Researchers at MIT and the École Polytechnique Fédérale de Lausanne in Switzerland have developed a new anonymity system called Riffle, described as a spiritual successor to Tor. Like Tor, Riffle uses layered, “onion-style” encryption to protect messages as they travel through a dedicated anonymizing network, concealing the path of the communication.
Tor was long considered one of the most secure tools for private communications. However, high-profile incidents have raised questions about its invulnerability. In particular, the FBI’s infiltration of parts of the Tor network to collect evidence against Silk Road founder Ross Ulbricht highlighted weaknesses in practice, and subsequent research has exposed techniques that can deanonymize users under certain conditions.
Researchers at Carnegie Mellon University demonstrated a deanonymization approach that relied on controlling a set of Tor nodes to reveal users’ identities. Reports indicated the researchers received funding from the FBI, which suggests similar methods may have contributed to the agency’s investigation. Those events have motivated research into new systems designed to resist node-based attacks and other compromises.
Riffle aims to address these threats by incorporating cryptographic protections at every node so that nodes cannot tamper with or improperly shuffle messages without detection. It employs a combination of cryptographic techniques, including a “verifiable shuffle,” where clients initially send their messages to all servers in the mixnet and the network performs provable, simultaneous transformations. This design ensures that any server attempting to modify traffic can be detected mathematically, rather than relying solely on trust in the servers.
“Our initial motivation was anonymous file sharing, where sender and receiver don’t know one another,” says Albert Kwon, a graduate student in electrical engineering and computer science and the paper’s first author. He explains that honeypotting—where operators of an anonymity service attempt to entrap users—is a real concern. The team also explored other applications, such as anonymous microblogging, where a user can broadcast messages anonymously to a wide audience.
Jonathan Katz, director of the Maryland Cybersecurity Center and professor of computer science at the University of Maryland, notes that Riffle applies well-established cryptographic ideas in a new way for mixnets. Standard internet encryption typically uses an expensive public-key operation to protect a short symmetric key, which then encrypts the larger message. Riffle extends this approach into mixnet contexts but adds proofs that a server’s reshuffling operation was performed correctly, defending against malicious servers within the network rather than only external attackers.
To reduce computational overhead, Riffle combines verifiable shuffles with authenticated encryption. The verifiable shuffle is used initially to establish secure keys between each user and the mixnet servers; once those keys are established, authenticated encryption—more efficient to execute—is used for the remainder of the session. This approach allows the system to both prove the integrity of shuffles and keep ongoing message processing practical for real-world use.
If a node detects that a message has been tampered with or compromised, Riffle can respond to protect users before their identities are exposed. The architecture is explicitly designed so that tampering is detectable and can be mitigated, reducing the risk posed by malicious or compromised nodes.
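The session phase described above can be sketched in a few functions; this is an added, simplified example and not code from the Riffle paper or project. It assumes each server already shares a session key with the client (the verifiable-shuffle setup is not implemented), and it uses an HMAC-SHA256 encrypt-then-MAC construction over a SHA-256 counter-mode keystream as a standard-library stand-in for a real authenticated cipher; all function names are hypothetical.

```python
import hashlib, hmac, os

NONCE_LEN, TAG_LEN = 16, 32  # per-layer nonce and HMAC-SHA256 tag sizes

def _subkeys(key):
    # Separate encryption and MAC keys derived from one shared session key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _xor_stream(key, nonce, data):
    # SHA-256 in counter mode: a stdlib stand-in for a real stream cipher.
    out = bytearray()
    for ctr in range((len(data) + 31) // 32):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, out))

def seal(key, plaintext):
    """One onion layer, encrypt-then-MAC: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    body = nonce + _xor_stream(enc_key, nonce, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def open_layer(key, blob):
    """Verify the tag first; decrypt only if the layer is unmodified."""
    enc_key, mac_key = _subkeys(key)
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise ValueError("layer failed authentication")
    return _xor_stream(enc_key, body[:NONCE_LEN], body[NONCE_LEN:])

def client_wrap(server_keys, message):
    # The last server's layer is innermost, so wrap in reverse order.
    for key in reversed(server_keys):
        message = seal(key, message)
    return message

def run_chain(server_keys, blob, corrupt_after=None):
    """Peel one layer per server. Returns (plaintext, None) on success or
    (None, i) when server i rejects its input. corrupt_after=j flips one
    bit in what server j forwards, modelling a misbehaving server."""
    for i, key in enumerate(server_keys):
        try:
            blob = open_layer(key, blob)
        except ValueError:
            return None, i
        if corrupt_after == i:
            blob = blob[:-1] + bytes([blob[-1] ^ 1])
    return blob, None
```

With three constructed keys, `run_chain(keys, client_wrap(keys, msg))` returns the message, while `corrupt_after=0` makes the second server reject its input, so the modification is caught at the next hop before the message travels further.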
Riffle will be presented at the upcoming Privacy Enhancing Technologies Symposium in Germany, where the design and evaluation will be discussed in detail.