Epicenter - Learn about Crypto, Blockchain, Ethereum, Bitcoin and Distributed Technologies - Sebastian Bürgel: HOPR – The Peer to Peer Network Changing Data Privacy
Episode Date: September 28, 2022HOPR is a decentralized and incentivized peer-to-peer mixnet open to anyone who wants to join and run a node. The network allows people, companies, and devices to exchange information online with its ...metadata stripped. People who communicate and transact using HOPR — or apps and services which run on top of the platform — can be sure that no-one can find out what data is being shared, who is sending or receiving it, or even how much data is being sent. HOPR gets its name from the fact that it provides metadata privacy by sending data packets through multiple nodes - or “hops” – in the network. Decentralization ensures that the network is fully independent and there is no entity that can control it or intercept the traffic.We were joined by HOPR founder Sebastian Bürgel, who chatted about the need for a platform such as this in the space, how it works by sending packets through nodes, the HOPR token, and The DecenGov DAO.Topics covered in this episode:Sebastian's backgroundAn overview of HOPRMixnet vs onion routingWho is the HOPR user?How packets move through the networkThe distribution requirements for HOPR nodesThe costs involvedThe HOPR tokenThe DecenGov DAOWhy privacy systems in crypto have such a hard time finding tractionEpisode links: HOPRHOPR on TwitterSebastian on TwitterJoin the Epicenter team!Sponsors: Tally Ho: Tally Ho is a new wallet for Web3 and DeFi that sees the wallet as a public good. Think of it like a community-owned alternative to MetaMask. - https://epicenter.rocks/tallycashThis episode is hosted by Friederike Ernst & Meher Roy. Show notes and listening options: epicenter.tv/463
Transcript
Discussion (0)
This is Epicenter, episode 463, with guest Sebastian Bergel.
Welcome to Epicenter, the show which talks about the technologies, projects, and people driving decentralization and the blockchain revolution.
I'm Friedricha Ernst and I'm here with Meheroy.
And today we're speaking with Sebastian Bergel, who is the founder of Hopper, which is a mixnet that we'll talk about in just a second.
But before we talk with Zavasan about Hopper, let me tell you about our sponsor this week.
Our sponsors tell you ho, which is redefining the wallet as a public good.
You can think of it like a community-owned alternative to Metamask.
It offers a very smooth user experience and has an impressive user interface.
So you can see all your account balances at once and swap between assets within the wallet.
a much lower price. It also offers a very good ledger integration and full ENS and U.N.S. domain name
support. Two weeks ago, they launched their community pledge with 70,000 signers
dedicating their commitment to defending Web3, and you can still sign the pledge on their
site. They recently also added their first side chain polygon, and you can enter the
Metaverse with a Web3 wallet that's fully community-owned and off.
operated and it's also a Dow.
And they have demonstrated their commitment to community ownership and public goods
by sponsoring EtherJS and pledging 2.5% of their total token supply to a Gitcoin acaduct.
Head to tally.cash slash download to redefine your Web3 wallet experience.
And also we as Epicenter are hiring.
So we're looking for a community manager to help grow our audience and take Epicenter to the next level.
So if you're passionate about crypto and creating great content, please let us know and contact us.
And full details can be found in the show notes.
And please feel free to share this job description with anyone who you think might be a good fit for this position.
Sebastian, it's a great pleasure to have you on.
It's absolutely pleasure to be on my favorite crypto podcast to be here.
Thank you for having me.
Fantastic.
Sebastian, can you give us a little bit of background about yourself?
What happened before blockchain?
I read you went to East Zurich.
Yeah, so basically, first of all, the university that I did most of my reason is called
ETH Zurich.
For the ones who I haven't heard, it has indeed nothing to do with Ethereum.
It's been around for over 100 years before Ethereum existed.
But yes, it's a funny thing.
So yeah, my life prior to joining the crypto movement was actually in micro-technology.
So I did a PhD here at ETH Zurich focusing on using microfabrication and microtechnologies for biomedical applications.
It's a pretty exciting thing to do.
I had a great project there.
But unfortunately, then the crypto bug had.
had stung me and I decided that I would first need to take, you know, some unpaid vacation
before I realized, okay, I have to go all in. There's no way I can stay in this old academia
world. I had co-funded a fintech startup here in Switzerland and had a little bit feeling
for what permissioned innovation actually means and how cumbersome it actually is if you
want to build something novel in the old school banking world. So, you know,
I'm very much a believer in permission less innovation after the experience that I made there.
And yeah, so then had to again pivot more towards crypto.
So I co-founded a blockchain education and service company called Validity Labs,
where I worked for a little over four years full time in educating people on public
blockchains and working on tokenization projects from startups to like large corporates.
and Swiss banks.
And yeah, it was there that we realized that there's really a missing link in the technology
stack that builds up this Web 3.
And yeah, that's, I guess what we'll talk about in a little bit.
And it was kind of the discovery period of founding Hopper.
Okay.
So in a nutshell, what does Hopper set out to do?
Yeah.
So fundamentally, any sort of cryptocurrency.
application is needs to send data across the wire somewhere, right?
So for any sort of application that you can think about, you need to send digital data from
A to B. And it might be, you know, your Bitcoin transaction, which you send from your Bitcoin
wallet to some note, which might be your own or might be a hosted provider.
It might be if you think about something totally outside of financial transactions, maybe we're
talking about something like Filecoin, right, where you want to create.
in access data or maybe we're thinking about the graph, right, to access on-chain information,
you always have this setting where you need to send data from A to B.
And that data is kind of typically it's secure, right? It's end-to-end encrypted. So I cannot,
I cannot change the data and I cannot impersonate you usually, but it's usually not private.
And that's what we set out to change. So if Frederike is requesting data,
from any Web 2 or Web 3 service,
she is kind of inherently also broadcasting her IP address.
And third parties can see things such as where she is when she requested the data,
how often she requested data,
and like how big this data packets are.
So even with end-to-end encryption,
there's a whole lot of metadata that all sorts of third parties,
not just like these evil kind of three-letter agencies that I was thinking about C,
but also, you know, more obvious things, such as your internet service provider and other for-profit organizations, they can see that data and use it against you.
So Hopper sets out to solve transport privacy for the web and web three.
So, I mean, like stating this problem in a different way, like this problem has existed since the beginnings of the internet.
So one way to maybe think about this issue is, even in a normal postal system,
system when let's say I'm sending a normal, normal analog paper post to Friderica with a from.
So it's a from address, which is my address and the two address, which is Friderica's address.
And it goes through the postal system and is going to touch the Swiss and German postal systems in this case.
So anyone that is handling that envelope knows from and to and he knows that pieces of data.
of data and if Frederica and I communicate very frequently, well, they know that these two individuals
write to each other every month, hence their friends or something like that can be gathered
without reading any of our letters and that the postal system can do.
Now shifting to the internet, it's exactly very similar where it's the message is
originating from my IP address so that's the from and it's going to another
IP address which is Friderikers which is the two the except with the thing is in
the internet I'm I'm sending messages much more frequently than I'm sending
physical envelopes so I'm doing a lot more communication than we used to like
30 years back let's say and and then the other the other issue is that the people
In the postal system, it's like the Swiss post and the German post that was handling the metadata, which is the from and two.
But on the internet, the metadata might be handled by lots of different parties.
And I might not know any of these parties.
And these parties may not even be any kind of like sort of official organizations like the postal service at all.
Yeah.
I think it's a great analogy.
and to make it a little bit more drastic,
there's this great meme going around Twitter every now and then
where people are actually,
somebody was receiving not a letter,
but actually a little packet.
And this packet was unfortunately wrapped in kind of some shrink wrapping format.
And to make matters worse and to highlight why there's a privacy issue
when you send stuff around,
it was actually kind of a female sex toy, right?
So that could be publicly seen and was probably very embarrassing to the person who received it.
So yes, that's a great analogy.
And so what Hopper does there to take this analogy back to what we do at Hopper is people are,
so we are taking these packages, we are chopping them down into little pieces that look indistinguishable from one another.
So you cannot see anymore.
Okay, Frederic is typically sending like these large envelopes.
when she's sending like, you know, some contractual agreement,
she sent like some small things,
which looks like a postcard for more personal stuff.
So in that sort of stuff is what we're chopping down in like little,
into like little things.
And from these little elements,
you cannot deduce anymore what was being sent, right?
So that is the first step of how Hopper protects metadata better than,
yeah, traditional ways of sending stuff around.
on the internet.
Maybe it's a dumb question, but like many people would think that kind of the VPN
solve this issue, right?
So many people start using a VPN when I think the normal experience is you want to watch
a TV show and it's not loud in your country.
And so you download your VPN and then the VPN service pretends as if you're in another
country and that seems to give some kind of confidence that hey a VPN can protect where my information
is originating from so aren't VPN's actually solutions to the problem of transport level privacy
yeah so it depends what users want to achieve right if you just want to achieve that the operator
of the website does not see where you're sitting right now then you know a VPN does a fair job
of obfuscating that.
But what's important to realize is you're fully trusting this one VPN operator to with your entire
browsing data, right?
All apps that you're using on your phone, if you're connected from a phone, all websites
that you're surfing, right?
So they see all that information and you're trusting a single entity.
So the trust assumption of a VPN is that one server operator, you know, their ISPs and
and all the infrastructure that they have around them is trustworthy.
And that trust is more often than not broken, right?
We see kind of on an almost weekly basis how there's a new VPN logging incident
and these logs, so connection data logs, are actually accidentally becoming public knowledge
to the wider internet.
So, you know, that's a pretty poor trust assumption.
Maybe let's talk about different kind of privacy preserving tools just to kind of categorize them at least mentally.
So, I mean, we know there's other mixed nets like NIM.
And then there's decentralized VPNs like orchid.
Then there's onion routing, right?
Like Tor.
And then there's like these whisper protocols like secure scuttlebot.
And in a way, they're all privacy preserving.
So maybe we can group them together.
So how is a mix net fundamentally different from an onion router?
Yeah.
So first of all, like when you talk about onion routing, maybe just as a recap for the listeners who might not be familiar with onion routing,
onion routing is very popular in a system that's called Tor.
And many people here might have heard about Tor from the Tour.
browser, right, that you can access, like, information privately. So what does it actually do?
Right. So onion routing is basically onion encrypting, so putting multiple shells of encryption
around the payload that you send around, which is then sent through multiple hops in a network.
And thereby obfuscating where data came from and where it goes to, right? So that's,
that's what an onion routing system like Tor actually does. Now,
I mentioned before the trust assumption of a VPN being kind of poor.
So now in such onion routing systems, typically your trust assumption is that the first and
the last note are not colluding.
So as you see data going into an kind of tour like network and when it comes out, you
can link the incoming and the outgoing traffic and in relatively trivial ways can see,
okay, this data is actually originating from Frederica.
and she's requesting, you know, this Wikipedia page, for example, right?
Wikipedia actually has a tour page, which is kind of useful.
So, yeah, that's significant step better than a VPN,
but still not a very strong trust assumption that can be broken by multiple, like,
node operators in the network and obviously strong, as we call them,
global passive adversaries.
So now moving on to the next category of,
Mixnets, which have been specifically designed as tools that allow you to defend against this global passive adversaries, right?
Like, again, the three-letter agencies and like, but not just three-letter agencies, but really also strong and big internet service providers and cloud operators, which have network-wide overview.
So, and in this MixNet category, there's MixNet is an active field of research for a few decades.
And in a mixnet category, like what is fundamentally new is that only since a few years, it is possible to incentivize these mixnets.
And that is something that mixnets like Hopper solve in a fairly unique way that you can pay the operators of such a network without revealing their privacy.
So that is something that is quite fundamentally different between mixnets and these incentivized mixnets, which,
which we currently see like Hopper.
And then you mentioned decentralized VPN.
So I think, when was it?
I think 2019 there were a bunch of DVPNs coming up.
Orchid, as you mentioned, one of them.
And the trust assumption of a DVPN is actually kind of problematic if you think about it.
So the kind of like the motto of these DVPNs is, hey, let's decentralize the VPN operator.
But what you're doing there is you're saying, hey, no, there's.
some person on the internet, which is relaying traffic for me,
and thereby I am trusting a rendo on the internet with all my connection metadata,
which indeed is not a very good trust assumption.
Now, some of these DVPNs have often tried to make it a bit better.
For example, Orchid recently introduced this multi-hop routing,
which goes in a similar direction as Tor, in fact.
So I think that is some breakdown of how some of these systems work.
And again, it comes down to trust assumptions.
Is it correct to say that the fundamental difference
between Tor and Hopper is that in Hopper,
you are able to add a layer of incentivization
that doesn't exist in Tor, meaning in Tor,
when the message goes from A to B,
it is going through a bunch of relay nodes
and volunteers essentially run those relay nodes,
which is why the number of
Kelia nodes are very limited, maybe 6,000 or 7,000 of them.
Whereas in Hopper, you are able to actually pay these nodes in the middle
and therefore hopefully make a more scalable system.
Yeah, so that is one important difference is on the incentivization side.
So you mentioned like there's a few thousand of these tour nodes.
Like the last also called Tor exit node, there's actually under 1400 nodes, right?
So it's really not very, very big.
And Tor clearly has issues scaling to internet scale,
despite having been around for over a decade.
But the other important difference that we should briefly talk about is the packet mixing.
So mix nets are called like that because they're not just forwarding packets as they hop through the network,
but they're mixing them up.
So imagine Meher is a mix node operator.
Mayer will receive packets from Sabah.
he will receive packets from Frederica and a bunch of other people.
Now, Meijer is doing two things as a mix-note operator.
His note is obviously doing that for him automatically, right?
So Meher is transforming packets so that incoming and outgoing packets look different,
and he's mixing them up.
So he's sending out packets after a short delay in a shuffled order.
And by doing so, even a strong adversary that sees every packet going into Meijer's computer
and coming out of Mayer's computer,
cannot link incoming and outgoing traffic.
And this unlinking is a strong privacy property of mixed nodes specifically that Torr doesn't have.
And it's one, yeah, one core differentiator between mixed nodes and traditional onion rotters.
This requires a base level of volume though, right?
So basically if you have, I mean, so basically otherwise you're vulnerable to all kinds of attacks, right?
I mean, so basically if I just were to, basically if Mehera only receives packets from me, then basically that would be absolutely no benefit in kind of mixing them up other than kind of adding latency.
Yes, that's absolutely an important point, right?
So as people say, privacy loves company, right?
When I'm alone, I sometimes bring this analogy, imagine you're standing in this in this football stadium and you only hear one voice in the football stadium.
And I know Meher is the only one standing in the football stadium.
I know it was Meher who was shouting, right?
But if there is, you know, 50,000 people standing around Meher and I hear some noise,
I have no idea if it was Meher who was shouting or any of the other 50,000 people.
And the same thing applies to MixNet.
You do want a large number of users and a diverse set of users, right?
I don't want to, you know, infer from any of these, you know, packets which are being sent around
this mix net that, oh, now that was probably an Ethereum user.
You want a large and diverse set of users.
And the second thing that mixnets can provide,
which we are working on at Hopper, is so-called cover traffic.
So effectively, we're providing this kind of background noise, right?
So even if, you know, you can say there's a party,
but the party is not very busy yet.
So we're having some background music that gives us a certain level of noise in the room already.
Now, cover traffic is kind of bogus traffic, which is sent through the network, but which
importantly is indistinguishable from real traffic in the network.
And by having cover traffic in the network, you kind of solve a little bit of chicken and
egg problem of how do you bring privacy to the early users of such mix nets.
And yeah, that is something which several mixnets like hopper use.
Okay, then maybe let's talk about the
protocol itself. So maybe let's start in the beginning. So who is the actual Hopper user? Is it
individual users or do I as a DAP designer decide to use Hopper for my messaging layer?
Yeah. So it really depends. So ultimately, it's, if you're using the internet today, right, you're
typing in your browser, maybe HTTPPS or nowadays, you don't even type that anymore.
You don't feel that under the hood, you know, this HTTP is protocol. It's,
using TCP IP, right?
So you don't, you don't really see or feel that,
but you use it.
And I can totally see the same thing happening on the Web 3
that you will use Hopper behind the scenes.
But so the first applications that we're kind of excited about
is to bring privacy to Ethereum based wallets.
Let's say a more private version of MetaMask, for example, right?
So in such a setting, what I would hope for end of day
is that you will,
you replace the transport mechanism between your wallet and the RPC provider.
So that's typically providers such as Infura.
Infura is like the default endpoint, which gives you access to the Ethereum blockchain.
And I would see this entry point and exit point between your wallet and the RPC provider
being hopper.
So you are a user, which doesn't necessarily mean that you need to pay for, you know, for the service.
like we can talk about the business models that you can map onto such a system, which is quite diverse.
So in MetaMask, can I specify I want to connect to the Ethereum system via Hopper?
So not yet. Like we're working towards that. And actually we had a first kind of public UX
hackathon with MetaMask just a week ago here in Zurich to think about like how would that even work,
Right. So how do you expose that to the user and go through exactly all these questions, right?
Do I as a user need to make a conscious decision and, you know, how do I configure it and so on?
So we're actively working with wallets towards that as we're as we're building out the network.
But no, Hopper is not is not having any active devs that use it yet.
However, if you want to play around with it, we have kind of a hosted version of the Hopper network.
We call it Hopper Playground.
So on Playground.hoppernet.org, you can like just, you know, at the click of a button,
you will get a bunch of hopper notes that are being spun up for you.
And you can use some applications that people are working on.
So to give you some examples for some quirky first apps that people build is we have like a chat app, right?
So something like Telegram, but much more private.
Somebody has been working on a private version of chess.
So, you know, the chess world has recently seen some, some little
scandals and if you now don't want to disclose, you know, where you're sitting or who you are
and just want to play chess and peace, you can do that with Hopper to give some examples.
Okay. So maybe let's pretend all of this already works for say, Meta Mask or I mean, even
the Hopper playground. Say I play anonymous chess. So this somehow you, um, uh, you, um, uh,
you kind of package my data up nicely.
Obviously it's encrypted.
All packets are like, as you said earlier.
So where does my packet go first?
And how does it know where to go?
Yeah.
So effectively as you send a packet out through the hopper network.
So the first thing to note is that the hopper packets are source routed.
So that means you decide which path the packet takes through this mixnet.
And we think that is important because privacy is something that is inherently subjective, right?
So what might be private and trustworthy to me might not be private and trustworthy to you.
So, you know, I as a user or I at least as an application developer have to be able to make these choices.
So basically you as a sender can decide which path this packet takes.
Realistically, it's going to be your app, right?
So your private version of Metamask is going to determine a path.
a multi-hop path through the hopper network to the recipient.
So then you will basically take this, let's say it's an RPC request, right?
I want to know how much balance do I have, how many Eath do I have on my wallet?
So that's being sent as a request through that network.
Now these packets, it might be that this doesn't fit into a single hopper packets, but we need
multiple.
So data is either chopped down or padded to exactly the same size.
And it's not just the data itself, but it's also the header of these packets.
And the headers are needed to encode information such as like which are the hops,
which are the hopper addresses, as we call them, through which I want to route this information.
But it also includes payment information.
And all that is encoded in a header format, which is also privacy preserving.
And there's people, luckily, who thought about this for quite a while and published a paper on that
in that format that we and a bunch of others are using is called Sphinx.
Sphinx is also used, for example, by Bitcoin Lightning Network.
And it ensures that even in a packet header, you're not leaking information about who is
passing data to whom.
And yeah, so then this data packet is being sent to the first mix node.
The first mix node is receiving the packet, is, you know, hopefully receiving also a bunch of
other packets, transforming it. So basically taking this first onion shell, also in this mixnet,
we're using onion encryption, taking one layer of encryption off, transforming the header,
and passing it on to the next party. Now specifically we talked about at Hopper is it's
incentivized. So what we do here is the incentivization scheme at Hopper is we want to prevent
free rider problems. So we want to make sure that Meher, as a,
Mix node operator only gets paid when he actually forwarded the packet.
So the mechanism that we came up with for that is a key sharing mechanism.
So Meherr needs two keys in order to derive a payment.
The first half is something that he can obtain from the packet header himself.
And the second one, he needs to pass this packet to the next downstream node who will get back
with the second key house.
So let's say Meher is the first relay note,
and Frederica happens to be the second.
So Frederica will get back to Meher, send him back the second key half,
with which Meher can then determine if he just received a payment.
So yeah, that is the first step.
I can maybe later on come to a second mechanism,
but that's the first mechanism of the payment.
So just for clarification, so let's say like,
the user is sending to Infura, a packet.
And so Infura gets to select who these hops are,
that Meher is a hop, so Friderica is a hop.
The sender of the packet gets to decide that.
So the sender of the packet, which in my case,
you know, let's say I'm the user, you know,
my wallet or me myself, as the sender gets to decide
through which path I want to root this traffic.
Right.
So in principle, because,
most users won't be technical enough to make these settings it would be metamask
that's you know writing the code for it and that code will automatically select
parts so so because because in this payment scheme when there are let's say two
hops and I'm one of the hops and I get one one key from the user and I get one key
from the next node, next hop, then you're assuming that me and the next hop are kind of uncorrelated
or unrelated to each other.
And so this is something that the Metamask code, which is picking these routes, will need to
address by itself.
And they are incentivized to address this because if things are correlated, then my packets could get stuck.
So MetaMask will end up designing such routes that have uncorrelated hops.
Now, we make it sound kind of very complicated, but we basically have this path selection strategy
that just does that for you.
And the first one that we have implemented is just choose a random route, like choose a random
hop at each step along the path.
But yes.
So you can change a different strategy, such as, for example, I want to avoid any notes
in North America because I find them inherently untrustful.
You can totally implement a strategy like that, right?
But that also means that the route that the packets are going to take is predetermined,
and you don't need to generate randomness on chain, which is often a problem, right?
Yeah.
So basically, I as a sender need to determine the path.
so I can have a local random number generator and we don't run into these issues.
Now, there is a second interesting issue though.
And that is a naive implementation of Hopper would basically pay each of you mix note operators
immediately as you relay the packet.
Now, the downside of that is we would leak the routing information on the payment layer, right?
So let's say Meher is the first note that gets paid.
He receives a payment immediately.
and then Frederike is the second one,
who receives the payment immediately.
That would leak a lot of information.
Now, in order to hide that information,
we're utilizing something that's called probabilistic micropayments,
which was, for example, also used by Orchid,
the DVPN system.
So what happens here is that actually Meher as the first mixed node operator,
he derives one key half himself,
gets the second key half from the down next node,
which is Frederica.
And with these two keys together, he is basically generating a random number.
And this random number cannot be spoofed by him and cannot be spoofed by the sender.
And this random number determines if this, we call it a ticket, because it's a little bit like a lottery ticket, is a win or a draw.
And when it was a win, he receives a payment and otherwise like nothing happens.
He cannot redeem a payment on chain.
So in that fashion, we have effectively implemented something that works like payment channels.
So we have payment channels here, which are probabilistic in nature.
And you need to do a lot of work.
So you need to forward a lot of packets in order to receive a payout for your service and helper.
It's a little bit similar if you want to say, you know, how mining works, right?
and proof of work in systems like Bitcoin.
You need to mine a whole lot of blocks.
And only after you did the job, you will find out, well, was this successful or not.
So it's something that is incentivizing the most atomic operation of the network that price utility.
In our case, is not creating blocks, but forwarding packets.
So on the internet, packets are sometimes dropped.
And I assume the same is true for Happer.
and I assume they will just be, basically they will just be reset eventually.
But what happens if I am a malicious node operator and I grieve the entire chain of people
who've been sending packets on by dropping them consistently?
Do you have any way of penalizing me?
Yeah.
So eventually, like what we want in any of these kind of Web3 systems is that it shouldn't be
attackable by exactly such attacks, right?
So let's think about what would happen in a system like that where Frederike just consistently
drops packets.
So first of all, the sender, which is free to choose any route they wish, would determine
that, hey, you know, for some reason, all the packets that go via Frederike somehow never,
never get anywhere and just choose a different route.
And secondly, on a more granular level is the upstream note from you, which I stick to the
example where Sebastian is sending something through Meher, who sent something to Frederica.
The upstream node would realize, hey, okay, this downstream note never gets back to me with an
acknowledgments of receiving the packet, so I never get a payment. So what would happen in such a
system is Meher's machine would just close his payment channel to Frederica, and his edge in the network
would effectively not exist anymore. So it would no longer be possible to relay data from Meijer to
Frederike.
And ultimately, all nodes would do that so that the one who is misbehaving and not doing any
work would not be able to relay traffic anymore.
And say, I'm not, I'm not malicious in the way of dropping packets, but say I'm a three-letter
agency and I kind of want to infiltrate the system.
How many nodes would I know, would I need in order to kind of glean information about who's sending
what to whom?
Yeah, that's a great question.
And it comes back to the trust assumptions that I mentioned initially, right?
So again, comparing this to a VPN, you need to operate this one server.
If we look at Tor, you need to compromise the entry, the first note and the last note,
the guard and the exit note.
And in a mix net like hopper, you only need one honest mix note along a path.
So if you have three hops and there's one honest mix note in the path, and you
compromise even both others, we're still fine.
So that is pretty strong.
And that's how Hopper can provide quite strong privacy guarantees.
Like eventually, you know, if the network gets too compromised, like, you know, you will
accidentally route your traffic through only compromised notes.
Well, there's nothing we can do there anymore.
But it makes it a lot stronger than in other systems.
Okay.
And how many different, I mean, I assume one party can operate more than one node, right?
So how many different parties do you need to operate nodes?
Or is it easy to tell which nodes are operated by the same party?
Because I mean, basically, if you send something along a path that has three different nodes
and all three of them are secretly me, that's not helping you at all, right?
Correct, correct, exactly.
Now, this is actually, there it starts getting very interesting and kind of tricky, right?
Because you could say, hey, you know, we just KIC everyone, right?
And there's like other systems that have proposed that, like, I'm strongly against such approaches
because it goes against my fundamental value perception of the Web 3 space.
So the Hopper network is open and permissionless at all times.
But the default path selection strategy that we implemented is,
selecting a path proportional to the stake that you have in the various payment channels that you have
open.
So what that means is if there's a party that is very strong, they would need to basically get an
increasing number of stake in order to relay a significant amount of traffic via you.
And even in that case, right, if it at some point becomes for whatever reason obvious that
you know, Frédike is like subverting the entire network and has all these notes, you know,
this path selection strategy can be very easily overridden and changed by something where, you know,
we just avoid the whale nodes or whatever happens to be the metric that identifies the subverted entities in the network.
So I am actually curious in terms of user experience.
It feels obvious that as a user, I will need to pay to send.
the traffic and these payments are additional to whatever I'm paying for my for my internet
connection right so could you give us an idea of you know what is the quantum of
these extra payments if I if I wanted to make all of my communications private
like maybe maybe we can assume a mobile connection first where I might
exchange I might send 5GB of data in a month so
Now, this is traditionally a very difficult question to answer.
And by analogy, this is a little bit similar to asking somebody, while you're coming up with
this new blockchain, you're saying it's all scalable and great, well, how much does it cost?
And, you know, giving an answer to that historically seems to haunt people, if we look at
Vitalik who says, you know, sending a transaction that costs more than five cents counts as
lifeness failure.
Well, you know, that's kind of rough.
In a very similar fashion, in a hopper.
network, it is hard to estimate how much a packet is going to cost end of day. What I envision
is it's going to be a dynamic pricing model. And here we get actually into an interesting,
into an interesting domain where saying, you know, when Sebastian wants to send something,
he just sets a price point. Similarly, how in Ethereum you can determine your gas price or in
Bitcoin, you determine what transaction fee you're willing to pay. But here's a problem. We want to
establish privacy and we want the anonymity set to be as large as possible. So you do not want Sebastian
to set like a very unique price point of the data packets that he's sending in Frederike like
one that is very specific to her because that would reveal who is currently using the network.
So everybody needs to pay the same price at all times. However, and that part is forward looking
and not implemented yet, we do envision that there will be a dynamic,
upgradeable price point of what these packets need to cost.
Now, where that will be settled on a per kilobyte or per megabyte pricing, I have literally
no idea where this is going to be in a dynamic network.
So if you compare this with Tor or VPN, that's a very different business model.
Right.
So basically I use a VPN and I pay like $10 US dollars a month of something to use it.
So it's kind of a flat fee.
Whereas I use Tor and it's free because it's operated by people who believe in the system, right?
So do you think there is a subset of prospective users or applications that will kind of rely on this?
And the bulk of our data that we send ends up unstripped of metadata?
Yeah.
So I totally believe, first of all, that people will use that.
And I would disagree that the business model needs to be very different.
I can totally imagine that people have been a VPN like business model where you pay your 10 euro a month.
And for that, you don't get unlimited bandwidth like just in the VPN.
But you can say you can use it like for, you know, maybe 100 megabyte or whatever that you sent through Hopper.
Right. So you come in and, you know, pay with your credit card.
You don't need to worry about any of this token business under the hood that is being abstracted away for you.
When you download software, you download software that is not just normal VPN software,
but it is software that utilizes Hopper.
And it contains a configuration for, you know, how you get this corresponding Hopper tokens that you require to pay for the infrastructure.
So I can totally see that you could spin such business models or even in fewer like business models
where the first 200,000 requests or something you get for free,
and afterwards you need to pay.
So I do think that for Hopper and more generally Web3 models,
we can spin existing business models that we're familiar with around them.
Okay. So maybe let's kind of segue into the Hopper token, right?
So basically there's a Hopper token that is being used as a payment token.
Yes.
So the Hopper token basically,
has these three functions of, as we already discussed, right,
so as an mixed node operator, you need to stake that.
I mean, when I say stake, it's like a gross simplification.
What you're actually doing is you're opening these probabilistic payment channels to other nodes.
By doing so, you're signaling, hey, I'm willing to relay data packets via Frederica.
And secondly, I signal that I think Frederica is a useful mix note that you should also relay
your traffic buy.
And so the second part is the users are using the token to pay for it, right?
So users pay the Mix node operators who are effectively infrastructure providers.
And ultimately, the Hopper token will also be used for governance decisions in the network.
And one that we already talked about is, well, how much should a single packet actually cost?
And that is something that, you know, currently in the current version of Hopper token,
or we simply have that hard-coded.
But ultimately, there will be a dynamic mechanism around that.
And that is why I'm pretty interested in decentralized governance,
because privacy networks should not be governed by one entity by a handful of people,
but by a more diverse set of people that have a say in this core infrastructure of what it does.
Okay, maybe kind of let's, let's, I want to dig my ears in here.
a bit. So I mean, the token function for governance and staking, I think these are really well
validated token use cases, whereas basically payment tokens so far, I would struggle to actually
think about a single one that's really taken off because usually it can be obstructed away,
right? So basically it can be people can be made to pay in a token that they already have.
And then maybe you have relay under the hood or something that kind of creates demand for that token.
But why did you choose to go that way rather than just having people pay and say die or eth?
Yeah.
So I mean, you could say, well, you could spin such a model in like the traditional argument is why don't you just use Bitcoin for this, right?
So that's that traditional argument that I get there.
And well, one thing that would be kind of tricky to do in such a way is how do.
you scale the network with, for example, cover traffic. It is hard to do that if you do not control
the inflationary supply of this of this token. So what we do at Hopper is we have reserved a comparatively
large amount of the total supply of 25% for incentivizing cover traffic that provides the utility of
privacy even for the early users or users when there's generally low utilization of the network.
So I do see that as a mechanism controlling the inflationary supply of the utility of the network is something that is important and has to be closely coupled with the network itself.
And yeah, that's why, I mean, you could say, okay, if we don't want any of that or if you're anyway, you know, have enough cash to incentivize this entire network, then, you know, maybe you don't need any of that.
I find it hard to argue how such a system would then remain credibly neutral, though.
So maybe you could run such a system that's based off of Rye or die, right?
But, you know, keeping it credibly neutral would probably be hard.
So the argument here is that you want to bootstrap the early node providers
and the hopper token is a way of getting early node providers into the network.
I mean like other networks have succeeded in doing something like this.
Helium is a perfect example, right?
Where distributing the early helium rewards was the main reason why lots of people ended up
installing the hardware in the first place.
So that kind of makes sense.
But still, like, is the reason for having Hopper a payment token more a regulatory reason
that the Swiss regulators
want kind of a payment
like utility
for it not to be a security?
It's more the opposite actually
for the Swiss regulator
like something that's not a payment token
would be way easier
because we wouldn't fall under harsh
like AML regulations.
So, you know, payment tokens
on that front only has downsides
actually.
Then why not just accept
I don't know, USDC
I mean, USDC, of course, the risk is they will put KYC on that system one day.
But yeah, why not the US dollar or the eat?
The question is in that case, how would you launch cover traffic?
How would you launch kind of cover traffic that is not controlled by one party,
which is kind of the donor to this whole exercise and actually able to distribute traffic
in a network that is indistinguishable from real traffic, right?
So, I mean, to me, that is an important feature to be able to have something that's a sustainable and be credibly neutral.
And I think token models that have their own inflationary supply have shown to be something that can be sustainable.
I mean, you mentioned helium, but I think there's a bunch of others.
And, you know, not stay under the control of a small group of people.
So maybe let's talk about the cover traffic then.
So who actually, who makes sure there is cover traffic?
Is it you?
And where are you sending all the stuff?
And wouldn't it be thinkable to kind of have a traffic mining program akin to a liquidity mining program to kind of let the ecosystem do that for you?
Yeah, that's exactly.
that's exactly actually on the roadmap.
So there's two designs which we currently have.
The first one, which is incredibly naive.
It's just we dispersed a bunch of traffic to create some buzz around there.
And we let you kind of start up some notes, fire up some notes and get the network going.
If you decentralize the problem as you, I like your analogy with this liquidity mining and traffic mining program.
The problem there is that you don't want to sibil that, right?
You don't want Meher to start his node and create a bunch of bogus traffic that is only relayed via his own nodes, right?
So that needs to be happening in a way that is actually trustworthy.
Now, luckily, there are some technologies going in the direction of, for example, trusted execution environments and other multiprovales.
and other multi-party compute schemes that allow us to decentralize that.
So in the same way, how it's now possible to like decentralize even like,
I just recently heard about that, that decentralizing in a whole ETH staking note,
you know, you can certainly decentralize the disbursement of cover traffic in the network.
And the first one that we're going to try out is trusted execution environments,
which allow you to do exactly that.
Very cool.
As a maybe last topic regarding Hopper, before we kind of talk about the general privacy ecosystem, is the governance.
So you have a new type of Dow that you have launched, right?
Yeah.
So at Hopper, we do believe that, you know, decentralization and involvement of the community in decision making processes is important.
important. And to that end, we did already early on a bunch of governance experiments that were
very actively experimenting with. So I like to say that, you know, when you go for a share
cooperation, we have several hundred years of experimentation and blueprints that we can build on.
I would say in the dial space, we do not have that. We do not have any kind of, or very few
kind of indications of best practices to follow. And that's,
why we did a bunch of experiments on actual decisions that we did in Hopperdowl. And that is, firstly,
we experimented with like one account one vote. We experimented with one token, one vote, and finally
also with quadratic voting schemes. And for the ones who are not familiar with quadratic voting, just
in a nutshell, it means that the more tokens I have, the more say I have, but the more
tokens I want to buy, it gets quadratically more expensive to buy myself votes.
And that is kind of a middle ground between kind of democracies, which typically have one
person, one vote schemes and like share corporations, which typically have one dollar, one vote.
So all of that is something that we're actively experimenting with at Hopper in order to launch
this privacy network, yeah, in a, in a, in a,
maximally resilient fashion.
And what is the current state of readiness of the hopper software?
Yeah.
So we have currently a network of 100 notes online that is just about to launch in two weeks.
We will replace the notes that we run there with more community notes.
So people can participate in running a note.
initially we have kind of artificially constricted the network size for two reasons.
The first one is, well, we want this to launch in a stable fashion.
And the second one is it doesn't like the bandwidth requirements of the network is not so large that would require like a huge network out there.
It's kind of similar to the discussion around the security budget of L1 blockchains where, you know, in proof of work, for example, how much hash power do you actually require?
require. Well, you just require so much that it's secure enough. And in our sense is we want to scale the network with the demand of applications that are being run on it. And that is the second side to it that we're very actively working on that is working on apps that actually use Hopper. So I talked about some of the quirky ones that we have ongoing already right now. And we're specifically focusing on wallets. And we want, we think that.
You know, wallets is our gateway to all of Web3, and they need to be significantly more private
than they are today.
So that is something we're working on, and this developer experience is ready to go.
So if you want to build some apps, check out what's already been built, and check out the Hopper's Bounties
program.
So you find it at bounties.hoppernet.org.
And, you know, if you want to build something that's not on there, just let us know, we're
happy to support you in building something that utilizes Hopper to build private applications.
When you say you think your gateway to all of Web 3 is wallets, let's maybe be a little bit more
specific here because basically when we talk about privacy and wallets, people immediately think about
shielded balances and kind of sending tokens.
in a privacy protected way to someone else.
But that's not what Harper does, right?
So basically you would strip the metadata,
but how much better would I be off
if I use a wallet that strip metadata?
Yeah.
So you're absolutely right, right?
Ultimately, what I'm always saying is we need full stack privacy.
Even the most perfect on-chain private L1 or L2, right?
And many great projects are working on that, right?
So it's like Monera and Zcash, there's like Dusk, there's Secret Network, and there's AdStack, and a bunch of others.
So all of them, even if you have perfect on-chain privacy, that's not all, right?
Because again, if you are interacting with any of these chains, you're sending a transaction from my wallet.
I'm sending a transaction from my wallet, which can be observed at least by my internet service provider,
which will know that I am, you know, just accessing, let's say, ad stack, for example.
And in that case, eventually there will be some observables.
So I know there are some people working on privacy preserving dexes, right?
So, you know, if you think about it, ultimately there will be something that you can observe of the decks.
For example, the price, right?
You always want to observe the price of a pool on a decks, even if it's privacy respecting.
Now I see that Frederica came online.
she made some transaction.
I don't see anything that she did there
because it's a private L1 or L2.
Afterwards, I see that the price
was moving way up, right?
Then Friedrich is offline.
I don't see anything of her.
Now she's coming online again
and the price goes way down.
So what I'm saying is
even in a privacy respecting
on a privacy L1 or L2,
I can correlate
the underlying transport information
on the IP address level
with what happens on chain.
So even a perfectly private L1 needs this transport level privacy that we're building at Hopper.
And if we're thinking about the today, you know, because you asked how much better off would I be?
Well, do I want in Fuhra to know all my accounts and link them together?
I don't, right?
And this is really tricky to solve today.
I don't want any of the RPC providers that we have out there to identify all my accounts,
some of which may or may not be anons, right?
So we want to keep that stuff private.
Okay, but you could in principle keep that private
by connecting to your own debt note or a friend's deb note
or something similar, right?
So ideally that is indeed the case, right?
I have a deb note, but like on my mobile wallet,
I'm not always carrying my debt note on my back.
So then it already gets a little bit tricky.
Right. And in that case, you know, your your mobile internet service provider can can link all that data.
Kind of going forward, the second layer where I see privacy issues is not just, you know, on the wallet side, but also between the nodes itself.
So one project we recently kind of were digging into is the privacy of like proof of stake beacon chains.
So, you know, Ethereum beacon chain or nosus beacon chain.
And, you know, also on that side, we don't have privacy.
So I find it kind of funny how even the most Anon people on Twitter are, you know, posting who is there, which one is their validator note.
Because like we have, for example, right now on the nosus beacon chain, like kind of a data harvesting note running, which is collecting all attestations.
And I can find out your IP address from that, right?
And if you run that on a dub note in your out of your own home, then I can find out where you run that.
And, you know, I can I can launch a highly targeted attack against you, which is kind of problematic.
So also on that side, I argue we need to talk about privacy much more seriously than we do today if we do not want to see some really weird level of attacks against the infrastructure.
sure. Yeah, that is a that is a very valid point. Maybe I mean, so basically Hopper runs on
Nosis chain slash Ethereum. I mean, seeing that you're kind of stripping the metadata and we
already talked about how like on, there are privacy preserving layer ones already. Why didn't you
launch hopper. I mean, not that I don't like having your noses chain. Don't get me wrong.
But why didn't you launch on an inherently privacy preserving chain like Zcache or Monero, where
basically stripping metadata would be a much larger value at seeing that all of the data is already
protected? Yeah. Yeah, that's a great question. Well, the simple answer is,
if there would be a private, like ultimately private L1 or L2, like very happy to go there,
but there is no such thing around today.
So at Harper, we need some on-chain cryptographic primitives that allow us to implement this
proof of relay mechanisms.
So that's the key sharing mechanism that I explained before, which is not possible to be
built with these simplistic privacy L1s like privacy coins like, you know, Monero or Zcash.
But ultimately, you know, that is where a seat is going, you know, that there is a private L1 that uses that.
One thing that's important to highlight, though, is Hopper runs on some chain, and currently it's noses chain.
But you could use Hopper to connect your wallet to an RPC provider on any chain.
You could use that for private Bitcoin transactions.
And this is something that people are sometimes confused by, you know, Hopper on the one hand, uses a chain.
for the incentives of the mix node operators.
But using Hopper, you can use for anything, any chain out there,
including, you know, Bitcoin, if you so choose.
Yeah, that makes tons of sense.
Maybe zooming out a little.
If you look at privacy systems in crypto and actually in the larger world,
there are quite a number of them.
And somehow,
they don't end up very successful, or, you know, nowhere near as successful as really they should be.
Why do you think there is this apathy towards privacy preservation?
Yeah, so first of all, I agree there, right?
And why there might be some specific reasons why some of these systems were not so successful.
ultimately it's hard to have a startup that executes well.
I would say the more overarching larger reason is that in crypto generally,
people have for too long been too high on making too much money too quickly.
And you know, why would you need privacy, right?
If I can like just, just, you know, Defy Summer has been great to many people here.
And it's been great, right?
But we only start seeing that the underpinning,
value of all of crypto, at least in my mind, is not just to make more money quicker than we can
today, but to have these ultimately resilient foundations on which we can build everything else.
Because it is something that the past weeks have in a very dramatic way shown, right?
The tornado cash sanctions have shown for the first time that we are headed for this inevitable
battle between today's power structure of the established world and all of this crypto craziness.
And I don't even mean the regulators.
I mean really the people who have a lot to lose if we're changing the entire system on which commerce in the world is being run.
And I am really absolutely convinced that if and when, like not if, but when that happens, we need strong privacy to protect the values that we're running for.
It's just that so far we, you know, have been making incremental steps and had all great.
parties making money, but, you know, this looming showdown between the power structures of today's
world in crypto has only, you know, barely begun. Like when that does happen, we better do have
privacy infrastructure in place that is strong enough. Yeah, but like I think Friedrich's question is,
it's so in my experience, right? Like so the nature of crypto is that the crowd can speculate
it on anything and raise the value of anything it so chooses and make money like there
with it right like iota is the perfect example right like i mean when the crowd wants to do it
the crowd can do it and and you know that there are like lots of different examples like that
in crypto but it's also concurrently with that it's it's like in the eight or nine years i've been in
this field. I've seen generations of privacy projects come, like a Monero. And then I've
seen like Monero slowly and slowly getting eroded in the market, right? Like falling, falling,
and now it's like something like number 30. Zcash, I think a lot like, like a similar story.
And to me, what feels really odd is on the one side, if you see like the crypto-retter
it's all about privacy conscious infrastructure privacy conference.
But the market action is not like that.
And in reality, it's like in crypto,
speculators can make or break a coin any day independent of fundamentals.
So it still feels like privacy doesn't take off as a bigger theme
or like struggles as a bigger theme in comparison to something else like,
you know smart contract chains or L2 chains like if you see the L2 chain world
well it's it's taking off very naturally even without a lot of fundamentals you
launch a new L2 chain it's gonna have a huge market cap so that theme that
theme succeeds massively but the privacy theme doesn't sort of succeed a lot
whereas like the crypto rhetoric is about privacy do you feel this the same way
or is it me just that feels like
like this. So I see that obviously, you know, there's no point in denying that, but I'm obviously
willing to, to, you know, take the different bet here. So I would say now, and that is different to a few
years ago, shots have been fired, right? And there's currently like, you know, a brilliant
coder who is currently in jail for writing privacy software that helps the betterment of the entire
space. So, you know, we had what I would call regulatory overstepping that is the first out of what
I think is going to be many shots that will be fired against all of crypto and all of Web3
because what this is all about is about challenging the power structures of today's world. And it will
only get worse from here. And the only thing that can really sustainably improve the whole thing
is strong privacy.
It's not going to be, it's not going to be regulations.
Like the Web 3 is anarchy.
And anarchy goes both ways.
There is no regulations that can protect the people or, you know,
only of the bigger structures.
So the only thing that can help us here is strong privacy across the full stack.
And that's why I think now maybe more than five years ago is the right time for privacy.
and I wish there were more of these projects that successfully are bringing that privacy to the whole stack.
And I had another question.
Have you or has Hopper ever been contacted by a three-letter agency?
We have not.
I would say Hopper is so far doing well flying under the radar.
You know, so far we're out of there, but maybe that they,
changes with the level of production readiness.
Like one thing that I'm kind of happy about is to not work on a on chain privacy.
So Hopper does not do any coin mixing, right?
So to some of the three letter agencies who do listen to Epicenter, like we have seen evidence of that.
So Hopper is not a mixer.
Hopper is only for private data, which I think is important for everyone in the space.
And ultimately, maybe just to, you know, put that also out there,
regulators have the task to protect the people.
That is the mission of Hopper and a lot of Web3 also, right?
Empowerment of the people is, I would say,
the overarching theme of all of the Web3 movement.
That's what we want to achieve.
So I don't think we're fundamentally at odds with regulators.
We're fundamentally at odds with power structures that want to retain.
chain power.
You know, this is kind of a little bit of a segue, but bear with me.
So in Balaji's book, he talks about how Twitter bios are the perfect way of kind of
analyzing the perceived identity of people.
So basically how people describe themselves in their Twitter bios is actually really interesting.
I've paid a lot of attention to this hence.
And Ed Snowden's Twitter bio says,
I used to work for the state.
Now I work for the people.
So do you think, Sebastian,
so basically you kind of conflated the two a second ago, right?
So basically you assume that the state works for the people also.
Well, I mean, there's certainly some power structures within the state
that do not work for the people.
people. But I was talking about the regulator itself, which has a specific mandate, which, at least
in Europe, has been many times shown to protect the people from, for example, powerful
structures in North America that are data harvesting and going against the people. But that
being said, you know, ultimately, I believe in the good in people, right? So ultimately, I do believe
in people wanting to do innovation for good.
I do believe that people want to build great things.
We have to just let them more.
And unleashing that power in a safe way is what I'm after.
And again, I don't think that's fundamentally at odds with any good states or regulators out there.
I would hope so.
So Hapa relies on the fact that many people run nodes, right?
even if the requirements on any particular node is not particularly high,
you need to have more than, say, five nodes in order to kind of run a mixing network.
So how can people become a part of Hopper?
Yeah.
So there is at least two or three sides to it.
So first of all is you can build on top of Hopper.
So check out what's been built and apply for bounties.
We're also busy at hackathons where you can build stuff
because it's not just the people running the infrastructure,
it's also people building stuff with that infrastructure and using it.
So using it is the second part.
Check out what other people have already been built.
You don't need to install complicated stuff.
Just check out the hopper playground.
And the third thing is indeed, as you say, to run a note.
If you want to run a note initially,
As I mentioned before, we have restricted the size of the number of mixed notes to currently 100.
If you want to run a note, check out our website.
So we will have the next network launch in two weeks from now.
So at that point, you can run a note and find all the instructions on our website.
And, yeah, contribute to data privacy for others.
Thank you, Sebastian, for coming on.
That was super elucidating if somewhat apocalyptic in his outlook.
So I like you feel that there might be more regulatory action coming.
And I fear we are also making it too easy for three letter agencies to shut down certain functions of Web3
because we're not committed enough to decentralization and credible neutrality,
which kind of go hand in hand, right?
So basically if you have like five big node operators,
there's like five people you have to call.
Exactly.
Exactly.
Yeah.
Like the last thing I would want to add to that one is just a thought that, you know,
I find sometimes people being surprised by.
And that is if we don't take privacy seriously, this whole web,
vision is going to bring us to a world that is worse than today's Web 2.0.
And that is because the data harvesting crooks of the Web 2.0, they're not just going to go away.
They will see our world and they will say, anarchy?
Well, anarchy is great because the rules and regulations that constrain me in today's Web 2.0,
they don't apply here anymore.
I can use that.
I can use that against people, you know, with what you call today MEV.
I'm fine calling in that way.
I'm a professional data harvester.
So again, to prevent that from happening and have the Web 3 be a safe place,
we do need privacy across the stack.
Absolutely.
Thanks Federique for having me on.
Thanks, Meher, for this great show.
Thank you for joining us on this week's episode.
We release new episodes every week.
You can find and subscribe to the show on iTunes, Spotify, YouTube, SoundCloud,
or wherever you listen to podcasts.
And if you have a Google home or Alexa device, you can tell it to listen to the latest episode of the Epicenter podcast.
Go to epicenter.tv slash subscribe for a full list of places where you can watch and listen.
And while you're there, be sure to sign up for the newsletter, so you get new episodes in your inbox as they're released.
If you want to interact with us, guests or other podcast listeners, you can follow us on Twitter.
And please leave us a review on iTunes.
It helps people find the show, and we're always happy to read them.
So thanks so much, and we look forward to being back next week.