This document, the Enterprise Ethereum Alliance Client Specification, defines the implementation requirements for Enterprise Ethereum clients, including the interfaces to external-facing components of Enterprise Ethereum and how they are intended to be used. Its primary intended audience is developers of Enterprise Ethereum clients

The copyright in this document is owned by Enterprise Ethereum Alliance Inc. (“EEA” or “Enterprise Ethereum Alliance”).

This Specification is copyright © 2018-2022 Enterprise Ethereum Alliance Incorporated (EEA). It is made available under the terms of the Apache License version 2.0. [[Apache2]]

This is an editors' draft of the Enterprise Ethereum Alliance Client Specification version 7. Changes made since version 6 of this Specification, released in November 2020, have been reviewed by the Enterprise Ethereum Alliance (EEA) Technical Specification Working Group (TSWG), but not the EEA Board. The TSWG expects at time of writing that this revision of the Specification will be released around the middle of 2022, obsoleting version 6. The group is also expecting to hear about further implementation experience, that could potentially lead to proposed modifications. This particularly applies to sections marked experimental: * The object syntax for recording changes to maxCodeSize * Asynchronous methods for private transactions The Working Group **expects** to remove any requirements for Unrestricted Private Transactions before publishing this draft as an EEA specification, and requests feedback on that proposal before April 25 Please send any comments to the EEA Technical Steering Committee at [https://entethalliance.org/contact/](https://entethalliance.org/contact/).

Introduction

This document, the Enterprise Ethereum Alliance Client Specification, defines the implementation requirements for Enterprise Ethereum clients, including the interfaces to external-facing components of Enterprise Ethereum and how they are intended to be used. A partial list of use cases [[USECASES]] this specification attempts to address is available as a work in progress. A companion document, the Enterprise Ethereum Alliance Permissioned Blockchain specification [[EEA-chains]] defines requirements for Enterprise Ethereum blockchains to ensure that clients that conform to this specification can work interopably on blockchains that meet the requirements defined in that document.

Why Produce a Client Specification?

With a growing number of vendors developing Enterprise Ethereum clients, meeting the requirements outlined in this Client Specification ensures different clients can communicate with each other and interoperate reliably on a given Enterprise Ethereum blockchain. For ÐApp developers, for example, a Client Specification ensures clients provide a set of identical interfaces so that ÐApps will work on all conforming clients. This enables an ecosystem where users can change the software they use to interact with a running blockchain, instead of being forced to rely on a single vendor to provide support. From the beginning, this approach has underpinned the development of Ethereum and it meets a key need for blockchain use in many enterprise settings. Client diversity also provides a natural mechanism to help verify that the protocol specification is unambiguous because interoperability errors revealed in development highlight parts of the protocol that different engineering teams interpret in different ways. Finally, standards-based interoperability allows users to leverage the widespread knowledge of Ethereum in the blockchain development community to minimize the learning curve for working with Enterprise Ethereum. This reduces risk when deploying an Enterprise Ethereum blockchain.

Experimental Requirements

This Specification includes requirements and Application Programming Interfaces (APIs) that are described as experimental. Experimental means that a requirement or API is in early stages of development and might change as feedback is incorporated. Implementors are encouraged to implement these experimental requirements, with the knowledge that requirements in future versions of the Specification are not guaranteed to be compatible with the current version. Please send comments and feedback on experimental portions of this Specification to the EEA Technical Steering Committee at [https://entethalliance.org/contact/](https://entethalliance.org/contact/).

Requirement Categorization

All requirements in this Specification are categorized as either:

Security Considerations

Security of information systems is a major field of work. Enterprise Ethereum software development shares with all software development the need to consider security issues and the obligation to update implementations in line with new information and techniques to protect its users and the ecosystem in which it operates.

However, some aspects of Ethereum in general, and Enterprise Ethereum specifically, are especially important in an organizational environment.

Callback URL Sanitization

The asynchronous JSON-RPC methods `eea_sendTransactionAsync` and `eea_sendRawTransactionAsync` utilize a URL provided by the user at call time to inform the user of the completion of the asynchronous operation. Attackers can use these URLs to cause the node server to invoke resources present on the private network for the node that the attacker would not normally have access to or to cause the node to spam the callback URL. Enterprise Ethereum clients need to provide appropriate URL sanitization and restrictions, such as the use of allowlists and request rate control, to prevent such vulnerabilities from being exploited in the course of executing asynchronous operations.

Attacks on Enterprise Ethereum

Modeling attacks against a node helps identify and prioritize the necessary security countermeasures to implement. Some attack categories to consider include: - Attacks on unauthenticated [[JSON-RPC]] interfaces through malicious JavaScript in the browser using DNS rebinding. - Eclipse attacks (attacks targeting specific nodes in a decentralized network) that attempt to exhaust client network resources or fool its node-discovery protocol. - Targeted exploitation of consensus bugs in EVM implementations. - Malicious code contributions to open-source repositories. - All varieties of social engineering attacks.

Positive Security Design Patterns

Complex interfaces increase security risk by making user error more likely. For example, entering Ethereum addresses by hand is prone to errors. Therefore, implementations can reduce the risk by providing user-friendly interfaces, ensuring users correctly select an opaque identifier using tools, like a contact manager. Gas (defined in the [[Ethereum-Yellow-Paper]]) is a virtual pricing mechanism for transactions and smart contracts that is implemented by Ethereum to protect against Denial of Service attacks and resource-consumption attacks by compromised, malfunctioning, or malicious nodes. Enterprise Ethereum provides additional tools to reduce security risks, such as more granular permissions for actions in a network.

Permissioning plays some role in mitigating network-level attacks (like the 51% attack), but it is important to carefully consider which risks are of most concern to a client implementation versus those that are better mitigated by updates to the Ethereum consensus protocol design.

Handling of Sensitive Data

The implications of private data storage are also important to consider, and motivate several requirements in this Specification. The long-term persistence of encrypted data on any public platform (such as Ethereum) exposes it to eventual decryption by brute-force attack, accelerated by the inevitable periodic advances in cryptanalysis. A future shift to post-quantum cryptography is a current concern, but will not likely be the last advancement in the field. No encryption scheme endures for ever; protection needs to reasonably exceed the lifetime of the data's sensitivity. Data "at rest" is vulnerable, and it is therefore helpful to ensure it is encrypted. While clients can and do offer this functionality themselves, often a more efficient approach is to use a platform-wide encryption functionality. Besides user-generated data, a client is also responsible for managing and protecting private keys. Encrypting private keys with a passphrase or other authentication credential before storage helps protect them from disclosure. It is also important not to disclose sensitive data when recording events to a log file.

Security of Client Implementations

There are several specific functionality areas that are more prone to security issues arising from implementation bugs. The following areas deserve a greater focus during the design and the security assessment of an Enterprise Ethereum client: - Peer-to-peer protocol implementation - Object deserialization routines - Ethereum Virtual Machine (EVM) implementation - Key pair generation. The peer-to-peer protocol used for communication among nodes in Ethereum is a client's primary vector for exposure to untrusted input. In any software, the program logic that handles untrusted inputs is the primary focus area for implementing secure data handling. Object serialization and deserialization is commonly part of the underlying implementation of the P2P protocol, but also a source of complexity that, historically, is prone to security vulnerabilities across many implementations and many programming languages. Selecting a deserializer that offers strict control of data typing can help mitigate the risk. EVM implementation correctness is an especially important security consideration for clients. Unless EVMs behave identically for all possibilities of input, there is a serious risk of a hard fork caused by an input that elicits the differences in behavior across clients. EVM implementations are also exposed to denial-of-service attempts by maliciously constructed smart contracts, and the even more serious risk of an exploitable remote-code-execution vulnerability. A network upgrade (also known as a hard fork) is a permanent divergence from the previous version of a blockchain. Nodes using older network configuration cannot participate fully in the Enterprise Ethereum blockchain after the hard fork block. A hard fork block is the block from which a network upgrade occurred. The Ethereum specification defines many of the technical aspects of public/private key pair format and cryptographic algorithm choice, but a client implementation is still responsible for properly generating these keys using a well-reviewed cryptographic library. Specifically, a client implementation needs a properly seeded, cryptographically secure, pseudo-random number generator (PRNG) during the keypair generation step. An insecure PRNG is not generally apparent by merely observing its outputs, but enables attackers to break the encryption and reveal users' sensitive data.

Anti-spam

This section refers to mechanisms to prevent the Enterprise Ethereum blockchain being degraded with a flood of intentional or unintentional messages (either malicious, buggy, or uncontrolled). This might be realized through interfacing with an external security manager, as described in Section , or implemented by the client.

Enterprise Ethereum Architecture

For the purpose of this Specification: Enterprise Ethereum is an Enterprise Ethereum Permissioned Blockchain, That is, an Ethereum blockchain that implements extensions to the functionality of MainNet defined in [[EEA-chains]], along with the software used to interact with such a blockchain. A node is an instance of an Enterprise Ethereum client running on an Enterprise Ethereum blockchain. Multiple nodes can run on an individual device, including on a virtual device provided by a cloud service, or can be run on different devices connected across the internet. An Enterprise Ethereum client is software used to work with such a blockchain. Clients that implement the requirements described in this specification can function as administrator nodes for an Enterprise Ethereum Blockchain, that is nodes that can carry out adminsitrative functions such as - Participating in determination of Consensus - Managing changes to permissioning - Managing Private Transactions Other software can be used to interact with Enterprise Ethereum Blockchains even if it does not implement all the requirements of this specification. For example blockchain explorers do not need to implement the full specification in order to work on an Enterprise Ethereum Blockchain. An Enterprise Ethereum Client can be built from scratch, or based on a client that runs on Ethereum Mainnet. The following diagram provides an overview of the extensions Enterprise Ethereum clients implement in order to operate as an administrator.
Representative Enterprise Ethereum High-level Architecture
Conceptual architecture of an Enterprise Ethereum client
The following stack representation of Enterprise Ethereum architecture shows a conceptual set of interfaces that an Enterprise Ethereum client implements, including extensions to, or in some cases replacements for, interfaces in a client developed to run as a node on Ethereum mainnet.
Enterprise Ethereum Architecture Stack
Enterprise Ethereum Architecture Stack
The architecture stack for Enterprise Ethereum consists of five layers: - Application - Tooling - Enterprise 3 P's - Core Blockchain - Network. These layers are described in the following sections.

Application Layer

The Application layer exists, often fully or partially outside of a client, where higher-level services are provided. For example, Ethereum Name Service (ENS), node monitors, blockchain state visualizations and explorers, self-sovereign and other identity schemes, wallets, and any other applications of the ecosystem envisaged. Wallets are software applications used to store an individual’s credentials (cryptographic private keys), which are associated with the state of that user’s Ethereum account.

Wallets can interface with Enterprise Ethereum using the Extended RPC API, as shown in . A wallet can also interface directly with the enclave of a private transaction manager, or interface with public Ethereum.

A private transaction manager is a subsystem of an Enterprise Ethereum system for implementing privacy and permissioning.

ÐApps Sublayer

Decentralized Applications, or ÐApps, are software applications running on a decentralized peer-to-peer network, often a blockchain. A ÐApp might include a user interface running on another (centralized or decentralized) system. ÐApps run on top of Ethereum. ÐApps running on an Enterprise Ethereum blockchain can use the extensions to the Ethereum JSON-RPC API that are defined in this Specification. Also at the ÐApps sublayer are blockchain explorers, tools to monitor the blockchain, and other business intelligence tools.

Infrastructure Contracts and Standards Sublayer

Some important tools for managing a blockchain, are built at the Application layer. These components together make up the Infrastructure Contracts and Standards sublayer. Permissioning contracts determine whether nodes and accounts can access, or perform specific actions on, an Enterprise Ethereum blockchain, according to the needs of the blockchain. These permissioning contracts can implement Role-based access control (RBAC) [[WP-RBAC]] or Attribute-based access control (ABAC) [[WP-ABAC]], as well as simpler permissioning models, as described in the Permissioning Management Examples section of the Implementation Guide [[EEA-implementation-guide]]. Token standards provide common interfaces and methods along with best practices. These token standards include [[ERC-20]], [[ERC-223]], [[ERC-621]], [[ERC-721]], and [[ERC-827]]. The Ethereum Name Service (ENS) provides a secure and decentralized mapping from simple, human-readable names to Ethereum addresses for resources both on and off the blockchain.

Smart Contract Tools Sublayer

Enterprise Ethereum inherits the smart contract tools used by public Ethereum. These tools include smart contract languages and associated developer tools, such as parsers, compilers, and debuggers, as well as methods used for security analysis and formal verification of smart contracts.

Enterprise Ethereum implementations enable use of these tools and methods through implementation of the Execution sublayer, as described in Section .

[P] SMRT-030: Enterprise Ethereum clients MUST support smart contracts of at least 24,576 bytes in size.

[P] SMRT-040: Enterprise Ethereum clients MUST read and enforce a size limit for transactions that deploy smart contracts from the maxCodeSize parameter in the network configuration, specified as a number of kilobytes as defined in the section below.

[P] SMRT-060: Enterprise Ethereum clients MUST read and enforce a size limit for transactions that deploy smart contracts from the maxCodeSize parameter in the network configuration, specified as a javascript object as defined in the section below.

See also [[CONFIG-010]](chainspec.html#req-config-010) in the Enterprise Ethereum Alliance Permissioned Blockchain specification [[EEA-chains]].

The maxCodeSize parameter

This section is experimental The `maxCodeSize` parameter in the network configuration has a value that is either a positive integer or a Javascript object. If the value is an integer, it specifies the maximum size limit, in kilobytes, of a smart contract for deployment. It the value is a Javascript object, it is interpreted as a set of pairs of integers: - The first number in the pair specifies the maximum size limit, in kilobytes, of a smart contract for deployment. - The second number is the block height from which the associated size limit applies. Any transaction to deploy a smart contract larger than limit is an invalid transaction. A negative value of limit means the blockchain does not impose any limit. A missing or non-integer value of limit means the client imposes its implementation-dependent default limit, that MUST be **at least** 24 kilobytes (see [SMRT-030](#req-smrt-030)). A negative value for the block height is an error, and the client MUST NOT apply the associated limit. A missing value, or non-integer value, or value of block height that is less than or equal to the preceding value is an error, and the client MUST NOT apply the associated limit.

Tooling Layer

The Tooling layer contains the APIs used to communicate with clients. The Ethereum JSON-RPC API, implemented by public Ethereum, is the primary API to submit transactions for execution, deploy smart contracts, and to allow ÐApps and wallets to interact with the platform. The [[JSON-RPC]] remote procedure call protocol and format is used for the JSON-RPC API implementation. Other APIs are allowed, including those intended for inter-blockchain operations and to call external services, such as trusted oracles. Integration libraries, such as [[web3j]], [[web3.js]], and [[Nethereum]], are software libraries used to implement APIs with different language bindings (like the Ethereum JSON-RPC API) for interacting with Ethereum nodes. Enterprise Ethereum implementations can restrict operations based on permissioning and authentication schemes.

The Tooling layer also provides support for the compilation, and possibly formal verification, of smart contracts through the use of parsers and compilers for one or more smart contract languages.

Smart contract languages are the programming languages, such as [[Solidity]] and [[LLL]], used to create smart contracts. For each language, tools can perform tasks such as compiling to EVM bytecode, static security checking, or formal verification.

Formal verification is the mathematical verification of the logical correctness of a smart contract designed to run in the EVM.

Credential Management Sublayer

Credentials, in the context of Enterprise Ethereum blockchains, refer to an individual’s cryptographic private keys, which are associated with that user’s Ethereum account. Enterprise Ethereum clients can choose to offer local handling of user credentials, such as key management systems and wallets. Such facilities might also be implemented outside the scope of a client.

Integration and Deployment Tools Sublayer

Many software systems integrate with enterprise management systems using common APIs, libraries, and techniques, as shown in .
Management Interfaces
Management Interfaces
As well as deployment and configuration capabilities, Enterprise Ethereum clients can offer functionality such as software fault reporting, performance management, security management, integration with other enterprise software, and historical analysis tools. These are not requirements of this Specification, instead they are optional features to distinguish between different Enterprise Ethereum clients.

Client Interfaces and APIs Sublayer

As part of the Client Interfaces and APIs sublayer, [[JSON-RPC]] is a stateless, light-weight remote procedure call (RPC) protocol using [[JSON]] as its data format. The [[JSON-RPC]] specification defines several data structures and the rules around their processing.

An Ethereum JSON-RPC API is used to communicate between ÐApps and nodes.

Compatibility with the Core Ethereum JSON-RPC API

[P] JRPC-010: Enterprise Ethereum clients MUST provide support for the following Ethereum JSON-RPC API methods:

  • `net_version`
  • `net_peerCount`
  • `net_listening`
  • `eth_protocolVersion`
  • `eth_syncing`
  • `eth_coinbase`
  • `eth_hashrate`
  • `eth_gasPrice`
  • `eth_accounts`
  • `eth_blockNumber`
  • `eth_getBalance`
  • `eth_getStorageAt`
  • `eth_getTransactionCount`
  • `eth_getBlockTransactionCountByHash`
  • `eth_getBlockTransactionCountByNumber`
  • `eth_getCode`
  • `eth_sendRawTransaction`
  • `eth_call`
  • `eth_estimateGas`
  • `eth_getBlockByHash`
  • `eth_getBlockByNumber`
  • `eth_getTransactionByHash`
  • `eth_getTransactionByBlockHashAndIndex`
  • `eth_getTransactionByBlockNumberAndIndex`
  • `eth_getTransactionReceipt`
  • `eth_getUncleByBlockHashAndIndex`
  • `eth_getUncleByBlockNumberAndIndex`
  • `eth_getLogs`.

[P] JRPC-007: Enterprise Ethereum clients SHOULD implement [[JSON-RPC-API]] methods to be backward compatible with the definitions given in version e8e0771 of the Ethereum JSON-RPC API reference [[!JSON-RPC-API-5bdf414]], unless breaking changes were made and widely implemented for the health of the ecosystem. For example, to fix a major security or privacy problem.

[C] JRPC-015: Enterprise Ethereum clients MUST provide the capability to accept and respond to JSON-RPC method calls over a websocket interface.

[C] JRPC-040: Enterprise Ethereum clients MUST provide an implementation of the debug_traceTransaction method [[debug-traceTransaction]] from the Go Ethereum Management API.

[C] JRPC-050: Enterprise Ethereum clients MUST implement the [[!JSON-RPC-PUB-SUB]] API.

[P] JRPC-070: Enterprise Ethereum clients implementing additional nonstandard subscription types for the [[!JSON-RPC-PUB-SUB]] API MUST prefix their subscription type names with a namespace prefix other than eea_.

Extensions to the JSON-RPC API

[P] JRPC-080: Enterprise Ethereum clients must not use the prefix eea_ for the names of [[JSON-RPC]] methods that are not defined by this specification.

[P] JRPC-020: Enterprise Ethereum clients MUST implement at least one of the following extensions to create private transaction types defined in the Section :

[P] JRPC-025: Enterprise Ethereum clients MAY implement the following experimental extensions to create private transaction types defined in the Section :

[P] JRPC-030: The eea_sendTransactionAsync, eea_sendTransaction, eea_sendRawTransactionAsync, and eea_sendRawTransaction methods MUST respond with a [[JSON-RPC]] error response when an unimplemented private transaction type is requested. The error response MUST have the code -50100 and the message Unimplemented private transaction type.

**Example response** 
{
  "jsonrpc": "2.0",
  "id": 1,
  "error": {
    "code": -50100,
    "message": "Unimplemented private transaction type"
  }
}

[P] JRPC-035: If a restricted private transaction is requested with values for both the privateFor and privacyGroupId parameters, Enterprise Ethereum clients MUST return an error. The error response MUST have the code -50100 and the message Invalid private transaction parameters.

**Example response** ```js { "jsonrpc": "2.0", "id": 1, "error": { "code": -32602, "message": "Invalid private transaction parameters" } } ```
Synchronous Private Transaction Methods
eea_sendTransaction
A call to `eea_sendTransaction` creates a private transaction, signs it, generates the transaction hash and submits it to the transaction pool, and returns the transaction hash. **Parameters** The transaction object containing: - `from` DATA, 20 bytes – The address of the account sending the transaction. - `to` DATA, 20 bytes – Optional when creating a new contract. The address of the account receiving the transaction. - `gas` QUANTITY – Optional. The gas, as an integer, provided for the transaction. - `gasPrice` QUANTITY – Optional. The gas price, as an integer. - `value` QUANTITY – Optional. The value, as an integer, if present must be set to 0. - `data` DATA – Transaction data (compiled smart contract code or encoded method data). - `nonce` QUANTITY – Optional. A nonce value, as an integer. This allows you to overwrite your own pending transactions that use the same nonce. - `privateFrom` DATA, 32 bytes – Optional. The public key of the sender of this private transaction. If this parameter is not supplied, the node could supply a default for `privateFrom`. If this parameter is not supplied and the node is unable to supply a default, the transaction fails. - `privateFor` DATA – An array of the public keys of the intended recipients of this private transaction. Mutually exclusive with the `privacyGroupId` parameter. If both `privateFor` and `privacyGroupId` parameters are provided, an error response is generated. - `privacyGroupId` DATA, 32 bytes – The privacy group identifier for the group of intended recipients of this private transaction. If a client does not support this parameter, it should return a privacyGroupId not supported error response. The `privacyGroupId` and `privateFor` parameters are mutually exclusive. If both the `privacyGroupId` and `privateFor` parameters are provided, an error response is generated. - `restriction` STRING – If `restricted`, the transaction is a restricted private transaction. For more information, see Section . **Returns** DATA, 32 Bytes – The transaction hash. If creating a contract, use `eea_getPrivateTransactionReceipt` to retrieve the contract address after the transaction is finalized. **Request Format** ```js curl -X POST --data '{"jsonrpc":"2.0","method":"eea_sendTransaction","params": [{ "from": "0xb60e8dd61c5d32be8058bb8eb970870f07233155", "to": "0xd46e8dd67c5d32be8058bb8eb970870f072445675", "gas": "0x76c0", "gasPrice": "0x9184e72a000", "data": "0xd46e8dd67c5d32be8d46e8dd67c5d32be8058bb8eb970870f072445675058bb8eb970870f072445675", "privateFrom": "negmDcN2P4ODpqn/6WkJ02zT/0w0bjhGpkZ8UP6vARk=", "privateFor": ["g59BmTeJIn7HIcnq8VQWgyh/pDbvbt2eyP0Ii60aDDw="], "restriction": "restricted"}], "id":1}' Or alternatively, when a privacyGroupId is provided instead of privateFor: "privacyGroupId": "Vbj70zF+G2V/8XoyZzwqawfcQ+r9BkXoLQOqkQideys=", ``` **Response Format** ```js { "id":1, "jsonrpc": "2.0", "result": "0xe670ec64341771606e55d6b4ca35a1a6b75ee3d5145a99d05921026d1527331" } ```
eea_sendRawTransaction
A call to `eea_sendRawTransaction` creates a private transaction, which has already been signed, generates the transaction hash and submits it to the transaction pool, and returns the transaction hash. The signed transaction passed as an input parameter is expected to include the `privateFrom`, `privateFor`, `privacyGroupId`, and `restriction` fields, as specified in the Parameters section of . **Parameters** The transaction object containing: - `data` DATA – The signed transaction data. ```js params: ["0xd46e8dd67c5d32be8d46e8dd67c5d32be8058bb8eb970870f072445675058bb8eb970870f072445675"] ``` **Returns** DATA, 32 Bytes – The transaction hash. If creating a contract, use `eea_getPrivateTransactionReceipt` to retrieve the contract address after the transaction is finalized . **Request Format** ```js curl -X POST --data '{"jsonrpc":"2.0","method":"eea_sendRawTransaction","params": [{see above}], "id":1}' ``` **Response Format** ```js { "id":1, "jsonrpc": "2.0", "result": "0xe670ec64341771606e55d6b4ca35a1a6b75ee3d5145a99d05921026d1527331" } ```
Asynchronous Private Transaction Methods
This section is experimental.

At the time of publication, the asynchronous methods to create private transactions are only known to be implemented by the Quorum client. The Working Groups is seeking feedback from developers about these asynchronous methods:

  • Are they useful?
  • Is this the appropriate layer to be determining whether to make requests asynchronous?
  • Is the API comfortable to use, or should we consider changes such as using a parameter instead of a different method name?

Please provide feedback through the EEA Technical Steering Committee at https://entethalliance.org/contact/.

eea_sendTransactionAsync
A call to `eea_sendTransactionAsync` creates a private transaction, signs it, submits it to the transaction pool, and returns immediately. Using this method allows sending many transactions without waiting for recipient confirmation. **Parameters** The transaction object for this call contains: - `from` DATA, 20 bytes – The address of the account sending the transaction. - `to` DATA, 20 bytes – The address of the account receiving the transaction. - `gas` QUANTITY – Optional. The gas, as an integer, provided for the transaction. - `gasPrice` QUANTITY – Optional. The gas price, as an integer. - `value` QUANTITY – Optional. The value, as an integer, if present must be set to 0. - `data` DATA – Transaction data (compiled smart contract code or encoded method data). - `nonce` QUANTITY – Optional. A nonce value, as an integer. This allows you to overwrite your own pending transactions that use the same nonce. - `privateFrom` DATA, 32 bytes – Optional. The public key of the sender of this private transaction. If this parameter is not supplied, the node could supply a default for `privateFrom`. If this parameter is not supplied and the node is unable to supply a default, the transaction fails. - `privateFor` DATA – An array of the public keys of the intended recipients of this private transaction. Mutually exclusive with the `privacyGroupId` parameter. If both the `privateFor` and `privacyGroupId` parameters are provided, an error response is generated. - `privacyGroupId` DATA, 32 bytes – The privacy group identifier for the group of intended recipients of this private transaction. If a client does not support this parameter, it should return a privacyGroupId not supported error response. The `privacyGroupId` and `privateFor` parameters are mutually exclusive. If both the `privacyGroupId` and `privateFor` parameters are provided, an error response is generated. - `restriction` STRING – If `restricted`, the transaction is a restricted private transaction. For more information, see Section . - `callbackUrl` STRING – The URL to post the results of the transaction to. **Callback Body** The callback object for this call contains: - `txHash` DATA, 32 bytes – The transaction hash (if successful). - `txIndex` QUANTITY – The index position, as an integer, of the transaction in the block. - `blockHash` DATA, 32 Bytes – The hash of the block this transaction was in. - `blockNumber` QUANTITY – The number of the block, as an integer, this transaction was in. - `from` DATA, 20 Bytes – The public key of the sender of this private transaction. - `to` DATA, 20 Bytes – The account address of the receiver. `null` if a contract creation transaction. - `cumulativeGasUsed` QUANTITY – The total amount of gas used when this transaction was executed in the block. - `gasUsed` QUANTITY – The amount of gas used by this specific transaction. - `contractAddress` DATA, 20 Bytes – The contract address created, if a contract creation transaction, otherwise `null`. - `logs` Array – An array of log objects generated by this transaction. - `logsBloom` DATA, 256 Bytes – A bloom filter for light clients to quickly retrieve related logs. - `error` STRING – Optional. Includes an error message describing what went wrong. - `id` DATA – Optional. The ID of the request corresponding to this transaction, as provided in the initial [[JSON-RPC]] call. Also returned is either: - `root` DATA, 32 bytes – The post-transaction stateroot (pre-Byzantium). - `status` QUANTITY – The return status, either 1 (success) or 0 (failure). **Request Format** ```js curl -X POST --data '{"jsonrpc":"2.0","method":"eea_sendTransactionAsync","params":[{ "from": "0xb60e8dd61c5d32be8058bb8eb970870f07233155", "to": "0xd46e8dd67c5d32be8058bb8eb970870f072445675", "gas": "0x76c0", "gasPrice": "0x9184e72a000", "data":"0xd46e8dd67c5d32be8d46e8dd67c5d32be8058bb8eb970870f072445675058bb8eb970870f072445675", "privateFrom": "negmDcN2P4ODpqn/6WkJ02zT/0w0bjhGpkZ8UP6vARk=", "privateFor": ["g59BmTeJIn7HIcnq8VQWgyh/pDbvbt2eyP0Ii60aDDw="], "callbackUrl": "http://myserver/id=1", "restriction": "restricted"}], "id":1}' Or alternatively, when a privacyGroupId is provided instead of privateFor: "privacyGroupId": "Vbj70zF+G2V/8XoyZzwqawfcQ+r9BkXoLQOqkQideys=", ``` **Response Format** ```js { "id":1, "jsonrpc": "2.0" } ``` **Callback Format** ```js { "txHash": "0xe670ec64341771606e55d6b4ca35a1a6b75ee3d5145a99d05921026d1527331" "txIndex": "0x1", // 1 "blockNumber": "0xb", // 11 "blockHash": "0xc6ef2fc5426d6ad6fd9e2a26abeab0aa2411b7ab17f30a99d3cb96aed1d1055b", "cumulativeGasUsed": "0x33bc", // 13244 "gasUsed": "0x4dc", // 1244 "contractAddress": "0xb60e8dd61c5d32be8058bb8eb970870f07233155", // or null, if none was created "logs": "[{ // logs as returned by getFilterLogs, etc. }, ...]", "logsBloom": "0x00...0", // 256 byte bloom filter "status": "0x1" } ```
eea_sendRawTransactionAsync
A call to `eea_sendRawTransactionAsync` creates a private transaction that is already signed, submits it to the transaction pool, and returns immediately. Using this method allows sending many transactions without waiting for recipient confirmation. The signed transaction passed as an input parameter is expected to include the `privateFrom`, `privateFor`, `privacyGroupId`, and `restriction` fields, as specified in the Parameters section of . It is also expected to include the `callbackUrl` field. **Parameters** The transaction object containing: - `data` DATA – The signed transaction data. ```js params: ["0xd46e8dd67c5d32be8d46e8dd67c5d32be8058bb8eb970870f072445675058bb8eb970870f072445675"] ``` **Callback Body** The callback object for this call contains: - `txHash` DATA, 32 bytes – The transaction hash (if successful). - `txIndex` QUANTITY – The index position, as an integer, of the transaction in the block. - `blockHash` DATA, 32 Bytes – The hash of the block this transaction was in. - `blockNumber` QUANTITY – The number of the block, as an integer, this transaction was in. - `from` DATA, 20 Bytes – The public key of the sender of this private transaction. - `to` DATA, 20 Bytes – The address of the account receiving this transaction. `null` if a contract creation transaction. - `cumulativeGasUsed` QUANTITY – The total amount of gas used when this transaction was executed in the block. - `gasUsed` QUANTITY – The amount of gas used by this specific transaction. - `contractAddress` DATA, 20 Bytes – The contract address created, if a contract creation transaction, otherwise `null`. - `logs` Array – An array of log objects generated by this transaction. - `logsBloom` DATA, 256 Bytes – A bloom filter for light clients to quickly retrieve related logs. - `error` STRING – Optional. Includes an error message describing what went wrong. - `id` DATA – Optional. The ID of the request corresponding to this transaction, as provided in the initial [[JSON-RPC]] call. Also returned is either: - `root` DATA, 32 bytes – The post-transaction stateroot (pre-Byzantium). - `status` QUANTITY – The return status, either 1 (success) or 0 (failure). **Request Format** ```js curl -X POST --data '{"jsonrpc":"2.0","method":"eea_sendRawTransactionAsync","params": [{see above}], "id":1}' ``` **Response Format** ```js { "id":1, "jsonrpc": "2.0" } ``` **Callback Format** ```js { "txHash": "0xe670ec64341771606e55d6b4ca35a1a6b75ee3d5145a99d05921026d1527331" "txIndex": "0x1", // 1 "blockNumber": "0xb", // 11 "blockHash": "0xc6ef2fc5426d6ad6fd9e2a26abeab0aa2411b7ab17f30a99d3cb96aed1d1055b", "cumulativeGasUsed": "0x33bc", // 13244 "gasUsed": "0x4dc", // 1244 "contractAddress": "0xb60e8dd61c5d32be8058bb8eb970870f07233155", // or null, if none was created "logs": "[{ // logs as returned by getFilterLogs, etc. }, ...]", "logsBloom": "0x00...0", // 256 byte bloom filter "status": "0x1" } ```
eea_getPrivateTransactionReceipt
Returns the receipt of a private transaction by transaction hash.

The receipt is not available for pending transactions.

**Parameters** - `data` DATA, 32 bytes – hash of a transaction. ```js params: ["0xe670ec64341771606e55d6b4ca35a1a6b75ee3d5145a99d05921026d1527331"] ``` **Returns** Object – A transaction receipt object, or `null` when no receipt was found: - `blockHash` DATA, 32 Bytes - Hash of block containing this transaction. - `blockNumber` QUANTITY - Block number of block containing this transaction. - `contractAddress` DATA, 20 Bytes – The contract address created, if a contract creation transaction, otherwise `null`. - `from` DATA, 20 Bytes – The public key of the sender of this private transaction. - `logs` Array – An array of log objects generated by this transaction. - `to` DATA, 20 Bytes – The address of the account receiving this transaction. `null` if a contract creation transaction. - `transactionHash` DATA, 32 Bytes - Hash of the private transaction. - `transactionIndex` QUANTITY, Integer - Index position of transaction in the block. - `revertReason` String - ABI-encoded string that displays the reason for reverting the transaction. Only available if revert reason is enabled - `output` DATA - RLP-encoded return value of a contract call if a value returns, otherwise, `null`. - `commitmentHash` DATA, 32 Bytes - Hash of the privacy marker transaction. - `status` QUANTITY - Either 1 (success) or 0 (failure). - `privateFrom` DATA, 32 Bytes - Private tranaction manager public key of the sender. - `privateFor` OR `privacyGroupId` Array OR DATA, 32 Bytes - List of private transaction manager public keys OR Privacy group ID of the recipients. - `logsBloom` DATA, 256 Bytes - Bloom filter for light clients to quickly retrieve related logs. **Request Format** ```js curl -X POST --data '{"jsonrpc":"2.0","method":"eea_getPrivateTransactionReceipt","params": [{see above}], "id":1}' ``` **Response Format** ```js { "jsonrpc": "2.0", "id": 1, "result": { "blockHash": "0xe7212a92cfb9b06addc80dec2a0dfae9ea94fd344efeb157c41e12994fcad60a", "blockNumber": "0x50", "contractAddress": "0x493b76031593402e24e16faa81f677b58e2d53f3", "from": "0xfe3b557e8fb62b89f4916b721be55ceb828dbd73", "logs": [], "to": "0xf17f52151ebef6c7334fad080c5704d77216b732", "transactionHash": "0x36219e92b5f53d4150aa9ef7d2d793118cced523de6724100da5b534e3ceb4b8", "transactionIndex": "0x0", "output": "0x6080604052600436106049576000357c010000000000000000000000000000000000000000000 0000000000000900463ffffffff1680633fa4f24514604e57806355241077146076575b600080fd5b3480156059 57600080fd5b50606060a0565b6040518082815260200191505060405180910390f35b348015608157600080fd5b 50609e6004803603810190808035906020019092919050505060a6565b005b60005481565b8060008190555050560 0a165627a7a723058202bdbba2e694dba8fff33d9d0976df580f57bff0a40e25a46c398f8063b4c00360029", "commitmentHash": "0x79b9e6b0856db398ad7dc208f15b1d38c0c0b0c5f99e4a443a2c5a85510e96a5", "status": "0x1", "privateFrom": "negmDcN2P4ODpqn/6WkJ02zT/0w0bjhGpkZ8UP6vARk=", "privacyGroupId": "cD636RZlcqVSpoxT/ExbkWQfBO7kPAZO0QlWHErNSL8=", "logsBloom": "0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" } } ```

Permissioning Smart Contract

This section presents smart contract interfaces providing the necessary information for Enterprise Ethereum clients to enforce permissioning models in an interoperable manner. This includes both node-permissioning and account-permissioning interfaces.

It is based on a chain deployment architecture where permissioning is split into permissioning management, handled by one or more permissioning contracts on the Enterprise Ethereum blockchain, and permissioning enforcement, handled by the Enterprise Ethereum client based on information provided by the permissioning contract.

[P] PERM-300 permissioning contracts provided by an Enterprise Ethereum client SHOULD be certified as conforming to EthTrust Security Level 1, version 1 [[!EthTrust]].

[P] PERM-330 permissioning contracts provided by an Enterprise Ethereum client SHOULD be certified as conforming to EthTrust Security Level 3, version 1 [[!EthTrust]].

The EthTrust Security Levels specification [[!EthTrust]] defines a set of checks for audits of smart contract security. Testing to Level 1 typically requires an automated static analysis, for which a number tools are available. Level 3 implies testing that the contracts audited are fit their declared purpose and use exemplary coding practices in addition to a careful audit for complex security issues potentially beyond the reach of a static code analysis.
Permissioning Enforcement

Permissioning enforcement is performed to enforce the permissioning requirements of an Enterprise Ethereum blockchain. To obtain the information necessary to conduct enforcement, Enterprise Ethereum clients call specific functions in the permissioning contracts. These are common functions for all clients on the Enterprise Ethereum blockchain to use. The included functions are:

`connectionAllowed`
Determines whether to permit a connection with another node.
`transactionAllowed`
Determines whether to accept a transaction received from a given Ethereum account.
A client is not necessarily able to update the permissioning scheme, nor does it automatically have any knowledge of its implementation. The node-permissioning and account-permissioning interfaces emit `NodePermissionsUpdated` and `AccountPermissionsUpdated` events, respectively, when the underlying rules are changed. Clients register for these events that signal when to re-assess any permissions that were previously checked to ensure that results being used, or that were cached, are revalidated when necessary. The events contain the `addsRestrictions` and `addsPermissions` Boolean flags. If either flag is set to `true`, any previous connectionAllowed or transactionAllowed call could now result in a different outcome, because the previously checked permissions have changed. If `addsRestrictions` is `true`, then one or more `connectionAllowed` or `transactionAllowed` calls that previously returned `true` will now return `false`. Similarly, if `addsPermissions` is `true`, at least one `connectionAllowed` or `transactionAllowed` call that previously returned `false` will now return `true`.
Permissioning Management
The permissioning management smart contract functions provide the ability to configure and manage the permissioning model in use. These include the bulk of the constructs used to organize permissions, processes to adjust permissions, administration of the permissioning mechanism, and enforcing any regulatory requirements. The definition of these permissioning management functions depends on the permissioning model of the specific Enterprise Ethereum blockchain. It is outside the scope of this Specification, but crucial to the operation of the system. Enterprise Ethereum blockchain operators can choose any permissioning model that suits their needs. Implementations of the permissioning contracts (both enforcement and management functions) are provided on the Enterprise Ethereum blockchain by the blockchain operator. The implementation of permissioning enforcement functions, such as `connectionAllowed`, is part of the permissioning contract. When a management function is called that updates the permissioning model, the node or account smart contract interfaces emit `NodePermissionsUpdated` or `AccountPermissionsUpdated` events, respectively, based on the permissions change.
Node Permissioning

Node permissioning restricts the peer connections that can be established with other nodes in the Enterprise Ethereum blockchain. This helps to prevent interference and abuse by external parties and can establish a list of trusted nodes.

[P] PERM-200: Enterprise Ethereum clients MUST NOT allow an incoming connection from a node unless either:

This requirement allows a node to apply more restrictive rules about connections than those that cover the Enterprise Ethereum blockchain they are running. This means an organsation can run some nodes as validators allowing all authorised connections, and other nodes that only accept connections from nodes operated by that organisation.

The `connectionAllowed` function returns a `bytes32` type, which is interpreted as a bitmask with each bit representing a specific permission for the connection.

[P] PERM-210: When Enterprise ethereum clients call connectionAllowed, if the response is `false`, Enterprise Ethereum clients MUST reject the connection.

[P] PERM-220: On receipt of a NodePermissionsUpdated event containing an addsRestrictions property with the value true, Enterprise Ethereum clients MUST:

  • Purge or refresh cache as appropriate from previous calls to `connectionAllowed` where the result returned was `true`.
  • Close any network connections that are no longer permitted.
  • Impose newly added restrictions on any network connections that have had restrictions added.

[P] PERM-230: On receipt of a NodePermissionsUpdated event containing an addsPermissions property with the value true, Enterprise Ethereum clients MUST:

  • Purge or refresh cache as appropriate from previous calls to `connectionAllowed` where the result returned was `false`.
  • Check whether existing network connections have had their restrictions lifted and allow future actions that are now permitted.
Node Permissioning Functions
The node connection rules support IPv4 and IPv6 addresses, and domain names, defined as valid host strings [[!url]]. The `connectionAllowed` function is found at the address given by the `nodePermissionContract` parameter in the network configuration. It implements the following interface, including the `NodePermissionsUpdated` event: 
Interface
[
  {
    "name": "connectionAllowed",
    "stateMutability": "view",
    "type": "function",
    "inputs": [
      {
        "name": "sourceEnode",
        "type": "string"
      },
      {
        "name": "source",
        "type": "string"
      },
      {
        "name": "sourceEnodePort",
        "type": "uint16"
      }
    ],
    "outputs": [
      {
        "name": "result",
        "type": "bool"
      }
    ]
  },
  {
    "type": "event",
    "name": "NodePermissionsUpdated",
    "inputs": [
    {
      "name": "addsRestrictions",
      "type": "bool",
      "indexed": false
    },
    {
      "name": "addsPermissions",
      "type": "bool",
      "indexed": false
    },
    {
      "name": "enodeId",
      "type": "string",
      "indexed": false
    },
    {
      "name": "source",
      "type": "string",
      "indexed": false
    },
    {
      "name": "port",
      "type": "uint16",
      "indexed": false
    },
    {
      "name": "raftport",
      "type": "uint16",
      "indexed": false
    },
    {
      "name": "orgId",
      "type": "string",
      "indexed": false
    }
    ]
  }
]
**Arguments** - `sourceEnode`: The enode address of the node initiating the connection. - `source`: A DNS name of the node initiating the connection. - `sourceEnodePort`: The peer-to-peer listening port of the node initiating the connection. **Event parameters** - `addsRestrictions`: If the rules change that caused the NodePermissionsUpdated event to be emitted involves further restricting existing permissions, this will be `true`, otherwise `false`. - `addsPermissions`: If the rules change that caused the NodePermissionsUpdated event to be emitted involves granting new permissions, this will be `true`, otherwise `false`. - `enodeId`: The enode address of the node for which the permissions have changed. - `source`: The valid host string [[!url]] of the node whose permissions have changed. - `port`: The peer-to-peer listening port of the node for which the permissions have changed. - `raftport`: If using raft as consensus protocol, the raft port of the node for which the permissions have changed. - `orgId`: If using organizations, the relevant organization ID. **Returns** - `result`: A boolean value, where `true` represents granting permissions for a node to access the network.
Client Implementation
A client connecting to a chain that maintains a permissioning contract finds the address of the contract in the network configuration. When a peer connection request is received, or a new connection request initiated, the permissioning contract is queried to assess whether the connection is permitted. If permitted, the connection is established and when the node is queried for peer discovery, this connection can be advertised as an available peer. If not permitted, the connection is either refused or not attempted, and the peer excluded from any responses to peer discovery requests. During client startup and initialization the client begins at a bootnode and initially has a global state that is out of sync. Until the client reaches a trustworthy head it is unable to reach a current version of the node permissioning that correctly represents the current state of the blockchain.
Chain Initialization
At the genesis block an initial permissioning contract is normally included, configured so the initial nodes are able to establish connections to each other. The genesis block is the first block (block 0) of a blockchain.
Account Permissioning

Account permissioning controls which accounts are able to send transactions and the type of transactions permitted.

[P] PERM-240: Enterprise Ethereum clients MUST NOT accept a transaction unless either:

    • The client calls the transactionAllowed function, as specified in Section , for the transaction, with worldstate as at the block's parent, and
    • the function returns a value of true;
    or

[P] PERM-250: On receipt of an AccountPermissionsUpdated event containing an addsRestrictions property with the value true, Enterprise Ethereum clients MUST:

  • Purge all cached results from previous calls to `transactionAllowed` where the result returned was `true`.
  • Impose newly added restrictions on any accounts that have had restrictions added.

[P] PERM-260: On receipt of an AccountPermissionsUpdated event containing an addsPermissions property with the value true, Enterprise Ethereum clients MUST:

  • Purge all cached results from previous calls to `transactionAllowed` where the result returned was `false`.
  • Allow future transactions from accounts that are now permitted.
Account Permissioning Function
The `transactionAllowed` function is found at the address given by the `transactionPermissionContract` parameter in the network configuration. It implements the following interface, including the `AccountPermissionsUpdated` event: 
Interface
[
  {
    "name": "transactionAllowed",
    "stateMutability": "view",
    "type": "function",
    "inputs": [
      {
        "name": "sender",
        "type": "address"
      },
      {
        "name": "target",
        "type": "address"
      },
      {
        "name": "value",
        "type": "uint256"
      },
      {
        "name": "gasPrice",
        "type": "uint256"
      },
      {
        "name": "gasLimit",
        "type": "uint256"
      },
      {
        "name": "payload",
        "type": "bytes"
      }
    ],
    "outputs": [
      {
        "name": "result",
        "type": "bool"
      }
    ]
  },
  {
    "type": "event",
    "name": "AccountPermissionsUpdated",
    "inputs": [
    {
      "name": "addsRestrictions",
      "type": "bool",
      "indexed": false
    },
    {
      "name": "addsPermissions",
      "type": "bool",
      "indexed": false
    }
    ]
  }
]
**Arguments** - `sender`: The address of the account that created this transaction. - `target`: The address of the account or contract that this transaction is directed at. For a creation contract where there is no target, this should be zero filled to represent the `null` address. - `value`: The eth value being transferred in this transaction, specified in Wei (10-18 ETH). - `gasPrice`: The gas price included in this transaction, specified in Wei (10-18 ETH). - `gasLimit`: The gas limit in this transaction, specified in Wei (10-18 ETH). - `payload`: The payload in this transaction. Either empty if a simple value transaction, the calling payload if executing a contract, or the EVM code to be deployed for a contract creation. - `addsRestrictions`: If the rules change that caused the AccountPermissionsUpdated event to be emitted involves further restricting existing permissions, this will be `true`. - `addsPermissions`: If the rules change that caused the AccountPermissionsUpdated event to be emitted grants new permissions, this will be `true`. **Return value** - boolean `result`, where a value of `true` means the account submitting the transaction has permission to submit it, and `false` meaning the account does not.
Client Implementation
A client connecting to a chain that maintains a permissioning contract can find the address of the transactionAllowed function in the transactionPermissionContract parameter of the network configuration. When mining new blocks the node checks the validity of transactions using the appropriate permissioning contract with the state at the block's parent. If not permitted, the transaction is discarded. If permitted, the transaction is included in the new block and the block dispatched to other nodes. When receiving a block the node checks each included transaction using the permissioning contract with the state at the block's parent. If any transactions in the new block are not permitted, the block is considered invalid and discarded. If all transactions are permitted, the block passes the permissioning validation check and is then subject to any other validity assessments the client might usually perform. Depending on the use case of a client, the implementation can also check validity of transactions submitted through RPC methods or received through peer-to-peer communication. For such validation, it is expected that the contracts are used with the state represented at the current head. Reading of a contract is an unrestricted operation.
Contract Implementation
When a transaction is checked by the contract it can be assessed by any of the fields provided to restrict operations, such as transferring value between accounts, rate limiting spend or receipt of value, restricting the ability to execute code at an address, limiting gas expenditure or enforcing a minimum expenditure, or restricting the scope of a created contract. When checking the execution of code at an address, it can be useful to be aware of the `EXTCODEHASH` EVM operation, which allows for checking whether there is code present to be executed at the address that received the request. For restricting the scope of created contracts it might be necessary to do static code analysis of the EVM bytecode payload for properties that are not allowed. For example, restricting creation of contracts that employ the create contract opcode.
Chain Initialization
At the genesis block the permissioning contract function is included in block 0, configured so initial accounts can perform required value transactions, a predetermined set of accounts can invoke the contracts defined in the genesis file, and if desired, a predetermined set of accounts can create new contracts.

Inter-chain

With the rapid expansion in the number of different blockchains and ledgers, inter-chain mediators allow interaction between these blockchains. Like other solutions that provide privacy and scalability, inter-chain mediators can be built in Layer 2, such as using public Ethereum to anchor state as needed for tracking and checkpoints.

Enterprise 3 P's Layer

Privacy, performance, and permissioning are the "3 P's" of Enterprise Ethereum. This section describes the extensions in Enterprise Ethereum that support these requirements.

Privacy and performance solutions are broadly categorized into:

Privacy Sublayer

Many use cases for Enterprise Ethereum blockchains have to comply with regulations related to privacy. For example, banks in the European Union are required to comply with the European Union revised Payment Services Directive [[PSD2]] when providing payment services, and the General Data Protection Regulation [[GDPR]] when storing personal data regarding individuals.

Enterprise Ethereum clients support privacy with techniques such as private transactions and enabling an Enterprise Ethereum blockchain to permit anonymous participants. Clients can also support privacy-enhanced Off-chain trusted computing.

New privacy mechanisms are are also being explored as extensions to public Ethereum, including zero-knowledge proofs [[ZKP]], which is a cryptographic technique where one party (the prover) can prove to another party (the verifier) that the prover knows a value x, without conveying any information apart from the fact that the prover knows the value. [[ZK-STARKS]] is an example of a zero-knowledge proof method. A transaction is a request to execute operations on a blockchain that change the state of one or more accounts. Transactions are a core component of most blockchains, including public Ethereum and Enterprise Ethereum. Nodes processing transactions is the fundamental basis of adding blocks to the chain. A private transaction is a transaction where some information about the transaction, such as the payload data, or the sender or the recipient, is only available to the subset of parties privy to that transaction.

Enterprise Ethereum clients support at least one form of private transactions, as outlined in Section . Private transactions can be realized in various ways, controlling which nodes see which private transactions or transaction data.

Enterprise Ethereum implementations can also support off-chain trusted computing, enabling privacy during code execution.

On-chain Privacy

Various on-chain techniques can improve the security and privacy capabilities of Enterprise Ethereum blockchains.

Protecting data at rest

[P] PRIV-220: Enterprise Ethereum clients SHOULD enable encryption of all data stored by the client.
Since some users will prefer to use a system-wide functionality to do this, a good implementation will support that choice.

Off-chain Privacy (Trusted Computing)

Off-chain trusted computing uses a privacy-enhanced system to handle some of the computation requested by a transaction. Such systems can be hardware-based, software-based, or a hybrid, depending on the use case.

The EEA has developed Trusted Computing APIs for Ethereum-compatible trusted computing [[EEA-OC]].

Privacy Groups

A privacy group is a collection of participants privy to a private transaction. Each member of the group has the ability to decrypt and read a private transaction sent to the group. An Enterprise Ethereum client maintains the public world state for the blockchain and a private state for each privacy group. The private states contain data that is not shared in the globally replicated world state. A private transaction causes a state transition in the public state (that is, a private transaction was committed) and a state transition in the private state (that is, a smart contract state was changed or some information was exchanged in the private state). The `privateFrom` and `privateFor` parameters in the send transaction calls are the public keys of the participants intended to be able to decrypt the private transaction. The `privacyGroupId` parameter uniquely identifies a privacy group. Members of a privacy group are specified by their public keys. A client is expected to propagate a newly created or updated privacy group to the other members which are part of the privacy group.

Private Transactions

The `privateFrom` and `privateFor` parameters in the `eea_sendTransactionAsync` and `eea_sendTransaction` calls specify the public keys of the sender and the intended recipients, respectively, of a private transaction. The private transaction type is specified using the `restriction` parameter. The only type of private transaction defined as required is Restricted private transactions, where payload data is transmitted to and readable only by the parties to the transaction.

Note also that several storage requirements apply to private transactions.

[P] PRIV-010: Enterprise Ethereum clients MUST support restricted private transactions.

Transaction information consists of two parts:

[P] PRIV-005: Enterprise Ethereum clients MUST implement the method to return receipts for restricted private transactions.

[P] PRIV-011: Enterprise Ethereum clients MUST use the SHA3-512 algorithm [[!SHA3]] to calculate hashes of the payload in restricted private transactions.

[P] PRIV-020: Enterprise Ethereum clients MUST encrypt payload data when stored in restricted private transactions.

[P] PRIV-030: Enterprise Ethereum clients MUST encrypt payload data when in transit in restricted private transactions.

[P] PRIV-050: Enterprise Ethereum clients MAY encrypt metadata when in transit in restricted private transactions.

[P] PRIV-060: Nodes that relay a restricted private transaction, but are not party to that transaction, MUST NOT store the payload data.

[P] PRIV-070: Nodes that relay a restricted private transaction, but are not party to that transaction, SHOULD NOT store the metadata.

[P] PRIV-080: The implementation of the eea_sendTransactionAsync, eea_sendTransaction, eea_sendRawTransactionAsync, or eea_sendRawTransaction methods (see Section ) with the restriction parameter set to restricted, MUST result in a restricted private transaction.

[P] PRIV-180: Enterprise Ethereum clients SHOULD be able to extend the set of parties privy to a private transaction (or forward the private transaction in some way).

[P] PRIV-190: Enterprise Ethereum clients SHOULD provide the ability for nodes to achieve consensus on their mutually private transactions.

Performance Sublayer

Performance is an important requirement for Enterprise Ethereum clients because many use cases for Enterprise Ethereum blockchains imply a high volume of transactions, or computationally-heavy tasks. The overall performance of a blockchain is constrained by the slowest node.

There are many different aspects of performance, and instead of mandating specific requirements, this Specification notes the importance of performance, leaving Enterprise Ethereum client developers free to implement whatever strategies are appropriate for their software. This Specification does not constrain experimentation to improve the performance of Enterprise Ethereum clients. This is an active area of research and it is likely various techniques to improve performance will be developed over time, which cannot be exactly predicted.

This Specification does mandate or allow for several optimizations to improve performance. The most important techniques maximize the throughput of transactions.

On-chain (Layer 1 and Layer 2) Scaling

Techniques to improve performance through scaling are valuable for blockchains where processing is kept on the blockchain and have high transaction throughput requirements.

On-chain (layer 1) scaling techniques, like [[sharding]], are changes or extensions to the public Ethereum protocol to facilitate increased transaction speeds.

On-chain (layer 2) scaling techniques use smart contracts, and approaches like [[Plasma]], or [[state-channels]], to increase transaction speed without changing the underlying Ethereum protocol. For more information, see [[Layer2-Scaling-Solutions]].

Off-chain (Layer 2 Compute)

Off-chain computing can be used to increase transaction speeds by moving the processing of computationally-intensive tasks from nodes processing transactions to one or more trusted computing services. This reduces the resources needed by nodes, allowing them to produce blocks faster.

Permissioning Sublayer

Permissioning is the property of a system that ensures operations are executed by and accessible to designated parties. For Enterprise Ethereum, permissioning refers to the ability of a node to join an Enterprise Ethereum blockchain, and the ability of individual accounts or nodes to perform specific functions. For example, an Enterprise Ethereum blockchain might allow only certain nodes to act as validators, and only certain accounts to instantiate smart contracts.

Enterprise Ethereum provides a permissioned implementation of Ethereum supporting peer node connectivity permissioning, account permissioning, and transaction type permissioning.

Nodes

[C] NODE-010: Enterprise Ethereum implementations MUST provide the ability to specify at startup a list of static peer nodes to establish peer-to-peer connections with.

[C] NODE-020: Enterprise Ethereum clients MUST provide the ability to enable or disable peer-to-peer node discovery.

[P] NODE-090: Enterprise Ethereum clients SHOULD implement transaction ordering according to the "by Price and by Nonce" algorithm, sorting transactions by price while respecting the nonce ordering for each account.

[P] NODE-095: Enterprise Ethereum clients MUST specify explicitly and precisely in documentation any transaction ordering logic that is different from that recommended in NODE-090.

Ethereum Accounts

For the purpose of this Specification:

[P] PART-010: Enterprise Ethereum clients MUST provide the ability to specify a list of accounts that are permitted to transact with the blockchain.

[P] PART-015: Enterprise Ethereum clients MUST be able to verify that accounts are present on the list required by PART-010 when adding transactions from the account to a block, and when verifying a received block containing transactions created by that account.

Core Blockchain Layer

The Core Blockchain layer consists of the Storage and Ledger, Execution, and Consensus sublayers. The Storage and Ledger sublayer is provided to store the blockchain state, such as smart contracts for later execution. This sublayer follows blockchain security paradigms such as using cryptographically hashed tries, a UTXO model, or at-rest-encrypted key-value stores. The Execution sublayer implements the Ethereum Virtual Machine (EVM), which is a runtime computing environment for the execution of smart contracts. Each node operates an EVM. Ethereum-flavored WebAssembly [[eWASM]], which has its own instruction set and other computational capabilities, is also implemented at this layer. Smart contracts are computer programs that the EVM executes. Smart contracts can be written in higher-level programming languages and compiled to EVM bytecode. Smart contracts can implement a contract between parties, where the execution is guaranteed and auditable to the level of security provided by Ethereum itself. A precompiled contract is a smart contract compiled into EVM bytecode and stored by a node. Finally, the Consensus sublayer provides a mechanism to establish consensus between nodes. Consensus is the process of nodes on a blockchain reaching agreement about the current state of the blockchain. A consensus algorithm is the mechanism by which a blockchain achieves consensus. Different blockchains can use different consensus algorithms, but all nodes of a given blockchain need to use the same consensus algorithm. Different consensus algorithms are available for both public Ethereum and Enterprise Ethereum. Enterprise Ethereum clients can provide additional consensus algorithms for operations within their private consortium network (an Ethereum blockchain, either public Ethereum or Enterprise Ethereum, which is not part of the Ethereum MainNet).

Storage and Ledger Sublayer

To operate an Enterprise Ethereum client, and to support optional off-chain operations, local data storage is needed. For example, clients can locally cache the results from a trusted oracle or store information related to systems extensions that are beyond the scope of this Specification.

Private State is the state data that is not shared in the clear in the globally replicated state tree. This data can represent bilateral or multilateral arrangements between parties, for example in private transactions.

[P] STOR-040: Enterprise Ethereum clients SHOULD permit a smart contract operating on private state to access private state created by other smart contracts involving the same parties to the transaction.

[P] STOR-050: Enterprise Ethereum clients MUST NOT permit access to private state created by smart contracts except by parties to the transaction.

[P] STOR-070: Enterprise Ethereum clients SHOULD encrypt any private state held in persistent storage.

Execution Sublayer

[P] EXEC-010: Enterprise Ethereum clients MUST provide a smart contract execution environment implementing the public Ethereum EVM opcode set [[!EVM-Opcodes]] that are compatible with the London network upgrade [[!ef-London]].

[P] EXEC-020: Enterprise Ethereum clients that provide a smart contract execution environment extending the public Ethereum EVM opcode set [[!EVM-Opcodes]] MUST register the opcode and the name of the Enterprise Ethereum client in the [[!EEA-extended-opcode-registry]].

[P] EXEC-025: Enterprise Ethereum clients that provide a smart contract execution environment extending the public Ethereum EVM opcode set [[!EVM-Opcodes]] SHOULD register a description of the new functionality, and a URL for a complete specification and test suites in the [[!EEA-extended-opcode-registry]], and create an EIP describing the new opcode.

[P] EXEC-030: Enterprise Ethereum clients SHOULD support the ability to synchronize their public state with the public state held by other public Ethereum nodes.

Trusted computing ensures only authorized parties can execute smart contracts on an execution environment available to a given Enterprise Ethereum blockchain.

Multiple encryption techniques can be used to secure trusted computing and private state.

[C] EXEC-060: Enterprise Ethereum clients MAY support configurable alternative cryptographic curves as encryption options for Enterprise Ethereum blockchains.

Consensus Sublayer

At least one common consensus algorithm implemented by all clients is necessary to ensure interoperability between clients. [[Byzantine-Fault-Tolerant]] consensus algorithms ensure a certain proportion of malfunctioning nodes performing voting, block-making, or validation roles do not pose a critical risk to the blockchain. This makes them an excellent choice for many blockchains.

[P] CONS-092: Enterprise Ethereum clients MUST support the QBFT Byzantine Fault Tolerant consensus algorithm [[!QBFT]].

[P] CONS-093: Enterprise Ethereum clients MUST support the Clique, Proof of Authority consensus algorithm [[EIP-225]].

[P] CONS-110: Enterprise Ethereum clients MUST provide the ability to specify the consensus algorithms, through network configuration, to be used for each public blockchain and private blockchain in use.

Network Layer

The Network layer consists of a peer-to-peer networking protocol implementation allowing nodes to communicate with each other. For example, the DEVp2p protocol, which defines messaging between nodes to establish and maintain a communications channel for use by higher layer protocols.

Network Protocol Sublayer

Network protocols define how nodes communicate with each other.

[P] PROT-010: Nodes MUST be identified and advertised using the Ethereum [[!enode]] URL format.

[P] PROT-015: Enterprise Ethereum clients MUST implement the [[!DEVp2p-Node-Discovery]] protocol.

The [[Ethereum-Wire-Protocol]] defines higher layer protocols, known as capability protocols, for messaging between nodes to exchange status, including block and transaction information. [[Ethereum-Wire-Protocol]] messages are sent and received over an already established DEVp2p connection between nodes.

[P] PROT-020: Enterprise Ethereum clients MUST use the [[!DEVp2p-Wire-Protocol]] for messaging between nodes to establish and maintain a communications channel for use by capability protocols.

[P] PROT-050: Enterprise Ethereum clients MUST be capable of making direct connections to any number of nodes specified as participants in a private transaction.

[P] PROT-060: Enterprise Ethereum clients SHOULD implement the [[!Whisper-protocol]].

[P] PROT-070: Enterprise Ethereum clients MUST interpret the parameters defined in Section for network configuration when found in the genesis file.

Network configuration refers to the collection of settings defined for a blockchain as described in Section , such as the addresses of the permissioning contracts. It is a set of parameters included as JSON data in the genesis file (genesis.json).

Cross-client Compatibility

Cross-client compatibility refers to the ability to make an Enterprise Ethereum client based on a mainnet client. As far as possible, this specification maintains compatibility with mainnet, including following network upgrades (formerly known as hard forks).

[P] XCLI-001: Enterprise Ethereum clients MUST implement [[!EIP-155]] (included in the Spurious Dragon hard fork) to introduce `chain_id` into transaction signing.

[P] XCLI-002: Enterprise Ethereum clients MUST implement [[!EIP-658]] (included in the Byzantium hard fork) to embed the transaction status code in receipts.

[P] XCLI-004: Enterprise Ethereum clients MUST implement the Typed Transaction Envelope defined in [[!EIP-2718]].

[P] XCLI-006: Enterprise Ethereum clients MUST implement the Access List transaction type defined in [[!EIP-2930]].

[P] XCLI-006: Enterprise Ethereum clients MUST reject contracts whose first byte has the hexadecimal value `EF`, as specified in [[!EIP-3541]].

Future versions of this Specification are expected to align with newer versions of public Ethereum as they are deployed.

This Specification extends the capabilities and interfaces of public Ethereum. The requirements relating to supporting and extending the public Ethereum opcode set are outlined in Section .

[P] XCLI-020: Enterprise Ethereum clients MAY extend the public Ethereum APIs. To maintain compatibility, Enterprise Ethereum clients SHOULD ensure these new features are a superset of the public Ethereum APIs.

[P] XCLI-030: Enterprise Ethereum clients MUST implement the gas mechanism specified in the [[!Ethereum-Yellow-Paper]].

[P] XCLI-035: Enterprise Ethereum clients MUST implement the same gas cost per opcode used in the main net's London hard fork. [[!ef-London]].

[P] XCLI-040: Enterprise Ethereum clients MUST function correctly when the Gas price is set to zero.

[P] XCLI-050: Enterprise Ethereum clients MUST implement the eight precompiled contracts defined in Appendix E of the [[!Ethereum-Yellow-Paper]]:

Cross-client compatibility extends to the different message encoding formats used by clients.

[P] XCLI-051: Enterprise Ethereum clients MUST implement the precompiled contract for [[!RFC7693]] Blake 2b F compression defined in [[!EIP-152]]

[P] XCLI-055: Enterprise Ethereum clients MUST register precompiled contracts following the mechanisms defined by [[!EIP-1352]].

[P] XCLI-060: Enterprise Ethereum clients MUST support the Contract Application Binary Interface ([[!ABI]]) for interacting with smart contracts.

[P] XCLI-070: Enterprise Ethereum clients MUST support Recursive Length Prefix ([[!RLP]]) encoding for binary data.

Ethereum Toolchain Compatibility

Making Enterprise Ethereum clients compatible with tools commonly used on mainnet means that participants have a broad range of tools to work with, and helps take advantage of the widespread knowledge of developing for Ethereum.

[C] MTRC-010: Enterprise Ethereum clients MUST implement [[!EIP-2159]].

EIP 2159 mandates that certain metrics information is available in a commonly-used format: - `ethereum_blockchain_height` - `ethereum_best_known_block_number` - `ethereum_peer_count` - `ethereum_peer_limit`

Cross-chain Interoperability

Cross-chain interoperability broadly refers to the ability to consume data from another chain (read) and to cause an update or another transaction on a distinct chain (write).

Cross-chain interoperability can take two forms: - Ethereum to Ethereum (for example, two or more logically distinct EVM-based chains) - Ethereum to another blockchain architecture. Cross-chain interoperability is seen as a valuable feature by both the Enterprise Ethereum community and outside. Users of blockchain and blockchain-inspired platforms want to make use of data and functionality on heterogenous platforms. The goals for cross-chain interoperability in this specification are to: - Describe the layers of interoperability that are relevant to Enterprise Ethereum blockchains. - Enable data consumption between different blockchains without using a trusted intermediary. - Allow transaction execution across blockchains without a trusted intermediary.

Synchronization and Disaster Recovery

Synchronization and disaster recovery refers to how nodes in a blockchain behave when connecting for the first time or reconnecting. Various techniques can help do this efficiently. For an Enterprise Ethereum blockchain with few copies, off-chain backup information can be important to ensure the long-term existence of the information stored. A common backup format helps increase client interoperability.

Additional Information

Defined Terms

The following is a list of terms defined in this Specification.

Defined Events, Functions, and Parameters

The following is a list of events, functions, and parameters defined in this Specification:

Summary of Requirements

This section provides a summary of all requirements in this Specification.

Acknowledgments

The EEA acknowledges and thanks the many people who contributed to the development of this version of the specification. Please advise us of any errors or omissions. This version builds on the work of all who contributed to [previous versions of the Enterprise Ethereum Client Specification](https://entethalliance.org/resources/), whom we hope are all acknowledged in those documents. We apologize to anyone whose name was left off the list. Please advise us at [https://entethalliance.org/contact/](https://entethalliance.org/contact/) of any errors or omissions. We would also like to thank our former co-editors Grant Noble and Robert Coote who worked on the first 5 versions, David Hyland-Wood (version 1) and Daniel Burnett (version 2), and former EEA Technical Director, the late and missed Clifton Barber, for their work on previous versions of this specification. Enterprise Ethereum is built on top of Ethereum, and we are grateful to the entire community who develops Ethereum, for their work and their ongoing collaboration to helps us maintain as much compatibility as possible with the Ethereum ecosystem.

Changes

Full details of all changes since the version 1.0 release of this Specification are available in the [GitHub repository for this Specification](https://github.com/entethalliance/client-spec). This section outlines substantive changes made to the specification since version 6:

New Requirements

- [**MTRC-010**](#req-mtrc-010):require clients to export metrics in the common form defined in [[EIP-2159]]. - [**XCLI-005**](#req-xcli-005):require clients to implement the Typed Transaction Envelope defined in [[EIP-2718]]. - [**XCLI-006**](#req-xcli-006):require clients to implement the Access List transaction type defined in [[EIP-2930]] (part of the Berlin upgrade). - [**XCLI-006**](#req-xcli-006):require clients to reject contracts whose first byte is `EF` as specified in [[EIP-3541]] (part of the London upgrade). - [**PRIV-005**](#req-priv-005):require clients to implement `eea_getPrivateTransactionReceipt` to provide receipts for restricted private transactions. - [**JRPC-035**](#req-jrpc-035):require clients to implement a standard error when restricted private transactions are created with invalid parameters. - [**CONS-092**](#req-cons-092): require support for the QBFT consensus algorithm. - [**PRIV-220**](#req-priv-220): clients SHOULD support encryption for all stored data. - [**PERM-300**](#req-perm-300) and [**PERM-330**](#req-perm-330): permissioning contracts supplied with clients SHOULD be certified to conform to EthTrust Security Levels (1, or 3). Note that this specification foreshadows a possible requirement for the use of CBOR [[rfc8949]] as a messaging format for restricted private transactions, pending feedback from implementors.

Updated Requirements

- [**XCLI-010**](#req-xcli-010) to require EVM compatibility with London network upgrade, (was Istanbul, and Berlin in editors' draft). - [**XCLI-035**](#req-xcli-035) to require gas price compatibility with London network upgrade, (was Istanbul, and Berlin in editors' draft). - [**PRIV-010**](#req-priv-010) to require implementing restricted private transactions.

Requirements removed

- [**EXEC-050**] Requirement to implement a precompile designed to support SGX-based trusted computing. - [**FINL-010**] Requirement for recognising finality, since it was not implementable by the client and is a function of the consensus algorithm used and any relevant external policy or regulation. - [**CONS-050**] Allowing clients to support multiple consensus algorithms. In principle anything the specification does not forbid is allowed for a conforming client, and since we require at least two consensus algorithms to be implemented, the requirement is redundant. - [**PRIV-040**], [**PRIV-090**], [**PRIV-100**], [**PRIV-110**] clients MAY or SHOULD encrypt specific types of data in storage. - [**PRIV-120**], [**PRIV-130**], [**PRIV-140**], [**PRIV-150**], [**PRIV-160**], [**PRIV-170**], [**PRIV-210**] Remove the requirements for unrestricted private transactions Similar sections in version 2, version 3, version 4, version 5, and version 6 describe the changes made to each version. Old requirements have been removed from earlier versions of the specification, for a variety of reasons. The full list of requirements removed in earlier versions is: ACCT-010, ACCT-020, CONS-010, CONS-020, CONS-030, CONS-040, CONS-050, CONS-060, CONS-070, CONS-080, CONS-090, CONS-100, DAPP-010, ENTM-010, ENTM-020, ENTM-030, ENTM-040, ENTM-050, ENTM-060, EXEC-050, FINL-010, ICHN-010, ILIB-010, JRPC-011, JRPC-060, NODE-030, NODE-040, NODE-050, NODE-060, NODE-070, NODE-080, OFFCH-010, ORCL-010, PART-020, PART-025, PART-030, PART-040, PART-050, PART-055, PART-060, PART-070, PERM-075, PERF-010, PERF-020, PERF-030, PERF-040, PERM-010, PERM-020, PERM-030, PERM-040, PERM-050, PERM-060, PRIV-040, PRIV-090, PRIV-100, PRIV-110, PRIV-120, PRIV-130, PRIV-140, PRIV-150, PRIV-160, PRIV-170, PRIV-200, PRIV-210, PROT-040, SCAL-010, SCAL-020, SMRT-010, SMRT-020, SMRT-050, SPAM-010, STOR-010, STOR-020, STOR-030, STOR-060, SYNC-010, SYNC-020, XCLI-005, and XCLI-010.