Skip to main content

Privacy-First Architecture

How Integra enables contract automation through public proof of private information, preserving privacy while enabling global coordination.

The Foundational Problem

Why Integra Exists

Integra was created to solve a fundamental privacy paradox in contract automation:

Two parties need to collaborate on a contract
  |
Content contains sensitive information (PII, terms, financials)
  |
Cloud SaaS platforms require uploading to shared space
  |
BLOCKED: Privacy and security policies prohibit sharing raw content
  |
Result: Manual processes, no automation possible

Real-world scenarios:

  • Healthcare providers cannot share patient records in collaboration tools
  • Law firms cannot upload privileged documents to cloud platforms
  • Financial institutions cannot share transaction details in shared systems
  • Government agencies cannot share classified content in third-party services

The Foundational Insight

Parties do not need to share the content --- they need to share a reference to the content.

Instead of:

Upload content to shared cloud -> Privacy breach

Use:

Register content hash on blockchain -> Shared immutable identifier
Each party keeps content locally -> Privacy preserved
Coordinate using blockchain identifier -> Automation enabled

The Core Philosophy: Public Proof of Private Information

Integra's entire architecture follows this pattern:

Private Information     -> Cryptographic Proof    -> Public Blockchain

Record content          -> Content hash           -> integraHash (on-chain)
User identity           -> Attestation            -> EAS attestation (on-chain)
Payment details         -> Encrypted payload      -> Payment signal (on-chain)

What is public: Proofs, hashes, encrypted references. What is private: Actual content, identities, payment details. What is enabled: Coordination, automation, verification.

Privacy Layers in Integra

Layer 1: Content Privacy

Content Hash (Content Proof)

// Private: Actual content
const content = readFile("purchase-agreement.pdf");
const contentBytes = content.bytes;

// Public: Cryptographic proof
const contentHash = keccak256(contentBytes);
// = 0xabc123... (proves content without revealing it)

// On-chain: Just the hash
integraExistenceV1.registerHash(
    contentHash  // Hash only, not content
);

What this achieves:

  • Proves the record exists and has specific content
  • Parties can verify they have the same content (compare hashes)
  • Cannot reverse-engineer content from hash
  • No sensitive data on the public blockchain

Encrypted Reference Field

// Private: Content location
const ipfsCID = "QmYwAPJzv5CZsnA..."; // Private IPFS
const encryptionKey = keccak256(sharedSecret);
const encryptedReference = encrypt(ipfsCID, encryptionKey);

// On-chain: Encrypted reference
integraRecordV1.registerRecord(
    contentHash,
    encryptedReference,  // Encrypted, not plaintext
    ...
);

What this achieves:

  • Content location stored on-chain (for authorized parties)
  • Encrypted (only parties with the key can access)
  • Prevents on-chain correlation (cannot link records)
  • Enables content retrieval without exposing location publicly

Randomized Record Identifier (integraHash)

// Not just a hash of content!
integraHash = keccak256(abi.encodePacked(
    contentHash,
    referenceHash,
    msg.sender,
    block.timestamp  // Randomness from timing
));

Why randomness matters:

Without randomness:
  - Same content -> same integraHash
  - Can correlate across registrations
  - Privacy leak

With randomness:
  - Same content -> different integraHash each time
  - Cannot correlate registrations
  - Privacy preserved

Layer 2: Identity Privacy

Ephemeral Wallets Per Record

Concept: Use a new wallet address for each record.

// User's primary wallet (known identity)
const primaryWallet = "0x123...";

// Generate ephemeral wallet for each record
const ephemeral1 = deriveEphemeralWallet(primaryWallet, recordIndex: 1);
const ephemeral2 = deriveEphemeralWallet(primaryWallet, recordIndex: 2);
const ephemeral3 = deriveEphemeralWallet(primaryWallet, recordIndex: 3);

// Use ephemeral for record operations
await integraRecordV1.registerRecord(..., { from: ephemeral1 });
await tokenizer.claimToken(..., { from: ephemeral2 });

Privacy achieved:

On-chain view:
  - Address 0xAAA... registered record
  - Address 0xBBB... claimed token
  - Address 0xCCC... received payment
  No visible link between addresses
  Cannot determine these are the same person
  Cannot build complete profile of user's activities

Off-chain (user chooses to prove):
  - All three addresses belong to Alice
  - Alice has 3 contracts
  - Selective disclosure when needed

Deterministic Ephemeral Wallets

For private correlation:

// Derive ephemeral wallet deterministically
function deriveEphemeralWallet(primaryWallet, recordIndex, secret) {
    const derivationPath = keccak256(
        abi.encode(primaryWallet, recordIndex, secret)
    );
    return ethereumWallet.fromPrivateKey(derivationPath);
}

// User can:
//   Regenerate same ephemeral for record access
//   Prove ownership of ephemeral (via signature)
//   Maintain private correlation (only user knows link)

// Public observers:
//   Cannot link ephemerals to primary
//   Cannot correlate user's activities
//   Cannot build comprehensive profile

Layer 3: Attestation Privacy (Off-Chain Identity, On-Chain Proof)

The EAS Pattern

// Private: User identity and capabilities
{
    userName: "Alice Johnson",
    email: "alice@example.com",
    capabilities: ["CLAIM", "TRANSFER"],
    recordId: "contract-123",
    role: "Buyer"
}

// Public: Cryptographic attestation
EAS Attestation:
  - schema: 0xSCHEMA...
  - recipient: 0xAAA... (ephemeral)
  - data: abi.encode(capabilityBitmask, integraHash)
  - issuer: 0xISSUER...

What is on-chain:

  • Attestation UID
  • Recipient address (ephemeral)
  • Capability bits (encoded)
  • Schema reference
  • Issuer address

What is NOT on-chain:

  • User's real name
  • User's email
  • User's primary wallet
  • Record contents
  • Specific role details

Attestation-Based Authorization

function claimToken(
    bytes32 integraHash,
    uint256 tokenId,
    bytes32 attestationUID  // Just a reference
) external {
    // Validates attestation exists and grants capability
    // Never reveals who issued it or why
    // Just proves: msg.sender is authorized
}

Layer 4: Payment Privacy

Encrypted Payment Signals

// Private: Payment details
{
    amount: "$2,500.00",
    dueDate: "2025-12-01",
    paymentMethod: "Wire to account #12345",
    memo: "Rent for December"
}

// Encrypt for requestor and payer
const encryptedForRequestor = encrypt(details, requestorPublicKey);
const encryptedForPayer = encrypt(details, payerPublicKey);

// Public: Payment signal on-chain
integraSignal.sendPaymentRequest(
    integraHash,
    requestorTokenId,
    payerTokenId,
    payerAddress,
    encryptedForPayer,      // Encrypted payload
    encryptedForRequestor,  // Encrypted payload
    attestationUID,
    invoiceRef,             // Reference hash
    displayAmount,          // Approximate (for UX)
    currency,
    processHash,
    timeoutDays
);

Privacy achieved:

On-chain:
  Payment request exists
  Links to record (integraHash)
  Links to payer/requestor tokens
  Amount hidden (encrypted)
  Payment instructions hidden (encrypted)
  Account details hidden (encrypted)

Off-chain:
  Requestor decrypts with their key
  Payer decrypts with their key
  No one else can read payment details

The Record-Centric Privacy Model

Records as Privacy Boundaries

Each record creates an isolated privacy context:

Record A (integraHash: 0xAAA...):
  - Parties: Alice (ephemeral: 0xA1), Bob (ephemeral: 0xB1)
  - Content hash: 0xDOC_A
  - Reference: encrypted_ref_A

Record B (integraHash: 0xBBB...):
  - Parties: Alice (ephemeral: 0xA2), Carol (ephemeral: 0xC1)
  - Content hash: 0xDOC_B
  - Reference: encrypted_ref_B

On-chain observer cannot determine:
  - Alice participated in both contracts
  - Records are related
  - What records contain
  - Where content is stored

Zero-Knowledge Coordination

Parties coordinate using shared identifiers without revealing content:

// Alice and Bob negotiate contract off-chain
// Each has the full content privately

// Alice: "I'll register our agreement"
const contentHash = keccak256(agreementPDF);
const integraHash = await integraRecordV1.registerRecord(
    contentHash,
    encryptedIPFSReference,
    ...
);

// Alice tells Bob off-chain: "integraHash is 0xAAA..."

// Bob verifies he has the same content
const bobsHash = keccak256(hisCopyOfAgreementPDF);
const onChainHash = await integraRecordV1.getContentHash(integraHash);

if (bobsHash === onChainHash) {
    // Confirmed: Same content
    // Both can now coordinate using integraHash
    // No content shared on-chain
}

// Bob claims his token
await tokenizer.claimToken(integraHash, bobTokenId, attestation, processHash);

Privacy-Preserving Workflows

Workflow 1: Confidential Business Agreement

Scenario: Two companies create joint venture agreement
Privacy requirements:
  - Terms must remain confidential
  - Counter-party relationship must be private
  - Each company has strict data governance policies

Integra solution:
  1. Each party keeps content in their own secure storage
  2. Compute content hash independently
  3. One party registers hash on-chain (integraHash created)
  4. Both verify hashes match
  5. Use integraHash to coordinate automation
  6. Use ephemeral wallets (no public link to corporations)
  7. Payment signals encrypted
Result:
  Record coordination enabled
  No content on-chain
  No public link to corporate identities
  Full automation possible
  Audit trail via processHash
Scenario: Patient authorizes provider access to medical records
Privacy requirements:
  - HIPAA compliance (no PHI on public blockchain)
  - Patient controls access
  - Provider needs verifiable authorization

Integra solution:
  1. Patient registers consent record hash
  2. Medical record stays in patient's encrypted storage
  3. Patient creates claim attestation for provider's ephemeral
  4. Provider claims token (proves authorization)
  5. Provider uses integraHash to request content off-chain
  6. Patient's system verifies provider has token
  7. Content shared privately, peer-to-peer

On-chain:
  Consent exists (integraHash)
  Provider authorized (has token)
  No medical records
  No patient identity
  No provider identity
  No correlation between patients

Workflow 3: Real Estate Transaction

Scenario: Property sale with title company
Privacy requirements:
  - Property details private
  - Purchase price confidential
  - Buyer/seller identities protected

Integra solution:
  1. Title company registers deed hash (not deed)
  2. Reference encrypted (only parties can access)
  3. Buyer and seller use ephemeral wallets
  4. Payment signal with encrypted amount
  5. Token transfer represents ownership transfer
On-chain:
  Property deed verified (hash)
  Ownership transferred
  Property address not visible
  Purchase price not visible
  Real identities not linked
  Cannot correlate to other properties

The "Shared Immutable Identifier" Pattern

Traditional Collaboration (Privacy Problem)

Option 1: Cloud collaboration (Dropbox, Google Drive)
  - Upload content to shared space
  - Both parties access same file
  - Problem: Content in third-party hands
  - Blocked: Security policies prohibit

Option 2: Email back and forth
  - Send content via email
  - Version confusion (which is current?)
  - Problem: No shared state
  - Result: Manual, error-prone

Integra's Solution (Privacy Preserved)

Blockchain as coordination layer:

Party A's Environment:
  - Content in secure storage (encrypted)
  - Generates: contentHash
  - Registers: integraHash on-chain

Party B's Environment:
  - Content in secure storage (encrypted)
  - Generates: contentHash (same!)
  - Verifies: Matches on-chain hash

Shared coordination:
  - Both use integraHash to coordinate
  - Automate workflows using identifier
  - Neither party shares actual content
  - Privacy policies satisfied

Privacy Techniques in Detail

1. Hash-Based Content Proof

bytes32 contentHash = keccak256(content);

Properties:

  • One-way: Cannot derive content from hash
  • Deterministic: Same content = same hash
  • Verifiable: Parties can verify independently
  • Collision-resistant: Different content = different hashes

Privacy guarantee: Content never touches the blockchain.

2. Encrypted Reference Field

Purpose: Enable content association without on-chain correlation.

// Private: IPFS CID or content URL
const reference = "QmYwAPJzv5CZsnA...";

// Encrypt with shared secret
const key = keccak256(abi.encode(contentHash, sharedSecret));
const encryptedReference = encrypt(reference, key);

// On-chain: Encrypted blob
integraRecordV1.registerRecord(
    contentHash,
    encryptedReference,  // Cannot be read publicly
    ...
);

Privacy achieved:

  • Parties with key can access content
  • Public observers cannot
  • Cannot correlate records by reference
  • Each record has a unique encrypted reference

3. Randomized Record Identifier (integraHash)

Non-deterministic generation:

integraHash = keccak256(abi.encodePacked(
    contentHash,
    referenceHash,
    msg.sender,
    block.timestamp  // Random element
));

Why this matters:

Deterministic approach (BAD):
  integraHash = keccak256(contentHash)
  Problem: Same content -> same integraHash
  Privacy leak: Can correlate registrations
  Example: "This is the 5th registration of this template"

Random approach (GOOD):
  integraHash = keccak256(contentHash + timestamp + ...)
  Benefit: Same content -> different integraHash each time
  Privacy win: Cannot correlate registrations

4. Ephemeral Wallet Architecture

One wallet per record:

// User's primary wallet (long-term identity)
const primaryWallet = "0x123...";

// Generate unique ephemeral for each record
const ephemeral1 = deriveWallet(primary, seed, index: 1);
const ephemeral2 = deriveWallet(primary, seed, index: 2);
const ephemeral3 = deriveWallet(primary, seed, index: 3);

// Use ephemeral for all record operations
await registerRecord({ from: ephemeral1 });
await claimToken({ from: ephemeral2 });
await sendPayment({ from: ephemeral3 });

Privacy achieved:

On-chain analysis:
  - Address 0xAAA... has 1 record
  - Address 0xBBB... has 1 record
  - Address 0xCCC... has 1 record
  Cannot determine these are same person
  Cannot build user's complete record history
  Cannot track user across contracts

User knows:
  All ephemerals are mine
  Can prove ownership when needed
  Can correlate privately (off-chain)

5. Off-Chain Identity, On-Chain Proof

Identity data stays off-chain:

// Private: User identity information
const userIdentity = {
    name: "Alice Johnson",
    email: "alice@example.com",
    accreditation: "Verified by SEC",
    kycProvider: "IdentityProvider Inc"
};

// Off-chain: KYC provider verifies

// On-chain: Just the attestation
const attestationUID = await eas.attest({
    schema: kycSchemaUID,
    data: {
        recipient: aliceEphemeralWallet,
        data: abi.encode(
            keccak256(abi.encode(userIdentity)),  // Hash only
            expirationDate,
            verificationType
        )
    }
});

What is on-chain:

  • Attestation exists
  • Recipient address
  • Hash of identity data
  • Expiration date

What is NOT on-chain:

  • Name
  • Email
  • SSN
  • KYC details

Verification process:

// Smart contract checks
function requireKYC(address user) internal view {
    // Just verifies attestation exists
    require(hasValidKYCAttestation(user), "KYC required");
    // Does not know WHO the user is
    // Just knows they are KYC verified
}

6. Encrypted Payment Details

Payment requests with privacy:

// Private: Full payment details
const paymentDetails = {
    amount: "$2,500.00 USD",
    bankAccount: "Account #123-456-789",
    routingNumber: "987654321",
    memo: "November rent payment",
    instructions: "Wire transfer by 1st of month"
};

// Encrypt for each party
const encryptedForRequestor = encrypt(details, requestorKey);
const encryptedForPayer = encrypt(details, payerKey);

// On-chain: Encrypted payloads only
integraSignal.sendPaymentRequest(
    integraHash,
    requestorTokenId,
    payerTokenId,
    payerAddress,
    encryptedForPayer,      // Only payer can decrypt
    encryptedForRequestor,  // Only requestor can decrypt
    attestationUID,
    keccak256("invoice-123"), // Reference hash
    2500,                   // Display amount (for UX)
    "USD",
    processHash,
    30  // 30 days to pay
);

Privacy achieved:

On-chain:
  Payment request exists
  Linked to record and parties
  Approximate amount (for UX)
  Exact amount hidden
  Account numbers hidden
  Payment instructions hidden

Only requestor and payer can:
  Decrypt full payment details
  See account information
  Read payment instructions

Selective Disclosure Architecture

User Controls Privacy Level

Level 1: Full Privacy (Default)

Public view:
  - Address 0xAAA... has attestation
  - Nothing else

User reveals: Nothing

Level 2: Selective Statistics

User reveals:
  - "I have 5 completed contracts"
  - "I have 3 rental agreements as tenant"

Proof: Show attestation count, not details

Level 3: Category Disclosure

User reveals:
  - "I completed rental at 123 Main St"
  - Proves: integraHash corresponds to property
  - Off-chain proof linking ephemeral to claim

Privacy preserved: Other contracts still private

Level 4: Full Disclosure

User reveals:
  - All content hashes
  - Links between ephemerals and primary
  - Complete contract history

Use case: Court order, audit, verification
Proof: Cryptographic proof of ownership

Comparison with Other Privacy Approaches

zkSNARKs/zkSTARKs (Full Zero-Knowledge)

Approach: Cryptographic proof of computation
Privacy: Maximum (prove without revealing anything)
Complexity: High (requires circuit design)
Gas cost: Very high (proof verification)

Integra: Selective approach
  - Use ZK where critical
  - Use encryption for most cases (simpler, cheaper)
  - Use hashing for content proofs (efficient)

Encrypted Blockchains (Secret Network, Oasis)

Approach: Entire blockchain state encrypted
Privacy: Strong (all data private)
Complexity: Different execution environment
Interoperability: Limited (not standard EVM)

Integra: Public blockchain with privacy layers
  - Standard EVM (works everywhere)
  - Selective encryption (only what needs privacy)
  - Interoperable (standard ERCs, standard attestations)

Permissioned Blockchains (Hyperledger, Corda)

Approach: Private blockchain network
Privacy: Strong (controlled participants)
Complexity: Infrastructure overhead
Decentralization: None (controlled network)

Integra: Public blockchain with privacy techniques
  - Fully decentralized
  - No infrastructure needed
  - Privacy via cryptography, not access control

Privacy Guarantees

What Integra Guarantees

Content Privacy:

  • Content never stored on-chain
  • Content location encrypted
  • Cannot correlate records by content
  • Each registration has a unique identifier

Identity Privacy:

  • Real identities off-chain
  • Ephemeral wallets per record
  • Cannot build comprehensive user profiles
  • Selective disclosure controlled by user

Transaction Privacy:

  • Payment amounts encrypted
  • Account details encrypted
  • Only parties can decrypt
  • No public transaction graph

Coordination Enabled:

  • Parties can verify content match
  • Automation possible via integraHash
  • Audit trails via processHash

What Is Intentionally Public

For verifiability:

  • Content hash (proves content)
  • integraHash (coordination identifier)
  • Attestation existence (proves authorization)
  • Token ownership (proves rights)
  • Transaction events (proves operations occurred)

This enables:

  • Third-party verification
  • Immutable audit trails
  • Decentralized trust
  • Dispute resolution

Privacy Best Practices

For Developers

1. Always use ephemeral wallets for records:

// Generate new ephemeral for each record
const ephemeral = deriveEphemeralWallet(primary, recordIndex);

2. Encrypt reference fields:

// Never store plaintext IPFS CIDs
const encrypted = encrypt(ipfsCID, sharedSecret);

3. Use processHash for correlation, not content details:

// Good
processHash = keccak256("workflow-12345");

// Bad
processHash = keccak256("patient-ssn-123-45-6789");  // PII!

4. Minimize on-chain data:

// Store only what is needed for coordination
// Keep everything else off-chain

For Users

1. Use different wallets per record (maximum privacy)

2. Control disclosure:

// Reveal only what is necessary
// Default: Reveal nothing

3. Encrypt payment details:

// Always use encrypted payment signals
// Never post account numbers publicly

Summary

Integra's privacy architecture:

  1. Born from privacy necessity --- Enables collaboration without content sharing
  2. Uses blockchain for coordination --- Not storage
  3. Public proofs of private information --- Hashes, not content
  4. Encrypted references --- Prevent on-chain correlation
  5. Ephemeral wallets --- Prevent identity tracking
  6. Off-chain identity --- On-chain authorization
  7. Encrypted payments --- Private financial details
  8. Selective disclosure --- User controls revelation

Core principle: The blockchain provides shared immutable identifiers for coordination while actual sensitive data remains in parties' secure environments.

This enables automation with privacy --- the foundational insight that makes Real World Contracts possible.

Learn More

On this page

The Foundational ProblemWhy Integra ExistsThe Foundational InsightThe Core Philosophy: Public Proof of Private InformationPrivacy Layers in IntegraLayer 1: Content PrivacyContent Hash (Content Proof)Encrypted Reference FieldRandomized Record Identifier (integraHash)Layer 2: Identity PrivacyEphemeral Wallets Per RecordDeterministic Ephemeral WalletsLayer 3: Attestation Privacy (Off-Chain Identity, On-Chain Proof)The EAS PatternAttestation-Based AuthorizationLayer 4: Payment PrivacyEncrypted Payment SignalsThe Record-Centric Privacy ModelRecords as Privacy BoundariesZero-Knowledge CoordinationPrivacy-Preserving WorkflowsWorkflow 1: Confidential Business AgreementWorkflow 2: Healthcare Record ConsentWorkflow 3: Real Estate TransactionThe "Shared Immutable Identifier" PatternTraditional Collaboration (Privacy Problem)Integra's Solution (Privacy Preserved)Privacy Techniques in Detail1. Hash-Based Content Proof2. Encrypted Reference Field3. Randomized Record Identifier (integraHash)4. Ephemeral Wallet Architecture5. Off-Chain Identity, On-Chain Proof6. Encrypted Payment DetailsSelective Disclosure ArchitectureUser Controls Privacy LevelComparison with Other Privacy ApproacheszkSNARKs/zkSTARKs (Full Zero-Knowledge)Encrypted Blockchains (Secret Network, Oasis)Permissioned Blockchains (Hyperledger, Corda)Privacy GuaranteesWhat Integra GuaranteesWhat Is Intentionally PublicPrivacy Best PracticesFor DevelopersFor UsersSummaryLearn More