Geoffrey Goodell

Geoffrey Goodell, Hazem Danny Al-Nakib, Tomaso Aste

Nations around the world are conducting research into the design of central bank digital currency (CBDC), a new, digital form of money that would be issued by central banks alongside cash and central bank reserves. Retail CBDC would be used by individuals and businesses as form of money suitable for routine commerce. An important motivating factor in the development of retail CBDC is the decline of the popularity of central bank money for retail purchases and the increasing use of digital money created by the private sector for such purposes. The debate about how retail CBDC would be designed and implemented has led to many proposals, which have sparked considerable debate about business models, regulatory frameworks, and the socio-technical role of money in general. Here, we present a critical analysis of the existing proposals. We examine their motivations and themes, as well as their underlying assumptions. We also offer a reflection of the opportunity that retail CBDC represents and suggest a way forward in furtherance of the public interest.

Alex Lynham, Geoffrey Goodell

In this paper, we make a case that endogenous tokens such as cryptoassets are not money. First, we define and classify tokens found on public, permissionless ledgers, contrasting them with privately issued stablecoins and proposed CBDC designs. We then discuss the work of Kahn et al in Money is Privacy on cash versus simplified credit, and we extend their analysis to the situation found on most public, permissionless ledgers. Many public, permissionless ledgers utilize an account-based abstraction for balances, resulting in a default state that maps onto the most harmful models of agent interaction enumerated in Money is Privacy. The conclusion is threefold: that most blockchain economies lack a cash-like primitive; that stablecoins do not intrinsically fulfil this role; and that the reliance of a network on an endogenous token for security exposes holders even of a privacy-preserving asset to the same risk, if that asset relies on the same global ledger state as the endogenous token.

Geoffrey Goodell

Many proposals for the design and implementation of digital wallets assume that the purpose of the wallet is to enable offline payments via custodial accounts, ignoring the real problems faced by individuals and businesses that engage in retail payments, such as the anticompetitive behaviour of payment platforms and the decline of cash. More importantly, the proposals ignore the raison d'être of digital currency as a kind of digital money that can be held independently of custodians. Finally, the proposals demonstrate a profound lack of imagination about the nature of digital money and the devices that could be used to hold, manage, and exchange it. From these presumptions flows a set of architectural requirements that stifle the promise of digital currency to deliver novel and efficient ways to exchange value in the digital economy. In this article, we critically assess the essential problems that digital currency solutions are being proposed to solve, particularly with respect to the future of payments and the future of cash. We assess the validity of common justifications for account-based payments and certified hardware in the context of alternative designs, limitations, and trade-offs. We conclude that the interests of consumers would be better served by design approaches to digital currency that anticipate that digital assets would be held outside accounts, stored offline, but transacted online, without requiring the use of trusted hardware.

Daniele Friolo, Geoffrey Goodell, Dann Toliver et al.

This article builds upon the protocol for digital transfers described by Goodell, Toliver, and Nakib, which combines privacy by design for consumers with strong compliance enforcement for recipients of payments and self-validating assets that carry their own verifiable provenance information. We extend the protocol to allow for the verification that reissued assets were created in accordance with rules prohibiting the creation of new assets by anyone but the issuer, without exposing information about the circumstances in which the assets were created that could be used to identify the payer. The modified protocol combines an audit log with zero-knowledge proofs, so that a consumer spending an asset can demonstrate that there exists a valid entry on the audit log that is associated with the asset, without specifying which entry it is. This property is important as a means to allow money to be reissued within the system without the involvement of system operators within the zone of control of the original issuer. Additionally, we identify a key property of privacy-respecting electronic payments, wherein the payer is not required to retain secrets arising from one transaction until the following transaction, and argue that this property is essential to framing security requirements for storage of digital assets and the risk of blackmail or coercion as a way to exfiltrate information about payment history. We claim that the design of our protocol strongly protects the anonymity of payers with respect to their payment transactions, while preventing the creation of assets by any party other than the original issuer without destroying assets of equal value.

Geoffrey Goodell

We describe a protocol for creating, updating, and transferring digital assets securely, with strong privacy and self-custody features for the initial owner based upon the earlier work of Goodell, Toliver, and Nakib. The architecture comprises three components: a mechanism to unlink counterparties in the transaction channel, a mechanism for oblivious transactions, and a mechanism to prevent service providers from equivocating. We present an approach for the implementation of these components.

Nick Pope, Geoffrey Goodell

This document considers the counteracting requirements of privacy and accountability applied to identity management. Based on the requirements of GDPR applied to identity attributes, two forms of identity, with differing balances between privacy and accountability, are suggested, termed "publicly-recognised identity" and "domain-specific identity". These forms of identity can be further refined using "pseudonymisation" and as described in GDPR. This leads to the different forms of identity on the spectrum of accountability vs privacy. It is recommended that the privacy and accountability requirements, and hence the appropriate form of identity, are considered in designing an identification scheme and in the adoption of a scheme by data processing systems. Also, users should be aware of the implications of the form of identity requested by a system, so that they can decide whether this is acceptable.

Geoffrey Goodell, Hazem Danny Al-Nakib, Paolo Tasca

In recent years, electronic retail payment mechanisms, especially e-commerce and card payments at the point of sale, have increasingly replaced cash in many developed countries. As a result, societies are losing a critical public retail payment option, and retail consumers are losing important rights associated with using cash. To address this concern, we propose an approach to digital currency that would allow people without banking relationships to transact electronically and privately, including both internet purchases and point-of-sale purchases that are required to be cashless. Our proposal introduces a government-backed, privately-operated digital currency infrastructure to ensure that every transaction is registered by a bank or money services business, and it relies upon non-custodial wallets backed by privacy-enhancing technology such as blind signatures or zero-knowledge proofs to ensure that transaction counterparties are not revealed. Our approach to digital currency can also facilitate more efficient and transparent clearing, settlement, and management of systemic risk. We argue that our system can restore and preserve the salient features of cash, including privacy, owner-custodianship, fungibility, and accessibility, while also preserving fractional reserve banking and the existing two-tiered banking system. We also show that it is possible to introduce regulation of digital currency transactions involving non-custodial wallets that unconditionally protect the privacy of end-users.

Oscar King, Geoffrey Goodell

Digitisation is often viewed as beneficial to a user. Whereas traditionally, people would physically have to identify to a service, pay for a ticket in cash, or go into a library to access a book, people can now achieve all of this through a click of a button. Such actions may seem functionally identical to their analogue counterparts, but in the digital case, a user's actions are automatically recorded. The recording of user's interactions presents a problem because once the information is collected, it is outside of the control of the person whom it concerns. This issue is only exacerbated by the centralisation of the authentication mechanisms underpinning the aforementioned services, permitting the aggregation and analysis of even more data. This work aims to motivate the need and establish the feasibility of the application of a privacy-enhancing digital token management service to public transit. A proof-of-concept implementation is developed, building upon a design proposed by Goodell and Aste. This implementation was optimised for the public transport use case. Its performance is tested in a local environment to better understand the technical challenges and assess the technical feasibility of the system in a production setting. It was observed that for loads between one and five requests per second the proof-of-concept performs comparably to other contactless payment systems, with a maximum median response time less than two seconds. Due to hardware bottlenecks, reliable throughput in our test environment was limited to five requests per second. The demonstrated throughput and latency indicate that the system can feasibly compete with solutions currently in use. Yet, further work is needed to demonstrate their performance characteristics in an environment similar to that experienced in production.

Geoffrey Goodell

We describe a simple approach to peer-to-peer electronic mail that would allow users of ordinary workstations and mobile devices to exchange messages without relying upon third-party mail server operators. Crucially, the system allows participants to establish and use multiple unlinked identities for communication with each other. The architecture leverages ordinary SMTP for message delivery and Tor for peer-to-peer communication. The design offers a robust, unintrusive method to use self-certifying Tor onion service names to bootstrap a web of trust based on public keys for end-to-end authentication and encryption, which in turn can be used to facilitate message delivery when the sender and recipient are not online simultaneously. We show how the system can interoperate with existing email systems and paradigms, allowing users to hold messages that others can retrieve via IMAP or to operate as a relay between system participants and external email users. Finally, we show how it is possible to use a broadcast protocol to implement mailing lists and how distributed ledger technology might be used to bootstrap consensus about shared knowledge among list members.