The Shielding Vision Part 3: From Partial Shielding to Full Transactional Privacy
To make sense of where Concordium stands and where it needs to go, it helps to introduce a three-level privacy framework that, as far as can be determined, has not been articulated elsewhere in quite this way. It is almost self-evident once laid out, an inherently logical progression, yet it does not appear to have been formalized or replicated in the existing literature.
Level 1 is identity privacy, where Concordium operates today. Every account is backed by a verified real-world identity, but that identity remains private by default. It can only be revealed through the anonymity revoker and identity provider under lawful process, such as a court order. This is the foundation. It is what separates Concordium from every other Layer 1.
Level 2 is partial shielding. At this level, amounts and balances are hidden. Sender and receiver remain visible on the ledger, but what they are transacting is encrypted. Concordium shipped this capability at genesis and retired it in October 2024. Its role in the framework is that of a bridge: a meaningful and demonstrable privacy capability that moves Concordium beyond identity-only privacy while the full architecture is developed.
Level 3 is full transactional privacy. Everything is hidden: amounts, sender, receiver, and metadata. Privacy is paired with lawful selective revocation under M-of-N revoker authority that does not depend on user cooperation. This is the destination. It is where the architecture was always meant to arrive.
The progression is deliberate. Each level adds privacy and strengthens the accountability mechanism. Level 1 proves that identity can be private yet revocable. Level 2 demonstrates that amounts and balances can be hidden with acceptable compliance. Level 3 establishes that full transactional privacy and full lawful accountability can coexist. Together, they form the most complete privacy-with-accountability stack in blockchain.
A note of caution is warranted. Concordium currently operates at Level 1. While the protocol's marketing positions privacy as a core differentiator, competitors like Zcash already deliver Level 2 and Level 3 privacy. Without advancement beyond Level 1, this positioning becomes increasingly difficult to defend.
Concordium shipped shielded transfers at genesis. The mechanism encrypted transaction amounts using ElGamal encryption, with Bulletproof range proofs validating that transfers were legitimate. The entire system operated at the protocol level as native transaction types, with zero smart contract involvement. This was production-grade privacy, implemented by a world-class cryptography team.
But what shipped was partial. Only amounts and balances were hidden. Sender and receiver addresses remained visible on the ledger. While the original White Paper design contemplated full end-to-end privacy, including hidden parties, the vision proved larger than the initial implementation.
The key technical insight is that hiding amounts and hiding transacting parties are fundamentally different problems. Hiding amounts is achievable with per-account encryption, where each account encrypts its own balance and zero-knowledge proofs verify that transfers are valid without revealing the amounts. This is what the original shielding implementation did.
Hiding sender and receiver is a harder problem. If a transaction updates Account A's encrypted balance, subtracting a given amount, and Account B's encrypted balance, adding the same amount, an observer can still see that A transacted with B, even if the amount itself is hidden. The transaction graph remains visible. To break this link, the architecture must move from per-account encrypted balances to a shared cryptographic commitment pool.
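The distinction in the two paragraphs above, as an added example that is not Concordium's code: per-account balances are kept under additively homomorphic (exponential) ElGamal, so the ledger never holds an amount in the clear, yet every entry still names both accounts. The group parameters, function names and account labels are constructed for illustration, the toy group is not secure, and the range proofs a real protocol requires are omitted.

```python
import secrets

# Toy parameters (constructed, NOT secure): safe prime P = 2*Q + 1,
# G generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4

def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def encrypt(pk, amount):
    """Exponential ElGamal: (g^r, g^amount * pk^r). Negative amounts wrap mod Q."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), pow(G, amount % Q, P) * pow(pk, r, P) % P

def add(c, d):
    """Homomorphic addition of plaintexts: componentwise product."""
    return c[0] * d[0] % P, c[1] * d[1] % P

def decrypt(sk, c, max_amount=500):
    gm = c[1] * pow(c[0], Q - sk, P) % P   # c2 / c1^sk (c1 has order Q)
    for m in range(max_amount + 1):        # small brute-force discrete log
        if pow(G, m, P) == gm:
            return m
    raise ValueError("amount outside searchable range")

def shielded_transfer(ledger, balances, pks, sender, receiver, amount):
    """Update both encrypted balances and record what the chain would store."""
    # A real protocol also attaches zero-knowledge proofs that the debit and
    # credit match and that no balance goes negative; omitted here.
    debit, credit = encrypt(pks[sender], -amount), encrypt(pks[receiver], amount)
    balances[sender] = add(balances[sender], debit)
    balances[receiver] = add(balances[receiver], credit)
    ledger.append({"from": sender, "to": receiver, "debit": debit, "credit": credit})

def demo():
    """Return (transaction graph an observer sees, balances the owners decrypt)."""
    sks, pks = {}, {}
    for name in ("A", "B", "C"):
        sks[name], pks[name] = keygen()
    balances = {n: encrypt(pks[n], 100) for n in pks}
    ledger = []
    shielded_transfer(ledger, balances, pks, "A", "B", 20)
    shielded_transfer(ledger, balances, pks, "B", "C", 5)
    graph = [(e["from"], e["to"]) for e in ledger]   # visible without any key
    opened = {n: decrypt(sks[n], balances[n]) for n in sks}
    return graph, opened
```

The observer reconstructs the full A to B to C graph from the ledger alone, while only the key holders recover the balances.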
In such a pool, deposits are recorded as cryptographic commitments that enter a shared set, making them indistinguishable from those of all other participants. Spending proves, via zero-knowledge proof, that the spender owns a valid commitment, without revealing which one. All an on-chain observer sees is that one commitment was consumed and new commitments were created. The observer cannot link them to specific accounts.
This is the only known cryptographic approach that truly breaks the connection between transacting parties on a public ledger. Every chain that has achieved sender and receiver privacy, Zcash most prominently, has over time arrived at this architecture. Completing Concordium's original vision inevitably requires building a commitment-based privacy pool. This is not reinventing the wheel. It is finishing what was started, using the only cryptographic approach that can deliver what the founders originally conceived.
From the user's perspective, total transactional privacy is straightforward. The wallet shows two balances: a public balance and a private balance, exactly as it did when partial shielding was live. Moving funds into the private balance is a single action. Sending privately to another Concordium account works like any normal transfer: enter the recipient's address and the amount. The difference is invisible to the user but fundamental to the cryptography: the transaction is routed through the commitment pool, breaking the link between sender and receiver. Receiving private funds is equally simple. They arrive in the recipient's private balance. If the recipient has never used the private balance before, one is created automatically on first receipt. Exiting is the reverse: move funds from private back to public. This is visible on-chain, but the activity that occurred while funds were private remains hidden.
Inside the pool, transactions are encrypted to both the participants, via viewing keys, and to designated revoker authorities. Under court order, an M-of-N set of institutional revokers can decrypt the targeted wallet's activity within the pool. Only the targeted wallet is exposed. All other participants remain protected.
This is a structural improvement over the accountability model of partial shielding. With partial shielding, amount data was accessible either through identity revocation followed by legal compulsion of the identified individual, the routine path, or through identity revocation followed by M-of-N key recovery by anonymity revokers acting in concert with the identity provider, the heavier path. The pool's revocation mechanism is fully cryptographic: the protocol itself enables targeted disclosure without relying on the cooperation or even the existence of the individual.
The implication is structural. Without a commitment-based pool, Concordium cannot deliver Level 3. Without Level 3, its privacy-with-accountability proposition remains anchored to identity alone while competitors demonstrate transaction-level confidentiality. The question facing Concordium is therefore architectural, and the following installments in this series examine the competitive, regulatory, and strategic dimensions of that question.