Skip to main content

Privacy groups

Tessera supports operations related to Hyperledger Besu privacy groups (versions earlier than 25.1.0) and resident groups for GoQuorum multiple private states (MPS), such as managing privacy group data and handling transactions intended for a privacy group.

Behavior may differ depending on which mode Tessera is running on.

The types of privacy group are:

A unique privacyGroupId is used to identify individual privacy groups. For private transactions sent to a privacy group, the corresponding privacyGroupId is stored alongside the transaction.

note

Once created, you can't change the members of a privacy group. To add or remove members, you must create a new privacy group.

The following is an example of a privacy group and its related data:

{
"privacyGroupId": "jufzisK63xbXDciV0FW1uAi3vXFDNNJpf/M3lUhMiU0=",
"name": "groupA",
"description": "A description of this group",
"type": "PANTHEON",
"members": [
"98FhPni7u6YspDGcOLl/LgQQwwGPGY4ddm3hmogsqF8=",
"dzkrEhkHZ/IjHEaQ6teVTU/kMjiwXTI6Ooljcb56w1M="
]
}

Privacy group types

Legacy

Tessera automatically creates a legacy privacy group when a private transaction is sent to a list of recipient public keys using privateFor.

When returning private transaction data to a Besu client (as part of a /receive response), the legacy privacyGroupId is also returned.

The legacy privacyGroupId is generated by hashing the list of recipient keys. For a given set of recipients, there can be only one legacy privacy group.

note

Besu and Tessera generate the same legacy privacyGroupId from the same list of recipients.

Pantheon

Tessera supports API methods that enable the creation of pantheon privacy groups from a compatible blockchain client (for example, Besu).

Upon creation, the privacy group is distributed to all members ahead of transaction processing.

When a private transaction contains a privacyGroupId, the transaction payload is distributed to all the members of the privacy group.

The pantheon privacyGroupId is generated by hashing the list of recipient keys plus a random seed. This means that for a given set of recipients, there can be many pantheon privacy groups.

Resident

Resident privacy groups, or resident groups, are part of GoQuorum MPS and multi-tenancy. A resident group contains a list of member keys that are locally managed, and those members share the same private state.

Configure resident groups to use multi-tenancy.

Key differences between a resident group and other types of privacy group include:

  • A resident group can only contain local keys, not remote keys.
  • The name of the resident group is the group identifier.
  • Resident groups can be configured in the Tessera configuration file.

API versioning

A node running a version of Tessera that doesn't support privacy groups can't understand requests containing privacyGroupId. This can cause inconsistent persisting of data on different nodes.

In API version 3.0, Tessera includes the privacy group in the encoded payload in /push to only those recipients supporting a correct version, otherwise the transaction fails with PrivacyGroupNotSupportedException.

Privacy group APIs

Privacy group compatible blockchain clients (for example, Besu) can be used to create, delete, find, and retrieve privacy groups. Tessera's Q2T API adds support for these operations.