Canton Network White Paper

CantonNetwork: ANetworkofNetworksforSmartContractApplications DigitalAsset updatedJanuary2024 Abstract Currentsmartcontractnetworkssuffertwoconstraintsthatsignificantlylimit meaningfuladoptionbytraditionalfinancialinstitutionsandotherenterprises. First,theyrequireeveryapplicationtoinheritthegovernancepropertiesandthe fullytransparentprivacymodeloftheunderlyingnetwork.Second,applications competefortransactionthroughput.Inthiswhitepaper,wepresenttheCanton Network,asmartcontractnetworkofnetworksthatovercomestheselimitations andenableseachapplicationprovidertodefinetheirapplication’sprivacy, scaling,permissions,andgovernancewhilebeingpartofabroaderdecentralized publicpermissionednetwork. Introduction Motivation Severalsmartcontractblockchainnetworksexist,buttheyallimposeproblematicconstraintson assetsandapplicationsbuiltontopofthem.Specifically,onthesenetworks,(1)allassetsand applicationssharealldatapermanentlyandpubliclywithallusers,(2)interactionwithassets andapplicationsisall-or-nothing;applicationoperatorscannoteasilycontrolhowdifferentusers interactwiththeirapplications,(3)applicationscompeteforglobalnetworkresources; applicationoperatorscannotindependentlyscaleorchooseonwhichinfrastructuretodeploy. Furthermore,feesareinterconnectedandunpredictable,withincreasedusageinone applicationraisingcostsforallusers. Incontrast,mostoftheworld’sassetsareheterogeneous,andaregovernedbyuniquerulesfor howusersandbusinessestransactwiththem.Operatorsofapplicationsthatinteractwiththese assetsneedcontrolovertheprivacy,scale,serviceavailability,andinfrastructurecostoftheir applications.Assuch,thelimitationsofexistingblockchainnetworkspreventtheonboardingof thebulkoftheworld’sassetsandprocessesintoaninterconnectednetwork,reducingpublic blockchains’abilitytobuildsubstantialnetworkeffectsoutsideofcrypto-nativeassets. Forillustrationpurposes,wecontrastexistingpublicblockchainnetworkswiththemost successfulpublicnetwork,theInternet.TheInternetisaheterogeneousnetworkhosting independentlyoperatedapplications;e.g.,Wikipediaisfullypublicandcoexistswithgated bankingportalsonthesamepublicInternet.High-volume,low-valueservicesco-existonthe samenetworkaslow-volume,high-valueservices.Eachapplicationproviderhasthe sovereigntytocontrolitsapplication’suniquepermissions,fees,scale,servicelevels,andmore. 1 CantonNetwork:ANetworkofNetworksforSmartContractApplications TheInternethasunlimitedhorizontalscalabilityandgrowswitheachapplicationcontributedto thenetwork.Asaservice’strafficincreases,theapplicationprovideraddsresources;thegrowth ofoneservicedoesnotreducetheresourcesavailabletoothers.Theheterogeneityofthe applicationsfoundontheInternethelpeditreachbillionsofusers.Someuserswanttogoto Wikipedia,andsomewanttoaccesstheirbankingportal;bothgotothesameplace-thesame Internet. Thelackofsupportforapplicationheterogeneityinpublicblockchainshasledtotwosignificant negativeoutcomes.First,duetothesenetworks’privacylimitations,onlyassetsanddatawhich canbepartofthepermanentpublicrecordarebroughtintopublicblockchains;wesee experimentationwithcryptocurrenciesandnon-fungibletokens(NFTs),butwedon’tsee enterprisesandgovernmentsbringtraditionalassetsandrecordstopublicblockchains.Second, toovercomethecontentiononsharedglobalresources,thebulkofapplicationlogicfor blockchainapplicationsisbuilt‘off-chain’underthecontrolofcentralizedapplicationproviders, meaningkeyfunctionalityisoperatedoffthesharednetwork,negatingtheindependent verifiabilityusersexpectofpublicblockchains. Limitationsofexistingblockchainnetworks Concretely,inEthereum,andsimilarsmart-contractnetworks,(1)dataisfullytransparentto anyonewhocanconnecttotheledger,(2)therearestrict,verticallimitsontransactioncapacity onlayer1,(3)layer2s,rollups,andsimilarscalingchannelslacktransactionalcomposability(4) issuersofassetsforfeitcontrolofthatassettoapoolofpseudonymousvalidators.Froma regulatoryperspective,thedatatransparencyandlossofcontroloverassetsmakethese networksunsuitableforusebyfinancialinstitutions. Whensmartcontractapplicationshittransactionthroughputlimits,theresultsarecatastrophic forthenetworkandprovidersofsmartcontractapplicationsonthenetwork.Forexample,in 2017,AxiomZenlaunchedthewildlysuccessfulapplicationCryptoKittiesontheEthereum network,exceeding12%ofallnetworktransactionsandcausingmassivenetworkcongestion 1 . Asaresult,otherapplicationsonEthereumatthistimeexperiencedveryhighfeesand latencies.Followingthis,thecompanybehindAxiomZenbuiltandcommercializedanew blockchain 2 ,movingawayfromthenetworkuponwhichitbuiltitssuccess,andfragmentingthe market. Thescalinglimitationsofexistingblockchainsarenotinherenttothesynchronizationof applicationdataandstate;weproposeadesignthatavoidstheselimitations.Existingpublic blockchainsforceallapplicationsthroughasingleorderingservice,evenwherethisisn’t necessary.Butthisbottleneckisnotrequired;forexample,theorderoftextmessagesinone messagingapplicationshouldbeindependentoftheorderofasocialnetworkfeedofanother application.Thesetwoapplicationsshouldhaveindependentorderingmechanismsfortheir state.Likewise,anetworkofsmart-contractapplicationsshouldallowforasimilarlocalizationof 2 CryptoKittiesscratchEthereum,findnewlifeonFlowblockchain-Decrypt 1 CryptoKittiesiscausingethereumnetworkcongestion-Quartz 2 CantonNetwork:ANetworkofNetworksforSmartContractApplications transactionordering.However,orderingacrosstheseapplicationsmustalsobepossible,as necessary,tobeaninteroperablesmartcontractnetwork 3 .Thatrequiresasharedprotocolto synchronizetransactionscomposedacrossmultipleapplications.Currentattemptstoallow independentscalingwithsynchronizationacrossapplications,typicallyknownaslayer2 protocols,rollups,andcross-chainbridges,addsignificantcomplexityandsecurityproblems 4 , asevidencedbynumerousrecenthacks 5 .Incontrast,theCantonNetworkenablesapplications acrossmultiplesubnetstonativelyinteroperatebetweenthemwithoutrequiringalayer2 protocolorassetbridge. OurContributions Inthispaper,weintroducetheCantonNetwork,anetworkofnetworksforsmartcontract applicationswithheterogeneityandscalabilitypropertiessimilartotheInternet,giving applicationproviderscontrolovertheirapplications. Likeexistingblockchainnetworks,theCantonNetworkprovidesreal-timesynchronizationof sensitivedataacrossparticipants.Ithastheprivacyofaprivateblockchainonapublicnetwork; applicationsontheCantonNetworkseeasinglepublicledger.TheCantonNetworkhasan expressivesmartcontractlanguagecalledDaml,whichhasprogrammableprivacybuiltinto everyassetorpieceofdata.TheCantonprotocolallowseachapplicationtoscale independently,increasingavailabilityandkeepingfeeslow. Thus,theCantonNetworkfillsamajorgapinthepublicledgerspace:ithassmartcontractson asinglevirtualledger,similartoEthereum,Solana,Tezos,andmanymore,andithasbuilt-in privacywithselectivetransparency,similartothebitcoinlightningnetworkandZcash.Asof early2023,financialinstitutionstransactover$50billiondailyonlimited-accesssubnetsofthe CantonNetwork. Overview Intherestofthispaper,wedescribetheimplementationdetailsoftheCantonNetworkatahigh level.First,wedescribetheunderlyingtechnologies:Daml’sdatamodel,theDaml smart-contractlanguage,andtheCantonprotocol.WethendescribetheCantonNetwork,a publicnetworkofpermissionedsubnetsbuiltusingDamlandCanton. Daml Damlisanopen-source 6 smart-contractlanguageandframeworkdesignedtomakeiteasyto develop,operate,andmaintainmulti-partyapplicationsinawaythatpreservesprivacyanddata consistency.Moreconcretely: 6 https://github.com/digital-asset/daml 5 E.g.,Ronin($615m),Binance($570m),Wormhole($320m),Nomad($200m) 4 EthereumFoundationResearchTeamAMA-Pt7:07January,2022 3 Thisisknownas ”partialordering”-anorderingthatdoesn'tspecifytheexactorderofeverypairof events,butonlydefinestheorderbetweencertainitemsthatdependoneachother 3 CantonNetwork:ANetworkofNetworksforSmartContractApplications 1.Damlprovidesconceptstocapturerulesthatgovernreal-worldbusinesstransactions. Thishelpsprogrammersfocusonbusinesslogiconlywhileavoidingcommonsecurity pitfalls. 7 2.Damlallowstospecifyaccessandauthorizationpolicieswithinthesmartcontractcode, makingiteasytokeeptheminsync.Dataisconfidentialbydefault,andaccesspolicies areeasilydefinedsothatthesmartcontractprogrammercanunderstandandmaintain themeffortlessly. 3.Damlsupportsapplicationinteroperabilitybyenablingthecompositionofworkflowsinto morecomplexones,includingwhentheworkflowsarealreadydeployedacrossdifferent applicationsondifferentnetworks.Apartycanunilaterallyextendfunctionalityby composingexistingworkflowsintomorecomplexones.Thisabilityforanypartyto extendfunctionalityfostersorganicgrowthofledgerusageandhelpsmanage complexity.Damlenablesthecompositionofworkflowsacrossanetworkofapplications whilemaintainingtheconfidentialityandauthorizationrequirementsofeachapplication. 4.Damlsupportsinteroperabilitywithothersystemsthroughintegrationtooling,including auto-generationofbindingsforcommonprogramminglanguages,bridgestoother blockchains,andcommonstandardanddomain-specificlibraries. Contracts Damldefinesacontractasacodifiedagreementonaworkflowbetweenmultiplepartiesonthe network;thesepartiesarecalledcontractsignatories.Inaddition,otherpartiesmayobservethe contract;thesearecalledcontractobservers.Apartycanbeanindividualentitysigningwitha privatekeyoraconsortiumsigningwithaflexiblemulti-signatureconfirmationpolicy;assuch, assetscanbeissued,andcontractscanbesignedbycentralparties,orconsortiums. Transactions Acontractiscreatedaspartofatransaction,makingthecontractactive.Asubsequent transactionmayarchivethecontract,renderingitarchived 8 .Toensureconsistencyamong networkparticipantswhilemaintainingeachcontract’sprivacy,weneedtransactionstoexhibit twoproperties.First,weneedamechanismbywhichthedifferentpartiesagreeontheorderof transactionstoavoiddivergingviews.Second,variouspartiesmaybeentitledtoseedistinct partsofthetransactionbasedontheprivacydefinitionsofthespecificcontracts;wecallthis sub-transactionprivacy.Transactionsmustenablepartiestohaveapartialviewofthe transaction,whichtheycanverify,alsoknownasasub-transaction. ThestateofactivecontractsisknownastheActiveContractSet(ACS) 9 andisderivedfroma transactiongraph.Everytransactioninthegraphmayarchiveandcreatecontracts 10 , referencingallcontractsuponwhichitdepends.Newtransactionsareatomicchanges appendedtotheendofthetransactiongraph.Thetransactionmayconsistofmultiple 10 Transactionsmayincludeactionsotherthancreateandarchive,omittedhereforclarity.Foracomplete listofactionsseeDamlSDKdocumentation-ActionsandTransactions 9 TheACSisequivalenttobitcoin’sUTXOset 8 ThisisknownastheUnspentTransactionOutput(UTXO)model 7 E.g.,ReentrancybugsinEthereum’ssmart-contractlanguage,Solidity 4 CantonNetwork:ANetworkofNetworksforSmartContractApplications sub-transactions,withdifferentpartiesaccessingdifferentsub-transactions.Assuch,different partiesobserveadifferentsubsetoftheglobalACS. ThismodelissimilartotheUTXOtransactionmodelusedinbitcoinandotherpublic blockchains,withtwonotabledifferences: 1.Nopartyseesthefulltransactiongraphoftheentirenetwork;instead,eachpartyseesa subsetofthegraph,alsoknownasthatparty’sview.Thispartitioningoftheglobal transactiongraphcontraststootherUTXOblockchainssuchasbitcoinandCardano,in whicheverypartycanseetheentiregraph. 2.Atransactiondoesnotalwaysarchivereferencedcontracts.Whetheratransaction archivesaninputUTXOornotdependsontheapplicationlogic,andisdefinedinDaml usingthekeywords consuming and nonconsuming .Thisoptiontokeepareferenced contractactiveisincontrasttobitcoinandothers,inwhichreferencingaUTXOalways archivesit. Transactionsarestructuredastrees;thisenablesworkflowstocompose:thetreesofexisting workflowsbecomethesubtreesofcombinedworkflows.Eachpartycanvalidateitssubtreeand ignoretherestofthetransaction. Figure1:Exampletransactiongraphwithsub-transactionprivacy.AliceandBobeachhaveonlya partialviewofthefulltransactiongraph.Initiallytherearethreeactivecontracts,eachpartysees onlytwoofthem.Transactions1and2,submittedbyAliceandBobrespectively,evolvetheActive ContractSet(ACS),archivingtwooftheinitialcontracts,creatingtwonewactivecontracts,and 5 CantonNetwork:ANetworkofNetworksforSmartContractApplications creating-and-archivingtwotransitorycontracts.Followingthetwotransactions,therearethree activecontracts,denotedinpurple.Eachpartyhasaccesstoonlytwoofthethree. Saidanotherway,themaindifferencebetweenCanton’sledgermodel 11 andthatofother blockchainsisthat,inCanton,eachpartyseesonlyasubsetoftheACSandasubgraphofthe globaltransactiongraph,alsoknownastheparty’sview.Thisparty-specificviewisalwaysa validledger 12 thatcanbeverifiedlocallybytheparty’snode;apartyneednottrustanyother partyforverification.Uponreceivingatransactionorsub-transaction,aparty’snodewillverify threethings:thatthetransactionisconsistentwiththeparty’sview,thatthetransaction conformswiththelogicwritteninthesmartcontracts,andthatthetransactionisproperly authorized. Beyondgoverningaccesscontrol,wefurtherutilizethispartitioningoftheledgerforparallel processing.Sincetransactionsexplicitlydeclaretheirdependencies,separateinfrastructures canprocessindependenttransactionsinparallel;thisallowstheCantonNetworktoscale horizontallybyaddingcapacityasnetworkdemandfluctuates. Thismodelposestwochallenges: 1.Wemustensurethatdifferentparties’viewsoftheglobalACSareconsistent;inother words,foreverycontract,thevariouspartieswhoseeitmustalwaysagreeonwhetherit isactiveorarchived.Wewillshow,intheConsensussection,howtheCantonprotocol achievesthis. 2.Weneedanapplicationdevelopmentmodelthatmakesiteasytoworkwiththese restrictiveprivacycontrols.WewillshowhowtheDamlSDKachievesthis. Smart-contractlanguage Damlisamodernfunctionallanguagefeaturingastatictypesystemthatcanruleoutmany undesiredbehaviorsandcorrectnesserrorsatcompilationtime. Developersdefinethedataschema,workflowsemantics,andtransactionexecutionincontract templates.Theseareequivalenttoobject-orientedprogramminglanguageclassdefinitionsand SQLdatabaseschemas.Atemplatedefines: 1.Arguments-datathecontractstores 2.Choices-actionsthatpartiescantakeonthecontract.Choicesareequivalentto methodsinobject-orientedprogrammingclassesorstoredproceduresindatabases. 3.Authorization-signatoriesarepartieswhomustauthorizecreatingorarchivingthe contract;observersareotherpartieswhocanviewthecontract;controllersareparties whocantakespecificactionsonthecontractbyexercisingcontractchoices.Apartycan delegateitsauthoritytoanotherpartytomakeparticularchoices.Apartythatdelegates itsauthorityseeswheneveratransactionusesitsauthority. 4.Constraints-predicatesthatmustholdforeverycontractofthetemplate,denotedbythe ensure keyword. 12 Foraformaldefinitionofvalidledgers,seeDamlSDKdocumentation-ValidLedgers 11 Formoredetailsontheledgermodel,seeDamlSDKdocumentation-LedgerStructure 6 CantonNetwork:ANetworkofNetworksforSmartContractApplications Example: templateIou with issuer:Party owner:Party currency:Text amount:Decimal where ensureamount>0.0 signatoryissuer,owner choiceTransfer:ContractIdIou withnewOwner:Party controllerowner,newOwner do createthiswithowner=newOwner Bydefault,exercisingachoicearchivesthecontract.Inthecaseofthe Transfer choice above,italsocreatesanewcontractwithanewowner.Asanimprovementonbitcoin’sUTXO modelandCardano’seUTXOmodel,thedevelopercanspecifyachoiceas nonconsuming . Non-consumingchoicesdonotarchivetheUTXO,thusreducingcontention 13 . Daml’smodelofexplicitlydefiningauthorizationenablesmanualinterventionbyacontract’s stakeholderstorectifyunexpectedsituations.Templatesmakeitexplicitwhere,how,andby whominterventioncanhappenduringtheexecution,withoutrequiringaprioriknowledgeofthe exacttypeofinterventionandwithoutrelaxinganysecurityguarantees.Signatoriescanjointly agreetoarchive,upgrade,orcreatenewcontractinstancesaslongasthereisunanimous consent.Ifanyofthesignatorypartiesareconsortiums,theirconsentisgovernedbythe underlyingconsensusprotocolofthatparty/consortiumandmay,forexample,requirea⅔ supermajorityinsteadofunanimousconsent.Observersarepartiesentitledtobenotifiedof, andcanindependentlyvalidate,anysuchchangesbutwhoseauthorizationisnotrequired.All actionsoncontracts-theircreation,archival,andcallstochoices-areeventsintransaction treesandformacompleteandnon-repudiableauditlogofallchanges.Thisabilitytochange contractsposthoc,withtheappropriateauthorizations,enablesapplicationproviderstoupgrade data,processes,andoperatingprocedures,duetounforeseenevents.Forexample,todeal withregulatoryorjudicialdecisionswhichrequireretroactivechangestobusinesstransactions. Damlorganizestemplatesinmodulesandpackages.Packagescandependonotherpackages, includingacrossapplicationswhichmaybedeployedtomultiplenetworks.Thisabilityto dependonpackagesacrossapplicationsondifferentCantonsubnetsenablesanopen architecture,wherepartiescancombineworkflowswithotherpartieslikebuildingblocks. 13 Theabilitytoreferenceacontractwithoutarchivingitisusefulwhenreferencingrelativelystaticdata suchas,forexample,dailyinterestrates,ortheexistenceofatradingagreementbetweencounterparties 7 CantonNetwork:ANetworkofNetworksforSmartContractApplications Foranin-depthreviewofDaml’sdesign,seeDaml’swhitepaper 14 .ForanoverviewofDaml tooling,seehttps://docs.daml.com. Ledgermodel Damlenablespartiestoexchangevalue(intheformofsmartcontracts)inawaythatisunique amongcurrentlyavailabletechnologies.Asmartcontractupdateisnothingmorethanan authorizedandvalidatedupdatetoentriesonaledger.Thefundamentalchallengewhentrying toaccomplishthisupdatewithoutatrusted,centralintermediaryisensuringthattheledger entriesreflectingthesmartcontractsareaccurateandcanbeproventoathirdparty.Acommon approachtoaddressthischallengeistodecentralizetheledgeramongthepartiesonthe networkbyrequiringeverypartytoholdandupdateacopyoftheledgerfortheentirenetwork. Aconsensusmechanismisusedtoensureaccuratereplicationoftheledgertoallparties.But thisleadstonetworksdevoidofprivacywithhardcapsonscalability. AsdiscussedintheTransactionssection,Daml’sledgerdatamodeltakesadifferentapproach toaddresstheseprivacyandscalabilitychallenges.InDaml’sledgermodel,theledgerisnot fullyreplicatedamongtheparties;itissegmentedaccordingtoprivacyrules,andeachparty storesonlyitsview,orshard,oftheledger.Asaresult,thereisnoledgerviewcommontoall partiesinthenetwork.Instead,thereisaledgerforeachpartythatincludesonlythecontracts ofthatparty.Asaresult,insteadofoneledgerthatallofthepartiesinthenetworkmust replicate,eachpartytoatransactionupdatesitsledgertoreflectthattransaction.However,this createsaproblem:iftherecordofsmartcontractsisspreadacrossmanyledgers,eachvisible toacertainparty,thenitwouldbedifficultforanypartyonthenetworktoknowwhethertheir smartcontractisaccurate. Damlsolvesthisproblembyensuringthateachparty’sviewisasubsetofasingleglobal,virtual ledger.Inotherwords,conceptually,allpartiesofDamlledgersperceiveasingleledgerwhile eachpartyhasread-accessonlytoasubsetofthisledger’sstate.Thisgloballedgerisvirtualin thesensethatitdoesnotexistinanyonedatastore.Since,conceptually,allusersarereading fromthesameledger,allusershaveaconsistentviewofanyapplicationstatetheyshare,for example,ownershipofassets.TheCantonprotocol,describedbelow,isthemechanismthat ensuresthattheviewsofallproperlyfunctioningnodesinthenetworkareconsistentsubsetsof asinglevalid,global,virtualledger.Allofthisisdonewhileensuringthatnopartyseesorstores informationtowhichitisnotaparty.Asaresult,partiescantransferdigitalassetswiththe confidencethatthepartytransferringthedigitalassetactuallyownsthatassetwhilealsobeing certainthatnootherpartyonthenetworkwillknowofthetransferunlesssuchpartyisexplicitly permittedtodoso. Daml’sfullydecentralizedandparty-centricledgermodelenablesdecentralizationinone additionalway–ratherthanbeingstructuredasasinglenetwork,Damlenablesuserstocreate 14 AlexanderBernaueretal.,“Daml:ASmartContractLanguageforSecurelyAutomatingReal-World Multi-PartyBusinessWorkflows”(arXiv,March7,2023),https://doi.org/10.48550/arXiv.2303.03749. 8 CantonNetwork:ANetworkofNetworksforSmartContractApplications theirownsubnets.Apartycanconnecttoasingleormultiplesubnets.Andifapartyis connectedtomultiplesubnets,theCantonprotocolcansynchronizedigitalassettransactions acrossthem.Thus,theDamlLedgerModelenablesanetworkofnetworks.Thisdesign ultimatelyenablesprivacy,performance,andscalabilityinadecentralizedenvironment. Figure2:Canton’sledgermodel.Eachpartyhasitsownvalidledger,whichiskeptconsistentby theCantonprotocolwiththegloballedger.Thegloballedgerisvirtual,i.e.,itisnotstoredinits entiretybyanysingleparty.Inthisexample,theActiveContractSet(ACS)consistsofsixcontracts, buteachpartyonlyhasaccesstoasubsetof2-4contracts,denotedinblue. Foranin-depthreviewofDaml’sLedgerModel,seeDamlSDKdocumentation-DamlLedger Model Canton Cantonisanopen-source 15 privacy-enabledblockchainprotocol. CantonimplementsDaml’sledgermodelasdescribedabove.Cantoncurrentlysupportsthe Damllanguage,thoughitcansupportanylanguagewithasimilarhierarchicalsub-transaction privacymodel. Networktopology NodesintheCantonNetworkarecalledparticipantnodes.Auserorcompany,representedin Damlasa Party ,deploysoneormoreparticipantnodes;theseparticipantnodesactonbehalf ofthat Party .Totransportdatabetweennodesanddeterminetheorderofmessages,each 15 https://github.com/digital-asset/canton 9 CantonNetwork:ANetworkofNetworksforSmartContractApplications participantnodeconnectstooneormoreprivateorpublicCantonServiceProviders(CSP) whichoperateaCantoncomponentcalledasynchronizationdomain(“syncdomain”).Thus, connectingtosyncdomainsallowsa Party totransactwithallotherpartieswhoseparticipant nodesareconnectedtoacommonsyncdomain.AnyonecanbecomeaCSPanddeploysync domainsatwill;reasonstodeploynewsyncdomainsmayincludeincreasingthroughput, reducinglatency,requiringdatatransportonlythroughcertainjurisdictionsorcertainblockchain networks,orotheroperationalconcerns.Topromoteprivacyandnetneutrality 16 ,dataintransit oversyncdomainsisencrypted,preventingCSPsfromaccessingmessagecontents.Sync domainscanbethoughtofashighlyavailable,fault-tolerantmessagingqueuesbetween participantnodesthatsequence,timestamp,andserveencryptedmessagestoparticipant nodes.CSPscanbesingleentitiesor“virtualCSPs”inwhichaconsortiumofpartiesrunsa distributedsyncdomain 17 .Atlaunch,theCantonNetworkwillhaveatleastoneopenvirtual CSP(vCSP)thatisrunbyaconsortiumandacceptsconnectionrequestsfromanyparticipant node.ApplicationproviderscanchoosetousethisopenvCSPoranyotherCSP.Assuch, CantoncreatesameshnetworkofcomposableDamlapplicationsinwhicheachapplication maymakedifferenttradeoffsbetweentrust,accesscontrol,andoperationalcomplexity. Figure3:CantonNetworktopology.ParticipantsconnecttoeachotherviaCantonService Providers(CSPs)orconsortiumvCSPs.Partiescantransactiftheirparticipantnodesare connectedtoacommonCSPorvCSP.Nosinglenodeprocessesallnetworktransactions. Whilesinglenodeshaveprocessingandstoragelimitations,theCantonNetworkhasno intrinsicscalingbottlenecks:aparticipantnodeprocessesonlyitsdataandworkflows,which differentsyncdomainssynchronizeinparallel.Partiesconnecttoanysyncdomainsthey chooseaslongastheCSPoperatingthesyncdomainacceptsthem.Opensyncdomains 17 FormoreinformationondistributedDomains,seeProof-of-Stakeholder:Consensuswithprivacy 16 https://en.wikipedia.org/wiki/Net_neutrality 10 CantonNetwork:ANetworkofNetworksforSmartContractApplications acceptanywell-formedrequeststojoin.Cantonenablesapublicpermissionednetwork,inthat anyonecandeployaCantonsyncdomain,thusbecomingaCSP,foranyreason.Syncdomains arenotsilos:partieswhoshareoneormorecommonsyncdomainscancomposehigher-order workflows,includingatomictransactionsacrossmultipleapplications,processedviaasync domainselectedbytheapplications.Contractsignatoriesandobserverscontrolwhichsync domainwillsynchronizetheircontractsandcanchoosetoreassignwhichsyncdomain sequencesagivencontract,avoidingsyncdomainlock-inorcensorship 18 .Thediagrambelow illustratesthesequenceofeventsinvolvedinreassigningsynchronizationresponsibilityfora contractfromsyncdomain1tosyncdomain2: Figure4:Reassigningofsyncdomain-sequencediagram.Contractsignatoriescanjointlyagreeto reassigntheroleofsynchronizingacontractfromonesyncdomain(andCSP)toanother. TheCantonNetworkhasnosinglecentralizedgovernanceorpoliciesforaccessandusage; eachconstituentnodeorsubnetsetsitsownpolicies. 18 Thediagramillustratesaregulardomainreassignment.Iftheoriginsyncdomainisunresponsive,a differentprotocolisused.SeetheCantondocumentationformoredetails. 11 CantonNetwork:ANetworkofNetworksforSmartContractApplications Datapruning Cantonprovideshistory-pruningandredactioncapabilitiesforitslog.Participantandsync domainoperatorscanconfiguretheirnodestostoreorprunehistoricalcryptographicdata, allowingthemtotrade-offbetweenauditabilityandtheabilitytodeletearchivedcontractsto complywithright-to-forgetregulationssuchastheEuropeanUnion’sGeneralDataProtection Regulation 19 (GDPR).Historicaldatacanbemovedtoofflinestoragetoretainfulland immutableauditlogswhilereducingdatastoragecostsandincreasingsustainabilityof productionenvironments.Cantonnodescontinuouslyexchangecryptographiccommitmentto theirsharedstate,sopartiesremainsecureagainstattemptedrepudiationbymaliciousor malfunctioningcounterpartiesevenwhenconfiguredtoprunehistoricaldata.Thus,individual nodeoperatorsmaytradeoffmaintainingfullandimmutablehistoricauditabilityversusother operationalandregulatorycompliancerequirements 20 . Proof-of-Stakeholder:Consensuswithprivacy Canton’sprimarygoalistoprovideconsistentdataacrossparties.Inotherwords,Cantonaims toachieveconsensusamongstpartiesontheactivecontractsonwhichtheyarejoint stakeholders,andonthevalidityofthetransactionsthatledtothisstate.Thestandard approachtoconsensusisstatemachinereplication,whereallparticipantsreplicatethesame globalstate.However,replicatingtheentireglobalstateisnotacceptableforprivacyand scalabilityreasons.Instead,Canton’sproof-of-stakeholderconsensusprotocolissplitintotwo layersofconsensus.Toachieveconsistencyalongwithprivacy,thefirstconsensuslayerisa two-phasecommitprotocolthatreplicateseachcontracttothecontract’sstakeholders 21 while concurrentlyenablingeachstakeholdertovalidatethetransaction.Conceptually,thiscanbe thoughtofashavingareplicatedstatemachineforeverysubsetofparties 22 .Forthisfirstlayer tocommittransactionsconsistently,nodesmustagreeontheorderinwhichconflicting transactionrequestsareappliedtotheledger.Therefore,thesecondconsensuslayerisa sequencingprotocolthatreceivesencryptedtransactionsanddeterminesatimestamp 23 for eachtransaction.ThissequencinglayercanberunonacentralCSPor,whenconnectedtoa virtualCSP’sdistributedsyncdomain,thissequencingprotocolrunsasareplicatedstate machinesecuredbyaByzantineFaultTolerant(BFT)consensusalgorithm.Thus,thevirtual CSPdeterminesatotalorderontransactionrequestswithinasyncdomain,andtransaction processingisdeterministic. 23 Thisisavectorclock,notareal-worldclocktime 22 Intechnicalterms,everysubsetofpartiesdefinesaprojectionofthegloballedger.Anyprojectionofthe globalledgerisitselfavalidledger 21 Thisissimilartotheatomiccommitprotocolsofshardeddatabases 20 SeeCantonProtocolwhitepaper. 19 https://gdpr.eu/right-to-be-forgotten/ 12 CantonNetwork:ANetworkofNetworksforSmartContractApplications Figure5:Atomicassetswaptransaction.Theassetswapwillsucceedonlyifthesignatoriesagree tobothsub-transactions.Otherwise,theassetswapisrejectedandtheassetsarenottransferred. AliceandBobseetheentiretransaction,whileIssuers1and2areeachentitledtoviewonlyparts ofthetransaction. Letusconsidertheexampletransactionshowninthefigureabove.Beforethistransactionis appliedtotheledger,threecontractsareactive:(AssetType1)Aliceownsanassetissuedby Issuer1,(AssetType2)BobownsanassetissuedbyIssuer2,and(SwapOffer)Alicehas proposedanoffertoBobtoswaptheirassets.Byacceptingtheswapoffer,Bobwillcauseall threecontractstobearchived,andtwonewcontractswillbecreated 24 :(AssetType1)Bobwill ownanassetissuedbyIssuer1,and(AssetType2)AlicewillownanassetissuedbyIssuer2. 24 InUTXOblockchainterms,thetransactionconsumesthreeUTXOsandcreatestwoUTXOs 13 CantonNetwork:ANetworkofNetworksforSmartContractApplications Somerulesencodedinthecontractsareomittedforbrevity;forexample,assetamountsmust bepreservedthroughoutthetransaction. Inthistransaction,Bobexecutesthe“Swap”choice[1],whicharchivestheSwapOffer[2].Each choicedefineswhoseauthorityisrequiredtocallit(denotedinparenthesesinthediagram above).AlicecreatedtheoffersuchthatonlyBob’sauthorityisrequiredtoexercisethe“Swap” choice.SinceAliceisasignatorytotheSwapOffer,theSwapchoicecanuseherauthority alongsideBob’stocallthe“Transfer”choiceonbothassets[3],whichsubsequentlyarchives theseassetcontracts[4]andcreatestwonewassetcontractswiththeownersswapped[5]. Sincetheissuersweresignatoriesofthetwoassets,theirauthoritycanbeusedtocallthe “Transfer”choicesonthoseassets. Notallpartiesinvolvedinthetransactioncandetermineifitisvalid,buteverypartycan determinethatthesub-transactiontheyareallowedtoseeisvalid.Forexample,Issuer2isonly entitledtoseeassetsthatithasissuedandnotassetsissuedbyIssuer1orthebilateral SwapAgreementbetweenAliceandBob.And,Issuer1shouldonlyacceptthetransactionifitis surethatAliceauthorizedthetransfer.Toensureresilienceagainstmaliciousparticipants, Cantonachievesconsensusbyprocessingtransactionsintwosteps.First,thesubmittersends aconfirmationrequesttoeveryothersignatory,attachingonlythepartofthetransactionthe othersignatoryshouldsee,encrypted.Eachsignatorydecryptstheirsub-transaction,checks whethertherequestisvalid,andrespondswithasignedconfirmationresponse.Theirchecks ensuretwothings:First,theyensurethattheDamlauthorizationmodelisrespectedandthat thecorrectpartiesarenotifiedofthetransaction,thwartinganymaliciousbehaviorbythe submitter.Second,theypreventdouble-spending.Attemptstodoublespendarenotnecessarily asignofamalicioussubmitter;theycanoccurunderconflictingconcurrentworkflows.Thesync domain’stotalorderingandDaml’sdeterminismalloweveryonetoresolveconflictsinthesame way.Thisway,thetransactionisappliedatomicallyacrossallsignatoriesorrejected;whileeach partyhasadifferentviewoftheledger,consensusismaintained. Applicationcomposability InCanton,twoormoreapplicationscancomposeandrelyonatomictransactions 25 evenifthey aresynchronizedviadifferentsyncdomains.Thus,forexample,twocentralbanksmayeach synchronizelocalcurrencytransactionsusingcountry-localCSPs,whileownersofthese currenciescanstillatomicallyswaptheminacross-Domaintransaction 26 . Globalcomposabilitycouldbeachieved,similartootherblockchains,byhavingasingleglobal Cantonsynchronizationsyncdomainthatallowsatomiccompositionofarbitraryworkflows. However,havingmultiplesyncdomainsisbeneficialformultiplereasons.Forexample, companiesandindividualsmaywantmorecontrolovertheirnetworkresources.Asingleglobal syncdomainwouldimposeahighcommunicationlatencyforsomeorallparticipants.Multiple syncdomainscanhelpincreasethroughput:requestsfromdifferentsyncdomainscanbe 26 See“MultipleDomainsandglobalcomposability”sectionintheCantonprotocolwhitepaper 25 https://en.wikipedia.org/wiki/Atomicity_(database_systems) 14 CantonNetwork:ANetworkofNetworksforSmartContractApplications processedcompletelyinparallel.Theremightalsobeoperationalconcerns;forexample,for criticalworkflows,anewsyncdomainwithrestrictedaccesscanbeused.Finally,differentsync domainoperatorsmaychargedifferentlyfortheirservices.Intheexampleabove,transactions ineachlocalcurrencywouldbeprocessedcompletelywithinthejurisdictionofthecentral bank’scountry. However,havingmultiplesyncdomainsopensupanewchallengeofhowtocompose workflowsacrosssyncdomains.InDaml,composingworkflowsspecificallymeansthat contractssynchronizedviadifferentsyncdomainscanbeusedwithinasingletransaction. Withoutsuchanability,wewouldnottrulysolvethecomposabilityproblem:thiswouldcreate multiplesiloednetworkswithasinglesyncdomaineach,insteadofmultiplesubnetsofasingle interoperablenetwork. Cantonguaranteestheatomicityofcross-subnettransactions.Sincedifferentsyncdomains havenocommonnotionoforderingbetweenthedifferentsub-transactionsthateachsync domainprocesses,reconcilingatomicitywithresiliencecanbecomeimpossible.Toovercome this,Cantonallowscross-subnettransactionsonlywheneverthereexistsatleastonesync domaintowhichalltransactionparticipantsareconnected.Contractchangesrequiredbythe cross-subnettransactionaresynchronizedviathiscommonsyncdomain.Furthermore,Canton makesitpossibletochangewhichsyncdomainprovidesthesynchronizationservicefora contract.Thissynchronizationreassignmentmarksadifferentsyncdomainasthenewauthority fororderingactionsonthegivencontract. Figure6:Examplenetworktopology.Participantsconnectedtomorethanonesyncdomaincan composeatomiccross-subnettransactions,enablingParticipantstobuildtransactionalworkflows acrossmultipleapplicationsandnetworks. Foranin-depthreviewoftheCantonprotocol’sdesign,seetheCantonProtocolWhitePaper. 15 CantonNetwork:ANetworkofNetworksforSmartContractApplications CantonNetwork TheCantonNetworkisthenetworkofnetworksspannedbyallsyncdomainsandtheir connectedparticipantnodes.Itisaglobalsystemofinterconnectedparticipantnodes,sync domainnodesandtheprivate,semi-private,andpublicsmart-contractapplicationsdeployedto thesenodes. CantonNetworkusersactinthreemainroles: 1.ApplicationProviders-applicationprovidersbuildandmaintainsmart-contract applications.Theyoperateoneormultipleparticipantnodes,applicationbackend infrastructure,andfrontendwebinterfacesforthoseapplications.Applicationproviders optionallyactasCSPsfortheirapplicationsortheycanusetheserviceofotherCSPs. 2.ApplicationUsers-mostusersinteractwithapplicationsviaapplicationprogrammable interfaces(APIs)andwebuserinterfaces(UIs).Usersmusthaveaparticipantnodeand canchoosetooperatetheirownparticipantnodesorusehostednodesmanagedby others 27 . 3.CantonServiceProviders(CSPs)-infrastructureproviders,whoaretypicallyalso applicationproviders,connectparticipantnodesbyoperatingaCantonsyncdomain. TheCantonNetworkconsistsofmultiplesubnets.ACantonsubnetisanyoneormore participantnodesthatcantransactwithotherparticipantnodesviaoneormoresyncdomain nodes. Thenetworkwillbecomepubliclyavailablewiththelaunchofapublicsyncdomainoperatedby avCSPthatwillacceptallincomingconnectionrequestsfromparticipantnodes.Agroupof independentcompaniescalledtheSuperValidatorCollective(SVC)willrunthispublicsync domain. TheSVCwillchargeafeefornetworkbandwidthconsumption.Feesarefixedperunitof bandwidthanddenominatedinUnitedStatesdollars;thus,networkusershavepredictable networkusagecosts.TheSVCmayrevisethesefeesoccasionally.UseoftheSVCpublicsync domainisoptional;anynetworkparticipantmaychoosetolaunchadditionalpublicorprivate syncdomainswithdifferentpaymentmechanismsandfeestructures. 27 UserscanruntheirownparticipantnodeswhileinteractingwithapplicationsviauntrustedUIsserved byapplicationoperators.Participantnodesincludeanapplicationpermissionsmanager,whichallowsthe usertograntlimitedpermissionstoapplicationproviderstocallsmartcontractchoicesontheuser’s behalf.Thus,Cantonenablesdistributingcontroloverdataandassetstousers’nodeswithoutrequiring applicationproviderstodistributeallinfrastructure. 16 CantonNetwork:ANetworkofNetworksforSmartContractApplications Conclusion Inthispaper,weintroducedtheCantonNetwork,anovelsmart-contractnetworkofnetworks. Westartedfromtheconstraintsofexistingpublicblockchains,namelythelackofprivacyand scalinglimitationsintroducedbythegloballyreplicatedstate,anddemonstratedhowCanton createsaglobalnetworkwithouttheselimitations.Wefurtherdiscussedtheupcomingopening oftheCantonNetworktopublicusewiththelaunchofavirtualCantonServiceProvider(vCSP) operatedbyaSuperValidatorCollective(SVC).PermissionedCantonnetworkscurrentlyin productionwillbesubnetsofthepublicCantonNetwork,makingtheCantonNetworkthefirst publicpermissionedblockchainforinstitutionalassets. 17