The Privacy Problem in Blockchain
On most blockchains, achieving transaction integrity requires global visibility. Every validator sees every transaction to verify no double-spends occur and all rules are followed. This creates an inherent tension:
Traditional blockchains make a choice: integrity over privacy. Everyone sees everything.
Why This Blocks Enterprise Adoption
For regulated industries, global visibility is a non-starter:- Position visibility: Competitors can see your trading strategies
- Front-running risk: Observers can exploit transaction information
- Regulatory compliance: Data may not be shared with unauthorized parties
- Confidential agreements: Business terms should remain between parties
Canton’s Approach: Sub-Transaction Privacy
Canton resolves the integrity-privacy tension through sub-transaction privacy: decomposing transactions into views where each party sees only what they need to verify their portion.How It Works
When a transaction involves multiple parties, Canton doesn’t send the full transaction to everyone. Instead:- Decomposition: Transaction is split into views based on stakeholder relationships
- Encryption: Each view is encrypted to its respective recipients
- Distribution: Synchronizer delivers only entitled views to each participant
- Validation: Each participant validates their view independently
- Confirmation: Participants confirm based on their view alone
What Each Party Sees
The synchronizer sees none of this - only encrypted messages and confirmation results.
Stakeholder Visibility Rules
Visibility in Canton follows two core principles:Principle 1: Parties See Actions They Have a Stake In
Principle 2: Parties Who See an Action See Its Consequences
If you see an action, you see the creates/archives it produces. This enables independent verification - you can confirm the action was executed correctly based on the outcomes you observe.Visibility Example
Privacy Guarantees
What Canton Guarantees
Transaction content is only visible to authorized parties (signatories, observers, controllers).
Synchronizer operators cannot read transaction data - they see only encrypted messages.
No metadata leakage about parties not entitled to see an action - other participants and parties are invisible.
Validators only store data for their hosted parties - no global state replication.
Privacy Patterns
Pattern 1: Bilateral Agreement
Only the two signatories see the contract. Maximum privacy for two-party agreements.partyA and partyB.
Pattern 2: Selective Disclosure via Observers
Add specific parties as observers when they need visibility but not control.issuer (signatory), owner and regulator (observers). Note that owner is also the controller for Transfer, so they can execute that choice unilaterally.
Pattern 3: Divulgence
When contracts are used in transactions, parties to that transaction may learn about them. This “divulgence” is automatic.Execute runs, Bob (as a party to the Trade) sees the Asset contract that Alice owns, even though he wasn’t originally an observer.
Use carefully: Divulgence can inadvertently reveal information. Design transactions with awareness of what gets divulged.
Privacy vs. Auditability
Canton enables privacy without sacrificing auditability. Common patterns:Auditor as Observer
Selective Audit Rights
Best Practices for Auditability
Common Privacy Mistakes
Mistake 1: Over-Sharing via Observers
allUsers sees this contract, even if they don’t need to.
Fix: Only add observers who genuinely need visibility.
Mistake 2: Ignoring Divulgence
Mistake 3: Timing Attacks
Problem: Even without seeing content, observers might infer information from:- When transactions occur
- Transaction sizes
- Patterns of activity
- Consider batching sensitive operations
- Add noise or randomization where appropriate
- Design workflows to minimize timing information leakage
Privacy Design Checklist
When designing Canton applications, ask:Next Steps
- The Global Synchronizer - Understand the public network infrastructure
- Developer Track Module 3: Daml Development - Apply privacy patterns in code
- Glossary - Terminology reference including privacy-related terms