In a permissionless blockchain used for crypto applications, all transactions are public. Privacy is maintained
by hiding the user’s real identity behind a private key. In this sense, there is pseudo-anonymity.
1
By contrast, a
monetary system based on users’ real names raises the question of how to safeguard their privacy. Privacy has
the attributes of a fundamental human right. Nobody else needs to know from which supermarket an
individual buys their groceries. Therefore, a basic task of a decentralised monetary system based on real
names is to find a way to ensure both that the ledger is secure without the need for a central authority, while
at the same time preserving the privacy of the individual transactions.
One possible route is through permissioned DLT systems. In these systems, only select users that meet
eligibility requirements can obtain access. Interactions between system participants are thus invisible to people
outside the system. One example is the permissioned DLT system Corda, which is used by private financial
institutions (eg for trade finance platforms) and in a number of central bank wholesale CBDC projects,
including Projects Helvetia, Jura and Dunbar at the BIS Innovation Hub.
In Corda, updates to the ledger are performed through a validation function and a uniqueness function.
Validation, which involves checking that the details of the transaction are correct and that the sender has the
available funds, is done by the system participants. In fact, only the participants that are involved in a transaction
are responsible for validating it.
Checking that the sender has a valid claim to funds does not, however, ensure
that they will not attempt to spend those same funds twice. Transaction uniqueness (ie the prevention of
double-spending) is ensured by a centralised authority called a “notary”. Notaries have access to the entire
ledger and hence can ensure that funds being used in a particular transaction are not being used elsewhere. In
the case of wholesale CBDCs, a natural candidate for the notary is the central bank, as this institution already
plays a similar role in maintaining the integrity of the overall transaction record in centralised systems.
In such permissioned systems, a tension can arise between payment integrity and transactional privacy.
Transactional privacy in a peer-to-peer exchange means that only the two participants involved in a transaction
can see that it occurs – very much like when one person hands over a one-dollar bill to a friend. In the case of
a digital banknote, the validation process performed by the participants requires that the recipient can trace
the banknote back to its origin, which in turn entails seeing every one of the banknote’s previous holders. In
the context of Corda, this is called the “backchain problem”. While the system does not allow everyone to see
everything, it does allow participants to have a view beyond their own transactions. Solving the backchain
problem is an important design problem in central bank CBDC projects. The challenge is to arrange matters
so that they can truly emulate paper banknotes and preserve people’s transactional privacy.
Recently, system architects have been exploring the use of zero-knowledge proofs (ZKPs) to generate a
cryptographic record that a transaction has occurred, without revealing either the identity of a participant or
the content of the transaction. ZKPs let one party prove to another that a statement is true without revealing
any information beyond that fact. In a payment system, the goal is to prove that the sender of funds obtained
those funds through a legitimate chain of transactions, going all the way back to and including the origination
of the funds, without sharing any details of these transactions. The goal is achieved by replacing each
individual transaction with a ZKP and transferring these proofs,
in place of the individual transaction details,
during each successive transaction. This technique allows recipients of a digital banknote to know that it can
be traced back to its origin, without knowing the details of this banknote’s history. Instead of seeing the
history of all previous transactions, the verifier, and, if desired, the notary, can observe only a series of ZKPs
(see Graph C1).
The ZKP technique is generally understood to be an effective means of generating transactional privacy,
but using cryptographic proofs erodes system performance by reducing its speed. Currently, the most popular
ZKP systems are the so-called succinct non-interactive arguments of knowledge (SNARKs), succinct transparent
arguments of knowledge (STARKs) and Bulletproofs. Each solution has different costs in terms of verification
and overall proof time and overall proof size; these are shown in Table C1. Long verification and proof times
may reduce transaction throughput to levels that are insufficient to settle typical payment system volumes
without adding an unacceptable amount of delay. Researchers are looking for ways to reduce these times.
