Bank of England examines privacy enhancing technologies for CBDC

Getting your Trinity Audio player ready...

The Bank of England (BoE)—the United Kingdom’s central bank—has released a paper in collaboration with the Massachusetts Institute of Technology Digital Currency Initiative (MIT DCI) exploring privacy enhancing technologies (PETs) for a possible digital pound.

The paper is the result of an increasing enthusiasm from many countries around the globe for some form of central bank digital currency (CBDC)—the digital form of a country’s fiat currency, regulated by its central bank—which has come into conflict with an equally strong anti-CBDC lobby, whose primary concerns revolve around the thorny issues of state surveillance and citizen privacy.

According to the Atlantic Council’s CBDC tracker, as of December 2024, 35 retail CBDCs are already in the pilot stage, with 13 more in development. Additionally, 25 wholesale CBDCs are also in the pilot stage, with 11 further in development.

CBDCs can be broadly broken down into two main categories, ‘retail’ and ‘wholesale’. A retail CBDC is a digital currency issued by a central bank for public use, enabling individuals and businesses to make everyday transactions. A wholesale CBDC, on the other hand, is designed for financial institutions to conduct large-scale interbank transactions, improving efficiency in the financial system.

The former of these two forms of CBDC seems to inspire the greater fears around ‘big brother’ and the insidious overreach of government surveillance. While overblown, these fears are not without foundation, as a monetary system based on blockchain’s immutable, distributed ledger technology would potentially allow a central bank to track exactly when and how every individual citizen is spending their money.

For this reason, the BoE—currently developing both a retail and wholesale CBDC—partnered with the MIT DCI to publish a paper exploring privacy-enhancing solutions.

“The Bank of England and HM Treasury’s 2023 Consultation Paper on the digital pound made clear that rigorous standards of privacy would be fundamental to trust and confidence in a digital pound and that measures would be put in place to ensure the public has confidence in using any digital pound, were one to eventually be launched,” explained the paper.

Commitment to privacy and law

In response to a previous consultation on a retail CBDC, in which respondents emphasized concerns around privacy, the BoE and the British government committed that any proposed digital pound would not give them access to users’ personal data and that legislation introduced by the U.K. government for a digital pound would guarantee users’ privacy. In addition, they promised to explore technological options that would prevent the bank from accessing any personal data through the bank’s core infrastructure.

However, the BoE was keen to point out that laws and regulations require financial services providers to use data to verify customers’ identities and understand spending patterns to help mitigate the risk of facilitating financial crime.

Meaning, a digital pound would not be for anonymous payments. Rather, the aim would be to find a balance that allowed for payment verification and appropriate checks but prevented the government from having all the private identity data through legislation and technical means.

The BoE/MIT DCI research paper, published December 6, explored the latter of these two means:

“This research showed that emerging types of PETs… might feasibly be applied to digital currency systems such as the digital pound to minimize the sharing of data both with the central bank and between payment intermediaries, giving users greater control over their data and enhancing user privacy. This presents opportunities for a digital pound to be at least as private as current forms of digital money and potentially even more private, although as with any technology, there are limitations to what emerging types of PETs can achieve.”

Specifically, the paper outlined three potential PETs: pseudonymity, Zero-Knowledge Proofs (ZKPs), and multi-party computation (MPC).

Pseudonymity

Pseudonymity is a system that avoids using a person’s name, phone number, or social security number to attempt to obfuscate a person’s identity. As explained by the paper, “pseudonymization replaces user information or another piece of data with a reference, or identifier, that does not reveal that information.”

Blockchains often use addresses (which might derive from cryptographic public keys) as pseudonymous identifiers, yet several service providers can identify wallet holders. That is partly because wallet addresses often persist across multiple blockchain transactions, but different wallet addresses can also often be linked. Hence, pseudonymity improves privacy but does not guarantee it.

The paper argued that pseudonymization has several key benefits: it is easy to generate and use pseudonyms and does not require complex cryptographic operations; it does not add significant overhead in terms of data storage or transmission requirements, so it will not significantly slow down systems that use it; it is compatible with other privacy-enhancing techniques and can be combined and layered in a more advanced system to provide different properties; and it is already widely used in practice, meaning its properties (including drawbacks) are well-understood and well-tested.

The research particularly highlighted the possibility that issuing pseudonyms could be handled by third-party know your customer (KYC) providers rather than Payment Interface Providers (PIP), effectively decoupling the identity verification process (handled by KYC providers) from the transaction facilitation process (handled by PIPs). This could increase privacy by adding a further abstraction layer between the user’s verified identity and transactional activity.

However, there are also limitations. For example, the digital pound and other CBDCs often impose holding and transaction limits. If someone had CBDC accounts with multiple payment providers that use different pseudonymous identifiers, these holding limits would be hard to police.

The paper made three suggestions to address this issue: i) for the user to have a personal wallet that connects to multiple payment provider balances and gives an aggregate proof of the total holdings or transactions to an automated auditor; ii) for each payment provider to give a daily total for each user and that data is aggregated across payment providers; and/or iii) based on a person’s name or national insurance number, a pseudonymous hash could be inserted into all their transactions for a specific day, but the hash would change every day and not be linkable.

The second major limitation of pseudonymization noted was that it “alone is insufficient to provide strong levels of privacy” in a CBDC. Thus, the paper recommended using such a system in combination with other PETs.

Zero-Knowledge Proof

One such PET that could be used in combination with pseudonymization was Zero-Knowledge Proof (ZKP), a cryptographic technique that can be used alongside blockchain to allow one party to prove to another that a statement is true without revealing any details about the statement itself, ensuring privacy and security in a transaction.

For example, by distributing and segregating off a person’s various ‘identity data,’ ZKP could allow that individual to prove that they had passed a KYC check or had a sufficient balance for a transaction without providing their name or actual balance.

However, the paper noted limitations around efficiency and performance (depending on the complexity of the statement being proved), a lack of expertise to monitor and maintain such a system, and a lack of standardization in ZKP.

Multi-party Computation

The final PET outlined was multi-party computation (MPC), which allows multiple parties to access data for use by an algorithm without releasing the underlying data.

“We can use multiparty computation and related techniques to distribute trust and authority,” argued the paper. “This includes systems that deliberately distribute information so that it is never available in a centralized form, and then use multiparty computation to reconstruct it. A notable concrete example here is using multiparty computation to protect cryptographic key material.”

However, as noted by the research, this system also has its limitations.

One challenge with MPC is that many require multiple servers to achieve efficiency, and the system’s benefits become moot if servers collude. Thus, it would be crucial to have a well-defined regulatory framework to address the main challenge of maintaining trust among several autonomous authorities and guaranteeing that they do not collude.

Another more general limitation, which the paper argued broadly applies to other complex PETs as well, is the challenge of carefully describing the problem it could be used to address and determining whether it is a good fit for the exact privacy or security goals.

The BoE and MIT DCI rounded off by emphasizing that one of the main goals of the research was to “help inform public dialogue on a digital pound in the U.K. as well as in other countries studying the potential issuance of a CBDC.”

With this in mind, it welcomed continued dialogue on the digital pound and the PET solutions outlined.

“While PETs, on their own, do not guarantee privacy, the approaches we explored in this paper seek to safeguard consumers’ private information, enable compliance with existing regulations, and strengthen trust and confidence in a digital pound, should one be launched in the future,” the paper concluded.

Watch: Finding ways to use CBDC outside of digital currencies