Works best when
- Multiple financial institutions each operate their own permissioned ledger but require atomic cross-ledger settlement.
- Regulatory constraints prevent moving all participants onto a single shared chain.
Avoid when
- Use cases require fully open participation on public blockchains.
- Applications depend on composability with EVM or ZK ecosystems.
Post-quantum exposure
Risk · medium
- Vector: Sync protocols rely on classical signatures (ECDSA, EdDSA) for cross-domain attestations. Harvest-now-decrypt-later (HNDL) risk applies to encrypted cross-domain payloads that are stored long-term.
- Mitigation: Migrate cross-domain signing to hash-based or lattice-based schemes; encrypt long-lived payloads with hybrid PQ-secure transport.
Visibility
| Actor | Sees |
|---|---|
| Counterparty | |
| Chain | — |
| Regulator | |
| Public | — |
Components
- Permissioned ledger domains, each with its own consensus, identity set, and privacy boundary.
- Synchronization protocol that coordinates commits across domains (two-phase or view-based atomic commit).
- Smart contract language with explicit participant visibility controls, so contract state is replicated only to actual stakeholders.
- Governance model for validator or participant node admission, rotation, and exit.
- Selective disclosure mechanism for supervisors and auditors to access relevant state without full replication.
Protocol
- operator: Deploy applications or contracts on separate permissioned ledgers, one domain per participant group.
- contract: Each ledger operates its own local consensus and privacy domain independently.
- operator: A synchronization protocol links ledgers for cross-domain transactions, typically via relayers or a coordinator committee.
- user: Parties agree off-chain on transaction terms (e.g., bond delivery versus cash payment).
- contract: Each domain validates locally, then exchanges commitments or proofs with the counterparty domain.
- contract: The sync protocol ensures atomic commit: either all domains finalize or all abort.
- regulator: Supervisors access relevant state via scoped disclosure keys or attestations.
Guarantees & threat model
Guarantees:
- Atomicity: cross-ledger operations settle consistently or abort.
- Counterparty privacy: only transacting parties see payload state; other domains observe only commitment envelopes.
- Regulatory audit: scoped access for supervisory entities via dedicated disclosure paths.
Threat model:
- Honesty of the sync coordinator or relayer set. A malicious coordinator can stall commits but cannot unilaterally fabricate state.
- Each domain's local consensus. A compromised domain can produce inconsistent views to counterparties.
- Operator control over admission. Each ledger operator retains the ability to deny access, freeze assets, or refuse to process transactions within its domain.
- Cross-chain atomicity under partition is out of scope for simple two-phase commit; stronger protocols are needed when domains lose connectivity mid-commit.
Trade-offs
- Performance: synchronization adds latency versus single-ledger settlement, particularly under two-phase commit.
- Complexity: requires harmonization of governance, participant identity, and protocol versions across domains.
- Interoperability limits: not natively composable with public-chain DeFi or Ethereum L2 tooling.
- Failure modes: a stalled domain halts atomic settlement for any transaction touching it; timeouts and rollback paths must be specified.
- Operator censorship: each ledger operator controls participation within its domain; decentralized validator admission mitigates but does not eliminate this.
Example
- Bank A issues a bond on Ledger X (its domain).
- Investor B holds cash tokens on Ledger Y (its domain).
- Both ledgers participate in a shared synchronization protocol.
- Transaction: Investor B buys 10m euro of bonds, payment versus delivery.
- Ledger X transfers bond tokens and Ledger Y transfers cash tokens under a single atomic commit.
- Supervisors access the audit trail via scoped disclosure on both domains.
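The Protocol steps and the bond-versus-cash example above, as an added sketch that is not code from this pattern or from any ledger product: a two-phase commit in which each domain validates and locks locally, votes with a hash commitment to the agreed terms, and the coordinator either finalizes both legs or rolls both back. The `Domain` class, `settle_dvp`, the party names and the bond quantity are hypothetical; a missing vote stands in for a timeout.

```python
import hashlib, json

# Constructed sample terms; the bond quantity and party names are assumptions.
TERMS = {"seller": "BankA", "buyer": "InvestorB", "bonds": 100, "cash": 10_000_000}

def commitment(terms):
    """Commitment envelope: hash of the off-chain terms, so payloads stay private."""
    return hashlib.sha256(json.dumps(terms, sort_keys=True).encode()).hexdigest()

class Domain:
    """Hypothetical model of one permissioned ledger domain."""
    def __init__(self, name, balances, online=True):
        self.name, self.balances, self.online = name, dict(balances), online
        self.locked = {}  # tx_id -> (owner, recipient, amount, commitment)

    def prepare(self, tx_id, owner, recipient, amount, commit):
        """Phase 1: validate locally, lock the asset, vote with the commitment."""
        if not self.online or self.balances.get(owner, 0) < amount:
            return None  # no vote: stalled domain (timeout) or failed validation
        self.balances[owner] -= amount
        self.locked[tx_id] = (owner, recipient, amount, commit)
        return commit

    def commit(self, tx_id, peer_vote):
        """Phase 2: finalize only if the peer domain voted on the same terms."""
        owner, recipient, amount, commit = self.locked[tx_id]
        if peer_vote != commit:
            raise ValueError("commitment mismatch")
        del self.locked[tx_id]
        self.balances[recipient] = self.balances.get(recipient, 0) + amount

    def abort(self, tx_id):
        """Rollback path: release any lock back to its owner."""
        if tx_id in self.locked:
            owner, _, amount, _ = self.locked.pop(tx_id)
            self.balances[owner] += amount

def settle_dvp(tx_id, terms, ledger_x, ledger_y):
    """Coordinator: both domains finalize or both abort."""
    c = commitment(terms)
    vx = ledger_x.prepare(tx_id, terms["seller"], terms["buyer"], terms["bonds"], c)
    vy = ledger_y.prepare(tx_id, terms["buyer"], terms["seller"], terms["cash"], c)
    if vx is None or vy is None or vx != vy:
        ledger_x.abort(tx_id)
        ledger_y.abort(tx_id)
        return "aborted"
    ledger_x.commit(tx_id, vy)
    ledger_y.commit(tx_id, vx)
    return "committed"
```

The sketch only handles failures during the prepare phase; a domain that drops out between the two phases is the partition case the threat model lists as out of scope for simple two-phase commit.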