the CBDC hasn’t been counterfeited to prevent double spending. This approach has two drawbacks. Firstly, if someone steals the central bank’s private keys, they could mint their own CBDC. And the central bank might have no idea about it. A second issue is that the list of spent notes to check against will grow, potentially impacting performance.
eCash 2 switches it around a little. Instead of the central bank storing a list of spent digital notes, it stores unspent CBDC. This solves both of the above issues.
However, remember that envelope that the bank signed blind? The only person that knew the serial numbers of your digital money was you. Now the central bank knows them as well. To achieve anonymity an additional step is required.
At the point of issuance, the CBDC goes through a mix network. This is like a card shuffle where the serial numbers of your CBDC get shuffled with the serial numbers of several other people’s CBDC issued around the same time. Hence, nobody can tell who the serial numbers belong to. That’s unless there’s some underhand stuff happening through the mix network, which could undermine the anonymity. However, Chaum reckons he has a mix network design to address these concerns.
The Swiss National Bank has been working with Chaum for a couple of years. It started with a 2021 joint report with Thomas Moser, an alternate board member at the SNB. A year ago they co-published a paper on eCash 2.0. The SNB isn’t the only central bank to take an interest in eCash for CBDC. The Bank of Israel trialed eCash combined with Zero Knowledge Proofs.
IBM was the technology implementation partner on Project Tourbillon.
Meanwhile, the SNB is unlikely to issue a retail CBDC any time soon. On the other hand, it’s pretty advanced on the wholesale CBDC front. SIX Digital Exchange is currently using a wholesale CBDC in a production environment as part of Project Helvetia III.