Balancing Compliance and Privacy in Offline CBDC Transactions Using a Secure Element-based System
Panagiotis Michalopoulos, Anthony Mack, Cameron Clark, Linus Chen, Johannes Sedlmeir, Andreas Veneris
TL;DR
This work tackles the tension between privacy and AML/CFT compliance in offline CBDC payments by proposing a compliant-by-design platform that uses Secure Elements and Zero-Knowledge Proofs. It provides an end-to-end offline payment prototype with mobile wallet and SE components, a mutual-authentication-based secure channel, and an online synchronization mechanism to reconcile offline and online ledgers. Key contributions include a detailed system design, a prototype evaluation showing latency around the modern payment-system range, and a discussion of how ZKPs and verifiable credentials can enable attribute-based, privacy-preserving compliance. The results indicate the approach can adapt to varying regulatory requirements while maintaining payment integrity, and they outline directions for formal verification and deeper digital-identity integration to enhance security and accountability.
Abstract
Blockchain technology has spawned a vast ecosystem of digital currencies with Central Bank Digital Currencies (CBDCs) -- digital forms of fiat currency -- being one of them. An important feature of digital currencies is facilitating transactions without network connectivity, which can enhance the scalability of cryptocurrencies and the privacy of CBDC users. However, in the case of CBDCs, this characteristic also introduces new regulatory challenges, particularly when it comes to applying established Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) frameworks. This paper introduces a prototype for offline digital currency payments, equally applicable to cryptocurrencies and CBDCs, that leverages Secure Elements and digital credentials to address the tension of offline payment support with regulatory compliance. Performance evaluation results suggest that the prototype can be flexibly adapted to different regulatory environments, with a transaction latency comparable to real-life commercial payment systems. Furthermore, we conceptualize how the integration of Zero-Knowledge Proofs into our design could accommodate various tiers of enhanced privacy protection.