No, aggregate properties of private assets, such as total supply cap, cannot be verified by every user on Canton yet. If this is the main criticism of Canton, I wholeheartedly accept it!
All of the claims people are throwing on X about Canton not being decentralized, not being cryptographically verifiable, and requiring complete trust in institutions are red herrings. Your observation is the only correct critique of Canton I've seen yet.
I agree that publicly proving aggregate amounts is a desired property and that all transparent chains have it. zkSync Prividiums also have it, under the assumption that the entire ZKP stack works as advertised. Canton does not (yet) have this property.
Now that we've distilled it to the core property that Canton lacks, we can talk about why the importance of it is completely overblown, and why this hasn't been a concern in practice for any users:
(1) Many privacy assets on Canton have decentralized BFT issuers. You're not trusting any single institution; you're trusting a BFT consensus. A single honest Validator can report and cryptographically prove dishonest behavior.
(2) For asset-backed tokens, Canton has the same trust model as transparent public chains. You ALREADY rely completely on an independent auditor to review that the aggregate amount on-chain equals the off-chain amount. Those same auditors cryptographically and independently audit the on-chain amount in Canton. We're already trusting stablecoin providers + their auditors to maintain the on- vs off-chain reserves, so the trust model on Canton is exactly the same! But Canton makes it much better - we're moving to a world where tokenized US Treasuries are on-chain, so the auditor gets cryptographic independent verification of the peg. If anything, Canton is the ONLY blockchain bringing on-chain cryptographic verifiability of RWA reserves! Repo transactions on Canton are the only repo transactions in the world where there's distributed cryptographic verification that your asset is fully backed!
(3) For fully dematerialized assets, the registrar is legally allowed to change the aggregate amount. The important thing is that it's auditable by the issuer, not that it's publicly auditable. If DTCC tells you that Tesla has 3.3b shares outstanding, even if you could verify that aggregate number on-chain, can you independently verify that that's the correct amount? Only Tesla can say whether that number is correct so they're the only voice that matters from a trust-model perspective.
All that said, I agree that publicly proving aggregate properties is a nice-to-have. But it's never been desirable enough to justify the trade-off of adding significant complexity to the software stack. Running a Canton Validator in a TEE would be dead simple and give you that property (with different trust assumptions), yet in practice, no one seems to think it's important enough to justify even that modest investment. This is actually one area where retrofitting ZKPs on top of Canton would not be very hard!
By relaxing this single requirement, Canton has been able to add many other security properties.