Central Banks, Secure Elements And Digital Currency
Why Apple’s iPhone policies matter for the digital euro.
Dateline: Singapore, 30th July 2024.
A board member at the European Central Bank (ECB), Piero Cipollone, wrote to Thierry Breton, the European Commissioner for the internal market, to warn that Apple's current plans are likely to make the iPhone incompatible with making offline payments in any future European central bank digital currency (CBDC). If you want to know why this is, well, read on…
The Problem
Mr. Cipollone rightly notes that Apple’s proposed commitments to the European Commission would not give third parties full access to the secure element (SE) in the iPhone, but only allow for what is known as host card emulation (HCE). Let’s break this down before we move on to look at the implications.
First, the SE. The SE is a secure computer chip in the handset that is much the same as the secure computer chip on a credit card and, much the same as the secure computer chip on a credit card it can store the cryptographic keys need for (for example) Visa or MasterCard payments. If you cannot store these keys in the SE, then you have go to some lengths to protect them inside the memory of the phone itself.
Second, HCE. HCE-based payment solutions allow banks to build their own apps to compete with Apple Pay, but these apps would be at a fundamental disadvantage against Apple Pay, as they would be unable to hold the necessary secure data inside the SE. Which means that banks, and other organisations, can build retail payment applications on the standard card rails for Android phones, but not for iPhones.
Now, access to the SE important in the central bank digital currency (CBDC) context because, as Mr. Cipollone sets out in his letter, access to the SE is vital for mobile device-based offline digital euro payments. A CBDC that does not offer device-to-device offline payments cannot ever be a viable alternative to cash in the mass market. The ECB understands this, so it is planning two different digital euros for retail payments, with one of them exclusively for offline use.
International Views
The ECB is not alone in looking at offline transactions. I happened to be in Bangkok earlier this year when the Bank of Thailand had just published its report on its CBDC Pilot Program which concluded that, amongst other things, challenges around offline CBDC use “remain unsolved”. The Bank explored a solution designed to support consecutive offline payments, allowing transactions to be conducted without internet connectivity by locally connecting via Bluetooth LowEnergy (BLE) and NFC technology. The solution chosen demonstrated the capability to handle hundreds of transactions during periods of disconnection before requiring synchronisation with a hub. The challenges that the Bank identified included the need for ongoing development of security models because of potential future threats to balances kept in the offline device for a long period of time and they point toward mitigation through limiting offline use between hub connections.
The Reserve Bank of New Zealand (RBNZ) also recently announced that it is exploring the introduction of CBDC and according to Ian Woolford, the RBNZ’s director of money and cash, a CBDC would work offline so that people could make payments without connecting to internet. This would be useful, as noted, in remote locations with no mobile coverage, or in an emergency with internet access or when the power is out.
What is Offline?
Recent IT calamities around the world have served to reinforce the point that the ability to exchange digital currency between people without using a mobile network, the internet and with the power out is fundamental to an electronic cash alternative and since half of the ECB’s digital currency development budget is allocated to offline payments, it looks as if they agree with that view. But what exactly do they mean by offline payments? Some clarity is required here, so I think perhaps we should stop talking about online and offline in this context and instead find some better labels.
We should first look the issue of whether the payer and payee devices are local to each other or remote from one another. In local transactions, the counterparty devices connect directly (e.g., via Bluetooth) to effect a transaction. In remote transactions they connect via a network (e.g., the Internet). So far so good. Now, how does value flow from one of these devices to the other? Are the transactions unmediated or unmediated, centralised or decentralised transactions, or perhaps better still are they hub or “edge” transactions?
(If you think of a network as nodes connected by edges, then edge transactions are transactions between one node and another with no other nodes involved.)
In a hub system (e.g., M-Pesa in Kenya) the digital currency is not stored in the device. The wallet balances are maintained in a central hub and the device — actually in this case, the SIM in the device — merely stores the keys needed to authorise a transaction. All transactions between devices route via the hub (put to one side whether that hub is truly centralised or distributed or some combination, it’s not important).
In an edge system, the transactions route from device to device. There is no hub, and the wallet balances or coins are stored in the device itself. When Alice sends Bob five digital bucks, the five digital bucks move from her wallet directly into his wallet and no-one knows about this except for Bob and Alice.
Now that we have the definitions clear, let us return to what the ECB is planning. Last year, the ECB published its “stocktake”, the findings of the work the Eurosystem carried out during the digital euro investigation phase, which lasted from October 2021 until October 2023. In this, they talk about how a digital euro would be usable online and offline. In their words, the “offline” mode would be designed to maximise certain cash-like characteristics: that is, a bearer payment instrument "that is not dependent on an online connection, but is limited to proximity payments".
Off Line
So when the ECB says offline, they mean local edge transactions. But why should edge transactions be limited to local payments only though? It seems to me that if the system has the capability to implement device-to-device transfers (i.e., edge transactions) then transactions should always be device-to-device whether the devices are local or remote. In other words, if I go online to pay Netflix using a digital euro, the value should transfer from a device of mine to a device of theirs even if we are both online.
(Netflix might then be required to transfer it immediately from their device to a bank account, which is the current ECB proposal, but that’s a different issue.)
If all transactions are edge transactions then there are no scaling issues, no constraints impose by traffic through the hub and no bounds on the number of transactions that might complete simultaneously. These are, as you might have already spotted, characteristics of cash.
with kind permission of Helen Holmes (CC-BY-ND 4.0)
Security and Privacy
Well, you might think, that sounds good but what happens to national security if a substantial fraction of the nation’s money is flowing around from device to device. How could the integrity of the system be assured? What happens if well-funded and highly-motivated nation-state hackers find a way to get into a tamper-resistant chip and reset the balance to the maximum after each transaction, or replenish spent tokens in order to double spend?
That is a rational concern, but remember while the transactions might be entirely offline, auditing and accounting would not be. The chips used to store the digital currency would be part of an integrated risk management system.
The chips would have a transaction limit of say £10,000 and they might only be allowed a certain number of transactions before they have to interact with a financial institution in some way, to load money from a regulated digital currency provider or to deposit money into a a bank account. Chips would have their own transaction logs, serial numbers that could be traced and would have security algorithms that could be field upgraded. And so on.
(100 million wallets with a limit of ten grand Sterling in each? That’s around a hundred billon quid. Right now, UK M0 is about the same, so the numbers roughly work.)
And, of course, there’s always a “smash the glass” option of turning off device-to-device mode in the event of a catastrophic hardware breach so that, for example, consumers could only pay merchants until their chip is upgraded or whatever. There’s no need to go into it here, but suffice to say that it would be possible to build a system with integrity.
(Indeed such a system was built: Mondex, the world’s first digital fiat currency, launched in Swindon almost three decades ago.)
Hardening Attitudes
Ethereum founder Vitalik Buterin, in an essay lamenting the terrible state of internet security (and the hundreds of billions of dollars of cryptocurrency that are at risk of theft by anyone who can hack into users’ wallets) explores some ways to fundamentally shift the calculus and specifically highlights secure hardware as way forward. He points out in fact that a great many people already have access to chips in the form of the “secure elements” in their smart phones. These effectively create a much smaller high-security operating system inside the phone that can remain protected even if the rest of the phone gets hacked.
(Among many other use cases, as Vitalik points out, these chips are increasingly being explored as a way to make more secure crypto wallets.)
In a population-scale solution, if the architecture is going to allow any device-to-device transactions then it may as well make all transactions device-to-device. That way there is only one transaction type to be designed, tested, analysed, certified and monitored. There are no special cases: a transaction is a transaction is a transaction. Now the system can scale. Ten transactions per second or ten million transactions per second makes no difference, and when there’s no mobile network you can still buy a beer.
Are you looking for:
A speaker/moderator for your online or in person event?
Written content or contribution for your publication?
A trusted advisor for your company’s board?
Some comment on the latest digital financial services news/media?
I disagree here Dave. Any implication that Apple needs to "open up" the SE are off base. As you know the SE is certified by Global Platform (read this pdf https://globalplatform.org/wp-content/uploads/2023/03/GP_EUDI_Wallet_White_Paper_v1.0_PublicRelease_signed.pdf)
The first stage of a CBDC in the SE is to create a card applet that can be certified. There are 2 mechanisms for deployment. One within the embedded SIM (controlled by the device manufacturer) and the section through the SIM/embedded SIM (eUICC). In the later, the GSMA has
issued a new requirement specification called Secured Applications for Mobile (SAM) that allows
third-party application providers to install and manage applets on the eUICC independently of the
mobile network operator profiles.
Before hitting Apple, Samsung or Google on SE "openness" and HCE. You first need to get the spec written for what you want (CBDC), get the applet certified, then discuss why you can't make it work within eUICC.
I don't want my iPhone security breached by the EU government's needs. Once that whole is made the entire world's governments will make the ask. Perhaps the best approach is for Apple to add an optional add on for a Titan M2 equiv for EU. One that runs seperate from iOS and its own TEE/secure enclave. You can then spin up the EU vision of TSMs again to manage all the keys and provisioning.. Good luck with that.