The Riffle Project

Published By:
Published ON:
March 24, 2017

Online anonymity has become very popular with users becoming concerned about their privacy when using the Internet. TOR is one of the most widely used (and arguably, most effective) ways of maintaining a level of online anonymity. Although TOR has some great advantages, it nevertheless has its limitations.

One possible alternative to TOR is the Riffle anonymity network. But how does it the answer to the call for better online privacy?

What is the Riffle Project?

In July 2016, at the Privacy Enhancing Technologies Symposium, researchers from the MIT Computer Science and Artificial Intelligence Laboratory in collaboration with the Ecole Polytechnique Federale de Lausanne presented a new anonymity scheme, which they called the ‘’Riffle’’ project.

Riffle consists of a small set of anonymity servers and a large number of users. It guarantees anonymity amongst all uncompromised clients as long as there exists at least one uncompromised server. Riffle uses a new hybrid verifiable shuffle technique and private information retrieval for bandwidth and computation-efficient anonymous communication.

What does that mean? To put it simply, Riffle reduces the bandwidth overhead while at the same time ensuring user communication, privacy, and anonymity. Therefore, it is believed to be faster and more secure.

How does Riffle work?

At the heart of the system is a series of servers called a Mixnet. Each server permutes the order in which it receives messages before passing them on to the next. For example, if messages from senders Alan, Bob, and Caroline reach the first server in the order A, B, and C, that server would send them to the second server in a different order — say, C, B, A. The second server would permute them before sending them to the third, and so forth. In a real-life scenario, there will be hundreds of thousands of messages floating along the nodes of the Riffle network all mixed up. Therefore, it will be practically impossible to predict the path of the message.

Fig 1-Deployment model of Riffle

The aim of the Mixnet is precisely that - to collect user inputs and shuffle them before sending them out. However, it is likely that the Mixnet will fail to provide the level of anonymity that the model claims to provide.

Like TOR, Riffle also uses a technique known as onion routing or onion encryption. With onion encryption, the sender computer wraps each message in several layers of encryption using a public-key encryption system. Each server in the Mixnet removes only one layer of encryption, so that only the last server knows a message’s ultimate destination.

To thwart message tampering, Riffle uses a technique called hybrid verifiable shuffle (as opposed to traditional verifiable shuffle). As result of the onion encryption, the messages that each server sends look nothing like the ones it receives. Having said that, encryption can be done in a way that the server can generate mathematical proof that the messages it sends are valid manipulations of the ones it receives. Verifying the proof does require checking it against copies of the messages the server received. Generating and checking proofs is an intensive process that will significantly slow down the network if it has to be repeated for every message.

To overcome this potential problem, Riffle uses yet another technique called authentication encryption, which can verify the authenticity of an encrypted message. Authentication encryption is much more efficient to execute than the verifiable shuffle, but it requires the sender and the receiver to share a private cryptographic key. Therefore, Riffle appears to use the verifiable shuffle technique only to establish secure connections that let each user and each Mixnet server agree upon a key. It then uses the authentication encryption technique for the remainder of the communication session.

Fig 2. Anonymous File Sharing Protocol

A Mixnet with onion encryption is only effective against a passive adversary that is the one that observes traffic going in and out of the relay network. That leaves the Mixnet vulnerable to active adversaries, which can infiltrate the servers with their own code. If, for instance, an adversary that has taken control of a Mixnet router wants to determine the destination of a particular message, they could simply replace all the other messages they receive with their own, bound for a single destination. They could then passively track the one message that does not follow its own pre-specified route.

Riffle vs. TOR

Arguably, TOR is the only credible competition for Riffle, therefore the comparison between the two anonymous communication systems is inevitable.

Riffle is believed to have a number of advantages over TOR. For example:

  • Riffle is more secure than TOR as it relies on an anti-trust model. Therefore, as long as one server in the anonymity network is safe, Riffle is secure.
  • TOR has been criticised for its poor performance. Riffle is faster than TOR. In the research, it was revealed that file transfers in Riffle took one-tenth of the time required for TOR and other anonymity networks. As far as file sharing was concerned, Riffle can achieve a bandwidth of over 100KB/per client in an anonymous network of 200 clients.

Having said that, there are a number of limitations to Riffle:

  • The Riffle model assumes that users would like to communicate with other users in the same group. However, what happens if the users may also want to interact other Riffle groups, or the general Internet?
  • There appears to be no mechanism to prevent malicious servers from claiming that the one safe server is malicious. Though this scenario is assessed to be rare, it nevertheless is a possibility.

Is the Riffle anonymity network the answer to the call for better online privacy? Perhaps. It certainly utilises improved protocols and techniques, as discussed above. However, it also suffers from serious limitations. Time will tell if this proof of concept project replaces TOR.