The highest-stakes onchain markets, including perp exchanges, orderbooks, and institutional rails, rely on data that cannot be public. Positions, balances, liquidations, and routing logic are inherently sensitive, yet hiding this data pushes risk back onto users and undermines the core promise of being onchain. Independent auditing and safe exits become dependent on trusted offchain operators, weakening verifiability exactly when it matters most.

Enter Celestia’s Private Blockspace: a new way to keep sensitive data private yet accountable using Verifiable Encryption. Networks publish encrypted state to Celestia, allowing anyone to verify data availability and protocol commitments without revealing the underlying contents. The result is private systems with public verifiability guarantees: fault-resistant, auditable, and architecture designed to support safe exit mechanisms.

Private Blockspace uses the Celestia network, inheriting the stability and scale demanded by production workloads. With Celestia’s blockspace handling 5.3 MB/s today and Fibre Blockspace designed to unlock the capability for 1 Tb/s of throughput under target conditions, it’s built for applications where performance, like privacy, is non-negotiable.

Mechanisms around encryption key generation and sharing are customizable for developers to design, with a proposed protocol that optimizes for end user interests in this section.

Private Blockspace, at a glance

• For exchanges and institutional onchain infrastructure that require private state with public verifiability guarantees
• Keep balances, positions, and order flow confidential without pushing trust onto operators
• Publish encrypted state to Celestia so anyone can verify data is available and accounted for
• The result: private systems that are publicly accountable, fault-resistant, and safe to exit.

Contact us about deploying Private Blockspace, or check out the docs.

What’s possible with Private Blockspace

Accountable offchain exchanges

In centralized services, like centralized exchanges, there is typically full trust in a single protocol operator by all users. This can be a privacy benefit: all operations and application state are only known in full to the operator. With fully ZK-proven protocols settling on a layer 1 blockchain, like ZK rollups or central limit order book exchanges (CLOBs), the operator is fully constrained to correctly settle trades and orders, but if they are unwilling or unable to process orders to withdraw liquidity, those users' funds may become trapped. With Private Blockspace, protocol operators can be required by protocol design to prove availability of that state, while only selectively disclosing confidential internals under conditions defined by the application’s design and governance.

In production: Hibachi

For example, Hibachi is the first independent deployment using Private Blockspace for a fast perps exchange. Hibachi publishes verifiably encrypted exchange state to Celestia, keeping balances and positions private, while making data availability and correctness publicly verifiable.

Network operators can selectively disclose data to third parties, most notably each user for their specific state. Hibachi is working towards a path where users may be able to recover funds from the otherwise confidential exchange state. See the account-centric model described below for an initial design on how that may be achieved.

Trust Minimized Data Marketplaces

Private Blockspace also enables trust minimized data markets where private data can be exchanged without intermediaries. Sellers publish verifiably encrypted data to Celestia, allowing buyers to verify availability and integrity before payment—without accessing the data itself. 

This shifts trust from intermediaries to verification: payment is enforced only once data availability is proven, protecting both buyers and sellers. The result is private data exchange that is auditable, fault-resistant, and verifiable by design.

How it works

Private Blockspace on Celestia allows distribution of encrypted user state while also publicly proving select properties of that state. With today’s encryption schemes, it is generally considered computationally infeasible to prove that the ciphertext is anything but random noise - otherwise you leak information that likely will lead to breaking the encryption completely. That’s why Private Blockspace is paired with a new primitive protocol: Verifiable Encryption.

Verifiable Encryption (VE)

VE proves select properties of fully encrypted data without decryption. Assertions like “this encrypted data contains a Merkle proof with root of 0xabc123…” are now possible with VE that are impossible for normally encrypted data. Running encryption in a zkVM proves that a specific key/nonce/cryptographic algorithm was used, while also providing “anchors” attesting to any properties of the unencrypted data (like its hash). For details and pure VEs use cases outside of just Private Blockspace, see this document on Verifiable Encryption in depth.

Key Exchange and Management Strategies

When using Private Blockspace, there is a critical question of how to manage keys to decrypt: who gets them under what circumstances? If keys are withheld, it practically means the data is withheld. So how can keys be available without publicly revealing them? Fortunately, many key exchange and reconstruction protocols exist that can resolve this. A proposed account-centric model enables encryption keys to be user-defined prior to data being encrypted and published. Here are a few options:

Account-centric model

With an account-centric model of Private Blockspace, it can be enforced that *all* account data was made available publicly, and also encrypted such that the only parties able to decrypt a specific account state are parties holding the user's specified key to encrypt their state with.

User Defined Encryption Keys: Users create and define keys for their account's encryption, and require protocols to use the new keys. Thus ensuring they are always able to decrypt state, while enabling forward secrecy.

Conditional Selective Disclosure: Users can specify decryption only by specific parties through standard public key crypto and key exchange protocols. Additionally, multi-party conditions can be implemented through threshold encryption and related schemes.

User-Initiated Protocol Progression: If implemented within the application, users should be able to progress the protocol by proving a correct STF on their state onchain without requiring any other party. This enables "forced" state updates, such as enabling withdrawal workflows for tokens deposited into the protocol, with or without Private Blockspace. 

For more details check out the Private Blockspace implementation or to learn how Private Blockspace can fulfill your requirements, please get in touch with the Celestia Labs team here.

Disclaimer

Private Blockspace and related components (including verifiable encryption) are experimental technologies that may require additional application logic and third-party infrastructure. Celestia Labs provides the underlying modular data availability infrastructure only and does not operate, control, or endorse any applications, networks, or third-party projects that may use these technologies. Builders and operators are solely responsible for the design, deployment, and operation of any applications built with or upon Celestia’s infrastructure, including compliance with all applicable laws, regulations, and licensing requirements in relevant jurisdictions.. Any references in this post to financial use cases (such as exchanges, stablecoins, or tokenized assets) are illustrative examples of potential architectures, not representations of existing or future Celestia Labs products or services. Nothing in this post constitutes investment, legal, or financial advice, or an offer to buy or sell any token, security, or financial instrument. References to third-party projects, including Hibachi, are for informational purposes only and do not imply partnership, endorsement, or affiliation.Nothing in this post constitutes investment, legal, or financial advice, nor an offer to buy or sell any token or asset. Celestia Labs only provides underlying infrastructure, not financial, exchange, or payment services.