Smartphone TEE: a booster for offline applications of the central bank digital currency DC / EP

Author: FIM Technology CTO Xu Gang

Source: Morion Technology

 

Solemn declaration: As of the writing of this article, the People's Bank of China has not formally published documentation explaining the design of its central bank digital currency DC / EP. All opinions in this article are based on analysis of, and speculation about, public statements by relevant central bank leaders and related patents. This article does not represent the views of the People's Bank of China.

Since the Facebook-led cryptocurrency project Libra released its white paper in June 2019, central banks in major countries around the world have begun signalling that they are developing digital currencies. Since August 2019, the People's Bank of China has stated repeatedly that it will accelerate research and development of its legal digital currency (DC / EP).

Mu Changchun, deputy director of the Payment and Settlement Department of the People's Bank of China, mentioned in his course "Science and Technology Frontiers: Libra and Digital Currency Outlook" that the central bank's digital currency can achieve "dual offline payment" like paper money, that is, payment can still be made when both the payer and the payee are offline. In the future, as long as two people have installed central bank digital currency wallets, no network or signal is required; as long as the phones have power, the two phones can complete a real-time transfer by touching each other.

Although there is so far little literature on how "dual offline payment" is to be implemented, some clues can be found in what has been published. This article attempts to discuss the principles, difficulties and technical solutions of dual offline payment from the perspective of the transaction device.

NO.1 Overview

The main transaction scenario of the central bank's digital currency is online, with transaction results immediately reflected in the central bank's digital currency registration system. The dual offline payment scenario is one in which neither the payer nor the payee can connect, directly or indirectly, to the online ledger during the transaction; it supplements the online scenario.

According to public news reports and literature [1], the central bank's digital currency plans to adopt a two-tier operating system with centralized issuance and management. The owner of each unit of digital currency is recorded and changed by the central bank's digital currency registration system. In specific scenarios, commercial banks and other participants are also involved.

For simplicity, this article refers collectively to the central bank digital currency ledger and its management mechanism as the central bank digital currency registration system, and abstracts the interaction protocol and key system between the terminal (possibly via commercial institutions) and the registration system during a transaction as follows: the terminal submits a transaction message signed by the payer's private key to the central bank digital currency registration system.

For simplicity, this article only discusses the scenario in which the transaction terminals of both the payer and the payee are smartphones. The discussion also applies where the payee uses a smartphone and the payer uses a digital currency physical chip card, or where one or both parties use special equipment with a dedicated digital currency chip installed.

This article makes the following points:

1. The basic principle of digital currency dual offline payment is that the payer constructs and signs the transaction message while offline and passes the signed message to the payee through near-field communication; the payee submits it to the central bank digital currency registration system when it is next connected to the network. For the payer this is like writing a check on the spot, which the recipient afterwards cashes at the bank [i].

2. The most critical issue of dual offline payment is anti-counterfeit identification of signed transaction messages: verifying the authenticity of the digital currency itself, and verifying that the payer who issued the transaction is the owner of that digital currency. Central bank digital currency wallets on smartphones must be under strong supervision by the central bank. The key technical measure for the anti-counterfeiting problem is to use the smartphone TEE to protect the central bank digital currency wallet and resist malicious users.

3. If dual offline payment only needs to support a single offline transaction, that is, digital currency received offline must be confirmed online before it can be spent again, then variable-denomination digital currency is more convenient to use. If offline secondary circulation must be supported, that is, digital currency received offline can be spent again offline, then fixed-denomination digital currency is more secure. The key technical measure for offline secondary circulation is likewise a central bank digital currency wallet protected by the TEE.

4. A central bank digital currency wallet can be bound to only one smartphone that meets the security requirements at any one time, ensuring that a controller (the owner of the digital currency) has one public-private key pair account and uses only one smartphone at a time. When making a payment, the payee must verify that the payer's wallet is a legitimate wallet certified by the central bank, so as to resist offline double spending. The key technical means for wallet-phone binding is remote attestation based on the phone's root of trust.

NO.2 Characteristics and technical elements of dual offline payments

According to statements of the People's Bank of China, the main purpose of the central bank's digital currency is to replace M0, that is, to digitize paper money. Taking paper money as the reference, the central bank's digital currency must not only support online receipt and payment like today's online banking, WeChat Pay and Alipay, but must also be as easy to use offline as paper money.


1 Offline transactions

The following analyses the presumed reasons behind the above characteristics of the central bank's digital currency.

Unlike paper money, which has no owner identifier, central bank digital currency has an owner identifier, maintained in the central ledger of the central bank's digital currency registration system. Since ownership of the central bank's digital currency is ultimately confirmed by the registration system, the mainstream form of transaction should be online [iii], with dual offline transactions as a supplement.

The basic principle of online transactions is that the payer signs the payment commitment (who pays whom) with the private key bound to it and submits it to the central bank digital currency registration system. The registration system verifies that the digital currency in the transaction is valid and that the payer's signature and payment commitment are valid, after which the transaction is confirmed.

The essence of dual offline payment is a delayed transaction recognized by both the payee and the payer. The payer signs the payment commitment with its bound private key and hands the signed commitment to the payee; the payee submits it to the central bank once its network connection is restored. Because the commitment has been signed by the payer, the central bank can complete transaction confirmation after verification even though it was the payee who submitted it. This is similar to a check: the payer issues it, and the payee later presents it to the bank for payment.

The basic flow of dual offline payments is shown in Figure 1.

Figure 1 Basic flow of central bank DC / EP dual offline scenarios

Paper money can be transferred an unlimited number of times. For example, merchant A receives paper money from customer A and may hand it to customer B as change, and customer B may take the same paper money to merchant B.

For offline transactions, the central bank's digital currency faces two options: support only a single offline transaction, that is, digital currency received offline must be confirmed online before it can be spent again; or support secondary circulation of digital currency offline, that is, digital currency received offline can be spent again while still offline.

Offline secondary circulation starts from the digital currency's most recent online state: each successive offline owner signs the transaction in turn, forming a continuous signature sequence. As long as the initial signer in the sequence is the owner registered in the central bank's digital currency registration system, and the sequence is continuous and valid, the registration system can, once connected, redeem the digital currency to the payee designated by the last signature. Offline secondary circulation resembles endorsement of a check: as long as the endorsements are continuous and valid, the bank can pay the payee designated by the last endorsement. Since final confirmation of ownership of the central bank's digital currency must be carried out online, the central bank may, for risk-control reasons, limit the number of times each unit of digital currency can be transferred offline; once that threshold is exceeded, the digital currency may have to be synchronized with the registration system before it can be spent offline again.

A single offline transaction and secondary circulation differ essentially only in being single versus multiple, but secondary circulation faces more stringent anti-counterfeiting tests and pays for its convenience in other ways (for details, see the sections "Currency identification and currency denomination" and "Anti-counterfeiting").

As a substitute for paper money and coins, the central bank's digital currency should be able to circulate again offline in order to achieve similar offline circulation capabilities. However, given the nearly ubiquitous network coverage in China today, whether it is worth paying the associated price for the low-probability case of offline secondary circulation is beyond the scope of this article.

2 Account / Token Paradigm

Taking electronic non-cash M1 and M2 accounts, WeChat Pay and Alipay accounts, and public-chain digital currencies such as Bitcoin and Ethereum as references, there are two typical paradigms: the account paradigm and the token paradigm.

Today's bank accounts belong to the account paradigm. Opening an account generally requires approval, and personal bank accounts and payment accounts in particular must meet strict identity verification requirements.

Bitcoin, Ethereum and other blockchain virtual currencies belong to the token paradigm and are highly open to users: anyone who generates a public-private key pair for the digital signature algorithm can own an address on the blockchain. The token paradigm has two main models, distinguished by the transaction process and by how balances are measured: the balance model and the UTXO model [iv].

This section uses the fixed-denomination UTXO model as the example when describing the UTXO model. For details, see the section "Currency identification and currency denomination".


According to information disclosed by the People's Bank of China and other institutions, the central bank's digital currency is likely to adopt the UTXO model of the token paradigm. From the perspective of offline payment, this article believes that the UTXO model is more suitable for central bank digital currencies than the balance model.

The balance model has serious redemption-order problems when dealing with secondary circulation offline. For example, a merchant account originally holding 50 yuan first receives 100 yuan of digital currency paid offline by customer A (a payment commitment signed by customer A), and then pays 120 yuan of digital currency offline to supplier A (a payment commitment signed by the merchant).

If supplier A reconnects to the network before the merchant does and submits the 120 yuan payment commitment signed by the merchant to the central bank, the merchant has only 50 yuan on the central bank ledger at that moment and the 120 yuan payment cannot be completed. The solution is for the merchant to pass customer A's signed 100 yuan payment commitment on to supplier A; supplier A first submits customer A's signed commitment to the central bank, and then submits the merchant's signed commitment.

However, this is not perfect. With many customers and suppliers and many offline transactions, multiple parties would have to coordinate the order in which signed payment commitments are submitted to the central bank, which is difficult to operate in practice.

The UTXO model's payment process revolves around each unit of digital currency. When a UTXO is transferred offline several times, each owner in the transfer process signs a payment commitment in turn and passes it to the next owner together with the previously signed commitments. As long as each signature can be traced back continuously and the first signer is consistent with the owner recorded in the central bank's digital currency registration system, the digital currency can be honored to the payee specified in the last signed payment commitment. Digital currency that anyone receives offline can be redeemed once connected, independently of everyone else, with no requirement on redemption order. Therefore, from the perspective of offline payment, the UTXO model is more suitable for central bank digital currencies.

3 Currency identification and currency denomination

UTXO is subdivided into variable-denomination UTXO and fixed-denomination UTXO according to whether the denomination is fixed.

Bitcoin uses the variable-denomination UTXO model. When one or more UTXOs are spent in a transaction, they are split into three parts: one or more UTXOs for one or more payees, one UTXO (if any) for change, and the transaction fee for the miner; the sum of the three parts equals the sum of the UTXOs spent.

Under this model, a UTXO does not exist permanently. During its existence it has a unique owner (namely the payee specified in the transaction signed by the previous owner), and that owner cannot be changed. Once spent, the UTXO is destroyed, and new UTXOs are born whose owners are designated in the current transaction. A UTXO is identified by the transaction that generated it; Bitcoin, for example, identifies a UTXO by the hash of the transaction message plus the UTXO's output index in that transaction.

The fixed-denomination UTXO model is very similar to paper money. In this model, each UTXO is given a permanent unique identifier when issued, and the ledger maintains the owner of each identified UTXO. When spent, like a banknote, a fixed-denomination UTXO can only take part in a transaction at its denomination. If the transaction amount does not equal the denomination, either several UTXOs of different denominations are combined to make up the amount, or the payee gives change. If neither side has enough change, the transaction may not be possible.

Under the fixed-denomination UTXO model, unless the UTXO is marked as destroyed by the issuer, its identifier is permanent, and a transaction is in fact a change of the UTXO's owner.

For Bitcoin, because transactions pay differing amounts of transaction fees, only the variable-denomination UTXO model can be used. With a fixed-denomination UTXO model, UTXOs beyond those in the transaction might be needed to make up the fee; using those UTXOs would itself construct new transactions, which incur new fees, so the transaction model would never converge.

The central bank's digital currency, whose publicly reported purpose is to replace M0, should have no transaction fees, so both the variable-denomination and the fixed-denomination UTXO model are technically usable.

If the central bank's digital currency uses the UTXO model of variable denomination, then:

  • Users do not need change; amounts in use are not restricted by fixed denominations, and convenience is close to third-party payments such as Alipay and WeChat Pay.
  • Except for the UTXOs originally issued by the central bank, UTXOs are generated as transaction outputs.
  • To meet the requirements of offline secondary circulation, the UTXO identifier must be generated by the transaction algorithm alone (except for the initial UTXOs issued by the central bank). This is because in offline transactions only signed transaction messages can flow through near-field communication; if generating the UTXO identifier required information beyond the transaction message, the identifier could not be generated offline and the UTXO could not circulate again.
  • For the same reason, to meet the requirements of offline secondary circulation, the central bank can only sign the initially issued UTXOs (for anti-counterfeiting); other UTXOs generated by transactions can only be signed by the private key of the user who initiated the transaction (in offline transactions, authenticity can only be determined by verifying the signature of the UTXO owner). Security is weaker than in the fixed-denomination UTXO model.
  • The index of the central bank's digital currency registration system may be transaction-based, because the UTXO identifier is derived dynamically from transaction messages.

If the central bank digital currency uses the fixed denomination UTXO model, then:

  • Usage is close to paper money and coins and requires change, which is less convenient than third-party payments such as Alipay and WeChat Pay.
  • Digital currency is given a permanent identifier when issued by the central bank and is signed with the central bank's digital currency issuance private key. User devices can verify the authenticity of digital currency with the preset central bank digital currency issuance public key, and this verification also works during offline secondary circulation; security is higher than in the variable-denomination UTXO model.
  • The index of the central bank's digital currency registration system may be based on the UTXO identifier, because the identifier does not change in circulation, and the ledger data structure is relatively simple.

Comparing the two models, the variable-denomination UTXO model needs no change and is more convenient to use, but the UTXO identifier is not fixed and central bank supervision is more complicated. In offline transactions, the central bank cannot authenticate a UTXO generated by a transaction, and digital currency counterfeited by an attacker may not be easy to detect. Although a payee is unlikely to remain offline for a long period, once a counterfeit "banknote" appears it may cause a bad impression among the public and affect the healthy development of the central bank's offline digital currency transactions. To control this risk, if the variable-denomination UTXO model is used it may be necessary to limit each unit of digital currency to a single offline transaction, after which it must be synchronized with the central bank digital currency registration system before it can be traded again.

Although the fixed-denomination UTXO model requires change and is slightly less convenient to use, because the central bank's digital currency public key can verify the authenticity of any digital currency, even if an offline malicious attack occurs the attacker can only pay the same digital currency offline to several different people in a "double spend"; the digital currency itself cannot be forged. This is more conducive to preventing financial risk, and can support offline secondary transfer.

The "Anti-counterfeiting" section below further explains how the TEE can be used to achieve anti-counterfeiting, especially offline anti-counterfeiting.

Based on the above analysis, this article believes that if dual offline payment only needs to support a single offline transaction, that is, digital currency received offline must be confirmed online before it can be spent again, then variable-denomination digital currency is more conducive to convenience. If offline secondary circulation must be supported, that is, digital currency received offline can be spent again offline, then fixed-denomination digital currency is more secure.

4 Currency owner identification

Digital currency uses the public key (or some hash of the public key) of a public-private key pair to identify the owner. Only a signature made with the paired private key will verify under that public key, and the signature must verify before the digital currency can be spent. The underlying principles are not described in this article.

5 Anonymity

Anonymity refers to whether the true identity of the owner of the currency is public.

Since the owner of the digital currency is identified by the public key, the issue of anonymity is actually whether the association between the public key and the real identity of the person who holds the public-private key pair is public.

For central bank digital currencies, anonymity depends on the degree of KYC (Know Your Customer) performed when users open digital wallets. Generally, only the central bank is believed to grasp the user's real identity through the higher KYC levels, while ordinary commercial institutions do not hold the relationship between the public key and the user's real identity.

6 Anti-counterfeiting

Anti-counterfeiting is the core issue of dual offline payment. This section mainly uses the fixed-denomination UTXO model to illustrate how anti-counterfeiting is achieved, and describes the differences of the variable-denomination UTXO model where necessary.

In online transactions, after a signed transaction message is submitted to the central bank's digital currency registration system, the registration system authoritatively judges the validity of the transaction message. If it passes, the payee can immediately obtain confirmation of the UTXO owner change from the registration system.

The central bank's digital currency registration system must judge at least the following points:

  • Determine whether the UTXO identifier in the transaction message has been issued and is in circulation. If not, the UTXO is fake.
  • Determine whether the owner of the UTXO in the transaction message is consistent with the owner of the UTXO in the ledger of the central bank digital currency registration system. If not, the UTXO may be forged or an attempted double spend.
  • Determine whether the signature of the transaction message verifies under the public key of the UTXO owner. If verification fails, the transaction was not initiated by the owner of the UTXO and is a fake transaction.
  • Determine whether the payee address specified in the transaction message is a user address registered in the central bank's digital currency registration system. If the payee address does not exist, the transaction is rejected; otherwise the digital currency transferred to the invalid payee could never circulate again, because nobody knows the private key corresponding to the invalid payee (equivalent to the banknote being burned) [v].
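As an added example that is not part of the original article, the Go program below implements the fixed-denomination UTXO chain described under "Offline transactions" and in the UTXO model section, together with the registration system's four checks listed above: issuance signature (authenticity), owner consistency across a continuous chain of owner signatures, signature verification, and a registered payee, plus the offline hop threshold. The scenario shows a two-hop offline chain being redeemed, a second chain for the same note being rejected once the registered owner has changed (double spending), and a note with a tampered denomination being rejected. Ed25519 signatures, the note and hop encodings, and the threshold value are assumptions of this example; the article does not specify them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Fixed-denomination note: permanent id plus denomination (constructed unit: fen), signed once by the issuer.
type UTXO struct {
	ID        [16]byte
	Denom     uint32
	IssuerSig []byte
}

// One offline hop: the current owner signs "who pays whom" for this note.
type Transfer struct {
	UTXOID   [16]byte
	From, To ed25519.PublicKey
	Sig      []byte
}

// The registration system: note owners, registered user keys, hop threshold.
type Ledger struct {
	IssuerPub  ed25519.PublicKey
	Owners     map[[16]byte]ed25519.PublicKey
	Registered map[string]bool
	MaxHops    int
}

func noteBytes(u UTXO) []byte { return []byte(fmt.Sprintf("%x:%d", u.ID, u.Denom)) }
func hopBytes(t Transfer) []byte { return append(append(append([]byte{}, t.UTXOID[:]...), t.From...), t.To...) }

// SignHop is the payer wallet's offline step: sign the payment commitment.
func SignHop(payer ed25519.PrivateKey, u UTXO, payee ed25519.PublicKey) Transfer {
	t := Transfer{UTXOID: u.ID, From: payer.Public().(ed25519.PublicKey), To: payee}
	t.Sig = ed25519.Sign(payer, hopBytes(t))
	return t
}

// VerifyChain checks the issuance signature (authenticity) and that each hop is signed by the party
// the previous hop paid, starting from expectedOwner (offline, a payee can only use chain[0].From there).
func VerifyChain(issuerPub ed25519.PublicKey, u UTXO, chain []Transfer, expectedOwner ed25519.PublicKey) error {
	if !ed25519.Verify(issuerPub, noteBytes(u), u.IssuerSig) {
		return fmt.Errorf("issuance signature invalid: counterfeit note")
	}
	for i, t := range chain {
		switch {
		case t.UTXOID != u.ID:
			return fmt.Errorf("hop %d: commitment is for a different note", i)
		case string(t.From) != string(expectedOwner):
			return fmt.Errorf("hop %d: signer is not the current owner", i)
		case !ed25519.Verify(t.From, hopBytes(t), t.Sig):
			return fmt.Errorf("hop %d: owner signature invalid", i)
		}
		expectedOwner = t.To
	}
	return nil
}

// Redeem is the online confirmation: verified against the registered owner, the note's owner becomes the last payee.
func (l *Ledger) Redeem(u UTXO, chain []Transfer) error {
	owner, issued := l.Owners[u.ID]
	if !issued || len(chain) == 0 || len(chain) > l.MaxHops {
		return fmt.Errorf("never issued, empty chain, or offline hop threshold exceeded")
	}
	if err := VerifyChain(l.IssuerPub, u, chain, owner); err != nil {
		return err
	}
	payee := chain[len(chain)-1].To
	if !l.Registered[string(payee)] {
		return fmt.Errorf("payee address not registered")
	}
	l.Owners[u.ID] = payee
	return nil
}

// RunScenario: A pays a merchant offline, the merchant pays a supplier offline, the supplier redeems
// online; then A re-signs the already-spent note, and a note with a tampered denomination is presented.
func RunScenario() (redeemErr, doubleSpendErr, counterfeitErr error) {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	aPub, aPriv, _ := ed25519.GenerateKey(rand.Reader)
	mPub, mPriv, _ := ed25519.GenerateKey(rand.Reader)
	sPub, _, _ := ed25519.GenerateKey(rand.Reader)
	l := &Ledger{IssuerPub: issuerPub, Owners: map[[16]byte]ed25519.PublicKey{}, MaxHops: 3,
		Registered: map[string]bool{string(aPub): true, string(mPub): true, string(sPub): true}}
	note := UTXO{Denom: 10000} // 100 yuan, issued to A: the central bank signs it and records the owner
	rand.Read(note.ID[:])
	note.IssuerSig = ed25519.Sign(issuerPriv, noteBytes(note))
	l.Owners[note.ID] = aPub
	redeemErr = l.Redeem(note, []Transfer{SignHop(aPriv, note, mPub), SignHop(mPriv, note, sPub)})
	doubleSpendErr = l.Redeem(note, []Transfer{SignHop(aPriv, note, mPub)})
	fake := UTXO{ID: note.ID, Denom: 100000, IssuerSig: note.IssuerSig}
	counterfeitErr = l.Redeem(fake, []Transfer{SignHop(aPriv, fake, mPub)})
	return
}

func main() { fmt.Println(RunScenario()) }
```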

In dual offline payment, the validity of the transaction message can only be judged by the transaction participants through their transaction terminals. Obviously, the transaction terminal must hold a certain authority endorsed by the central bank's digital currency registration system before it can make the above judgments.

It follows that the central bank digital currency wallet used for transactions must be strongly supervised by the central bank, subject to strict security standards, and subject to mandatory testing and certification. It should have the following characteristics:

  • The smartphone on which the wallet software is installed must support a Trusted Execution Environment (TEE) and enable secure boot, a trusted user interface (TUI) and related capabilities. The wallet software must use the TEE to protect sensitive information such as the central bank digital currency issuance public key, the central bank wallet authentication root public key, the central bank wallet authentication sub-private key, the central bank digital currency registration system server root certificate, UTXO ledger information and the user's private key. Sensitive processing, such as signing and signature verification, exchanging transaction information over near-field communication, assembling UTXO transaction messages, and displaying or entering user information, must be performed within the TEE / TUI to prevent tampering or theft. Although a Secure Element (SE) provides a higher level of protection, the TEE offers near-universal coverage of smartphones, whereas far fewer phones have an SE.

Of the sensitive information placed in the TEE, only the user's private key and the central bank wallet authentication sub-private key carry the strong requirement of being neither leaked nor tampered with; the other items mainly need to be tamper-resistant, a relatively lower security requirement. Although keeping the user's private key in the TEE is less secure than in an SE, the central bank can limit the maximum deposit of a digital wallet bound to a smartphone and thereby control the risk (larger deposits would require a digital currency chip card instead of a smartphone wallet). The risk of the central bank wallet authentication sub-private key can be controlled by limiting its validity period and updating it regularly when connected to the network. As a last resort, the central bank's digital currency registration system can recover losses by rolling back the centralized ledger. In addition, users need to back up their private key so that the wallet can be imported on a new phone when changing phones; for security reasons an SE can generally only import a private key and cannot export it, so storing the user's private key in the TEE is also convenient for users to back it up offline.

  • Each user account can be bound to only one wallet and activated on only one smartphone. At activation, the phone must be connected to the network and the central bank's digital currency registration system must remotely attest the security of the phone (for example, detect that the phone has not been rooted and is not in debugging state; for details, see the section "A dual-offline payment solution that resists malicious behaviour"); after passing, the phone's identification information is registered. Migrating the account to a new phone must be completed online, and during this process the registration system verifies user identity by verification code, ID card and other means. Ensuring that each user account can initiate transactions on only one smartphone guarantees that there is only one UTXO offline ledger in the offline state, preventing a malicious user from signing multiple different transaction messages for the same UTXO on multiple devices (resisting "double spending").
  • The wallet TA (Trusted Application) should initially have built into it the central bank digital currency issuance public key, the central bank digital currency registration system server root certificate, and the central bank wallet authentication root public key.
  • During wallet activation, the unique wallet authentication private key derived by the central bank should be downloaded securely and stored in the TEE; the central bank wallet authentication root public key built into the wallet TA is used for verification.
  • The wallet should synchronize with the central bank's digital currency registration system when connected. It should always hold the latest UTXO information of the user account to which it is bound, so that it can initiate transactions with this information when offline, and it should submit transaction messages signed while offline to the registration system.
  • On this basis, the judgments listed above are performed during the transaction.
  • The roles of the three public keys / certificates that must be preset in the wallet TA, mentioned above, are:

    (1) Central bank digital currency issuance public key

    The central bank digital currency issuance private key is used to sign each unit of digital currency the central bank issues. The corresponding public key should be built into the wallet TA so that the authenticity of digital currency can be verified even when offline.

    If the central bank's digital currency uses the variable-denomination UTXO model, only the UTXO generated in the last online transaction can be signed by the central bank's digital currency issuance private key; UTXOs generated in offline transactions cannot be signed by it, and so cannot be verified in subsequent circulation. Therefore only a single offline transaction can be performed.

    If the central bank's digital currency uses the fixed-denomination UTXO model, each unit of digital currency is signed by the central bank with the digital currency issuance private key when it is initially issued, and there is no need to re-sign during circulation, so offline secondary circulation can be performed.

    (2) Server root certificate of the central bank digital currency registration system

    This root certificate is used when the wallet software connects to the central bank digital currency registration system, to verify that the registration system is authentic and thereby resist DNS attacks and man-in-the-middle attacks. The registration system may have multiple service portals, and the root certificate is used to verify the certificates of all these portal servers.

    This certificate is also used to negotiate the communication key for remote communications.

    (3) Central bank wallet authentication root public key

    The central bank wallet authentication root key pair is used in offline transactions when the receiving and paying parties verify that each other's digital wallet is a legitimate wallet certified by the central bank.

    Because the user holds his or her own private key, a malicious user could use it to sign legitimate-looking transaction messages and, while offline, issue multiple transactions spending the same digital currency. In order to resist offline double-spend attacks, the payee must verify that the payer's transaction message was issued by a digital wallet certified by the central bank.

    During wallet activation, after the central bank has bound the wallet to the smartphone through remote authentication of the phone, the central bank's wallet authentication root private key derives the wallet's authentication sub-private key from factors such as the wallet identifier, binding time and key validity period. The sub-private key is downloaded to the wallet over the secure channel established using the server root certificate of the central bank digital currency registration system, and is stored in the TEE.

    In the transaction, the payer must use the wallet authentication sub-private key to sign the message exchanged in the transaction (which contains the elements from which the sub-private key was derived, and the transaction message signed by the user's private key). The payee must derive the sub-public key corresponding to the paying wallet from the preset central bank wallet authentication root public key according to those derivation elements, check that the key is within its validity period, and verify that the transaction communication message comes from a legitimate wallet.

    This key pair is also used to negotiate a communication key for near field communication.
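The payee-side check described above, as an added example that is not part of the article: the central bank derives a wallet sub-private key from its root key at activation, and a payee that holds only the preset root public key derives the matching sub-public key, checks the validity period and verifies the wallet signature. The article names neither a curve nor a derivation, so the BIP32-style additive derivation on secp256k1, the Schnorr-type signature and the parameter layout (wallet id, binding time, expiry) are all assumptions of this example.

```python
import hashlib

# secp256k1 domain parameters (an assumption; the article names no curve).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):  # affine addition; None is the point at infinity
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    if a == b: lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else: lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def ec_mul(k, pt):  # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def h_int(*parts):
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big") % N
# params = (wallet id, binding time, key expiry) as byte strings: the "derived elements".
def derive_sub_priv(root_priv, params):  # central bank side, at wallet activation
    return (root_priv + h_int(*params)) % N
def derive_sub_pub(root_pub, params):    # payee side, offline, from the preset root public key
    return ec_add(root_pub, ec_mul(h_int(*params), G))

def schnorr_sign(priv, msg):
    k = h_int(priv.to_bytes(32, "big"), msg)  # deterministic nonce
    R = ec_mul(k, G)
    e = h_int(R[0].to_bytes(32, "big"), msg)
    return (R, (k + e * priv) % N)
def schnorr_verify(pub, msg, sig):
    R, s = sig
    e = h_int(R[0].to_bytes(32, "big"), msg)
    return ec_mul(s, G) == ec_add(R, ec_mul(e, pub))

def payee_accepts(root_pub, params, msg, sig, now):
    """Payee check: derive the counterparty's sub-public key, confirm it is within
    its validity period, then verify the wallet signature on the transaction message."""
    _wallet_id, bind_time, not_after = params
    if not int(bind_time) <= now <= int(not_after):
        return False
    return schnorr_verify(derive_sub_pub(root_pub, params), msg, sig)

def demo():
    """Constructed walk-through: activation at the central bank, then an offline check."""
    root_priv = h_int(b"constructed root secret, not a real key")
    root_pub = ec_mul(root_priv, G)
    params = (b"wallet-0001", b"1580000000", b"1640000000")
    sub_priv = derive_sub_priv(root_priv, params)  # would be delivered to the wallet TEE
    sig = schnorr_sign(sub_priv, b"signed transaction message")
    ok = payee_accepts(root_pub, params, b"signed transaction message", sig, 1600000000)
    expired = payee_accepts(root_pub, params, b"signed transaction message", sig, 1700000000)
    return ok, expired  # (True, False)
```

One caveat of the additive derivation assumed here: a sub-private key together with its derivation parameters reveals the root private key, so a wallet holding such a key could reconstruct the root; a deployable scheme needs a derivation in which the sub-public key remains computable from the root public key while the sub-private key does not expose the root, which the article does not specify.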

    In addition to the above characteristics, in order to facilitate users' use in dual offline payments, the central bank digital currency wallet should also have these capabilities:

    • The payee wallet can tell the payee wallet via near field communication
    • If the central bank's digital currency adopts a fixed-denomination UTXO model, the payer's wallet should verify that it holds sufficient UTXO for the payment, and negotiate change with the payee's wallet to determine how to combine suitable UTXOs to make up the transaction amount and return the change.
    • The payee's wallet should check whether the payee named in the signed transaction message provided by the payer is correct, and use the TUI to securely present the transaction amount to the payee for confirmation.

    NO.3 A method of dual offline payment

    1 Analysis of malicious motives

    As mentioned earlier, the basic process of dual offline payment is that the payer signs the transaction message with its private key and provides it to the payee through near field communication; the payer or payee later submits the transaction to the central bank's digital currency registration system to have it entered into the account. This section analyzes possible malicious motives in that process.

    Because a dual offline payment can only be entered into the central bank's digital currency registration system after the payee has reconnected to the network, there is a time lag between the execution of the transaction and its confirmation. Either party to the transaction (mainly the payer) may exploit this time difference to act maliciously.

    For example, in the dual-offline scenario, Party A gives Party B a signed transaction message, and convinces Party B that the message can be transferred to Party B as expected, and Party B then provides Party A with a certain product. However, if Party B comes back online afterwards and finds that the message cannot achieve the expected account entry, then Party A has left, and due to the anonymity of the central bank's digital currency, Party B cannot know who Party A is, and it may be difficult to trace back.

    2 Dual offline payment scheme resistant to malicious behaviour

    Overall architecture

    Based on the foregoing analysis, this section introduces a dual offline payment scheme. The overall architecture of the scheme is shown in Figure 2.

    Figure 2 The overall architecture of a central bank's digital currency dual offline payment scheme

    (1) Digital currency registration system of the central bank

    In this article, the central bank's digital currency operating system is simplified to the "central bank digital currency registration system". This system is responsible for the issuance, destruction and change of ownership of the central bank's digital currency.

    (2) Smartphone and wallet

    In this article, the central bank's digital currency wallet is based on smartphones. The sensitive part of the wallet is implemented in the trusted execution environment (TEE).

    When connected to the network, the wallet synchronizes the UTXO information held by the account in the wallet with the central bank digital currency registration system. During offline transactions, the receiving and paying parties exchange transaction information and transaction messages through near field communication (NFC, Bluetooth, mutual scanning of QR codes, etc.). When the payee subsequently regains network access, it submits the signed transaction messages received during the offline period to the central bank digital currency registration system to complete the transaction entry.

    (3) Mobile remote authentication system

    The mobile phone remote authentication system is provided by the mobile phone chip manufacturer or the mobile phone manufacturer. This function is used to verify whether specific data was sent from a specific phone. In the central bank digital currency wallet application, this function is used to ensure that an account can exist in only one wallet and be bound to only one mobile phone.

    Main process

    (1) Preset requirements during production

    The central bank's digital currency wallet requires prior authorization from mobile phone manufacturers to use their TEE. The central bank digital currency wallet APP does not need to be preset into the mobile phone when it leaves the factory, but the part located in the trusted application (TA) of the TEE should be signed by the mobile phone manufacturer in advance, so that after the user downloads it, the mobile phone allows it to be installed and run. How a smartphone uses its Root of Trust to securely boot and check whether the TA is authorized is beyond the scope of this article and will not be expanded upon.

    The TA part of the central bank digital currency wallet is responsible for holding the preset central bank digital currency issuance public key, central bank wallet authentication root public key and central bank digital currency registration system server root certificate; storing sensitive information such as UTXO account information, the central bank wallet authentication sub-private key and the user private key; processing sensitive operations such as signing and signature verification, exchanging transaction information over near field communication, and assembling UTXO transaction messages; and using the secure display (TUI) to display and enter user information.

    (2) Wallet activation. When a user applies for a digital currency account with the central bank's digital currency registration system, or when the mobile phone is changed and the wallet migrated, the wallet needs to be activated in order to register the device identity with the central bank digital currency registration system and associate it with the digital currency account, ensuring that one account can transact on only one mobile phone.

    ① Users download the central bank digital currency wallet on their mobile phones

    ② The digital currency wallet connects to the central bank digital currency registration system server and uses the preset central bank digital currency registration system root certificate in TEE to verify that the server is authentic

    ③ The central bank digital currency registration system uses the mobile phone remote authentication system to verify the phone, confirm that it is genuine and in a secure state (not an Android emulator, not rooted, etc.), and obtain the phone's trusted identity through the verification process (unlike the IMEI, this identity is the public key of the public-private key pair associated with the phone's remote authentication function, which can authenticate the phone's signatures in remote authentication). It then registers the association between the user's digital currency account and the phone's trusted identity. Remote authentication essentially uses a public-private key pair embedded under secure conditions during the production of the phone to sign subsequently generated data on the phone (including the phone's trusted identity) so that it can be verified. Huawei's mobile root key module and Qualcomm's QWES (Qualcomm Wireless Edge Service) both provide this function. The specific remote authentication scheme is beyond the scope of this article and will not be repeated here.

    ④ The user performs the necessary KYC process. KYC has multiple levels of differing strength. From weak to strong these may include: mobile phone verification code authentication, name and identification number authentication, photographing the ID card plus face comparison, swiping a second-generation ID card or eID citizen network identity plus face comparison, and face-to-face authentication at a counter. Except for the counter, all of these can be done online.

    ⑤ The central bank digital currency registration system derives the wallet authentication key, and sends the derived parameters and the generated sub-private key to the wallet.

    ⑥ All communication processes are encrypted

    (3) Ledger synchronization When the mobile phone is connected, the wallet is connected to the central bank digital currency registration system to synchronize the ledger. The ledger synchronization information mainly includes all UTXOs owned by the digital currency account in the wallet:

    • UTXO permanent identifier
    • UTXO owner

    In addition, for risk control, the central bank digital currency registration system may impose limits on specific digital currency accounts according to their KYC level, such as daily transaction totals, number of transactions, single transaction amounts, offline transaction limits and maximum offline time. The wallet needs to download the relevant control policies and enforce them during transactions.

    (4) Offline transactions

    Offline transactions include multiple interactions between the receiving and paying parties. NFC and Bluetooth facilitate two-way communication and are more convenient. The two-dimensional code can only communicate in one direction. The two parties need to scan each other multiple times to realize two-way communication, which is inconvenient to operate.

    ① The receiving and paying parties establish a near-field communication channel and send each other a challenge together with their own wallet authentication key derivation parameters. Each party uses the central bank wallet authentication root public key preset in its TEE to derive the counterparty's sub-public key, confirms that it is within its validity period, and verifies the counterparty's signed message, thereby ensuring that the other party is a wallet certified by the central bank. The two parties then negotiate the near field communication key, and the subsequent steps are encrypted.

    ② The payee's wallet sends the transaction amount and the payee's digital currency account number to the payer

    ③ The payer's wallet combines UTXOs of various denominations to make up the transaction amount. If the central bank's digital currency uses a fixed-denomination UTXO model and the exact amount cannot be assembled, change is negotiated with the payee through near field communication, or the user is prompted to negotiate manually. If a variable-denomination UTXO model is used, it is only necessary to assemble UTXOs equal to or greater than the transaction amount.

    ④ Payer wallet constructs transaction message and signs it

    ⑤ The payer's wallet sends the signed transaction message to the payee. In the case of offline secondary circulation, all signed transaction messages of the UTXOs participating in the transaction that have not yet been recorded online shall be sent to the payee.

    ⑥ The payee's wallet uses the central bank digital currency issuance public key to verify that the digital currency is authentic

    ⑦ The payee wallet verifies the transaction signature, checks the payee account, updates the local offline UTXO account information, and presents the transaction amount to the payee via TUI

    ⑧ After the payee confirms that it is correct, the goods purchased by the payer are delivered to the payer

    ⑨ If the central bank's digital currency uses a fixed-denomination UTXO model and change is due, a payment from the payee to the payer is initiated; the process is the same as above. If a variable-denomination UTXO model is adopted, the change is realized by the payer setting itself as the owner of the change UTXO in the payment transaction.

    To control risk, the wallet may limit the number of UTXO transfers in offline conditions. After a certain number of times, this UTXO can no longer participate in offline transactions, and must be networked and synchronized with the central bank's digital currency registration system. The wallet may also limit the maximum offline time, and after a certain period of time, it must also be synchronized online.
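Steps ③, ⑤ and ⑨ together with the hop limit above, as an added example that is not part of the article: the payer assembles fixed-denomination UTXOs to cover the amount, the payee must be able to return exact change from its own still-spendable coins (otherwise the wallets fall back to manual negotiation), and each offline hand-over bumps a per-UTXO transfer count and carries the chain of not-yet-recorded signed messages. The denominations, hop limit, UTXO field names and sample wallets are constructed for this example; the article fixes none of them.

```python
from itertools import combinations

MAX_OFFLINE_HOPS = 3  # constructed risk-control parameter: offline transfers per UTXO

def spendable(utxos):
    """UTXOs that have not exhausted their offline transfer allowance."""
    return [u for u in utxos if u["hops"] < MAX_OFFLINE_HOPS]

def value(coins):
    return sum(u["value"] for u in coins)

def covering_subsets(utxos, amount):
    """Subsets with value >= amount, least overpayment first, then fewest coins."""
    cands = [c for r in range(1, len(utxos) + 1) for c in combinations(utxos, r)
             if value(c) >= amount]
    return sorted(cands, key=lambda c: (value(c) - amount, len(c)))

def exact_subset(utxos, target):
    """Smallest subset whose value is exactly target, or None."""
    for r in range(1, len(utxos) + 1):
        for c in combinations(utxos, r):
            if value(c) == target:
                return c
    return None

def negotiate_change(payer_utxos, payee_utxos, amount):
    """Step ③ for fixed denominations: the payer picks coins; if they overpay, the payee
    must return exact change from its own spendable coins (step ⑨ is a reverse payment,
    so those coins face the same hop limit). None means: prompt for manual negotiation."""
    for coins in covering_subsets(spendable(payer_utxos), amount):
        over = value(coins) - amount
        if over == 0:
            return coins, ()
        change = exact_subset(spendable(payee_utxos), over)
        if change is not None:
            return coins, change
    return None

def transfer_offline(utxo, new_owner, signed_msg):
    """Step ⑤ bookkeeping: bump the hop count and carry every signed message not yet
    recorded online, so the final holder can submit the whole chain when back online."""
    if utxo["hops"] >= MAX_OFFLINE_HOPS:
        raise ValueError("UTXO must be synchronized online before further offline use")
    return {**utxo, "owner": new_owner, "hops": utxo["hops"] + 1,
            "chain": utxo["chain"] + [signed_msg]}

# Constructed sample wallets (denominations and hop counts are made up for the example).
PAYER = [{"id": "a", "value": 50, "hops": 0, "chain": []},
         {"id": "b", "value": 20, "hops": 0, "chain": []},
         {"id": "c", "value": 20, "hops": 2, "chain": ["m1", "m2"]},
         {"id": "d", "value": 5, "hops": 3, "chain": ["m1", "m2", "m3"]}]  # hop limit reached
PAYEE = [{"id": "e", "value": 10, "hops": 0, "chain": []},
         {"id": "f", "value": 5, "hops": 0, "chain": []}]

def demo(amount=65):
    """Returns (payer coin ids, change coin ids) for the constructed wallets, or None."""
    result = negotiate_change(PAYER, PAYEE, amount)
    if result is None: return None
    coins, change = result
    return [u["id"] for u in coins], [u["id"] for u in change]
```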

    (5) Delayed transaction entry

    After the payee regains network access, the signed transaction messages of the UTXOs that were received offline and not spent offline are submitted to the central bank's digital currency registration system for entry. If a UTXO was obtained after a secondary transfer, all signed transaction messages of that UTXO during the offline transfer process must also be submitted together.


    • Unless otherwise specified, when this article speaks of a transaction being entered or accounted for in connection with offline digital currency, it means specifically that, once the network is connected afterwards, the owner of the digital currency in the central bank digital currency registration system is updated to match the owner agreed offline.
    • The double spending problem of central bank digital currency in offline transactions is not the same as the double spending problem of public chain digital currencies. The double-spend problem of public chain digital currencies is caused by inconsistencies between the ledgers of different nodes (usually caused by malicious behavior), and the longest chain or the greatest proof of work is used to decide which ledger prevails. The central bank's digital currency is centralized and has no public chain double-spending problem, but it has the characteristic that, because the payer's transaction cannot be entered immediately in an offline transaction, the payer may maliciously spend the same digital currency repeatedly during the offline period.
    • The term "connected transaction" used in this article is the counterpart of "offline transaction": a connected transaction is one in which at least one of the two parties is connected to the Internet. In order to distinguish it from non-face-to-face transactions conducted by both parties on an Internet trading platform, the term "online trading" is not used in this article.
    • UTXO (Unspent Transaction Output) is a term introduced by Bitcoin. This term is used in this article to describe the Token paradigm similar to Bitcoin.
    • Once virtual currencies such as Bitcoin and Ethereum are sent to addresses that cannot be controlled by private keys in transactions, these virtual currencies are no longer "rescueable". Because the central bank's digital currency uses centralized management, in theory, even if the transaction is sent to an invalid address (such as in an offline transaction), the central bank's digital currency registration system may still "roll back" the transaction.