PayOff: A Regulated Central Bank Digital Currency with Private Offline Payments
Carolin Beer, Sheila Zingg, Kari Kostiainen, Karl Wüst, Vedran Capkun, Srdjan Capkun
TL;DR
PayOff tackles regulation-driven offline CBDC by combining an account-based model with state commitments and zero-knowledge proofs to achieve cash-like privacy, offline local settlement, and regulatory enforcement such as holding limits. It introduces dependency ZKPs and dependency commitments to support multiple offline payments while maintaining privacy and allowing centralized fraud detection and accountability. The design provides strong privacy and correctness guarantees, including offline-session unlinkability and mechanisms for counterfeit creator identification and recipient de-anonymization, with a robust state-recovery and synchronization framework. Performance results from a Go prototype show the approach can support tens of thousands of offline payments per second on multi-core hardware and achieve end-to-end offline payment times compatible with regulatory expectations, while highlighting the main limitation that message and storage requirements grow with the number of offline transactions between online reconnects.
Abstract
The European Central Bank is preparing for the potential issuance of a central bank digital currency (CBDC), called the digital euro. A recent regulatory proposal by the European Commission defines several requirements for the digital euro, such as support for both online and offline payments. Offline payments are expected to enable cash-like privacy, local payment settlement, and the enforcement of holding limits. While other central banks have expressed similar desired functionality, achieving such offline payments poses a novel technical challenge. We observe that none of the existing research solutions, including offline E-cash schemes, are fully compliant. Proposed solutions based on secure elements offer no guarantees in case of compromise and can therefore lead to significant payment fraud. The main contribution of this paper is PayOff, a novel CBDC design motivated by the digital euro regulation, which focuses on offline payments. We analyze the security implications of local payment settlement and identify new security objectives. PayOff protects user privacy, supports complex regulations such as holding limits, and implements safeguards to increase robustness against secure element failure. Our analysis shows that PayOff provides strong privacy and identifies residual leakages that may arise in real-world deployments. Our evaluation shows that offline payments can be fast and that the central bank can handle high payment loads with moderate computing resources. However, the main limitation of PayOff is that offline payment messages and storage requirements grow in the number of payments that the sender makes or receives without going online in between.