Corda Top Ten Facts #9: Unrivalled privacy
Myth: Corda’s privacy story relies on proprietary hardware technology
When we first whiteboarded the concept that became Corda, we were obsessed by privacy. We were driven by the almost visceral, intuitive belief that “if I do a deal with Bob then there needs to be a very good reason for Charlie and Dave also to hear about it.”
We knew we needed a system that allowed parties to shared ‘facts’ — deals, trades, contracts — to form and maintain consensus about them… to achieve the “What You See Is What I See — WYSIWIS” promise of blockchain… and we knew that to get adoption in the real world we couldn’t just promiscuously spray this information at everybody on the network.
So we made some design decisions that proved to be fateful — and decisive. From day one, we went with a data-centric design (modelled on and generalised from Bitcoin, and sometimes known as a UTXO model as a result) rather than a compute-centric design as used by Ethereum.
This may seem abstruse but it was critical. By making data — contracts, agreements, health records, etc — primary we brought the question of data distribution to the heart of the programming model: “who should have this data?” “when?” “under which circumstances?” “who should verify or sign off on changes to this data?” “what evidence must they be furnished to determine whether a proposed update is valid?”.
And by making these questions central we realised we needed something called the “flow framework”… a unique feature that takes care of moving data around the network just-in-time, on-demand, on a point-to-point basis.
This is why there is no global broadcast in Corda. It’s why it doesn’t need add-ons like ‘channels’ or ‘side databases’: Corda was designed from the start only to send data where it is needed.
However… we also knew that this is not enough. Look back a couple of paragraphs. That last sentence — “what evidence must be furnished” — is key. The whole point of a blockchain system is to ensure that parties to shared facts know for sure that they see the same thing, even when they don’t fully trust each other or anybody else.
So you can’t take stuff on trust… you need to be given evidence.
And sometimes that evidence is in the form of provenance: who issued this asset? Has it been correctly conveyed on its way to me?
And this necessarily results in you learning some information about the asset’s history.
And we were not satisfied by this.
So we planned up-front for multiple things. From a software perspective, we planned for confidential identities and chain snipping. From an architecture perspective, we designed our verification logic to be in the form of pure functions so they can be automatically converted to zero knowledge proofs when the technology fully matures.
Indeed, we already have implementations of range-proofs and other ZKP examples already done and third parties have working solutions. And we also planned to take advantage of hardware privacy-enhancing technologies such as Intel SGX, work we are well-advanced on.
Net-net: Corda’s out-of-the-box privacy is industry leading, we support zero knowledge proofs and SGX will be here next year!