Privacy: Even stronger protections with Daml 2.0
Privacy has been a core tenet of Digital Asset and is the foundation of Daml, the leading platform for building and running multi-party applications. With the launch of Daml 2.0—the next generation of our core technology with industry-leading privacy and interoperability—we’re taking privacy even further. Daml 2.0 includes Canton, our privacy-enabled distributed ledger that provides secure synchronization between multiple parties. With it, we extend privacy to new arenas to help companies realize the total value of more interconnected systems and markets through the Global Economic Network.
A brief look back
The early days of public blockchain focused on creating a platform that could synchronize a set of tasks without any central operator. Blockchains achieved this synchronization by giving everyone visibility into data and transactions, but without the ability to associate them to real-world identities. With applications such as Bitcoin, which ran on its own network, pseudonymity was arguably sufficient. However, as new blockchains emerged and operators sought to tackle more complex tasks, the challenge of privacy became more apparent. With the state of the ledger and the data found in one place, the ability for all parties to see it means that eventually, someone can figure out how to tie the data to its real-world equivalent. And indeed, there are companies built precisely to de-anonymize and de-obfuscate blockchain data. Herein lies the blockchain privacy problem: For everyone to stay synchronized, blockchain users broadcast all data for everyone to see.
Public blockchains are trying to solve this by layering solutions, such as retrofitting the chain to shard data into different levels of visibility and limiting who can access what. However, while necessary, this is insufficient—particularly in complex financial transactions or payments with multiple parties.
What makes Daml’s privacy different?
With Daml, we took an entirely different approach. From the start, we designed and built Daml to specify who precisely can see what data. Data privacy is at the core: Developers start from the data and create smart contracts that define what data is visible to what parties and how these parties can use the data. As a result, only a subset of people shares any piece of data on a need-to-know basis.
While data minimization resolves the privacy issue, it becomes more challenging to maintain accurate, synchronized data. A traditional blockchain remains accurate because everyone can see and validate all of the data. However, if different parties see only the transactions they are entitled to view, how do you validate and maintain an accurate ledger? Canton solves this using a ledger computation model that always ensures every party on the network can see and validate their subset of the global ledger, and only that. This ledger model keeps each party’s shard (slice) of the ledger consistent with the global ledger and independently verifiable, which, in turn, assures its accuracy.
Canton further improves on other blockchains in that it provides for privacy by way of visibility restrictions even within transactions, with multiple parties who require different levels of visibility. Daml is the only platform that offers an infrastructure for writing applications in which developers specify who is permissioned to see what data on a need-to-know basis. Furthermore, permissions apply across the board, making privacy intrinsic to the code rather than being added as another layer at the end. This specification of data entitlements embeds privacy throughout and radically simplifies application development. Developers can focus on business logic without having to rewrite the permissions constantly.
Users of Daml commonly deploy Daml applications on other blockchains. Previous iterations of Daml ensured privacy in the application context, but different blockchains have different privacy properties. For example, while VMware blockchain can support Daml’s full privacy model, others like Hyperledger Fabric and Besu cannot. Daml 2.0 creates and assures the next level of privacy with Canton, which can be deployed on complimentary blockchains, enabling Daml’s complete sub-transaction privacy on all blockchains without trading off consistency or visibility into data lineage. This consistency in enforcing privacy controls opens the doors to more seamlessly interconnected networks and faster innovation, as with previous versions of Daml.
Canton creates the ability to ship data around to different nodes, sending only necessary data that is encrypted. The data sits across various ledger providers, allowing for data distribution while protecting and enforcing privacy rules regardless of those ledgers' individual privacy properties profiles. At a high level, here’s how it works:
The node submitting a transaction breaks up the transaction into views that contain only the information for the involved counter-participants and encrypts each view.
The submitter sends the encrypted views to the underlying ledger provider for ordering and data distribution.
Each participant to the transaction decrypts the received view, validates it, and confirms or rejects the transaction. Confirmations and rejections are collected by a central commit coordinator running on the underlying ledger provider.
Based on the confirmations and rejections, the commit coordinator informs all participants whether the transaction should be committed or rolled back. Finally, each participant updates the local ledger state to keep the ledger in sync.
With Canton, the entirety of the ledger state lives only with the participants, without any central ledger that holds all data. Putting the participants in the center is the key to creating the future of interconnected networks across ledger providers. With privacy managed at a sub-transaction level, only parties in the transaction can see all the steps. Since a node sees only its part of the transaction, it only needs to validate this part of the transaction. From a workflow composition perspective, conventional blockchains show the entire transaction to all participants, even though some nodes involved in the workflow only know how to make sense of certain subtransactions. Thus, the developer of the validation logic must be careful not to make assumptions about the transaction structure as a whole, as this would hinder the composition of small transactions into larger transactions.
With Daml 2.0 and Canton, since every node sees only a subset of the smart contracts on the ledger, each node sees only part of the transaction when a transaction changes the state of multiple smart contracts. For example, when Party A and Party B agree on a stock transfer, both parties can see all steps and validate the data. However, their banks and custodians can only see the movement of funds and movement of stock, respectively—not the entire transaction. As a result, all participants can independently validate their part of the transaction, keeping the ledger accurate and in sync while minimizing data access.
So, what has changed? With Daml 2.0 and Canton, this example can expand to virtually any size and shape. Daml and Canton work in tandem to keep it all glued together, regardless of how complicated or big workflows get, without sacrificing privacy or degrading the ledger's integrity. Beyond the clear value of safeguarding privacy, this offers other significant benefits:
Simplification for developers. When creating new applications, they can rely on what’s already there. As they define new workflows, they also establish who can see what for each part of that workflow with reduced visibility of the ledger provider.
New frontiers of extensibility. Canton allows multiple participant nodes to connect to form a business network and for those networks to connect to each other. Each network retains its own rules, but workflows can span the networks. This allows, for example, a payments network and healthcare network to connect for more efficient billing, claims verification and processing, and payment—saving time and money while reducing operational complexity and risk.
Unlimited network capacity. Since Canton was designed for data minimization and every node need only validate a subset of the global ledger, each application on the ledger can use separate resources without limiting the ability to compose these applications into larger workflows and applications. As a result, Canton can scale without limit as resources are added to the network.
Daml 2.0 with Canton provides the secure and private data foundation to power innovation. You decide who can access your application or plug into your network and set the inviolable roles, rules, and permissions. Those authorized institutions can build on top of your infrastructure with the guarantee that the ledger’s integrity will be uncompromised. Daml 2.0 with Canton lets you improve your workflows and processes while creating the conditions for increased connectivity.