Brussels unveils plans for a digital euro promising complete privacy (opens in new tab)

Call me cynical but I don’t see why the EU would push this apart from attempts to snoop and control peoples expenses.

> What mechanisms would be in place to allow me to transfer money from my KYC bank account to an anonymous wallet without it being tracked?

I really doubt that they intend do use it, but zero-knowledge cryptography indeed can accomplish this, so there is no technical limitation afaik.

> If the max is €3000 but it's entirely private, how could they possibly know I don't have a higher balance or multiple wallets?

This gets trickier. Let's say we limit to 3000 per account (and use whatever else to limit accounts/person). This would be possible, but would also reveal the amount on the account: try to send decreasing amounts, first one that succeeds reveals previous balance. There's probably an entity that can simulate sending too.

> What tech is even being used to allow fully private, offline transactions in the first place? How does the receiver verify that the digital cash is legit? And how does the network ensure that the money wasn't double spent while offline?

Yeah, this one is impossible.

I doubt there will be any privacy at all. Perhaps some rules over who can access the data but they conveniently exempt the government.

Still, the EU banks already have SEPA instant payments so the infrastructure for this is not hard to imagine.

And despite those drawbacks, it's still better than the VISA/MC duopoly on online payments

Regarding offline payments perhaps what they mean here is that you as the wallet holder don't need network connectivity but the merchant does?

>Of course people will argue against this as the government would have full control over people’s money. But I think that’s the case anyway.

To an extent, but (speaking for the US primarily) there is significant added friction from the current distributed nature of the legacy banking system. If it were as easy as typing a person's ID number into a form and the system would take care of the rest, it would certainly be used more freely (freezing the accounts of thousands of people attending a protest with today's system would be a monumental task, even with full judicial endorsement).

Fully agree. But instead of having "the government have full control over people's money", I think, setting this up as a federated cheap-to-run payment system would be even better. This would allow multiple existing banks to offer the service to their existing customers. This could reduce the risk of a fully decentralized solution a little bit.

Similar thing used to exist in the Netherlands. Think it's been gone for a decade now?

> Having this will be an awesome replacement to the limitations of the visa/mastercard monopoly

Yes, they are a 2-3% leech on the economy in the US. In Europe, the regulators there have kept it a bit lower, which is reflected in EU credit cards having few benefits and high fees.

> I wonder how they will implement the infrastructure.

That's also what I wonder. A description of the cryptography and system would be interesting.

If this is only as anonymous as cash (i.e. unique serial numbers on every bill), then this would still be a step backwards, as it would be trivial to track individual e-bills around.

I am also surprised that they allow up to €3,000. This would make smuggling far easier/denser than physical €500/CHF1,000/USD100 notes. It could even allow a relay-attack smuggling, where the wallet is located far away from where the funds are used.

It's not impossible: techniques like those monero uses can allow for good on-chain privacy, and the limited amount and central administration of cash going in and out makes money-laundering worries a much smaller concern. The offline transactions are interesting though, I suppose again the central administration means that double-spending is not going to be quite as exploitable.

This legislation comes from the same source as the GDPR.

Chaum designed and tried to commercialize an anonymous + offline payment system in the 90s already.

Basically he used (and invented) blind signatures to allow the bank to sign a 'coin' without knowing what they signed. The customer takes the blindly signed coins from the bank, pays at a merchant and later the merchant deposits the coins at the bank again, where the signature is checked.

In this context offline just means that the merchant can verify the authenticity of the coin without immediately needing a connection to the bank. At some point in the future, however, the merchant will have to connect to the bank to get their money. Check out his original paper for details[1].

Offline systems have drawbacks, though. E.g the GNU Taler people made the pragmatic decision to have an online system. See chapter 1.2.1 'Offline vs Online' of Florian Dold's Phd thesis for a discussion on why[2].

[1]: https://chaum.com/wp-content/uploads/2022/01/Chaum-1990-Chap... [2]: https://taler.net/papers/thesis-dold-phd-2019.pdf

> How can they make it work offline while protecting the money from being duplicated?

It's not actually possible to prevent this entirely. It's not even possible with physical currency. You can always look at a bank note and make an exact-enough duplicate, then spend it twice.

> they're planning to make it so that you have to go online every set period of time and then they verify the money.

That's not a hard requirement, but yes. The central bank is the final authority on what currency is counterfeit or not.

-----

For current technology, I think it's probably sufficient to have a smart card issued by the central bank, with an embedded certificate chained to the central bank. For offline transactions, the two cards can establish an encrypted stream, mutually verify that they were attested by the central bank, and then mark notes as transferred to the other party in TXN#X, run the transfer, then delete the notes entirely.

Interrupting the process might leave the notes in a partial state (marked for transfer to a particular smart card), but the connection can be reestablished to try again, so long as the TXN# isn't incremented by another transaction.

Now you have to hack a smart card processor to double spend (and only offline, and still detectable), which is of similar difficulty and risk to making counterfeit banknotes.

Maybe North Korea will sell you an infinite money card, but it will only get you free coffee when hiking in the Alps, and only until that card's certificate is added to the revocation list and people update their transfer boxes.

It's private for the user. Transactions are only between you and the merchant. Credit card networks, PayPal, etc are all third parties with insight into all Payments going through them globally.

It's offline. Neither you nor the merchant have to have a connection to the bank for the transaction to happen.

i suppose they can't demonetize you without a legal reason and the fees will be set by the governemnet , not shareholders

hopefully significantly less moralising on the use of the funds and random unaccountable freezing of accounts.

It ultimately comes down to being able to go to a physical location and get coins/paper or not.

I just don't see what the value is of having my account denominated in a way that getting coins/paper is gone. Even if we went to all digital money tomorrow we would probably quickly get a bank that denominates in gold and gives you back paper slips for proof of deposit. Or doesn't even bother with gold and gives paper slips of electronic currency deposits.

We can't even get rid of useless pennies in the US.