Tourbillon: Payer Anonymity in CBDCs. Finally!! (Part III)

Welcome to Part III of my in-depth analysis on the remarkable BIS Project Tourbillon report. I'm immensely grateful to the BIS for bringing this innovative, privacy-focused concept to the forefront.

While the BIS has achieved commendable results, I believe they missed a chance to deliver even more impressive results, had they been able to look beyond the 1990s achievements of David Chaum. They missed an opportunity to do privacy an even bigger favour.

In Part I of this series, I provided a summary of the Project Tourbillon report, followed by raising several critical questions in Part II.

Here in Part III, I will present my insights on what I consider the cutting-edge of the blind signature model, comparing EC1/EC2 and GNU Taler. Despite the Project Tourbillon report's somewhat limited detail in describing protocols and features, I will endeavor to offer a comprehensive comparison.

EC1 versus GNU Taler

EC1 is a basic form of GNU Taler, lacking its advanced features. In contrast, GNU Taler boasts:

  • Superior performance, exceeding 10 times the benchmarks, with a notable achievement of 28,500 transactions per second in an early 2022 test.
  • Cryptographic safety nets for blind signatures. If RSA falters, fast and secure Clause Schnorr signatures are a viable alternative.
  • An efficient change-giving protocol, maintaining both income transparency and privacy.
  • Diverse peer-to-peer payment options, including QR, NFC, email, and text.
  • Quick refund processes that preserve privacy.
  • Resolutions to practical engineering challenges, such as using a public key as the coin identifier — a feature originally introduced by Dold/Taler and later copied in Chaum’s eCash2 paper without due reference.
  • Enhanced security measures for exchange deployment.
  • A real-time auditing system to promptly detect and respond to various compromises.
  • Emergency procedures and robust post-compromise security measures.
  • Open-source/FLOSS availability, under the GNU License, with a commercial license and a model akin to Red Hat Linux, making it a prime option for central banks really prioritizing sovereignty.
  • Advanced features like zero-knowledge age restrictions, and privacy-centric donation receipts and recurring subscriptions, both in development.
  • Inexpensive, easy to use solution for (offline) merchants to verify that a buyer correctly completed a payment even when the point of sale is offline.

EC2 versus GNU Taler

In addition to the points made above, EC2 presents several additional drawbacks:

  • Inadequate privacy, with blind signatures almost serving as a facade. Whoever has access to both the logs of the public "unspent coin database" and the exchange that blindly signs, can trivially deanonymize spenders by timing correlation for example.
  • Even lower performance, especially when blockchain is involved in the "unspent coin database".
  • Unclear threat models and mitigation strategies. An inside attacker could also insert coins in the "unspent coin database" or prevent removal of spent coins from the database. How is an insertion into this public, distributed database authenticated? Via a digital signature? What if the key for that is compromised?

The only clear advantage of EC2 over EC1 and GNU Taler is the public visibility of every issued coin, simplifying the monitoring of digital cash issuance. However, GNU Taler can closely match this by linking token issuance to incoming financial flows, offering the same insights while fully automating digital cash generation and retirement, without affecting monetary policies.

Notably, the GNU Taler solution is theoretically compatible with Chaum's EC2 approach of writing issued coin public keys to a blockchain via a mixnet, but prioritizes speed and privacy, hence choosing to avoid the slower, privacy-compromising blockchain approach.

Additionally, for future-proofing against quantum threats, GNU Taler is working with TU Eindhoven, led by Professors T. Lange and D.J. Bernstein, on post-quantum blind signatures within the NGI Taler project.

As for the current state of affairs, both EC1 and EC2 remain prototypes. The BIS's direction in this regard is still to be defined. Meanwhile, GNU Taler is poised for gradual deployment in Basel in Q1, as the digital version of the local Netzbon currency, followed by implementations as a private eCHF in Switzerland, a German bank backed eEUR in the Eurozone, and a Hungarian bank backed eHUF in Hungary, with all projects underway and funded.


It's essential for the BIS, particularly as a prospective user of Netzbons in their Basel backyard in the coming weeks, to consider not duplicating existing free and open solutions like GNU Taler in the future, but rather maximizing (their value and advancing efficient, scalable, and privacy-centric CBDC options for central banks around the globe as much as possible.

Stay tuned for more, or feel free to reach out!

PS: If you are interested in integrating GNU Taler as a cost-effective and privacy preserving payment option for your business (for real use in 2024/25 with Netzbon, CHF, EUR or HUF), look over here for possibly some FREE MONEY to do so.