[Suit Up]

HOME / FOUNDATIONS / Settlement primitives / CH. V · PT 3
Settlement primitives

Privacy modes

Public chains are radically transparent. Every transaction is visible to every observer, and the entire industry has spent a decade building privacy layers on top of this default. Permissioned chains start from the opposite default, because banks have hard legal obligations not to disclose counterparty information, position sizes, or trading intent to anyone outside a defined need-to-know perimeter. The Markets in Financial Instruments Directive (MiFID), the General Data Protection Regulation (GDPR), banking secrecy regimes in Switzerland and Singapore, and the various market abuse rules all force this. Each major stack solves the problem differently, and the differences are architectural rather than cosmetic.

2.3 Privacy modes

Hyperledger Fabric channels

A Hyperledger Fabric channel is a private subnet within a Fabric network with its own ledger, its own membership, and its own state (Hyperledger Fabric). A bank can be a member of dozens of channels simultaneously, and a transaction on one channel is not visible to members of another. This is conceptually simple but operationally heavy. You end up running a lot of channels, the channel topology has to be administered by the consortium, and cross-channel atomicity is a non-trivial engineering problem because the ledgers do not share a global commit order. For trade-finance consortia and bank-internal builds where the membership graph is relatively static, channels are a fine answer. For a tokenisation network where new bilateral relationships form constantly, the channel-explosion problem starts to bite.

Canton domains and sub-transaction privacy

Canton Network uses domains. A domain is a trust circle that participants opt into, and transactions are visible only to the parties to that transaction within the relevant domain (Canton Network). Crucially, this is enforced at the participant node level, not by partitioning the network. A single Canton transaction can span multiple domains and the participants only see the bits that involve them. This is the architectural breakthrough that made Canton credible for institutional tokenisation, and it is why DAML, the smart-contract language underneath, has the concept of sub-transaction privacy baked in (Digital Asset).

Sub-transaction privacy means that within a single atomic transaction, different parties see different subsets of the data. A trade between bank A and bank B that involves a settlement agent C can be structured so that A sees the trade economics, B sees the trade economics, C sees only the settlement instruction, and the regulator with a subpoena sees the whole thing. No one sees fields they have no business seeing. This is not a privacy nice-to-have. It is the only way to do multi-party workflows without breaching disclosure rules under MiFID, GDPR, and the various banking-secrecy regimes that govern Asia-Pacific (APAC) institutional flows. The DTCC Smart NAV pilot on Canton is a worked example of why this matters for regulated market infrastructure publishing fund data on chain: the data publishers and the data consumers each see only the slices they are entitled to.

The integration cost of this model is real. DAML is a specialist language, the participant-node topology takes effort to operate, and the cross-domain commit protocol adds latency relative to a single-domain transaction. The payoff is that you can model a multi-party workflow once, in a contract language with formal semantics, and let the protocol enforce the disclosure boundaries automatically.

Quorum, Tessera, and Kinexys

Quorum and GoQuorum, the JPMorgan-derived stack now living inside the Kinexys platform, use encrypted state via the Tessera private transaction manager (Consensys Quorum, Kinexys Digital Payments). Public state hashes go on the shared chain, but the actual payload is exchanged off-chain encrypted between the parties to the transaction. The hash on chain proves the payload existed and links it to a specific transaction ordering. The payload itself never leaves the parties' nodes.

Older architecture, less elegant than Canton's domain model, but battle-tested and integrated into a working production system at scale. The Quorum lineage has run real institutional volume since 2019, and the design choices reflect that history: simpler primitives, narrower trust assumptions, and a tighter coupling between the chain and the bank's existing transaction infrastructure. For a single-operator chain or a tightly coupled consortium, this is a reasonable answer. For a more open multi-party network, the trust model starts to feel restrictive, which is why the more recent Kinexys roadmap has emphasised interoperability with Canton and other stacks.

Corda's notary model

R3 Corda uses a different approach again (R3 Corda). Transactions are point-to-point between counterparties, with notary nodes producing uniqueness consensus rather than a global ordered ledger. Each participant only ever sees transactions they are a party to. This is conceptually closest to how dealers and CSDs already think about messages, which is why Corda has held strong ground in capital markets even as Canton has taken the tokenisation seat. Privacy is the default, not a feature you compose on top.

What to take away

The point of cataloguing these is not to rank them. The point is that "privacy on a permissioned chain" is not one feature. It is four different architectural choices, each with different implications for atomicity, regulatory disclosure, integration cost, and the kinds of multi-party workflows the chain can model natively.

If your workflow is bilateral or has stable group membership, channels and Tessera-style encrypted payloads are perfectly serviceable. If you need to model multi-party transactions where each party sees a different slice within a single atomic commit, Canton's domain plus DAML's sub-transaction privacy is the more direct fit. If your workflow looks like the existing dealer-CSD message graph, Corda's point-to-point model is the cleanest map.

Pick the one that matches the disclosure rules you actually have, not the one that matches the privacy aesthetic of the public-chain world you are coming from. The wrong choice does not show up as a security failure. It shows up as a compliance review that adds six months to the rollout timeline.

The next part picks up consortium governance, the part that lives off-chain and almost entirely in legal documents, plus why permissioned chains matter now and the common confusions to clear up before walking into a client meeting.