Privacy Architecture
Canton provides sub-transaction privacy -- a model where each participant in a transaction sees only the parts of that transaction they are authorized to observe. This page explains how it works, why it matters for institutional lending, and how Dualis leverages it.
The Problem with Public Ledgers
On Ethereum, every transaction is visible to every node in the network. When a lending protocol processes a borrow, every validator sees the borrower's address, the collateral amount, the loan size, and the interest rate. For retail DeFi, this transparency is considered a feature. For institutional finance, it is a disqualifier.
Consider a scenario: a global investment bank wants to borrow $50 million against its tokenized Treasury holdings. On a public blockchain, every competitor, every counterparty, and every predatory trading algorithm would see this position in real time. The bank's trading strategy would be exposed. Its collateral portfolio would be public. If the position approached liquidation, front-runners would extract value before the bank could respond.
This is why DTCC, Goldman Sachs, Euroclear, and LSEG chose Canton. Not because it is faster or cheaper, but because it provides privacy guarantees that public blockchains cannot.
How Sub-Transaction Privacy Works
Canton's privacy model operates at the sub-transaction level. A single transaction may involve multiple contracts, multiple parties, and multiple state changes. Canton ensures that each participant receives only the views -- the specific sub-transactions -- that they are stakeholders in.
The mechanism is built on three concepts:
- Signatories: Parties who must explicitly authorize a contract's creation. They always see the full contract. In a Dualis lending pool, the protocol operator is the signatory of the pool contract.
- Observers: Parties who are granted visibility of a contract but do not need to authorize it. A supplier can observe the pool they deposited into, but not other suppliers' positions.
- Stakeholders: The union of signatories and observers. Canton's synchronization protocol delivers transaction data only to stakeholders of the affected contracts.
When a borrower takes a loan on Dualis, the transaction touches the lending pool contract, the borrower's position contract, and the collateral contract. The borrower sees their own position and the pool update. The protocol operator sees the full transaction for operational and compliance purposes. Other suppliers and borrowers in the same pool see nothing of this transaction -- they see only their own positions, plus the aggregate pool state when they interact with it.
Ethereum vs Canton: Privacy Comparison
| Property | Ethereum | Canton |
|---|---|---|
| Transaction visibility | All transactions visible to all nodes | Sub-transaction data visible only to stakeholders |
| Position data | Public -- any explorer can view | Private -- only the position owner and protocol operator |
| Collateral portfolio | Fully transparent on-chain | Visible only to the borrower and relevant counterparties |
| Liquidation information | Front-runnable by MEV bots | Processed by authorized liquidators only |
| Pool aggregates | Derived from public contract state | Published by the protocol; individual positions remain private |
| Regulatory audit | Auditors see everything (or nothing with ZK) | Auditors granted observer rights on specific contracts |
Why Institutions Chose This Model
The institutions building on Canton did not choose it arbitrarily. Each had specific privacy requirements that public blockchains could not satisfy:
- Goldman Sachs requires that its repo and lending positions remain confidential from competitors, while still being auditable by regulators.
- DTCC processes settlement for virtually every U.S. equity trade. The details of clearing and netting must remain between the clearing members and DTCC, not broadcast to the world.
- Euroclear handles cross-border bond settlement where multiple jurisdictions impose different data residency and confidentiality requirements. Canton's selective disclosure model satisfies all of them simultaneously.
Dualis Privacy Model
Dualis leverages Canton's privacy architecture through its DAML contract design. The Dualis.Privacy.Config module defines observer policies that control which parties can see which contract types. Key principles:
- Position isolation: A supplier's position is visible only to that supplier and the protocol operator. No other user can see individual position details.
- Pool aggregation: Pool-level metrics (total supply, total borrow, utilization rate) are published as aggregate data. Individual contributions are not disclosed.
- Credit confidentiality: A borrower's credit tier and attestation are visible only to the borrower, the credit oracle, and the protocol. Other participants cannot determine a borrower's creditworthiness.
- Selective regulatory access: The contract design supports adding regulators as observers on specific contract types, enabling compliance audits without exposing data to market participants.
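
The stakeholder rule from "How Sub-Transaction Privacy Works" and the position-isolation principle above, as a check that observer lists deliver each contract only to the parties a policy allows. This is an added example, not Canton or Dualis code: it models only the rule that stakeholders receive the contract, not Canton's synchronization protocol. The party names, contract ids, template names, observer lists and policy are constructed assumptions.

```python
# Simplified model of the stakeholder rule described on this page; it is not
# Canton's protocol and does not reproduce Dualis.Privacy.Config.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Contract:
    cid: str
    template: str
    signatories: frozenset
    observers: frozenset = frozenset()

    @property
    def stakeholders(self):
        # Stakeholders are the union of signatories and observers.
        return self.signatories | self.observers

def project(transaction, party):
    """Contract ids in the transaction that are delivered to `party`."""
    return [c.cid for c in transaction if party in c.stakeholders]

def leaks(transaction, policy):
    """(party, cid) pairs where a stakeholder's policy does not allow the template.

    Deny by default: a party missing from `policy` may see nothing.
    """
    return sorted(
        (party, c.cid)
        for c in transaction
        for party in c.stakeholders
        if c.template not in policy.get(party, frozenset())
    )

# Constructed sample: one borrow touching pool, position and collateral.
OP, BORROWER, SUPPLIER_B = "operator", "borrower", "supplier_b"
POOL = Contract("pool-1", "LendingPool", frozenset({OP}), frozenset({BORROWER}))
POSITION = Contract("pos-7", "BorrowPosition", frozenset({OP}), frozenset({BORROWER}))
COLLATERAL = Contract("col-3", "Collateral", frozenset({BORROWER}), frozenset({OP}))
BORROW_TX = [POOL, POSITION, COLLATERAL]

# Hypothetical policy: which templates each party is allowed to receive.
ALL = frozenset({"LendingPool", "BorrowPosition", "Collateral"})
POLICY = {OP: ALL, BORROWER: ALL, SUPPLIER_B: frozenset({"LendingPool"})}

# Misconfiguration: another supplier added as observer on the borrower's position.
BAD_TX = [POOL, replace(POSITION, observers=frozenset({BORROWER, SUPPLIER_B})), COLLATERAL]

if __name__ == "__main__":
    for party in (OP, BORROWER, SUPPLIER_B):
        print(party, project(BORROW_TX, party))
    print("leaks:", leaks(BAD_TX, POLICY))
```

Run against every contract template's observer list in a test suite, a check of this shape catches an observer added to the wrong contract type before it reaches a ledger.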