· 4 min read

Delivering Offline Capability

John Winchcombe
John Winchcombe · Editor
Delivering Offline Capability

The Bank for International Settlements (BIS) has published ‘A Handbook for Offline Payments with Central Bank Digital Currencies’ (CBDCs).

This is a comprehensive record of key decisions and options open to central banks if they want to set up their CBDC to allow the transfer of value between devices without connection to a ledger system. According to a BIS central bank survey, 49% of central banks saw this as vital for their CBDC and 49% as advantageous.

Offline options

There are three modes of offline payments and the decision which to use depends on the circumstances and goals of the central bank.

Fully offline. Final settlement occurs offline, and each party can spend the value transferred to them immediately and without time limit.

Intermittently offline. The offline parameters could limit the ability of purses to transact, and the purse may have to synchronise with the central system intermittently to continue to function.

Staged offline. Value is not settled until there is a connection to the ledger. Value cannot be spent until settlement has taken place.

The mode to be used is determined primarily by the policy objectives of the central bank including its risk tolerance and risk management approach, such as how to handle lost value and balancing between privacy and complying with Anti-money laundering (AML) and Countering Financing of Terrorism (CFT) regulations. If providing payment resilience is important, then an offline capability may be wanted.

If an offline capability is required, then the system will need to deliver an end user experience that is reliable, easy to use, convenient and widely accepted whether on- or offline.

Policy requirements supported by offline payments

Objectives listed include:

  • Financial inclusion

  • Universal access

  • Payment system resilience

  • Privacy

Supporting reasons for having an offline capability include:

  • Lack of developed communication infrastructure

  • The wish to have a near-cash alternative payment option (although it would not be fully anonymous)

  • Trust – to generate confidence and trust in online CBDCs, having an offline capability may build confidence

  • Lower transaction costs – if batched messaging takes place during off peak times, costs may be lower, although an offline capability comes at a cost including offline infrastructure, acquiring and distribution costs for user devices and merchant point of sale devices 

  • Performance and scalability support of the general CBDC system. If CBDCs are widely used, it is possible that micro-transactions will proliferate, generating significantly more transactions than occur today. An alternative processing option may be useful 

  • Civil contingency against extreme events including conflict and disaster

  • Digital person-to-person and person-to-business payments.

Lessons from history

Offline payment systems have been tried in the past, some successfully. The handbook reviews a number of lessons that are applicable for today.

  • Commercial model – a significant challenge about to create an attractive model for payers, payees and payment intermediaries so that they will provide and use the system 

  • Security

-Needs tamper resistant purses and cryptographic protocols

- Today’s mobile devices protect the master cryptographic key less securely than the historic solutions

  • Risk – defence against double spending and counterfeiting of value

  • User experience – needs to be better than the alternatives, including cash.

Technology, security and operational design of the system

A glimpse of the complexity, which is covered in detail, is shown in the diagram of the architecture of an offline system.

The list of threats and vulnerabilities hints at the complexity of the required solutions. Conceptually counterfeiting via physical breaches or cryptographic protocol analysis is relatively straightforward to understand. The need to ensure the solutions are upgradeable and the requirement to ensure that third party devices don’t offer the criminal an entry point make sense.

Side-channel attacks occur when an attacker tries to access data inside a device by attacking it from the outside, by exploiting information leaked by the device. For example, an attacker could measure and perform signal analysis on the electromagnetic radiation emitted and recreate cryptographic keys and therefore potentially create counterfeit value.

Fault-inducing attacks are where there is an attack on a secure element to induce faults during cryptographic processing by placing it under stress through some external method, eg. heat or radiation. Cryptanalysts may then be able to deduce key values by comparing outputs.

Solutions need to be found for device obsolescence, double-spending, fraud, lost value, third party vendors and supply chain risks, the complexity of the technology stack, the ability to identify breaches and defence against insider threats.

Final word

Decisions made about the technology, security and operations of an offline capability need to be made at the start of any CBDC project, given the complexity and implications that this has for the CBDC. Tamper resistance solutions can be delivered through the hardware, software or hybrid options. These need to work with existing technology and infrastructure, but also need to be capable of being upgraded to meet future changes.

This handbook gives detailed information about the policy, technology, risk and security options and the decisions and trade-offs required.

Subscriber content

Read the full article

Full access to Cash & Payment News articles, newsletters and archives.

Sign Up to Cash & Payment News Weekly

Receive regular updates on the latest news and articles posted on our website.