China Prepares for CBDC With Cryptography Law on Encryption Standards

Published at: Jan. 10, 2020

On Jan. 1, China’s law governing cryptographic password management came into force. Essentially, the act aims to set standards for the application of cryptography and the management of passwords and, thereby, to reduce China’s cyber vulnerabilities on a nationwide scale.

According to rumors in some local media outlets, the law is paving the way for the long-awaited release of China’s central bank digital currency, although it does not make any explicit reference in that regard. Meanwhile, the private sector is worried about the anonymity of its data.

The law outlines three separate kinds of encryption but provides little information beyond that

The initial draft of China’s Cryptography Law was released in April 2017, months before the local government rolled out the blanket ban on cryptocurrencies. Nevertheless, the law has nothing to do with digital assets, and it never even mentions Bitcoin (BTC) or any other cryptocurrencies. Instead, it focuses on cryptography: items and technologies that are used to encrypt or certify data.

More specifically, the act divides passwords into three separate categories — core passwords, common passwords and commercial passwords. Under the new law, core and common encryption are required for systems that transmit and store state secrets, while commercial encryption is intended for business and private use.

Furthermore, it stipulates that the development, sale and use of cryptographic systems “must not harm the state security and public interests.” Moreover, all such systems must be examined and authenticated by the government before they’re used. The bill was passed by the Standing Committee of the 13th National People's Congress in China on Oct. 26.

There is little information on the Cryptography Law beyond the above-mentioned encryption classifications and general conditions, says Sale Lilly, China Policy Analyst and Professor of Blockchain Technologies at the Rand Corporation, a nonprofit global policy think tank. As Lilly explained to Cointelegraph, the ambiguity comes from the fact that the act defines core and common encryption techniques as a state secret:

“The passwords are to adhere to a particular cryptographic standard, for example the U.S.’s NSA intelligence organization commonly cites SHA 256 as a strong hash function, the PRC might adopt something similar based on the State Cryptographic Administration advice. Because the Cryptographic Law is ambiguous on the crypto standard (we don’t know if it's simply hash standards or something more comprehensive) I’d say that at a minimum it’s a reasonable guess that the terms ‘Core’ and ‘Common’ crypto refer to an undisclosed hash standard plus cyber hygiene requirements like periodicity of crypto rollover (monthly, weekly etc…).”

As for commercial encryption, private entities will continue to be allowed to operate under separate standards subject to audit by the State Cryptographic Administration, says Lilly. “As written, the law does not state that the Chinese government would hold private keys to commercial encryption tools,” he stresses, adding:

“There is a lot of language included in the latter third of the bill aimed at reassuring commercial vendors that these audits (even of foreign registered firms) will not require the firm to turn over source code, which seems a savvy move by the National People's Congress law authors.”

Nevertheless, some lawyers are worried that this may not be the case. For instance, Steve Dickinson of China Law Blog, a regional outlet curated by international law firm Harris Bricken, writes that “inviting foreign providers and users of cryptography is just a trap for the unwary,” as the new law allegedly allows foreign encryption systems to be sold in China, “provided that the systems have been approved and certified through a certification system that has not yet been described.” Thus, the blog’s author argues:

“Once data crosses the Chinese border on a network, 100% of that data will be 100% available to the Chinese government and the CCP. Cryptography may work well to prevent access by the public, but all this data will be an open book to the PRC government.”

Moreover, Dickinson argues that most firms encrypt their data with open-source software, like GNU Privacy Guard (GPG), whose essential purpose is to allow companies and individuals to keep their information away from state actors. The issue, therefore, is whether the government will allow the use of GPG:

“If the answer is no, then the entire set of provisions for foreign encryption systems are completely meaningless. If the answer is yes, then the designation ‘commercial’ has no meaning.”

Similarly, other researchers opine that if firms start using a Chinese-owned software service, all of their data stored and managed by that service can be seized by the government under the new act.

Will the new law pave the way for CBDC?

China seems to be firmly on its way to becoming the first country to issue a CBDC. The project has been in development for five years, but it reportedly accelerated last year when Facebook’s Libra was officially unveiled.

The potential release of the digital yuan would fall in line with the general “blockchain-before-Bitcoin” attitude championed by the Chinese government — unlike a private, decentralized cryptocurrency, the CBDC will be controlled by the People's Bank of China and backed one-to-one by the country’s fiat reserves.

In December 2019, Chinese media reported that the central bank was planning to conduct the first real-world test of its CBDC, while earlier this week, the PBoC issued an official statement confirming that it is “progressing smoothly” with the government-backed currency.

Lilly told Cointelegraph that the law “is highly complementary to many of the efforts and tasks required to roll out a CBDC,” and that it covers key Chinese players who participate in implementing the digital yuan, namely the PBoC, the State Administration for Foreign Exchange and the Ministry of Finance, all of which will be required to unify their encryption standards along with the rest of the Chinese government.

However, Lilly notes that the CBDC-related progress will depend on the stringency of the “Core” and “Common” encryption levels, which he compares to the United States military’s “Top Secret” and “Secret” concealment levels, respectively — and, hence, how CBDC private keys will be encrypted: 

“If China’s experience in trying to unify government cryptographic standards is anything like the U.S. Military’s experience, higher standards of encryption and trust scale users at a slower rate, so onboarding oracles and trusted agents for a private or permissioned access CBDC blockchain implies a natural trade-off between key security and speed of onboarding digital economy participants; banks, vendors, and a slew of Chinese government entities in tax and finance roles.”

Overall, China is continuing its blockchain-positive, anti-anonymity course with its new Cryptography Law. The country continues to use encryption technologies not only to hide its sensitive data but also to supervise what information private entities might be holding. This is similar to how its CBDC is expected to function — and is exactly what Zuckerberg was warning U.S. senators about back in October.