Riffle: A new anonymity system to rival Tor

A group of researchers from MIT and the Swiss Federal Institute of Technology in Lausanne have come up with a new anonymity system that is both bandwidth and computation efficient, as well as less susceptible to traffic analysis attacks than Tor, the currently most widely used anonymity network.

It’s called Riffle, and for the moment, there is an existing prototype and two applications (one for file sharing and one for microblogging – all anonymously).

How does Riffle work?

“Riffle consists of a small set of anonymity servers and a large number of users (clients), and guarantees anonymity among all honest clients as long as there exists at least one honest server,” the researchers say.

“[It] achieves bandwidth and computation efficiency by employing two privacy primitives: a new hybrid verifiable shuffle for upstream communication [client-to-server], and private information retrieval (PIR) for downstream communication [server-to-client].”

Deployment model of Riffle

The anonymity servers, gathered into a mixnet, receive messages (from the clients) wrapped into several layers of encryption. In this aspect, Riffle works like Tor.

“To thwart message tampering, Riffle uses a technique called a verifiable shuffle. Because of the onion encryption, the messages that each server forwards look nothing like the ones it receives; it has peeled off a layer of encryption. But the encryption can be done in such a way that the server can generate a mathematical proof that the messages it sends are valid manipulations of the ones it receives,” Larry Hardesty, of the MIT News Office, explained.

“Verifying the proof does require checking it against copies of the messages the server received. So with Riffle, users send their initial messages to not just the first server in the mixnet but all of them, simultaneously. Servers can then independently check for tampering.”

The verifiable shuffle method is used only so that each client and mixnet can securely agree upon a private cryptographic key, which will be used to verify the authenticity of an encrypted message – this approach saves computational effort and makes the process faster.

Finally, private information retrieval (PIR) is used to protect the privacy of the recipient of the message.

The paper detailing the system has already been published, but Riffle will be officially publicly presented next week, at the 16th Privacy Enhancing Technologies Symposium in Darmstadt, Germany.

Is it more secure than Tor?

The security community will have to test and probe the Riffle system for weaknesses in order to see whether it is as secure as the creators believe.

Alan Woodward, a professor at the Department of Computing of the University of Surrey, thus explained the problems plaguing Tor at the moment:

“As Tor is a system run by volunteers it is possible for people to set up malicious relays. It has been used by researchers trawling for hidden services but it has become clear that the numbers of ‘spoiled onions’ is rather higher than might be explained by purely academic research. Whether it’s criminals or governments is irrelevant: what it shows is that Tor is potentially susceptible to people setting up malicious relays (including exit nodes) to unmask users.”

The latest example of such a spying attempt is the recent discovery of over 100 spying Tor nodes that attempt to compromise darknet sites.

“The new protocols described in detail in the Riffle research paper appear to be provably secure against precisely the threat model that has caused such concern in Tor [spoiled onions],” says professor Woodward. “It’ll be interesting to see if this causes a rethink in anonymous networking or if there is now so much momentum behind Tor that it continues despite its potential problems.”