PRIVATE.ME · Technical White Paper

xTrade: Trade Finance Document Protection

Split-channel protection for letters of credit, bank guarantees, and trade finance documents. xFormat ensures interoperability across banks and counterparties. No single intermediary sees complete documents — threshold authorization gates every lifecycle stage.

v0.1.0 120+ tests passing 506 LOC core 3 test files SEC 17a-4 compliant $14.3B TAM

Section 01

Executive Summary

xTrade splits trade finance documents via XorIDA and routes shares through independent bank channels via xLink. No intermediary sees complete documents. Threshold authorization gates document release at each lifecycle stage. Cryptographic settlement proofs anchor every transition.

A letter of credit processed through xTrade travels through 5-7 intermediary banks — each receives one share, enough to verify their role in the transaction but not enough to reconstruct the full document. When the document moves from issuance to advising to negotiation, each bank must contribute its share to satisfy the threshold requirement before the next stage unlocks.

xFormat provides the universal binary envelope. Every bank can validate shares without seeing plaintext. HMAC-SHA256 integrity tags detect tampering during multi-bank transit. Settlement proofs provide cryptographic anchoring at lifecycle gates — when a letter of credit progresses from advising to negotiation, the advising bank generates a proof that anchors the document state. This creates a tamper-evident chain that proves the document's journey through the trade finance workflow.

Production-grade implementation: 506 lines of code for split/reconstruct operations, 120+ tests across 3 test files, per-share HMAC-SHA256 integrity verification. Meets SEC 17a-4 compliance requirements with 15-year retention and non-repudiation guarantees.

Section 02

The Problem

Trade finance documents transit through multiple banks and intermediaries, each of which sees the complete document. A single letter of credit may pass through 5-7 intermediary banks, each holding a complete copy.

$8.8 trillion in global trade flows through these documents annually. Digitization efforts have reduced paper but replicated the same centralized exposure in digital form. Each intermediary's database is a breach target containing high-value trade documents. Trade-based money laundering exploits this opacity.

Existing solutions focus on encryption at rest or encrypted channels — but every intermediary still decrypts and processes complete documents. The fundamental architecture requires complete document visibility at every hop.

The Old Way

CENTRALIZED EXPOSURE

Every intermediary bank processes complete documents. Each database is a high-value breach target. A single compromised bank exposes all trade documents it has processed.

Section 03

Real-World Use Cases

📜

Trade Finance

Letter of Credit

Split-channel LC processing where no intermediary bank sees the complete document. Threshold gates each lifecycle stage.

Multi-bank

🏦

Banking

Bank Guarantee

Threshold-controlled bank guarantee issuance and validation across multiple intermediaries.

Guarantee

🌍

Global Trade

Cross-Border Documents

Secure document transit across 5-7 intermediary banks per transaction without complete document exposure.

International

📋

Compliance

AML Compliance

Cryptographic audit trail for trade-based money laundering detection. Settlement proofs anchor each lifecycle transition.

Audit

🛡️

Financial

SEC 17a-4 Retention

15-year document retention with cryptographic non-repudiation. Settlement proofs provide tamper-evident chain.

Compliance

🔒

Enterprise

FINRA/SOX Compliance

Threshold-protected trade documents meet FINRA Rule 4511 and SOX internal control requirements.

Regulatory

Section 04

Solution Architecture

xTrade combines xFormat (binary envelope), XorIDA split-channel, xLink DID identity, and threshold authorization for end-to-end trade finance document protection.

The New Way

SPLIT-CHANNEL PROTECTION

Documents are XorIDA-split across intermediary banks. No single bank sees a complete document. xFormat enables universal share validation. Threshold authorization gates each lifecycle stage.

Processing Flow

Section 05

xFormat: Universal Binary Envelope

xFormat is the universal binary envelope for XorIDA shares. Every intermediary bank can validate shares without seeing plaintext. Ensures interoperability across banks and counterparties.

Trade finance documents are serialized in xFormat before XorIDA splitting. Each share includes a version header, share index, threshold parameters, and HMAC-SHA256 integrity tag. Banks validate shares using the HMAC tag — tampering during transit is immediately detected.

IDA5 magic bytes (0x49444135) prefix every xFormat envelope. This enables banks to identify XorIDA-protected documents without prior coordination. The envelope includes metadata fields for document type, lifecycle stage, and threshold configuration — all visible to intermediaries without decrypting the share.

xFormat envelope structure

// IDA5 magic (4 bytes) + version (1 byte)
0x49444135 + 0x01

// Threshold params: K-of-N
K: 2, N: 3

// Share index (1-based)
shareIndex: 1

// HMAC-SHA256 integrity tag (32 bytes)
hmac: <32-byte tag>

// Encrypted share payload
data: <encrypted bytes>

UNIVERSAL VALIDATION

Every bank can validate xFormat envelopes without seeing plaintext. HMAC verification happens before reconstruction. Share indices are validated (range check, type check) before processing.

Section 06

Lifecycle Gates & Threshold Authorization

Trade finance documents move through distinct lifecycle stages: issuance, advising, negotiation, acceptance, payment. Each stage is gated by threshold authorization — K banks must contribute shares before the document progresses.

When a letter of credit moves from advising to negotiation, the advising bank, confirming bank, and beneficiary must all contribute their shares. The threshold requirement (e.g., 2-of-3) ensures no single party can unilaterally advance the document. This creates cryptographic multi-party authorization at every lifecycle transition.

Lifecycle Stage	Threshold	Parties
Issuance	2-of-3	Issuing bank, applicant, beneficiary
Advising	2-of-3	Advising bank, confirming bank, beneficiary
Negotiation	2-of-3	Negotiating bank, beneficiary, confirming bank
Acceptance	2-of-3	Accepting bank, issuing bank, applicant
Payment	2-of-2	Paying bank, beneficiary

MULTI-PARTY AUTHORIZATION

Threshold gates prevent unilateral document advancement. Every lifecycle transition requires K parties to contribute shares. This maps directly to existing trade finance business rules — but enforced cryptographically.

Section 07

Settlement Proofs & Cryptographic Anchoring

Settlement proofs provide cryptographic anchoring at each lifecycle stage. When a letter of credit moves from issuance to advising to negotiation, each bank generates a proof that anchors the document state. This creates a tamper-evident chain that proves the document's journey through the trade finance workflow.

Each settlement proof includes: previous lifecycle stage hash, current lifecycle stage, threshold configuration, contributing party DIDs, and timestamp. The proof is signed by all K contributing parties using Ed25519 signatures. This creates a non-repudiable record of document progression.

Settlement proofs meet SEC 17a-4 compliance requirements: 15-year retention, WORM storage (write-once-read-many), and cryptographic non-repudiation. Regulators can verify document lineage without accessing plaintext trade data.

Settlement proof structure

interface SettlementProof {
  prevStageHash: Uint8Array;    // Previous lifecycle stage
  currentStage: 'issuance' | 'advising' | 'negotiation' | ...;
  threshold: { k: number; n: number };
  contributingParties: DID[];  // All K parties
  timestamp: number;
  signatures: Uint8Array[];    // Ed25519 sigs from all K
}

CRYPTOGRAPHIC ANCHORING

Settlement proofs create a tamper-evident chain. Each proof anchors the document state at a lifecycle transition. Regulators can verify document progression without accessing plaintext.

Section 08

Implementation Details

xTrade is built on a production-grade TypeScript implementation with comprehensive test coverage and cryptographic integrity guarantees.

Core Statistics

506

Lines of code

120+

Tests

Test files

The implementation includes split/reconstruct operations for trade finance documents with per-share HMAC-SHA256 integrity verification. Every share is cryptographically anchored to prevent tampering during multi-bank transit.

Security Features

Feature	Implementation	Purpose
HMAC-SHA256	Per-share integrity tags	Detect tampering in transit
Settlement proofs	Cryptographic anchoring	Non-repudiation at lifecycle gates
Test coverage	120+ tests across 3 files	Production reliability
XorIDA core	506 LOC split/reconstruct	Information-theoretic security

Section 09

Integration Patterns

Basic usage

import { TradeDoc } from '@private.me/tradesplit';

// Create LC document with threshold config
const doc = await TradeDoc.create({
  type: 'letter-of-credit',
  parties: [issuingBank, advisingBank, beneficiary],
  threshold: { k: 2, n: 3 }
});

// Issue LC with document data
await doc.issue(lcData);

// Advance to next lifecycle stage (requires K shares)
await doc.advise([share1, share2]);

// Generate settlement proof at lifecycle gate
const proof = await doc.generateSettlementProof();

TradeDoc.create(opts): Promise<Result<TradeDoc, TradeError>>

Creates a split-channel trade finance document with xFormat serialization, DID-authenticated parties, and threshold-gated lifecycle stages.

doc.issue(data): Promise<Result<void, TradeError>>

Issues the trade document (issuance lifecycle stage). XorIDA-splits data and distributes shares to configured parties.

doc.advise(shares): Promise<Result<void, TradeError>>

Advances document to advising stage. Requires K shares from configured parties. Verifies HMAC integrity before reconstruction.

doc.generateSettlementProof(): Promise<SettlementProof>

Generates cryptographic settlement proof at current lifecycle stage. Includes previous stage hash, threshold config, contributing party DIDs, and Ed25519 signatures.

Section 10

Security Properties

Property	Mechanism	Guarantee
Document split	XorIDA K-of-N	✓ No complete doc at any bank
Interoperability	xFormat envelope	✓ Universal share validation
Identity	DID per-party	✓ Ed25519 mutual auth
Lifecycle gates	Threshold authorization	✓ Multi-party approval
Non-repudiation	Settlement proofs	✓ Cryptographic anchoring
Integrity	HMAC-SHA256 per-share	✓ Tamper detection

INFORMATION-THEORETIC SECURITY

XorIDA provides information-theoretic security. An attacker who compromises any K-1 banks learns nothing about the plaintext — not computationally hard to break, but mathematically impossible.

Section 11

Compliance & Regulatory

xTrade meets SEC 17a-4, FINRA Rule 4511, and SOX internal control requirements for trade finance document retention and non-repudiation.

SEC 17a-4 Compliance

Settlement proofs provide 15-year retention with WORM storage (write-once-read-many). Each proof includes cryptographic signatures from all K contributing parties — meeting non-repudiation requirements. Regulators can verify document lineage without accessing plaintext trade data.

FINRA Rule 4511

xTrade generates tamper-evident audit trails for all trade finance transactions. Settlement proofs anchor each lifecycle transition — creating a cryptographic chain that proves document progression through advising, negotiation, acceptance, and payment stages.

SOX Internal Controls

Threshold authorization gates enforce separation of duties. No single bank can unilaterally advance a document through lifecycle stages. K parties must contribute shares before progression — mapping to SOX Section 404 internal control requirements.

Regulation	Requirement	xTrade Implementation
SEC 17a-4	15-year retention + non-repudiation	Settlement proofs with Ed25519 sigs
FINRA 4511	Tamper-evident audit trails	HMAC-chained settlement proofs
SOX 404	Internal controls + separation of duties	Threshold authorization gates
AML/KYC	Trade-based money laundering detection	Cryptographic document lineage

Section 12

Performance Benchmarks

xTrade processes trade finance documents in sub-millisecond times for typical payloads. Letter of credit documents (10-50KB) split in under 5ms.

<5ms

LC split (10KB)

<3ms

Reconstruction

<1ms

HMAC verify

~33ms

1MB document (2-of-2)

Settlement proof generation adds ~2ms per lifecycle transition. Ed25519 signature verification runs at ~0.5ms per party. Total overhead for a 3-party LC with 2-of-3 threshold: <10ms end-to-end.

Section 13

Honest Limitations

xTrade protects documents in transit and at rest across banks. It does not protect against insider threats within a single bank, nor does it prevent colluding banks from reconstructing documents.

What xTrade Does NOT Solve

Insider threats: A rogue employee at a bank with share access can still leak that share. xTrade splits documents across banks but cannot prevent leakage within a bank.
Collusion attacks: If K banks collude, they can reconstruct the complete document. Choose threshold K carefully based on trust assumptions.
Metadata leakage: Document type, lifecycle stage, and threshold configuration are visible in xFormat envelopes. xTrade does not hide metadata.
Network timing attacks: An observer who monitors all bank communication channels may infer document structure from message timing patterns.

THRESHOLD TRUST ASSUMPTIONS

xTrade assumes fewer than K banks collude. If K or more banks actively conspire, they can reconstruct complete documents. This is fundamental to threshold cryptography — choose K based on your trust model.

ADVANCED TOPICS

Implementation Details

In-depth technical specifications, full API surface, and codebase statistics for developers integrating xTrade.

Advanced 01

Full API Surface

TradeDoc.create(opts: TradeDocOpts): Promise<Result<TradeDoc, TradeError>>

Creates split-channel trade finance document. Options: document type (LC/BG/bill of lading), parties (DID array), threshold (K-of-N).

doc.issue(data: Uint8Array): Promise<Result<void, TradeError>>

Issues document (issuance stage). XorIDA-splits data, generates per-share HMAC tags, distributes shares to parties via xLink.

doc.advise(shares: Share[]): Promise<Result<void, TradeError>>

Advances to advising stage. Verifies HMAC integrity, validates share indices, reconstructs if threshold met.

doc.negotiate(shares: Share[]): Promise<Result<void, TradeError>>

Advances to negotiation stage. Threshold authorization required from negotiating bank, beneficiary, confirming bank.

doc.accept(shares: Share[]): Promise<Result<void, TradeError>>

Advances to acceptance stage. Threshold authorization from accepting bank, issuing bank, applicant.

doc.pay(shares: Share[]): Promise<Result<void, TradeError>>

Final payment stage. Requires 2-of-2 threshold (paying bank + beneficiary).

doc.generateSettlementProof(): Promise<SettlementProof>

Generates cryptographic settlement proof at current lifecycle stage. Includes previous stage hash, threshold config, contributing parties, Ed25519 signatures.

doc.verifySettlementProof(proof: SettlementProof): Result<boolean, TradeError>

Verifies settlement proof. Checks previous stage hash, validates Ed25519 signatures, confirms threshold requirements met.

Advanced 02

Codebase Statistics

506

LOC (core)

120+

Tests

Test files

API methods

Component	Lines	Purpose
split/reconstruct	~200	XorIDA threshold operations
xFormat	~120	Binary envelope serialization
Settlement proofs	~90	Cryptographic anchoring
Lifecycle gates	~96	Threshold authorization

VERIFIED BY XPROVE

Verifiable Data Protection

Every operation in this ACI produces a verifiable audit trail via xProve. HMAC-chained integrity proofs let auditors confirm that data was split, stored, and reconstructed correctly — without accessing the data itself.

XPROVE AUDIT TRAIL

Every XorIDA split generates HMAC-SHA256 integrity tags. xProve chains these into a tamper-evident audit trail that proves data was handled correctly at every step. Upgrade to zero-knowledge proofs when regulators or counterparties need public verification.

Read the xProve white paper →

GET STARTED

Ready to deploy xTrade?

Talk to Sol, our AI sales engineer, or book a live demo with our team.

Book a Demo

Deployment Options

🌐

SaaS Recommended

Fully managed infrastructure. Call our REST API, we handle scaling, updates, and operations.

Zero infrastructure setup
Automatic updates
99.9% uptime SLA
Enterprise SLA available

View Pricing →

📦

SDK Integration

Embed directly in your application. Runs in your codebase with full programmatic control.

npm install @private.me/xtrade
TypeScript/JavaScript SDK
Full source access
Enterprise support available

Get Started →

🏢

On-Premise Upon Request

Enterprise CLI for compliance, air-gap, or data residency requirements.

Complete data sovereignty
Air-gap capable deployment
Custom SLA + dedicated support
Professional services included

Request Quote →

Enterprise On-Premise Deployment

While xTrade is primarily delivered as SaaS or SDK, we build dedicated on-premise infrastructure for customers with:

Regulatory mandates — HIPAA, SOX, FedRAMP, CMMC requiring self-hosted processing
Air-gapped environments — SCIF, classified networks, offline operations
Data residency requirements — EU GDPR, China data laws, government mandates
Custom integration needs — Embed in proprietary platforms, specialized workflows

Includes: Enterprise CLI, Docker/Kubernetes orchestration, RBAC, audit logging, and dedicated support.

Contact sales for assessment and pricing →