We all use public-key cryptography every day, but what actually is it, and why is it so important in our transition to a truly digital trade finance industry?

[Source: https://ccsearch.creativecommons.org/photos/06269eb5-5cfb-426e-9784-31cb3ee9dae2]

Why is this relevant?

The move towards digitisation in trade finance is an extremely popular discussion at the moment, and as we read, watch and listen to all of the various articles, webinars and podcasts on the topic, it’s easy to be blindsided by lots of technical terms that may arise. From blockchain to bitcoin and everything in between, one such term you might have heard is public key cryptography (also known as asymmetric cryptography), often referenced in trade when talking about solutions to validate that a digital instrument is the original rather than a copy, or to verify a sender’s identity.

Historically, there’s been a certain comfort that paper seems to give us, providing the ability to physically hold a document, see the wet ink signature, or mail it to its recipient. One might think that these attributes are not easy to replicate in an electronic format, or might simply not trust that the electronic version gives the same security as paper, but that’s where important technical concepts such as public key cryptography come into play.

What is Public Key Cryptography?

We’re all familiar with keys in the real world, but in digital format, a key is simply a long string of numbers – really long in fact, sometimes up to 4096 characters. The good news is you don’t need to task yourself with creating one: the systems we use that utilise public key cryptography do this for us on the fly, often without us even being aware that this is happening in the background.

What’s interesting about public key cryptography is that it’s not only about locking and unlocking: there are multiple uses for the system depending on what you are trying to achieve. Essentially, it all boils down to having two digital keys – one that’s public, which you share with whoever you are communicating with, and one that’s private, which you need to keep safe and secure and never provide to anyone else.

[Source: https://commons.wikimedia.org/wiki/File:Public_key_making.svg]

These keys are mathematically related in such a way that a message encrypted (locked) by the sender with the intended recipient’s public key can be decrypted (unlocked) with the recipient’s private key, and vice versa. By clever manipulation, we can use these keys in various different ways to either secure a message, add a digital signature, or verify that signature to check the sender is who they say they are. What’s important about the maths behind all of this – and whilst the detail of modular arithmetic and prime numbers is perhaps a touch too much for this article – is that it hinges around the fact that these are “one way functions”. With the output alone, it’s practically impossible to work backwards to get the original message – even with a supercomputer, it would take 1 billion billion years to crack by using brute force.

Encryption

One of the main uses for public key cryptography is encryption, to secure a message in a way that nobody except the intended recipient can view its contents. Let’s say we’ve got two people, Alice and Bob (as are often used in explanations of cryptography), who wish to share secret messages between themselves. Alice and Bob have spoken previously and shared their public keys with each other beforehand, and now Bob is preparing to send Alice his next message.

[Source: https://commons.wikimedia.org/wiki/File:Public_key_encryption.svg]

Bob encrypts his message for Alice with her public key, which is freely shared, meaning the only way to decrypt that message is to use Alice’s matching private key. Therefore, Bob has ensured that the only person who will be able to decrypt his message is Alice (provided nobody else has managed to get hold of her private key, of course), preventing unwanted attackers from being able to read its contents.

Verification

Another important application of public key cryptography is verification – how do we know a message has really come from who we think it has, rather than an attacker impersonating the sender? Using the Alice and Bob example once more, Alice is now going to use her private key to attach a digital signature to her message. When Bob receives this, he can use what he knows to be Alice’s public key to verify this signature, allowing him to know it was really Alice that sent the message.

[Source: https://commons.wikimedia.org/wiki/File:Illustration_of_digital_signature.svg]

An interesting point to call out, as is the case in the diagram, is that a message does not have to be encrypted to be signed, or vice versa. Alice’s message of “Hello Bob!” was sent in plain text, meaning anyone who intercepted the exchange would have been able to read it; the signature was simply there to allow Bob to verify that it had come from her. Just because a message is signed does not mean it is encrypted, nor does an encrypted message always bear a signature. Equally, both can be utilised simultaneously to send an encrypted, signed message – it all depends on what is required by both parties for that particular exchange.
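The point above, that signing and encrypting are independent of each other, shown with Node.js’s built-in crypto module as an added example that is not part of the original article. The RSA key size, the OAEP padding, the third party Eve and every message other than “Hello Bob!” are assumptions chosen for illustration.

```javascript
// Added example: keys and messages are constructed here, not taken from the article.
const crypto = require("crypto");

const newKeyPair = () => crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// Encryption: anyone holding the recipient's PUBLIC key can lock a message for them.
const encryptFor = (recipientPublicKey, text) =>
  crypto.publicEncrypt({ key: recipientPublicKey, ...OAEP }, Buffer.from(text, "utf8"));

// Decryption needs the matching PRIVATE key; any other key fails and yields null.
function decryptWith(privateKey, ciphertext) {
  try {
    return crypto.privateDecrypt({ key: privateKey, ...OAEP }, ciphertext).toString("utf8");
  } catch {
    return null;
  }
}

// Signing uses the sender's PRIVATE key; the message itself stays readable.
const sign = (senderPrivateKey, text) =>
  crypto.sign("sha256", Buffer.from(text, "utf8"), senderPrivateKey);

// Verification uses the sender's PUBLIC key and returns true or false.
const verify = (senderPublicKey, text, signature) =>
  crypto.verify("sha256", Buffer.from(text, "utf8"), senderPublicKey, signature);

function demo() {
  const alice = newKeyPair(), bob = newKeyPair(), eve = newKeyPair();
  // Signed only: "Hello Bob!" travels in plain text with Alice's signature attached.
  const hello = "Hello Bob!";
  const helloSig = sign(alice.privateKey, hello);
  // Encrypted only: Bob locks a message for Alice. Eve can do exactly the same,
  // so the ciphertext alone says nothing about who sent it.
  const fromBob = encryptFor(alice.publicKey, "Terms agreed");
  const fromEve = encryptFor(alice.publicKey, "Terms agreed");
  // Encrypted and signed: Bob also signs the plaintext, so Alice can check the sender.
  const bobSig = sign(bob.privateKey, "Terms agreed");
  return {
    signedPlaintextVerifies: verify(alice.publicKey, hello, helloSig),
    aliceReadsBob: decryptWith(alice.privateKey, fromBob),
    aliceReadsEve: decryptWith(alice.privateKey, fromEve),
    eveReadsBob: decryptWith(eve.privateKey, fromBob),
    bobSignatureVerifies: verify(bob.publicKey, decryptWith(alice.privateKey, fromBob), bobSig),
    eveSignatureVerifies: verify(bob.publicKey, "Terms agreed", sign(eve.privateKey, "Terms agreed")),
  };
}
```

Alice can read both ciphertexts, but only the one accompanied by a signature that verifies under Bob’s public key can be attributed to Bob.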

How is this applicable to Trade Finance?

Let’s think about one particular use case with one aspect of public key cryptography – guarantees and the verification of digital signatures. If Alice and Bob were actually a bank and the beneficiary of a guarantee, we can start to put the pieces together as to how this would work in a real life scenario. When the bank issues a digital guarantee to the beneficiary, the bank would attach a digital signature which the beneficiary can verify, providing them with the comfort that they are in possession of a valid, operative instrument from the institution they believe it to be from.

This also works in reverse. If the beneficiary needs to send instructions to the bank during the life of the guarantee, whether that is consenting to amendments or even cancellation, then instead of sending a signed letter or returning the original paper copy as we often do at present, the beneficiary can simply send an electronic instruction to the bank with the appropriate digital signature. As the bank will have the correct public key for the beneficiary from the original issuance of the instrument, the signature can be easily verified and therefore the instruction acted upon accordingly.

Whilst for the purpose of explanation, it has been made to seem that adding a digital signature is a manual act that would be done by the bank and beneficiary, it would more realistically take place automatically within whatever platform is used to manage the transactions, with keys being generated, exchanged and used in the blink of an eye when the user clicks a button.
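The guarantee exchange described above, as an added example that is not taken from the article or from any trade finance platform: each side records a fingerprint of the other’s public key at issuance and accepts a document only when both the key and the signature check out. The Ed25519 algorithm, the field names, the reference number, the impostor and the fingerprinting step are assumptions.

```javascript
// Added example: parties, field names and values are constructed for illustration.
const crypto = require("crypto");

// Serialise a flat document with sorted keys so signer and verifier see identical bytes.
const canonical = (doc) => Buffer.from(JSON.stringify(doc, Object.keys(doc).sort()), "utf8");

// SHA-256 fingerprint of a public key: what each party records at issuance.
function fingerprint(publicKey) {
  const der = publicKey.export({ type: "spki", format: "der" });
  return crypto.createHash("sha256").update(der).digest("hex");
}

// Ed25519 signing: the algorithm argument is null because the hash is built in.
const signDoc = (doc, privateKey) => crypto.sign(null, canonical(doc), privateKey);

// Accept only if the key is the one recorded at issuance AND the signature is valid.
function accept(doc, signature, presentedKey, recordedFingerprint) {
  if (fingerprint(presentedKey) !== recordedFingerprint) return "unknown-key";
  const ok = crypto.verify(null, canonical(doc), presentedKey, signature);
  return ok ? "accepted" : "bad-signature";
}

function demo() {
  const bank = crypto.generateKeyPairSync("ed25519");
  const beneficiary = crypto.generateKeyPairSync("ed25519");
  const impostor = crypto.generateKeyPairSync("ed25519");
  const bankFp = fingerprint(bank.publicKey);       // recorded by the beneficiary
  const benFp = fingerprint(beneficiary.publicKey); // recorded by the bank

  // The bank issues the guarantee with its signature attached.
  const guarantee = { type: "guarantee", ref: "GTEE-EXAMPLE-001",
                      amount: "100000.00", currency: "USD", expiry: "2021-06-30" };
  const gSig = signDoc(guarantee, bank.privateKey);

  // Later, the beneficiary instructs the bank to cancel; an impostor tries the same.
  const cancel = { type: "instruction", ref: "GTEE-EXAMPLE-001", action: "cancel" };
  const cSig = signDoc(cancel, beneficiary.privateKey);
  const forged = signDoc(cancel, impostor.privateKey);

  return {
    issued: accept(guarantee, gSig, bank.publicKey, bankFp),
    amountAltered: accept({ ...guarantee, amount: "900000.00" }, gSig, bank.publicKey, bankFp),
    cancelByBeneficiary: accept(cancel, cSig, beneficiary.publicKey, benFp),
    cancelWithImpostorKey: accept(cancel, forged, impostor.publicKey, benFp),
    cancelForgedSignature: accept(cancel, forged, beneficiary.publicKey, benFp),
  };
}
```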

However, guarantees and digital signatures are not the only applications of this technology. There are a lot of efforts in the trade finance industry to work towards proper recognition of electronic instruments, addressing the issue from a number of angles, of which the technological capability is only one small part. ITFA’s Digital Negotiable Instruments initiative, focusing on the digitisation of Bills of Exchange and Promissory Notes, has given birth to the electronic Payment Undertaking (ePU), and public key cryptography forms an integral part of its definition – “The underlying technology solution required for the ePU must […] be a cryptographically secured electronic document […] linked to a public key (one of a cryptographic key pair, the other being private)”.

[Source: ITFA – A Manual of Digital Negotiable Instruments: Issues and Implementation, April 2020]

Conclusion

Whether it’s the little padlock showing you’re on a secure site when you browse the internet, or WhatsApp’s end to end encryption, we all use public key cryptography every single day, just often without even knowing it. Whilst it’s not essential for the average trade finance professional to understand the nuts and bolts of all of the various technical concepts out there such as public key cryptography, having a general appreciation for these technologies and how they can be applied to the trade finance industry can only aid in faster adoption across the board.

It’s vital to recognise that we are not just trying to find suitable digital equivalents to directly replace paper like for like, but rather that the digital solutions available go even further, offering enhanced security, efficiency and convenience. The utopia of a truly paperless trade finance industry will eventually happen; however, one simple question remains: when?
