Offline Digital Euro: a Minimum Viable CBDC using Groth-Sahai proofs
Leon Kempen, Johan Pouwelse
TL;DR
The paper tackles the offline privacy gap in CBDCs by proposing an offline-first digital euro protocol that uses hash-based blind Schnorr signatures and Groth-Sahai zero-knowledge proofs to achieve strong privacy with digital pseudonyms. It provides a four-phase protocol (initialization, withdrawal, transactions, deposit) where each transaction carries a GS proof, enabling retrospective double-spending detection while remaining offline-capable. The design yields linear growth in token size with the number of transactions and shows that verification time scales roughly linearly as well, with curve choice materially impacting performance. A public, open-source prototype demonstrates correctness and practical feasibility, though it relies on a trusted setup and invites future optimizations around CRS trust, curve selection, and offline communication channels. Overall, the work contributes a concrete blueprint for a privacy-preserving, offline-capable CBDC and highlights the trade-offs between privacy, efficiency, and governance in real-world deployments.
Abstract
Current digital payment solutions are fragile and offer less privacy than traditional cash. Their critical dependency on an online service to perform and validate transactions renders them unusable if this service is unreachable. Moreover, no transaction can be executed during server malfunctions or power outages. Climate change increases the likelihood of extreme weather, and because extreme weather is a major cause of power outages, the frequency of power outages is expected to increase. The lack of privacy is an inherent result of the account-based design of these solutions or their use of a public ledger. Both the critical dependency and the lack of privacy can be resolved with a Central Bank Digital Currency that can be used offline. This thesis proposes a design and a first implementation for an offline-first digital euro. The protocol offers complete privacy during transactions using zero-knowledge proofs. Furthermore, transactions can be executed offline without third parties, and retroactive double-spending detection is facilitated. To protect the users' privacy while also guarding against money laundering, we have added the following privacy-guarding mechanism: the bank and trusted third parties for law enforcement must collaborate to decrypt a transaction, which reveals the digital pseudonym used in that transaction. Importantly, the transaction can be decrypted without decrypting prior transactions attached to the digital euro. The protocol has a working initial implementation showcasing its usability and demonstrating functionality.
