The Canton Network: A Technical Primer

The aims of this article are two-fold. First, it’s to provide a not-too-technical overview of the Canton Network that can be understood by more business-focused readers. Second, it’s to give more technical readers a foundational understanding of Canton Network’s components, so that they have the necessary context for deeper dive discussions, for example around consensus, transaction handling and double spend protection.

You may have heard or read about “Canton Network”, “Global Synchronizer”, “Validators”, “Supervalidators”, “Global Synchronizer Foundation”, and “Canton Coin”. But what exactly are these, who runs them and how are they interrelated? How does Canton Network deliver the configurable privacy that is trusted by the world’s largest financial institutions and largest institutional crypto players? These are some of the questions this article will address.

The history - private Canton deployments

Let’s start with a history of the Canton Network. Although the vision was always for a public network with privacy, the Canton blockchain protocol first proved its value in private permissioned deployments. Understanding how these first Canton deployments looked is key to understanding the public network today, since such private deployments are now subnetworks that form part of the broader Canton Network. More on that later. For now, put aside thoughts of a public network and we’ll take a look at a private Canton deployment. In such a deployment, there are two significant components: validator nodes (often just referred to as validators) and a single Canton synchronizer. Each validator connects to the synchronizer, and a deployment looks as follows:

What do these components do?

• Validators are where the smart contract logic (written in the Daml smart contract language) and smart contract data lives. Validators expose an API which is the means by which users interact with the smart contracts.
• If one entity is providing an application, that entity, the operator (OP), also runs a validator. There is nothing special or different about their validator.
• The Canton synchronizer provides a routing and ordering service for messages passing between the validators. As its name suggests, it keeps the validators “in sync” by coordinating transactions across validators - but it is not responsible for validating transactions itself.

Filling in a little more detail:

• Unlike any other chain, the consensus mechanism Canton employs is “proof-of-stakeholder”. In each transaction, only the validators involved in the transaction (i.e. the stakeholders to that leg or part of a transaction) are able to, and are responsible for, validating it.
• Privacy is highly configurable at the smart contract level and then implemented faithfully by the protocol: 
  • Canton isn’t an “everyone gets a copy of everything” model. Instead, validators only get a copy of the data that is relevant to the users of that validator and nothing else. 
  • In this instance too, access and permissioning is controlled by the app operator
• Because each organization participating in transactions runs their own validator, a distributed ledger is created.
• The synchronizer doesn’t see any of the data passing between the validators. It just routes and orders encrypted packages, which it is not able to decrypt. It is a bit like a post office dealing with sealed envelopes which it cannot open.

Connecting independent deployments while preserving privacy

Having independent blockchain deployments is great for privacy, sovereignty and control, but alone, independent islands that cannot connect at the Layer 1, cannot deliver on the promise of blockchain - the opportunity to create a single source of truth, eliminate reconciliation, and perform atomic transactions across multiple applications.

Let’s illustrate the problem with an example. Say we had three private Canton deployments, each provided by different organizations:

• Asset tokenization:
  For example an app that allows organizations with connected validators to mint, transfer and exchange tokens representing real-world assets.
• Cash registry:
  allows organizations with connected validators to exchange tokenized cash, for example stablecoins, CBDC or bank deposit tokens.
• Trading facility:
  such as an exchange or OTC platform, with an app where connected validators can agree trades.

What we want is for a buyer and a seller to agree a trade and then for that trade to settle atomically, i.e. for a DvP where asset and cash tokens are exchanged and the trade record updated in one transaction.

The setup would look something like this:

Here the providers of each service are operating their own Canton deployment. They each operate a validator (shown as “OP” in the diagram) and a synchronizer. They allow other validators to connect. Our buyer and seller have connected to all three synchronizers so they can use all three services.

When the DvP occurs, whose smart contracts need to be updated? Well, the buyer’s and the seller’s, but also the three operators. The asset and cash provider need to be updated because they perform a registrar role. The trading app provider keeps track of all trades and needs to know that the trade is now settled.

But we have a problem. Our transaction needs to be coordinated through a synchronizer, but there is no one synchronizer that all five validators are connected to. So what are they going to do?

This is where it gets interesting. Because synchronizers are not responsible for signing transactions, or validation themselves, it means that applications and validators can dynamically choose different synchronizers, depending on the trust requirements of any given transaction and who is participating.

Our five validators have three options:

1. They could all agree to use one of the existing synchronizers and connect to that. They would need to trust the operator of that synchronizer.
2. They could create a new decentralized synchronizer and run it as a consortium.
3. Or they could make use of the Global Synchronizer, a highly resilient ‘trustless’ decentralized service that any validators can use to coordinate their transactions.

Adding in the Global Synchronizer, our diagram now looks as follows:

Now our buyer and seller can interact with the private synchronizers when interacting solely with their asset tokens and cash, and when agreeing the trade. But when it comes to the DvP they can switch to the Global Synchronizer and settle the trade. Privacy is preserved because no synchronizer (including the Global Synchronizer) gets to see the data - it just routes and orders encrypted messages.

At this point it is good to address four common questions:

1. Who operates the Global Synchronizer?
   The Global Synchronizer is operated as a fully decentralized service by supervalidators. These are known organizations, including household names in financial services and fintech (see sync.global).
   
   
2. Who governs the Global Synchronizer?
   The Global Synchronizer Foundation (GSF), with governance facilitated by the Linux Foundation. The Foundation’s website lists the current members. The GSF also runs a supervalidator to represent the interests of its members.
   
   
3. How do validators pay to use the Global Synchronizer?
   Like most public networks, the Global Synchronizer charges a fee for its use. However, unlike most others, the fee is fixed at a certain amount of USD per Mb of traffic. This transparent pricing allows users to predict and manage costs. Although fees are quoted in USD they are paid using the network’s native utility coin: Canton Coin. The details of the tokenomics are beyond the scope of this article (see the The Tie’s good overview, but some salient points are:
    
   • Every Canton Coin in circulation was earned by participants providing utility to the network. There was no pre-sale, ICO, team reward scheme or similar.
   • Application providers and validators can earn Canton Coin, as well as infrastructure providers.
   • There is a mechanism by which you can use the Global Synchronizer without holding or interacting with Canton Coin, if such activity is problematic for your organization.
   • The tokenomics is based on a model that includes a “mint-burn equilibrium” mechanism, which aligns activity on the network to Canton Coin’s USD on-chain conversion rate. The mechanism aims to reduce volatility in the USD-Canton Coin conversion rate, and in the long run to align this conversion rate with the utility value of the network.
4. Is anything else needed to connect to the Global Synchronizer?
   

   The easiest way to connect is via a validator node, as described above. This includes the Validator app, which manages Canton Coin to pay network usage fees and earn and mint rewards. Today validator requests are managed through the GSF and over time this will evolve into permissionless access for new entrants.

   We’re now in a position to define what we mean by the Canton Network, which is simply the collection of all Canton deployments which have the ability to interoperate through shared synchronizers - be that the Global Synchronizer or any other synchronizer.

Start Simple

Many new applications today use the Global Synchronizer to start with, without the need for private synchronizers. Digital Asset’s modular asset tokenization suite (Unifi) works in this way, enabling a simple and fast way to bring highly composable tokenization applications to Canton Network.

Taking this approach brings benefits of running less infrastructure, having pre-existing users connected to the same synchronizer, and being able to earn Canton Coin. It is an approach taken by many participants as a first step, as it enables participation in the Canton Network through the deployment of a validator, and then the ability to deliver fee generating applications - for example it is possible to very quickly bring tokenized asset natively to Canton or get a complete tokenization platform up and running for your customers fast.

Summary

The Canton Network should be thought about as a network of networks, with true atomic and privacy-preserving interoperability within and across its subnets. Each application uses  synchronizer(s) to which one or more validator nodes are connected, and applications and validator nodes can use multiple synchronizers without trading off privacy, control or interoperability.

The Global Synchronizer is a publicly available synchronizer which validators use to compose atomic transactions across multiple applications. Validators can also connect to the Global Synchronizer without connecting to any other synchronizers to bring utility to the network and start earning rewards, and then start to make use of available applications and utilities to either participate in assets and apps, or to get applications up and running very quickly.

If you would like to talk about running a validator, a super-validator, or joining the Global Synchronizer Foundation, complete the form, or reach out to a member of the ecosystem.