This repository has been archived by the owner on Dec 21, 2020. It is now read-only.
Robert Kiel edited this page Jan 6, 2020 · 17 revisions

Welcome to the Wiki of Hopr 🎉

Background

Messaging should be done in a secure way. What "secure" means seems clear at first, but on closer inspection the definition of secure communication becomes more complex:

  1. Secure communication should prevent unauthorized parties from learning the content of the message. This security goal is known as confidentiality and is achieved by suitable encryption schemes such as AES.
  2. The sender of the message also wants to make sure that any manipulation of the message is detectable by the designated receiver. This property is known as integrity and can be achieved with a suitable scheme that generates message authentication codes, such as HMAC.

The combination of both schemes yields a construction that allows a sender to hide the content of the message and make the integrity of the message verifiable. However, this construction does not hide that sender and receiver have exchanged messages. It also leaks an upper bound that shows how much communication took place. A possible adversary might therefore also distinguish short conversations from longer ones. If the adversary were also able to observe actions that follow the reception of messages, the adversary might be able to reason about the content of the observed encrypted data without breaking the encryption scheme. This shows that in some cases confidentiality and integrity are not enough and it is also mandatory to protect metadata.
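The construction described above, as an added example that is not code from the Hopr project: AES-256-CTR combined with HMAC-SHA256 (encrypt-then-MAC) using Node.js's built-in crypto module, showing that manipulation is rejected while the packet size still reveals the message length. The keys, function names and the fixed 256-byte padded size are assumptions made for this illustration; the padding step goes beyond the text to show one way of removing the length signal.

```javascript
const { createCipheriv, createDecipheriv, createHmac,
        randomBytes, timingSafeEqual } = require("crypto");

// Constructed demo keys: one for encryption, an independent one for the MAC.
const ENC_KEY = randomBytes(32);
const MAC_KEY = randomBytes(32);
const IV_LEN = 16, TAG_LEN = 32;

// Encrypt-then-MAC: packet = iv || AES-256-CTR(plaintext) || HMAC-SHA256(iv || ciphertext)
function seal(plaintext) {
  const iv = randomBytes(IV_LEN);
  const cipher = createCipheriv("aes-256-ctr", ENC_KEY, iv);
  const body = Buffer.concat([iv, cipher.update(plaintext), cipher.final()]);
  const tag = createHmac("sha256", MAC_KEY).update(body).digest();
  return Buffer.concat([body, tag]);
}

// Returns the plaintext, or null if the packet was manipulated in transit.
function unseal(packet) {
  if (packet.length < IV_LEN + TAG_LEN) return null;
  const body = packet.subarray(0, packet.length - TAG_LEN);
  const tag = packet.subarray(packet.length - TAG_LEN);
  const expected = createHmac("sha256", MAC_KEY).update(body).digest();
  if (!timingSafeEqual(tag, expected)) return null; // check the MAC before decrypting
  const decipher = createDecipheriv("aes-256-ctr", ENC_KEY, body.subarray(0, IV_LEN));
  return Buffer.concat([decipher.update(body.subarray(IV_LEN)), decipher.final()]);
}

// What an observer without any key reads off the wire: the exact plaintext length.
function observedLength(packet) {
  return packet.length - IV_LEN - TAG_LEN;
}

// Pad to a fixed size before sealing so every packet looks the same on the wire.
// Layout: 2-byte big-endian length || message || zero padding (size is an assumed value).
function padTo(message, size = 256) {
  if (message.length > size - 2) throw new RangeError("message too long for packet");
  const out = Buffer.alloc(size);
  out.writeUInt16BE(message.length, 0);
  message.copy(out, 2);
  return out;
}

function unpad(padded) {
  return padded.subarray(2, 2 + padded.readUInt16BE(0));
}
```

Padding removes the per-message length signal only; who sends packets to whom, and how many, remains visible to an observer.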

To hide who is communicating with whom, sender and receiver need other parties that help them hide that kind of information. More precisely, sender and receiver will always rely on the services of other parties. There might be parties that deliver this service for free in order to support their ideological beliefs. "For free" means in this context that these parties pay the incurred costs themselves. These costs include not only the price of the required hardware but also recurring costs like electricity or bandwidth. In addition, one might also consider legal costs in order to deal with abuse complaints.

If there is no incentive to run a service that provides anonymity, people that use this network need to rely on altruistic parties that offer such a service for the greater good. It seems therefore reasonable to compensate the parties that provide anonymity as a service. This becomes especially important if one relies on such a network or wants to run an application on top of such a network at scale.

Definitions:

The purpose of this section is to explain the security guarantees stated below.

Integrity

An adversary who is not in possession of the required secret is unable to convince the recipient of the message of the validity of a manipulated message. More precisely, the success probability that the adversary is able to find a new message that the receiver considers valid is negligible with respect to some security parameter.

Confidentiality

A potential adversary who is not in possession of the required secret does not learn the transferred messages. More precisely, the success probability that the adversary is able to distinguish the transferred message from a randomly chosen message of the same length is negligible with respect to some security parameter.

Sender anonymity

Neither the receiver nor a potential adversary who is able to observe the communication in the network is able to determine which of the nodes has sent the message. More precisely, the success probability that the adversary determines the sender of the message is sufficiently low with respect to the number of nodes in the network.

Remark: The sender can specify its identity inside the payload to link its identity to the message, but does not need to.

Receiver anonymity

Same as sender anonymity, but for the receiver.

Sender-receiver anonymity

The sender is able to communicate with the receiver without knowing which of the nodes in the network belongs to the receiver. More precisely, the success probability that the sender of the message is able to detect which node in the network belongs to the receiver is sufficiently low with respect to the number of nodes in the network.

Remark: This property allows the sender to prepare a message to the receiver such that the receiver will be able to reply to the sender without knowing which node in the network belongs to the sender.

Key features

  • Security properties:
    • Integrity
    • Confidentiality through end-to-end encryption
    • Sender* & receiver anonymity**
  • Incentives for relay operators that:
    • preserve the previously mentioned security guarantees
    • allow efficient & automatic on-chain verification of inappropriate transactions in order to punish the sender of that transaction
    • allow them to have a working business model that covers their expenses
    • get along without using inefficient cryptographic building blocks like homomorphic encryption and zero-knowledge proofs
  • Decentralized message delivery & decentralized directory service through WebRTC in combination with libp2p
  • Token & blockchain agnostic:
    • token must be transferable through payment channels
    • blockchain must support smart contracts that allow: string/byte concatenation, hashing & signature verification of chosen messages

Planned features

  • Security properties:
    • Sender-receiver anonymity
  • Scalable anonymity: Senders can choose the degree of anonymity that they want to achieve. In particular, they will be able to define:
    • a strategy upon which the intermediate nodes are picked
    • how much cover traffic is sent along the messages
    • how much latency the relay nodes should add

Technical Description

The construction consists of two layers: one for message delivery and one for payments. Messages are embedded within the SPHINX packet format, which provably hides the relation between sender and receiver. The payment layer uses off-chain payments via payment channels, and node operators need to stake assets to process transactions.

  • message delivery
    • network layer establishes a peer-to-peer connection between the nodes. To achieve that, the implementation uses libp2p in combination with WebRTC to bypass NATs. This allows each node to become a relay node and earn money.
    • messaging layer hides the connection between sender and receiver of a message. To do so, it uses a slightly modified version of the SPHINX packet format by G. Danezis and I. Goldberg.
  • payment layer
    • principle(s) explains the principles used to design incentives that satisfy the stated security properties.
    • protocol details gives a deeper description of how the mechanisms work.
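
To illustrate the idea behind the messaging layer, the following added example (not Hopr's code and not the SPHINX format itself) wraps a message in one AES-256-GCM layer per hop, so that each node learns only the next hop. The node names and pre-shared per-hop keys are assumptions; SPHINX instead derives the per-hop keys from a Diffie-Hellman exchange and keeps the packet size constant.

```javascript
const { createCipheriv, createDecipheriv, randomBytes } = require("crypto");

// Constructed per-hop keys for hypothetical nodes (pre-shared for this demo only).
const keys = { relayA: randomBytes(32), relayB: randomBytes(32), receiver: randomBytes(32) };

// One layer: iv(12) || tag(16) || AES-256-GCM(len(nextHop) || nextHop || inner)
function wrapLayer(key, nextHop, inner) {
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  const plain = Buffer.concat([Buffer.from([nextHop.length]), Buffer.from(nextHop), inner]);
  const ct = Buffer.concat([cipher.update(plain), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

// A node removes its own layer; decipher.final() throws if the key is wrong
// or the packet was modified.
function peelLayer(key, packet) {
  const decipher = createDecipheriv("aes-256-gcm", key, packet.subarray(0, 12));
  decipher.setAuthTag(packet.subarray(12, 28));
  const plain = Buffer.concat([decipher.update(packet.subarray(28)), decipher.final()]);
  const n = plain[0];
  return { nextHop: plain.subarray(1, 1 + n).toString(), inner: plain.subarray(1 + n) };
}

// The sender builds the packet from the innermost layer outwards.
function buildOnion(path, message) {
  let packet = Buffer.from(message);
  let next = ""; // an empty next hop marks the final destination
  for (let i = path.length - 1; i >= 0; i--) {
    packet = wrapLayer(keys[path[i]], next, packet);
    next = path[i];
  }
  return packet;
}

// Simulates delivery and records what each node learned about the route.
function route(path, packet) {
  const seen = [];
  for (const node of path) {
    const { nextHop, inner } = peelLayer(keys[node], packet);
    seen.push({ node, nextHop });
    packet = inner;
  }
  return { seen, delivered: packet.toString() };
}
```

In this simplified form the packet shrinks at every hop, which reveals a node's position on the path; the constant-size SPHINX packet avoids that signal.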