This article is more than 1 year old

Meet Riffle, the next-gen anonymity network that hopes to trounce Tor

Here's hoping it's not a load of piffle

Next week, top eggheads will unveil a new anonymizing internet tool that they claim is snoop-proof and faster and more reliable against attack than Tor.

Dubbed Riffle, the system was developed by MIT and the École Polytechnique Fédérale de Lausanne in Switzerland. It uses the same onion-encryption system as Tor, which wraps messages in layers of encryption as they travel through the anonymizing network to disguise the route they've taken.

Like Tor, Riffle [paper PDF] runs connections through a mix network of nodes, bouncing packets from system to system to obscure the origin. What separates Riffle from Tor is that the former has extra defenses to potentially prevent spies from unmasking its users.

Protecting anonymized users from being identified is a major concern all round because these networks are used by whistleblowers, journalists, government workers and folks trying to evade censorship blocks, where unmasking them could lead to imprisonment or death.

Last year researchers at Carnegie Mellon University apparently found a way to deanonymize sections of the Tor network by using a series of infected nodes that ratted out the network's users. The CMU team got a reported $1m bounty from the Feds for that effort.

Riffle, however, is hardened against that level of infiltration. First, you have to understand that networks like Riffle and Tor are supposed to thwart passive surveillance: simply watching packets move from node to node within the mesh shouldn't be enough to work out who ultimately sent them, ideally.

Active surveillance is a real problem, though: malicious or hacked nodes in the network can tamper with the traffic they receive to eventually deduce where a connection originated. Riffle tries to tackle this by adding anti-tamper mechanisms to its design.

Each node can mathematically prove that data passing through it hasn't been meddled with. To do this, each Riffle client sends an initial message to all nodes in the mesh simultaneously to establish that mathematical proof – which sounds impractical but we're assured it works. Steps are taken to streamline this process as much as possible. The point is to establish a means to verify network-wide that traffic is not being interfered with.

Ultimately, if just one of the computers routing a Riffle connection remains uncompromised, that one machine will detect when the mathematical proof has been broken, signaling that someone has tried to tamper with the traffic. At that point, the alarm can be raised to stop people from being identified.

"Riffle uses a technique called a verifiable shuffle. Because of the onion encryption, the messages that each server forwards look nothing like the ones it receives," MIT's Larry Hardesty explained.

"The encryption can be done in such a way that the server can generate a mathematical proof that the messages it sends are valid manipulations of the ones it receives. Verifying the proof does require checking it against copies of the messages the server received. So with Riffle, users send their initial messages to not just the first server in the mixnet but all of them, simultaneously. Servers can then independently check for tampering."

Jonathan Katz, director of the Maryland Cybersecurity Center and a professor of computer science at the University of Maryland, added: "The idea of mixnets has been around for a long time, but unfortunately it's always relied on public-key cryptography and on public-key techniques, and that's been expensive.

"One of the contributions of this paper is that they showed how to use more efficient symmetric-key techniques to accomplish the same thing. They do one expensive shuffle using known protocols, but then they bootstrap off of that to enable many subsequent shufflings."

As a result, the system is strong and efficient, in theory. The development team says it takes a tenth of the resources to send large files as other anonymizing services and provides much better protection against active and passive monitoring.

Riffle will be presented at next week's Privacy Enhancing Technologies Symposium in Germany, and we expect it to be reviewed in depth by experts. ®

PS: A Tor core developer claims to have already broken Riffle.

More about

More about

More about


Send us news

Other stories you might like