HOPR introduces data verifiability with Ceramic

How the HOPR network is using Ceramic to provide off-chain logging information to node runners, while keeping the data private.

HOPR introduces data verifiability with Ceramic

The HOPR protocol is a layer-0 privacy foundation for the new generation of decentralized applications. The incentivized HOPR mixnet lets any application send data without leaking data or metadata. HOPR nodes will rely on Ceramic to track node payments without sacrificing user privacy.

Interested in learning more about the privacy protocol? Visit HOPRnet.org to run a node yourself.

Encryption is not enough for privacy

Standard end-to-end encryption does not provide sufficient privacy, because it still leaks important metadata, such as who is exchanging data, when, and how often. Given enough metadata, global adversaries and private companies can identify your behavior across multiple applications, even when the content of the traffic you exchange remains encrypted. Services like VPNs can hide your information from your internet service provider (ISP) but can’t protect you from the general fingerprinting of your browser, mobile devices and websites visits on a daily basis. Over time, this online behavior creates a profile that can be traced.

HOPR addresses this challenge by ensuring all the data and metadata you produce and consume online stays private. To do this, HOPR feeds content through a state-of-the-art mixnet - the HOPR network.

The HOPR protocol

HOPR incentivizes node runners who relay packets using its own currency, the HOPR token. Messages routed through the network are embedded with HOPR tokens in the form of “tickets” to pay each node along the route. HOPR’s proof of relay mechanism ensures a node can’t claim a ticket until the data packet is relayed to the next downstream node. This creates positive incentives for nodes to be good actors in the network. Tickets are cashed out via an Ethereum compatible blockchain (EVM) but are not always valid. This probabilistic payment system ensures a node’s online behavior can not be analyzed using timing attacks.

To ensure privacy at any level of network usage, the HOPR network is constantly fed with cover traffic: arbitrary data which provides cover for real users. This is particularly important in the early years of the network, when usage will understandably be lower.

The HOPR Association has allocated 250M HOPR tokens to cover traffic, to be released over four years. These will be issued anonymously by nodes sponsored by the HOPR Association and routed through nodes based on multiple parameters including HOPR tokens staked, amount of channels open, and general connectivity.

Verify off-chain activity without compromising privacy

This incentivized cover traffic system, combined with proof of relay, is what sets HOPR apart from other privacy networks, which either lack the proper incentives to scale or end up compromising on privacy or decentralization. Privacy networks are very challenging to develop and then test - how can you monitor and verify node activity without sacrificing privacy?

This is particularly important for the development of cover traffic and the long-term economic balancing of the network. Since running HOPR nodes incurs electricity and internet bandwidth costs, it’s important to be able to distinguish between the kickstarter cover traffic (artificially high for the first four years) and real traffic (initially minimal, but growing as the network scales).

Tickets issued by cover traffic can be tagged as such and shared off-chain. This would allow analysis but prevent inspection by other nodes. The HOPR team needed a reliable way to implement this approach, since simply logging this information in a decentralized IPFS node, which anyone can add data, would allow  information about cover traffic metrics to be skewed or manipulated by any party in the network.

Using Ceramic to create a decentralized monitoring tool for HOPR nodes

Using Ceramic, HOPR can propagate user-specific data and allow node runners to inspect and share their node's information as needed. To do this, nodes create a log entry in a Ceramic Stream, a DAG-based data structure for storing continuous, mutable streams of content on IPFS, every time they receive a particular message (for example, one with the cover traffic tag). Since this information is published with the secp256k1 private key used by the HOPR nodes, this information can be connected to a HOPR node and verified as such. This prevents outside manipulation of data.

HOPR node runners can use the HOPR dashboard to see their node data, and by checking the Ceramic Streams pinned by their nodes, obtain meaningful information about the cover traffic sent to their nodes. In this way, Ceramic not only helps HOPR developers, but also allows users themselves to verify the state of the network without involuntarily compromising their privacy.

Previous iterations of HOPR testnets issued unverifiable cover traffic via a bot, which was cumbersome and of limited utility. Thanks to Ceramic, HOPR nodes can now easily compare notes and assess their own ability to connect to other nodes.

The HOPR Network is the first of its kind using Ceramic to log decentralized data for an open-source protocol, and we believe this approach can be used by any project which relies on peer-to-peer off-chain data, which would otherwise be unverifiable.

Using IDX to connect HOPR nodes to external accounts

Since HOPR nodes have their own private keys, which need to quickly sign and submit transactions on-chain, each node has a unique private identity. This is extremely important for privacy, but it also makes engaging with a community of node runners challenging. As a result, it wasn't trivial for the HOPR team to link HOPR node runners to another digital identity, enrich node runner data, or perform promotional actions linked to their staking program, which would be trivial in a centralized (but not private) setting. This is where Ceramic provides a lot more flexibility.

The identities of HOPR node runners are private, but they don’t have to be anonymous. It’s possible to connect node runners with another digital identity, as long as that connection is verifiable.

The HOPR team has already started using Ceramic’s identity protocol, IDX, for this use case in a recent testnet on the Polygon network. HOPR nodes leverage IDX to connect to external Ethereum accounts outside of the HOPR network. With IDX, HOPR nodes now have the ability to sign an Ethereum account, enabling users to connect their nodes with an existing pseudonymous digital identity - real or not.

What's next for HOPR?

In the coming weeks, the HOPR team will start to test our cover traffic nodes, which will become the cornerstone for the HOPR network. The HOPR Association will continue to run testnets with the community to finetune the HOPR protocol. From there, node adoption and development of the protocol will continue alongside the community. The HOPR team will continue to use Ceramic to strike the right balance between data gathering and privacy.

We’re excited about what’s next to come for the HOPR team and the impact they'll have on data privacy. Learn more on the HOPR website, follow them on Twitter or jump into the Telegram group to get involved.

Website | Twitter | Discord | GitHub | Documentation | Blog | IDX Identity