# CBDC and Post-Quantum Cryptography Requirements

**Source**: https://quantumsequrity.com/blog/cbdc-pqc-requirements
**Category**: Industry & Use Cases

---


A Central Bank Digital Currency is a digital form of a country's official currency, issued and backed by the central bank itself. As of 2026, three of the world's major central banks have either launched or announced timelines for retail CBDCs: the People's Bank of China (e-CNY, in production rollout since 2020), the European Central Bank (digital euro, preparation phase 2023 to 2025, decision expected late 2025), and the Bank of England (digital pound, design phase ongoing). Several smaller economies (Bahamas, Jamaica, Nigeria, Eastern Caribbean) have launched live retail CBDCs.

Every CBDC design is fundamentally a cryptographic system. Tokens or accounts must be authenticated, transactions must be signed, and the central bank must be able to prove that any token in circulation was issued by the central bank itself. The choice of cryptographic algorithm determines whether a CBDC will survive into the post-quantum era. The Bank for International Settlements (BIS), through its Innovation Hub work, has been clear that any CBDC issued today must include post-quantum cryptography in its design, not as a future migration but as a Day One requirement.

## What Makes CBDC Cryptography Different

A CBDC is not just a faster ACH or Fedwire. The central bank issues digital tokens that represent a direct liability of the central bank. The cryptographic invariant is: a token is valid if and only if it carries a valid signature chain back to the central bank's issuance key, and has not been spent.

This is similar to a banknote in some ways. A banknote has a serial number, security features (watermark, security thread, hologram), and is issued under the central bank's authority. The "verification" is the human eye plus various physical checks. A CBDC token has a digital signature chain plus various ledger checks.

If the central bank's issuance key is broken (by a quantum computer running Shor's algorithm against a classical signature scheme), an attacker can forge tokens. Forged tokens that pass verification represent fake central bank money. This is potentially worse than counterfeit banknotes because forged digital tokens can be created and spent at machine speed, anywhere in the world.

This is why BIS, ECB, and PBoC have all named post-quantum cryptography as a hard requirement. Read more in [Why RSA-2048 Will Break](why-rsa-2048-will-break.html).
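
The validity invariant stated in this section, as an added example that is not part of the original article or any CBDC project's code: a token is accepted only if its signature chain reaches the root issuance key and its serial is unspent. A hash-based Lamport one-time signature stands in for ML-DSA so the block runs on the Python standard library; the token fields, function names and serials are assumptions constructed for illustration.

```python
import hashlib
import secrets

def H(data):
    return hashlib.sha256(data).digest()

# Lamport one-time signature, a stdlib stand-in for ML-DSA (assumption); one message per key.
def keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def msg_bits(msg):
    digest = int.from_bytes(H(msg), "big")
    return [(digest >> i) & 1 for i in range(256)]

def sign(sk, msg):
    return [sk[i][bit] for i, bit in enumerate(msg_bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(
        H(sig[i]) == pk[i][bit] for i, bit in enumerate(msg_bits(msg)))

def encode_pk(pk):
    return b"".join(a + b for a, b in pk)

def token_body(serial, amount):
    return f"{serial}|{amount}".encode()

def issue(root_sk, serial, amount):
    """Root certifies a fresh issuer key; the issuer key signs one token."""
    issuer_sk, issuer_pk = keygen()
    return {"serial": serial, "amount": amount, "issuer_pk": issuer_pk,
            "cert": sign(root_sk, encode_pk(issuer_pk)),
            "sig": sign(issuer_sk, token_body(serial, amount))}

def is_valid(token, root_pk, spent):
    """Valid iff the chain reaches the root issuance key AND serial is unspent."""
    body = token_body(token["serial"], token["amount"])
    return (verify(root_pk, encode_pk(token["issuer_pk"]), token["cert"])
            and verify(token["issuer_pk"], body, token["sig"])
            and token["serial"] not in spent)

def demo():
    root_sk, root_pk = keygen()
    rogue_sk, _ = keygen()          # a key the central bank never certified
    spent = set()
    token = issue(root_sk, "CB-0001", 50)     # constructed sample token
    forged = issue(rogue_sk, "CB-0002", 50)   # signed under the uncertified key
    out = {"genuine": is_valid(token, root_pk, spent),
           "tampered": is_valid(dict(token, amount=5000), root_pk, spent),
           "forged": is_valid(forged, root_pk, spent)}
    spent.add(token["serial"])      # the ledger records the spend
    out["respent"] = is_valid(token, root_pk, spent)
    return out
```

Calling `demo()` returns the verdict for each of the four constructed tokens; only the genuine, unspent one passes.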

## BIS Innovation Hub Direction

The BIS Innovation Hub runs multiple CBDC research projects. The most relevant for cryptography are:

- **Project Tourbillon** (Switzerland Centre, completed 2023): explored privacy-preserving CBDC and explicitly tested PQC signatures for token issuance.
- **Project Polaris** (Nordic Centre, ongoing): focused on offline CBDC payments. The cryptographic challenge is signing tokens offline, where the device cannot reach the central bank to refresh keys. PQC is in scope.
- **Project Mariana** (Switzerland and Singapore, completed 2023): wholesale CBDC across borders. Tested DLT-based settlement with PQC-ready signature schemes.
- **Project Agorá** (announced 2024): tokenized commercial bank money plus wholesale CBDC. Includes explicit PQC as a baseline requirement.

The published BIS guidance is consistent: PQC is mandatory for any CBDC project entering production. The recommended algorithms are aligned with NIST FIPS 203 and FIPS 204.

## ECB Digital Euro Cryptography

The ECB's digital euro is the most-watched retail CBDC project among advanced economies. The preparation phase ran from November 2023 to October 2025, with a decision expected in late 2025. As of early 2026, public communications and the ECB's published "rulebook" for the digital euro confirm:

- Token-level cryptography uses both online and offline modes.
- The online mode uses zero-knowledge proofs for selective privacy.
- The offline mode uses local hardware (mobile phone secure element, dedicated chip card) with signature verification.
- All cryptographic algorithms must be quantum-safe at production launch.

The ECB has not publicly committed to an exact algorithm choice, but the choice follows the European Union Agency for Cybersecurity (ENISA) guidance and CRYSTALS recommendations. ML-KEM-768 and ML-DSA-65 in hybrid with classical algorithms are the expected baseline.

The digital euro distribution model includes commercial banks as intermediaries. Banks issue digital euro wallets to consumers. The wallet's keys are protected by hybrid PQC schemes. Banks must upgrade their HSMs and PKI infrastructure to support PQC before the digital euro launches.

## China e-CNY

The PBoC's e-CNY has been in pilot since 2020 and in production rollout in major cities. Public technical disclosures from PBoC are limited, but academic papers and industry briefings indicate:

- The first generation of e-CNY uses classical SM2 (China's elliptic curve signature standard, similar to ECDSA) and SM4 (China's block cipher, similar to AES).
- China has its own PQC standardization track through the China Cryptographic Administration. Standards equivalent to ML-KEM and ML-DSA are progressing.
- Public statements from PBoC researchers indicate PQC migration is on the roadmap, with a specific focus on hybrid schemes that combine SM2 with the equivalent post-quantum signature.

China's e-CNY is therefore in the middle of its own PQC transition, somewhat parallel to the NIST track. Compatibility between the two ecosystems is a separate research question.

## Project Polaris and the Offline Problem

Offline CBDC is the hardest cryptographic problem in the CBDC design space. The payee's device must be able to receive a payment when neither the payer's nor the payee's device can reach the central bank or the internet. The classic solutions involve hardware-backed signing keys with a strict double-spend prevention mechanism.

If the offline keys are RSA or ECDSA, the harvest-now-decrypt-later threat applies. An adversary with patience can collect offline transaction records and break them after Q-Day, recovering the original tokens.

PQC migration of offline CBDC is non-trivial because:

- ML-DSA signatures are larger than ECDSA signatures (3 KB for ML-DSA-65 vs 64 bytes for ECDSA P-256).
- Offline transactions often happen between devices with limited bandwidth (NFC, Bluetooth Low Energy).
- The cryptographic primitives must be implemented in constrained hardware (secure elements, smart cards).

BIS Innovation Hub Project Polaris is exploring exactly this design space. The current approach favors ML-DSA-44 (the smaller variant) for offline tokens, possibly with SLH-DSA (FIPS 205) as a backup. Read more in our [NIST FIPS guide](nist-fips-guide.html).

## Wholesale vs Retail CBDC

Wholesale CBDC is intended for use between financial institutions on the central bank's settlement system. Retail CBDC is intended for use by the general public. The cryptographic requirements differ:

- **Wholesale CBDC** generally uses central bank-managed PKI similar to RTGS systems like Fedwire or TARGET2. PQC migration follows the same path as those systems. Read more on [Fedwire here](fedwire-pqc.html).
- **Retail CBDC** has consumer-facing wallets, usually on mobile devices, with hardware-backed key storage. PQC migration requires updating mobile secure elements (Apple, Samsung), wallet apps, and the issuance infrastructure.

Most ongoing CBDC projects involve both layers and require coordinated PQC migration across the entire stack. Read more in [Hybrid Encryption](hybrid-encryption.html).

## Programmable Money and Smart Contract Considerations

Several CBDC research projects explore "programmable money," where conditional payments are encoded in scripts or smart contracts. The cryptographic implications include:

- Each program's signing context must use PQC-safe signatures.
- Verification logic embedded in token-holding wallets must support the new algorithms in resource-constrained environments.
- Threshold signature schemes (where multiple parties must co-sign) need PQC equivalents. Threshold ML-DSA is an active research area but not yet standardized.

The IMF's Working Paper series on CBDC interoperability has flagged these issues as design constraints that must be settled before mass deployment.

## International Interoperability

A central bank cannot deploy a CBDC in isolation. Cross-border CBDC payments require interoperability with at least the central banks of the major trading partners. BIS Project Mariana and Project Agorá explicitly study cross-border CBDC settlement.

PQC interoperability is harder than classical interoperability because algorithm choices have not converged globally. NIST has finalized FIPS 203, 204, 205, and is finalizing FIPS 206 (FN-DSA). China's algorithm track is parallel. The EU's preferences align mostly with NIST. India's standardization is progressing through the Bureau of Indian Standards. Each region's choices must produce compatible CBDC payments at borders.

The pragmatic approach in BIS projects is hybrid signatures that include both algorithm tracks, allowing a token signed under (say) NIST ML-DSA-65 to also include a signature under China's equivalent. Verification then requires checking the signature for the algorithm the verifier supports.

## Threat Models Specific to CBDC

CBDC threat models include:

1. **Forgery of tokens.** Direct attack on the central bank's issuance signing key. PQC migration to ML-DSA-65 or higher protects against quantum forgery.
2. **Counterfeit detection.** Verification of tokens at every checkpoint. Must be performant under PQC's larger signatures.
3. **Privacy preservation.** Many CBDC designs include zero-knowledge proofs of various privacy properties. The PQC variants of zero-knowledge proofs are an active research area; current ZK SNARKs and Bulletproofs are not directly quantum-safe.
4. **Resilience to harvest-now-decrypt-later.** Transaction records archived for AML/KYC compliance must be encrypted with quantum-safe schemes if their long-term confidentiality matters. Read more in [Harvest Now, Decrypt Later](harvest-now-decrypt-later.html).
5. **Sovereignty.** Many central banks consider CBDC a national infrastructure project. Algorithm choice and key management must be domestically controlled or compatible with national security requirements.

## Hardware Wallets and Secure Elements

For retail CBDC, the consumer-facing wallet usually relies on a secure element on the user's device. Apple's Secure Enclave, Samsung's Knox Vault, and Google's Titan M chip all hold cryptographic keys. None of these chips natively supports ML-KEM or ML-DSA as of 2026.

The migration path involves either updating the secure element firmware (possible on Apple's Secure Enclave through iOS updates), or using software-based PQC implementations that rely on the secure element only for storing classical keys plus PQC keys in encrypted form. Both approaches are workable but differ in performance and threat resistance.

CBDC projects that depend on hardware secure elements need a coordinated migration plan with the device vendors. This is one reason the digital euro launch is gated on factors beyond cryptography alone.

## Issuance Ceremony and Root Key Management

A CBDC root issuance key is the most consequential cryptographic asset in the entire system. If the root key is compromised, any forged token signed under it could pass verification anywhere in the network. Central banks therefore conduct issuance key ceremonies with the same level of formality as nuclear weapons key ceremonies, which historically informed banking key ceremony practice.

A CBDC issuance ceremony typically involves multiple Hardware Security Modules in geographically separated facilities, M-of-N key share custody where the root key is split among trustees, video documentation of the ceremony, and external auditor witnesses from independent firms. The Federal Reserve's experience with FedNow and the ECB's planning for the digital euro both incorporate these practices. PQC migration for the issuance ceremony adds new cryptographic primitives but does not change the ceremonial structure.

The HSM ecosystem supporting CBDC issuance is concentrated. Thales Luna, Utimaco CryptoServer CP5, IBM 4769, and Atos Trustway are the main candidates. Each must support hybrid PQC in firmware before a central bank can run a PQC-capable issuance ceremony. NIST CMVP validation of the firmware under FIPS 140-3 with PQC algorithm support is the gating criterion. As of early 2026 several vendors have CMVP-validated PQC firmware available, with more in the validation pipeline.

For long-term operations, the central bank also needs a key rotation strategy. Even with conservative assumptions, the issuance key may rotate every five years or in response to algorithm developments. The rotation process needs careful coordination across the wallet ecosystem so that legacy tokens signed under old keys remain verifiable after rotation.

## How QNSQY Fits

QNSQY is a post-quantum cryptography tool, not a CBDC platform. It does not issue tokens, run a ledger, or participate in CBDC settlement. But CBDC operators generate substantial volumes of supporting data: design documents, threat model artifacts, test vectors, audit logs, KYC/AML reports, and regulator-mandated archives. Many of these are sensitive and must be retained for years or decades.

QNSQY uses ML-KEM-512/768/1024 in hybrid with X25519 for key encapsulation, ML-DSA-44/65/87 in hybrid with Ed25519 for signatures, AES-256-GCM for content encryption, and Argon2id for password-based key derivation. The .qs polyglot file format is engineered for long-term durability. Central banks, commercial banks, and CBDC research teams can use QNSQY to encrypt their supporting data ecosystem.

QNSQY does not implement zero-knowledge proofs and is not a substitute for the cryptographic stack of a CBDC system. Read more in [Encrypt Before Cloud Upload](encrypt-before-cloud-upload.html).

## FAQ

**Has any CBDC project committed to specific PQC algorithms?**
The ECB and BIS have publicly aligned with NIST FIPS 203 and FIPS 204. The PBoC is on a parallel China-specific PQC track. Smaller central banks have not made detailed public commitments.

**Are existing live CBDCs already PQC-ready?**
The Bahamas Sand Dollar and Jamaica JAM-DEX are operational but do not appear to use PQC yet. China's e-CNY is in PQC migration. The ECB's digital euro is expected to launch with PQC support from Day One.

**What about stablecoins?**
Stablecoins are not CBDCs but face similar quantum threats. We cover stablecoins separately in [Stablecoins and PQC](stablecoins-pqc.html).

**Does PQC make CBDC slower or more expensive?**
PQC signatures and ciphertexts are larger than classical equivalents. This adds bandwidth and storage cost but the verification speeds are competitive with classical algorithms on modern CPUs. For consumer-facing wallets the difference is imperceptible.

**Can I encrypt CBDC test data with QNSQY?**
Yes. QNSQY is appropriate for encrypting test data, design documents, and supporting archives related to CBDC research and operations.

**How do offline CBDC tokens prevent double spending without a connection?**
Offline double-spend prevention typically relies on tamper-resistant hardware that increments a counter for each spent token and refuses to spend a token that has already been used. The hardware enforces single-use semantics locally. When the device next comes online, the central bank reconciles the counter against the network ledger. Quantum-resistant hardware-backed counters are an active design area in BIS Project Polaris and in the digital euro offline mode design.
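
The counter-and-reconcile scheme from this answer, as an added example (not code from Project Polaris or the digital euro): a modelled secure element refuses a second spend locally, and the ledger flags a rolled-back or cloned device at reconciliation. Class names, finding labels and token serials are hypothetical, and the device report is assumed to arrive authenticated.

```python
class SecureElement:
    """Constructed model of a tamper-resistant wallet chip (hypothetical API)."""

    def __init__(self, device_id, tokens):
        self.device_id = device_id
        self._unspent = dict(tokens)   # serial -> amount, held inside the chip
        self.counter = 0               # monotonic: only ever incremented
        self.log = []                  # (counter, serial) kept for reconciliation

    def spend(self, serial):
        if serial not in self._unspent:
            raise PermissionError(f"{serial}: unknown or already spent")
        amount = self._unspent.pop(serial)   # single-use: gone after one spend
        self.counter += 1
        self.log.append((self.counter, serial))
        return {"serial": serial, "amount": amount, "ctr": self.counter}

    def report(self):
        return self.device_id, self.counter, list(self.log)


class Ledger:
    """Central bank side: reconciles device reports against the network ledger."""

    def __init__(self):
        self.spent = {}   # serial -> device that spent it
        self.seen = {}    # (device, counter) -> serial already reconciled

    def reconcile(self, device_id, counter, log):
        findings = []
        if [c for c, _ in log] != list(range(1, counter + 1)):
            findings.append(("log_gap", device_id))   # entries missing or reordered
        for ctr, serial in log:
            prior = self.seen.get((device_id, ctr))
            if prior == serial:
                continue                              # reconciled earlier
            if prior is not None:
                findings.append(("counter_reuse", ctr, serial))   # rollback or clone
            elif serial in self.spent:
                findings.append(("double_spend", serial, self.spent[serial]))
            else:
                self.spent[serial] = device_id
                self.seen[(device_id, ctr)] = serial
        return findings

if __name__ == "__main__":
    ledger, chip = Ledger(), SecureElement("dev-A", {"t1": 5, "t2": 10})   # constructed
    chip.spend("t1")
    print(ledger.reconcile(*chip.report()))
    clone = SecureElement("dev-A", {"t1": 5, "t2": 10})   # rolled-back copy of the chip
    clone.spend("t2")
    print(ledger.reconcile(*clone.report()))
```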

**What does "quantum-safe at launch" actually mean for the digital euro?**
The ECB has stated that the digital euro must include post-quantum cryptography from launch, meaning that the issuance keys, wallet keys, and transaction signatures all use NIST-standardized PQC algorithms (likely ML-DSA in hybrid with Ed25519). The exact algorithm parameters and the hybrid composition are under specification. The intent is that no transaction record produced by the digital euro is vulnerable to retroactive quantum decryption, even decades after issuance.

## Sources

- BIS Innovation Hub, "Project Tourbillon final report" (2023) — https://www.bis.org/about/bisih/topics/cbdc/tourbillon.htm
- BIS Innovation Hub, "Project Polaris" — https://www.bis.org/about/bisih/topics/cbdc/polaris.htm
- ECB, "Digital euro" — https://www.ecb.europa.eu/paym/digital_euro/html/index.en.html
- BIS, "Annual Economic Report 2024 chapter on CBDC" — https://www.bis.org/publ/arpdf/ar2024e3.htm
- NIST FIPS 203 (ML-KEM) and FIPS 204 (ML-DSA), August 2024 — https://csrc.nist.gov
- ECB, "Digital euro Rulebook Development Group reports" — https://www.ecb.europa.eu/paym/digital_euro/governance/html/rdg.en.html

