Quantum threats: securing CBDC cryptography

The numbers provide the proof: 11 countries around the world have rolled out a version of a CBDC, while a further 103 are researching, developing, or piloting their own projects.¹ The same study points out these 114 countries combined represent 95% of global GDP. Given this amount of interest, it is important that all stakeholders consider the pain points in the CBDC sphere, both those that exist now and those in the future.

Let us focus on security. The design of CBDCs might differ, but CBDC wallets are generally protected through cryptographic algorithms facing threats from actors using quantum computers, which are increasingly available.

It should be noted that experts disagree on a timeline for when such an attack will find success. One cryptographer and privacy advocate blogged about the question of when quantum computers will be able to break 256-bit elliptic curve (EC) keys, which is currently an industry standard. His answer was clear and succinct: “Not even remotely soon.”² There is clearly a threat to CBDC security (and many other applications) from this new, powerful wave of computers, however. And the time to plan for a threat is before it arrives.

Securing money

Since a CBDC is a digital form of cash, it is helpful to think about how a transaction works in relation to its physical counterpart, i.e., cash. Consider the image below, which sets out the security requirements a CBDC must fulfill. Cash doesn’t have these issues for the most part, because it is a physical bearer instrument.

1. Establishment of identities With cash, the payee and payer meet each other, and trust enters the equation.
2. Authenticity Done visually and haptically in the case of cash. In certain cases, as for large transactions, additional checks – such as ultraviolet light, etc. – can be deployed.
3. Proof of ownership If someone shows up with banknotes, they’re (most probably) the rightful owners.
4. Non-repudiation When the banknotes change hands, the value is physically transferred. Settlement is immediate and cannot be repudiated.
5. No double spending Banknotes can’t be in two places at the same time.
6. No tracing/privacy Given how quickly cash moves, it is practically impossible for a third party to trace a payment pattern.

CBDC is digital by definition. Therefore, all these security requirements must be controlled for with cryptographic primitives. But classical cryptographic algorithms are now seen as being threatened by quantum computing, which illustrates the scale of the issue.

To understand this better, let’s look at how cryptography is used in digital assets like CBDC.

Types of cryptography

Any digital asset needs multiple types of cryptography.

Hash functions are used for fingerprinting data, among other uses. They are a key ingredient for many protocols. A cryptographic hash function is a mathematical one-way function, which typically takes inputs of variable lengths to generate outputs of a fixed length. Cryptographic hash functions add security features to typical hash functions, making it more difficult to tamper with the input without anyone noticing.

Symmetric cryptography is used for end-to-end encryption, for example in secure communication channels. A symmetric cryptographic algorithm uses the same secret key for encryption and decryption. Participants agree on the use of the secret key, and it cannot be disclosed to anyone else. The Advanced Encryption Standard (AES) utilizes symmetric cryptography.

Asymmetric cryptography, also known as public key cryptography, is used for digital signatures, which are intrinsic to any digital monetary asset. Pairs of related keys are utilized; each pair contains a public and a corresponding private key. Security depends on keeping the private key secret, as the public key is, well, public. The private key signs, while the public key validates. Key examples include the cryptosystem RSA and the previously mentioned EC. Currently, leading cryptocurrency players follow this model. To date, most CBDCs follow it as well. To that end, let’s explore asymmetric cryptography further.

Asymmetric cryptography

Incoming payments require the sender to know the recipient’s public key, which is often referred to as an “address.” Conversely, outgoing payments require producing a digital signature, which uses the private key, but which can be validated with only the knowledge of the public key. This public key is typically recorded in a blockchain or, in the case of CBDC, the register.

Anyone can send a payment to someone else, but only the specified payee can spend the funds received. The payee’s assets are directly tied to their keeping their private key secure and confidential. It should be noted that all of these key operations are carried out by a digital wallet’s software and hardware automatically.

The problem with asymmetric cryptography

In its current incarnation, a CBDC’s usability requirement means it demands little or no intervention from users, aside from long-term hardware upgrades. This is similar to the two-to-five-year cycle that bank cards, smartphones, and wearables typically experience. Therefore, the cryptographic algorithms that keep it secure need to be updated in a rolling fashion. In fact, as in your phone, new and old algorithms will coexist for a period ranging from a few months to several years (this depends on whether the algorithm is used only in software, or in hardware as well).

This opens the whole system up to breach, as both RSA and EC can be easily broken by quantum computers, which can compute the private/secret key from the easily available public key. This can lead to theft and to unauthorized use of funds by malicious actors.

Peter W. Shor’s eponymous 1994 algorithm shows us that this operation, i.e., the computation of a private key from its corresponding public key, can be performed with some efficiency, given sufficiently powerful quantum computers.³ Quantum computers are now at hand, though fortunately they are not (yet) sufficiently powerful.

Protecting CBDCs against attacks

Hash algorithms and symmetric cryptography are far less affected by quantum computers, fortunately. Sufficiently long hashes should be able to protect your assets while they’re at rest in your wallet, even from quantum computers. But you must produce the public key to the register for validation when you want to spend your assets. Your assets are at risk at that moment, when they’re in transit. Other types of asymmetric cryptography are indicated in this situation: these are called PQC (post-quantum cryptography) algorithms, and they are a field of active research at G+D.

Certificates will remain the obvious choice for authentication. However, they are also affected, since they are based on asymmetric cryptography. As a nation’s issuer of its CBDC, the central bank is the obvious choice to entrust with building a public key infrastructure (PKI) designed with quantum threats in mind.

It is important to factor in the long validity period of most certificates. As those certificates will be around for some time, the agility of the cryptographic mechanisms that secure them must be front-of-mind.

Shutting down existing PKI, and deploying an entirely new infrastructure, isn’t practical. Quantum robustness must happen on the move, as it were; classical and quantum-proof certificates must exist side-by-side, at least to begin with, until the entire ecosystem is secure and all users are onboard.

Security comes first at G+D. That’s why we have partnered with Germany’s leading cybersecurity company, secunet Security Networks AG (affiliated with the G+D Group), to provide the best framework for security architecture and public key infrastructure for our retail CBDC solution, Filia^®.
 

Just as banknotes are protected by haptic, optic, and other security features against counterfeiting, CBDCs must also adhere to the highest security requirements to be a trusted complement to cash. We strongly advise that post-quantum cryptography be incorporated into a CBDC’s design.

Published: 22/06/2023