Tourbillon: Payer Anonymity in CBDCs. Finally!! (Part II)

A look at questions the Tourbillon Project of the BIS brought to mind and additional information on this type of CBDC solution.  

This part II of my article on “Project Tourbillon” by the BIS. This project is great news and the first thing to take away is the following:

Project Tourbillon shows that it is feasible to implement a CBDC design that provides payer anonymity, while preventing tax evasion, money laundering and illegal activities. This is the best combination of characteristics for CBDCs seem so far.

This is the first CBDC proposal that actually provides great privacy protection (in its EC1 prototype) for retail CBDC users. EC2 is a different story.

While reading the report, a number of questions came to mind, that the Project Tourbillon report failed to answer. I wanted to share them in the following paragraphs in the hope that it will spur further discussions and ultimately lead to answers.

Project Tourbillon builds on the working paper “How to issue a central bank digital currency” that Christian Grothoff, Thomas Moser and David Chaum wrote in 2021, based on the initiative of Prof. Christian Grothoff and his GNU Taler project (the furthest evolved solution based on blind signatures then and now). When Chaum was invited to participate because of his historic contributions, he had seemingly abandoned his original idea 20 years earlier when he shut down his business. From what I heard, he apparently picked up an idea that Florian Dold had discarded for lack privacy protections in his PhD thesis in 2019 and subsequently published his eCash 2.0 proposal, which was then included in Project Tourbillon.

The Tourbillon project proposes 2 prototypes, EC1 and EC2. EC1 and EC2 have similar designs, but differ in how CBDCs are recorded by the central bank. In EC1, unique identifiers from CBDC coins are recorded upon redemption; thus, EC1 keeps a spent CBDC coins list. In contrast, in EC2, unique identifiers from CBDC coins are recorded upon issuance; thus, the central bank maintains an unspent CBDC coins list.

The EC1 prototype in the Project Tourbillon report is a simplistic version of Prof. Grothoff's GNU Taler, without advanced features, that is providing the same privacy assurances. Exact comparisons of the open-source GNU Taler solution and EC1 were not possible as the source code for EC1 has not been made public by the BIS (in comparison to the US Federal Reserve’s Project Hamilton).

We will revisit the GNU Taler features and as good a comparison as possible with EC1  in part III of this article.

I quote Morten Bech, Head of BIS Innovation Hub Swiss Center, whom I thank for this great report with regards to the priorities for a retail CBDC "Privacy is indeed a key requirement for a retail CBDC. But it cannot be the only one: security and scalability are also crucial to how payments are handled." My questions specific to the proposed EC1 and EC2 implementations and their performance are grouped around these 3 main points.

1.     Performance & Scalability:

The initial performance of EC1 with 250 TPS remained a factor 4 slower on their modern hardware than the GNU Taler implementation in Florian Dold's PhD thesis was 5 years ago when 1000 TPS were reached.

Code optimization, horizontal and vertical scaling brought EC1 to 2450 TPS when GNU Taler in 2021 delivered 28’500 TPS in a real life simulating test (see here) and the GNU Taler team is now aiming for 100’000 TPS at their next measuring attempt.

I wonder why Project Tourbillon took the approach of building a new prototype in EC1, when a much more evolved free/open-source was available in GNU Taler. This seems more to me like rebuilding ChatGPT-2 for prototyping when ChatGPT-4 was readily available for free under an open-source/FLOSS license. A different approach could have completely eliminated the poor performance of the project on the scalability side. Would it not have been in the interest of the BIS, the project and all privacy-loving citizens to make this privacy-preserving CBDC solution look as good as humanly possible?

It is also clear from the report that the tested solutions, EC1 and EC2, with quantum safe cryptography become totally unusable as a means of payment in a real life setting, with a performance levels similar to that of Bitcoin. GNU Taler has not published any results on this subject, but is working with the world leading post-quantum research team on the subject. So, something to keep an eye on.

2.     Anonymity:

What was the reasoning behind the selection of EC2 as a potential solution for a privacy preserving CBDC? EC2 basically throws the anonymity assurances of EC1 overboard, for questionable benefits in my opinion. The report states this clearly:

"Overall, the design change in EC2 weakens privacy assumptions, which could compromise consumer anonymity. Although the mix network anonymizes withdrawals, an attacker with access to information on withdrawals and payments across mix network batches might be able to link the identity of consumers to payments using statistical techniques."

3.     Security:

EC1 has basically one attack vector, which is that someone steals the private master key to the system from the central bank. This is similar to someone stealing the banknote printing plates for $100 notes today. It seems to me that there are simpler and better remediations to this risk, that can be implemented without throwing the system’s anonymity assurances overboard in the way EC2 does. HSMs, split keys and threshold signatures are possible ways to mitigate this one risk to a point where a large conspiracy would be necessary for a successful attack. Split keys typically refer to the partitioning of signature keys, while threshold signatures are specific to the process of creating digital signatures in a distributed manner. Simply combine all available tools with good HSMs for mitigation…

Also remember that more privacy leads to more security. Data minimization also plays into that. Data that is not collected cannot be stolen, that is the beauty of EC1 and GNU Taler and the higher level of security they offer.

If I am a central bank insider and steal the EC2 master key, why can't I add new coins to the list as well? Is there really a difference in that attack vector (between EC1 and EC2) when the systems is running at speed?

The central bank (and there security staff) will in all cases have ONE job only: protecting those keys. Do we think they can do that?

3.1     Post-quantum cryptography:

Cryptography of course affects security more than anything else. It is the foundation of it all. It would be interesting to learn more details on the exact post quantum cryptographic algorithms used (even though the performance levels are disqualifying already). What is my point here? The report states the following:

Project Tourbillon implements a lattice-based blind signature scheme, described in Beullens et al (2023). Lattice-based cryptography is a potentially quantum-resistant approach, used in NIST-standardised quantum-safe schemes, namely CRYSTALS-Kyber and CRYSTALS-Dilithium.

The CRYSTALS-Kyber used in the project is a standard set by NIST. The NIST is highly relied on for crypto-standards despite having, in the past decades, contributed majorly to a few security fluctuations (Dual_EC_DRBG, DES, DSA...) and that is why it is important to closely follow what is happening at NIST at all times. The NIST recommended post-quantum Kyber512 has been put into question most recently by Prof. Daniel J. Bernstein, one of the leading heads in post-quantum, because the published security assurances of NIST were based on such basic, erroneous high-school math, that it seems too blunt to effectively sneak by all NIST mathematicians and their quality controls. See his blog for more details. In addition, Bernstein has proven through numerous FOIA (freedom of information act) requests enforced by lawsuits, that the NSA was significantly involved with NIST in the creation of Kyber. So the NSA mathematicians also failed at high school math like the NIST's? What is the likelihood of that?

It would hence be great to know if this questionable Kyber512 algorithm (with the erroneous high school math) was used for the published Project Tourbillon post-quantum performance measurements. I would expect the crypto specialists from Chaum to IBM to be aware of such issues and avoid them. Having to move to Kyber768 or Kyber1024 would further destroy the already bad performance numbers of the solution, therefore it would be great to know what algorithms the current Tourbillon performance numbers were realised with.

4.           Freedom to spend your money:

This point does not originate from the Tourbillon report, but from a recent article by Legder Insights on Project Tourbillon which states that “solutions such as Tourbillon are significantly superior to others in protecting details about transactions in a cash-like manner. However, …, all digital mechanisms will allow central banks to limit access. That applies equally to Canadian truckers and their bank accounts and Tourbillon style CBDCs”.

This conclusion by Ledger Insights is incorrect as stated. Solutions, like EC1 and GNU Taler, do not allow for the digital cash, which was put in someone's wallet, to be locked or limited . Whatever EC1 coins you have in your wallet, you can spend them the way you like (same as with physical cash in your back pocket) because nobody knows what coins are in someone's wallet (due to the blinding). The only possibility to prevent someone from spending the EC1 coins in his/her wallet is to shut down the complete payment system – something rather unlikely to happen for some trucker donations.

With EC2 on the other hand, this is significantly different. As the EC2 system (and the central bank) have identified all the emitted coins on a list and we know that the anonymity in EC2 is weakened (see point 2 above, with the quote from the report), it may allow to block certain coins on the list from being used by their owners. EC2 could allow what Ledger Insights describes as access limitations, while EC1 and GNU Taler never will.

I conclude part II of the article by thanking the BIS once more for this exciting report that helps interested parties understand payer anonymity is possible while eliminating tax evasion, money laundering, and terror financing at the same time.

In addition, the report also states the important fact that “Tourbillon’s payment process is easy to integrate into today’s payment landscape. It uses existing technology such as QR codes, builds on existing infrastructure such as PoS systems and uses existing account relationships between consumers, merchants, banks and central banks.

The BIS will be able to experience that in front of their doors in Basel in the coming months. More on that in part III. For now, I hope that the BIS will be able to answer the questions above the report generated, and maybe consider making the prototypes open-source.