ProgressSoft: Offline Use in Central Bank Digital Currencies - Between a Rock and a Hard Place

Posted on Aug 23, 2022 by Jeff Stewart, ProgressSoft Consultant, ProgressSoft Corporation

---

The Need for Offline Capability in a Retail CBDC

Offline central bank digital currency (CBDC) transactions can be completed between users without a connection to an external power source or general ledger. Offline use is considered a core feature of a retail CBDC^[i] and integral to the successful achievement of key policy objectives, including continued public access to central bank money. It is also key to financial inclusion and accessibility, where use may be constrained by geographic remoteness and/ or a lack of a communications network or power infrastructure.

A recent Bank for International Settlements (BIS) survey of central banks in emerging market economies ranks offline use as the most important feature to promote financial access.^[ii] Digital financial services expert David Birch observes that “a digital currency that is to function at population scale in both developed and developing countries must be able to work off-line. If it cannot work off-line then it is not a viable cash replacement.”^[iii]

Payment system resilience to interruption or unavailability of existing online infrastructure is another key driver for offline CBDC capability.^[iv] Examples of the frailty of online infrastructure abound: an eight-hour failure in Europe’s TARGET2 large-value payment system,^[v] Canada's recent massive outage of one of its two national telco networks,^[vi] AWS interruptions with significant knock-on effects,^[vii] and even the crash of a fledgling retail CBDC early in 2022, when the Eastern Caribbean Central Bank’s (ECCB) DCash went offline for weeks.^[viii] Accordingly, a US Federal Reserve paper contends that “a CBDC could enhance the operational resilience of the payment system if it were designed with offline capability.”^[ix]

Offline use may also be a critical differentiating factor in the value proposition^[x] of a CBDC for end users, compared with its commercial bank card and electronic counterparts. Because consumers understandably do not appreciate the difference between commercial bank and central bank liabilities, offline use, along with other capabilities such as privacy enhancement and programmability, may be the features that win them over.

Offline Use Cases

Offline payment scenarios are defined by their relationship to the general ledger. A Riksbank paper notes “all CBDC payments involve a remote ledger, no CBDC can be genuinely peer-to-peer [and] offline … like cash.”^[xi] While cash settles upon transfer, an offline CBDC transaction must be recorded in local ledgers on user devices and settlement is not final and irrevocable until subsequently reconciled with the general central bank liability. Hence, design choices for offline functionality of a retail CBDC are informed by the degree of asynchrony with the general ledger:

• Intermittent and temporary outages: In this case, a system may feature some resilience for short network or power interruptions. Payment data for limited transaction amounts and volume may be temporarily stored on CBDC devices for completion when connectivity is re-established.

• Out-of-range use: For specific geographic areas, high volume/ value transactions, or longer time spans with persistent unavailability of network services, more robust offline processing may be required. In this scenario, out-of-range capacity would need to be reset through periodic network-based authentication and reconciliation, similar perhaps to occasional PIN re-entry with contactless payment cards.

• Off-grid use: This case would require tamper-proof storage and applications to reduce end user settlement risk and allow a high number of transactions to occur over local devices over a long period of time. Off-grid use would necessitate more complex distribution, interoperability and reconciliation when connectivity with the general ledger is re-established.

Offline Challenges

However, offline capacity inherently introduces technical and policy challenges for CBDC design, including:

• Double spending^[xii] and forging,^[xiii] where the same value objects may be spent more than once, or beyond the balance available, if an offline device is hacked or malfunctioning. Indeed, a compromised device could enable a “printing press,” generating seemingly valid transactions undetectable until reconciliation.^[xiv] A World Economic Forum paper warns that “double spend transactions could be sent to entities that are offline without the high-security validation process that would normally occur online.”^[xv] This risk can be exacerbated through coordination between bad actors.^[xvi] Forgeability of value objects or tokens is a related problem that any CBDC system must counteract both on and offline.^[xvii]

• Loss of funds: Because offline use requires device-based storage, transactions and funds may be lost if the device is damaged, misplaced or stolen. Indeed, annual risk of device loss has been estimated between 8–16 percent^[xviii] and any backup data to restore funds introduces a double-spending risk.^[xix] A Bank of Canada paper posits an offline spending “trilemma” where a system can only offer two out of three features at a given time: offline, spending, lack of double spending and maintenance of recovery data.^[xx]

• “Unique” and “separate” user devices: Offline payment requires the use of unique user devices separated from the global ledger,^[xxi] enabling the storage and processing of funds in a tamper-proof environment. The device must also have enough interactivity to perform basic user-initiated operations and display the updated ledger state. Typically, the smartphone, harnessing its internal Trusted Execution Environment (TEE), is considered to be the main contender for offline CBDC use. However, as the Riksbank contends, “unfortunately, such 100 per cent tamper-proof devices do not exist.”^[xxii] Furthermore, the economic incentives for tampering with such devices are strong, and the system would not support “graceful degradation.”^[xxiii] Bank of Canada analysis asserts that “the literature is still unclear on whether tamper-resistant devices can survive unbreached for long periods of offline use,” and that “any CBDC store of value and supporting applications running on a smartphone would have a complex, multi-factor threat surface.”^[xxiv] Furthermore, to ensure financial inclusion and accessibility to a CBDC, system designers must develop other technologies in addition to smart or feature phones—such as interactive smart cards—that introduce a host of costs, risks and difficult design problems.^[xxv]

It may be tempting to conclude that lack of connectivity is a dwindling problem, particularly in the face of other policy efforts to expand fast internet access.^[xxvi] However, ubiquitous broadband access is still a long way off, particularly in sparsely populated areas and developing economies,^[xxvii] so offline capability remains a crucial feature.

Most central banks also contend that a CBDC would co-exist with cash for the foreseeable future. While this might obviate some offline CBDC challenges, the difficulty is that cash use is declining in advanced economies—dramatically in some cases^[xxviii]—and its acceptance and availability as a medium of exchange is tapering concomitantly.

Offline Solutions

Potential remedies may exist for the challenges of offline CBDC use. For instance, constraining offline transactions by amount and number of transactions or number of “hops” before reconciliation with the integrated ledger may reduce risk, as would controlling the amount of funds available for use, loss and possible settlement failure in offline devices.^[xxix] Local multi-factor authentication^[xxx] also makes offline devices more secure. A Bank of Canada paper suggests that funds stored in offline devices could “expire” to be reissued as online funds, or be automatically renewed through online authentication or reconciliation with the general ledger.^[xxxi]

The challenge is that trusted third parties must deliver on the security and performance of their proposed solutions. This puts central banks in a position where they may not be able to adequately control risk and where, in addition to concerns about robustness, integrity and performance of their offerings,^[xxxii] “manufacturers exert control over the platform and can limit access to critical system components, including embedded secure enclaves and subscriber identity module (SIM) cards.”^[xxxiii]

Conclusion

In addition to myriad other design challenges for central bankers in introducing a retail CBDC that is robust, secure and widely adopted, offline use presents a particularly thorny challenge. However, this functionality likely must be established for the digital currency to meet its objectives and present a useful central bank payment alternative for end users.

---