A new system for anonymous exchange of digital information promises to address the shortcomings of popular anonymity software Tor while speeding up secure transfer of data files.
The system, dubbed Riffle, has been developed by a team from the Massachusetts Institute of Technology and the Swiss École Polytechnique Fédérale de Lausanne.
Riffle, which got its name from the way in which it swaps messages to cover up the order in which they were received, uses the same type of encryption as the Tor system but relies on privately instead of publicly shared keys to decrypt them.
Tor, short for The Onion Router, wraps each message in several layers of encryption. When the encrypted message is being transferred between secure servers, the so-called mixnets, each server removes one layer of encryption, with only the final server knowing the ultimate destination of the message.
The problem is that while this type of protection is sufficient against passive eavesdropping, it can fall victim to an active attacker who has taken control of one of the mixnet routers with malicious software. Such a scenario, the researchers explained, is not unlikely, as most of the mixnet routers are simple computers owned by volunteers running special software.
Once in control of the mixnet router, the attacker can tamper with the content of the messages and, for example, keep sending them to a single destination.
To prevent this type of intervention, Riffle uses a technique called the verifiable shuffle, which allows the servers to generate mathematical proofs that the messages they are sending are valid.
Verifying the proof does require checking it against copies of the messages the server received. With Riffle, users send their initial messages not only to the first server in the mixnet but to all of them at the same time. Servers can then independently check for tampering.
To streamline the process, instead of verifying the content of each message, Riffle verifies only the content of a private cryptographic key, which is subsequently used to authenticate the whole communication session.
The researchers say that as long as a single server in the mixnet remains uncompromised by an adversary, Riffle is cryptographically secure.
In experiments, the researchers demonstrated that sharing files via Riffle requires only one tenth of the time needed by Tor.
"The initial use case that we thought of was to do anonymous file-sharing, where the receiving end and sending end don't know each other," explained Albert Kwon, who led the research team. “But we also studied applications in microblogging, something like Twitter, where you want to anonymously broadcast your messages to everyone."
According to computer science professor Jonathan Katz of the University of Maryland, the joint MIT – EPFL team was the first to explore the idea of using private keys in combination with mixnets.
"The idea of mixnets has been around for a long time, but unfortunately it's always relied on public-key cryptography and on public-key techniques, and that's been expensive," Katz said. "One of the contributions of this paper is that they showed how to use more efficient symmetric-key techniques to accomplish the same thing. They do one expensive shuffle using known protocols, but then they bootstrap off of that to enable many subsequent shufflings."