CBDC: Securing the Immutable Ledger
Photo by Jason Dent on Unsplash

CBDC: Securing the Immutable Ledger


There are two things at odds in developing a secure, immutable ledger of transactions for a Central Bank Digital Currency (CBDC).  You want the immutability and security of decentralized cryptocurrencies, but you also want the centralized control of a permissioned distributed ledger; which creates some contention in the design.  

You will continue to see most CBDC designs and a lot of distributed ledger platforms stating that they are NOT blockchain.  I would point you back to my CBDC nonsense article that kicked off this series for a refresher.  Essentially, when a CBDC like China’s digital Yuan states that this is not blockchain - they are trying to tell you the same thing R3 was trying to say to you when they noted that Corda was not blockchain.  ‘Not Blockchain’ is telling you that it is not decentralized,  but it is still a distributed ledger design and it still uses the hashing techniques of blockchain to make the ledger an immutable chain of events.  It does not, however, behave or operate like Bitcoin. For most solutions in the CBDC space, this is good enough for the ledger but maybe not for operations.

A central bank offering a digital currency is potentially taking on a single ledger’s operation for an entire economy.  If you want to go with ‘a single ledger to rule the world of money’ in your country, you have a lot to consider in scaling that solution to all participants of your economy.  It won’t matter if you are trying to centralize the ownership of a tokenized currency or an account-based model. While an account-based offering is potentially 87 times more complicated, you still need to scale and process transactions efficiently and effectively with immutability that participants can trust.  With the centralized model, the keys to the kingdom are the administrative IDs that control the nodes.  The number of nodes, the location of the nodes and the ability to keep all the nodes in sync to effectively serve millions of people 24x7x365 will be difficult for just about any central bank.  None of the world’s current central banks have taken on a technology delivery of that scale - ever.   A centralized model means that a compromise of any credentials in the infrastructure not only disrupts the operation of the currency but can also erode trust in the currency itself.  Centralized infrastructures would be under almost constant attack - no central bank is equipped to deal with that level of scrutiny or liability.

Multi-ledger solutions at least spread the liability around. They also allow you to create mechanisms to bolster the security and immutability in one ledger by leveraging the other.  Let’s start with a two ledger model using everyone’s favourite arbitrary split between retail and wholesale money operations.  The central bank would operate a ledger that manages the creation/destruction of wealth.  The central bank would operate that ledger with a dispersion of nodes amongst the participant banks.  While this ledger provides all the liquidity for the banking system, the banks would create a retail banking ledger that would allow them to dispense and utilize that liquidity with all the people and businesses in the economy.

Now the scaling has changed significantly.  The central bank’s wholesale ledger doesn’t need to be a massive infrastructure project,. The liability is somewhat shared between the central bank and the direct banks to whom the central bank lends liquidity.  There is some extra security for the central ledger with the distribution of nodes, but control of the nodes becomes a new concern.  Strict limits and controls need to be in place on the nodes that participant banks operate.  In the same way that a decentralized cryptocurrency is concerned about 51% of the nodes overpowering the ledger, you could create scenarios where a compromised bank or a motivated group of banks could add or use their nodes to overpower the central ledger.  

I considered this in a few cryptocurrency designs that would work to block the 51% method of overpowering a network. A party creating any decentralized cryptocurrency operates a group of nodes and generally tries to maintain balance in the node population to ensure that no single group can control a majority of the nodes.  In our design, a cryptocurrency operator would also employ an independent 3rd party that utilizes a variety of cloud computing operators to run a group of nodes in the network. That operator could scale the number of nodes up or down in response to surges in the node population. This would ensure no party could ever reach 51% control within the network, making this style of attack cost-prohibitive.

Going back to our two ledger model, you now have a second ledger for the retail banking operations of the economy. ou are again splitting the cost and liability of the infrastructure to drive this ledger across a wider group of organizations that are already there.  Direct participant banks can also deploy and operate nodes with the smaller indirect banks and financial services companies that further spread the liability and builds the scale to accommodate the operations of a large economy.  The administrative keys to the operations of both ledgers still need to be carefully guarded.  Transactions between the wholesale and retail ledgers can also be utilized to increase the transactional records’ immutability on both ledgers.  You want to avoid scenarios where a two ledger solution operates independently of each other since having independent wholesale and retail ledgers would kill most of the benefits of splitting the ledgers in the first place.  Suppose you don’t have a direct correlation between the issued wholesale currency to the retail use of that liquidity within the economy. What was the point of creating a digital currency? Linking the liquidity assignments on the central bank token ledger to the dispersement of tokens in the target accounts on the retail banking ledgers means that those cross points become an added layer of transactional integrity for both ledgers.  

The most significant value of side-chain or inter-chain transactions is that both (or all) chains gain immutability and security within the ledgers.  You would need to wrest control of both ledgers to effect any level of change because the cross-ledger transactions could not change without changing the other ledger at the same time.  With intra-ledger transactions chained to inter-ledger transactions, you will likely only be able to change a minimal number of items within a given ledger.

If you take this concept to the Nth degree in the ‘independent ledger’ model where every wallet is its own independent ledger, you can see the value in creating a secure and trusted delivery model for large-scale economies.  The tokens are issued centrally, dispersed via banking and financial entities and operated by everyone in the ecosystem. Any person or business could operate one ledger or dozens - it wouldn’t really matter.  Those ledgers could be tied to a device or they could live in the cloud.  Millions of ledgers that are continually making interchain transactions are making the overall economic ecosystem more and more secure over time. This solution also means that the sizes of each ledger will be more manageable.  In decentralized cryptocurrencies, we are now starting to see some of the infrastructure cracks and challenges created by single ledger chains operating for decades with every transaction centralized.

Suppose you were looking to move away from the hashing chain model to a more cryptographic-reliant model,, which the Europeans are still promising a research paper on, then the mechanisms of highly dispersed independent ledger methods would merge into that type of solution nicely.  If each currency user operated a cryptographically secured independent ledger that was tied to their identity factors, then the ability to continually enhance the transactional integrity of that ledger as it transacts with other ledgers could be exponential.  I am interested to see what the European consortium tables on a purely cryptographic driven solution.  In five models that I have devised, two models are provably unsustainable over time, two models offer no real differentiated value over hashed Merkle Trees but potentially become a growing liability to the economy as time and technology may generate an ability to crack the cryptographic models.  The 5th model using independent ledgers is clearly more workable.  The difficulty with most purely cryptographic models on a single ledger or small set of ledgers, is that as the operational pool of uses of that cryptographic model persists, patterns start to appear, so as billions and trillions of examples within cryptographic model become available to analytics and we devise better technology to analyze that data, the patterns create the cracks and the whole ecosystem gets decimated.  

The independent ledger model offers a chance to create millions of uniquely seeded ledgers that can then generate unique cryptographic signatures at every point where they intersect and that has a better chance of being sustainable over decades of use.


Craig Borysowich
Craig Borysowich

Craig Borysowich has over 30 years of Technology Consulting experience with both public and private sector clients, including over ten years in Project Leadership roles. He is also an Author, thought leader and techno-futurist.


Central Bank Digital Currencies (CBDCs)
Central Bank Digital Currencies (CBDCs)

Exploring some of the detailed design factors and decisions that need to be made in the design and implementation of central bank driven digital currencies and how these decisions will impact money, payments and economies.

Send a $0.01 microtip in crypto to the author, and earn yourself as you read!

20% to author / 80% to me.
We pay the tips from our rewards pool.