Jump to ContentJump to Main Navigation
Show Summary Details
More options …

Proceedings on Privacy Enhancing Technologies

4 Issues per year

Open Access
See all formats and pricing
More options …


An Efficient Communication System With Strong Anonymity

Albert Kwon / David Lazar / Srinivas Devadas / Bryan Ford
Published Online: 2015-12-30 | DOI: https://doi.org/10.1515/popets-2016-0008


Existing anonymity systems sacrifice anonymity for efficient communication or vice-versa. Onion-routing achieves low latency, high bandwidth, and scalable anonymous communication, but is susceptible to traffic analysis attacks. Designs based on DC-Nets, on the other hand, protect the users against traffic analysis attacks, but sacrifice bandwidth. Verifiable mixnets maintain strong anonymity with low bandwidth overhead, but suffer from high computation overhead instead.

In this paper, we present Riffle, a bandwidth and computation efficient communication system with strong anonymity. Riffle consists of a small set of anonymity servers and a large number of users, and guarantees anonymity among all honest clients as long as there exists at least one honest server. Riffle uses a new hybrid verifiable shuffle technique and private information retrieval for bandwidth- and computation-efficient anonymous communication. Our evaluation of Riffle in file sharing and microblogging applications shows that Riffle can achieve a bandwidth of over 100KB/s per user in an anonymity set of 200 users in the case of file sharing, and handle over 100,000 users with less than 10 second latency in the case of microblogging.

Keywords : anonymous communication; verifiable shuffle; private information retrieval


  • [1] Advanced crypto library for the go language. https://github.com/DeDiS/crypto.Google Scholar

  • [2] Bittorrent. https://bittorrent.com.Google Scholar

  • [3] Emulab network emulation testbed. http://www.emulab.net/.Google Scholar

  • [4] Secret-key authenticated encryption. http://nacl.cr.yp.to/secretbox.html.Google Scholar

  • [5] Secretbox - godoc. https://godoc.org/golang.org/x/crypto/nacl/secretbox.Google Scholar

  • [6] Tor metrics portal. https://metrics.torproject.org.Google Scholar

  • [7] S. Bayer and J. Groth. Efficient zero-knowledge argument for correctness of a shuffle. In Proceedings of the 31st Annual International Conference on Theory and Applications of Cryptographic Techniques, EUROCRYPT’12, pages 263-280, Berlin, Heidelberg, 2012. Springer-Verlag.Google Scholar

  • [8] M. Bellare, R. Canetti, and H. Krawczyk. Keying hash functions for message authentication. pages 1-15. Springer- Verlag, 1996.Google Scholar

  • [9] M. Bellare and C. Namprempre. Authenticated encryption: Relations among notions and analysis of the generic composition paradigm. J. Cryptol., 21(4):469-491, Sept. 2008.Google Scholar

  • [10] D. Bernstein. The poly1305-aes message-authentication code. In H. Gilbert and H. Handschuh, editors, Fast Software Encryption, volume 3557 of Lecture Notes in Computer Science, pages 32-49. Springer Berlin Heidelberg, 2005.Google Scholar

  • [11] D. J. Bernstein. Curve25519: new diffie-hellman speed records. In In Public Key Cryptography (PKC), Springer- Verlag LNCS 3958, page 2006, 2006.Google Scholar

  • [12] D. J. Bernstein. New stream cipher designs. chapter The Salsa20 Family of Stream Ciphers, pages 84-97. Springer- Verlag, Berlin, Heidelberg, 2008.Google Scholar

  • [13] J. Brickell and V. Shmatikov. Efficient anonymity-preserving data collection. In Proceedings of the 12th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, KDD ’06, pages 76-85, New York, NY, USA, 2006. ACM.Google Scholar

  • [14] X. Cai, X. Zhang, B. Joshi, and R. Johnson. Touching from a distance: Website fingerprinting attacks and defenses. In Proceedings of the 19th ACM conference on Computer and Communications Security (CCS 2012), October 2012.Google Scholar

  • [15] J. Camenisch and M. Stadler. Proof systems for general statements about discrete logarithms. Technical report, 1997.Google Scholar

  • [16] D. Chaum. The dining cryptographers problem: Unconditional sender and recipient untraceability. J. Cryptol., 1(1):65-75, Mar. 1988.Google Scholar

  • [17] D. Chaum and T. P. Pedersen. Wallet databases with observers. In Proceedings of the 12th Annual International Cryptology Conference on Advances in Cryptology, CRYPTO ’92, pages 89-105, London, UK, UK, 1993. Springer-Verlag.Google Scholar

  • [18] D. L. Chaum. Untraceable electronic mail, return addresses, and digital pseudonyms. Commun. ACM, 24(2):84-90, Feb. 1981.Google Scholar

  • [19] B. Chor and N. Gilboa. Computationally private information retrieval (extended abstract). In Proceedings of the Twenty-ninth Annual ACM Symposium on Theory of Computing, STOC ’97, pages 304-313, New York, NY, USA, 1997. ACM.Google Scholar

  • [20] B. Chor, E. Kushilevitz, O. Goldreich, and M. Sudan. Private information retrieval. J. ACM, 45(6):965-981, Nov. 1998.CrossrefGoogle Scholar

  • [21] H. Corrigan-Gibbs, D. Boneh, and D. Mazieres. Riposte: An Anonymous Messaging System Handling Millions of Users. ArXiv e-prints, Mar. 2015.Google Scholar

  • [22] H. Corrigan-Gibbs and B. Ford. Dissent: Accountable anonymous group messaging. In Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS ’10, pages 340-350, New York, NY, USA, 2010. ACM.Google Scholar

  • [23] H. Corrigan-Gibbs, D. I. Wolinsky, and B. Ford. Proactively accountable anonymous messaging in verdict. In Presented as part of the 22nd USENIX Security Symposium (USENIX Security 13), pages 147-162, Washington, D.C., 2013. USENIX.Google Scholar

  • [24] G. Danezis, R. Dingledine, D. Hopwood, and N. Mathewson. Mixminion: Design of a type iii anonymous remailer protocol. In In Proceedings of the 2003 IEEE Symposium on Security and Privacy, pages 2-15, 2003.Google Scholar

  • [25] W. Diffie and M. Hellman. New directions in cryptography. Information Theory, IEEE Transactions on, 22(6):644-654, Nov 1976.Google Scholar

  • [26] R. Dingledine, N. Mathewson, and P. Syverson. Tor: The Second-Generation Onion Router. In Proceedings of the 13th USENIX Security Symposium, pages 303-320, August 2004.Google Scholar

  • [27] M. J. Freedman and R. Morris. Tarzan: A peer-to-peer anonymizing network layer. In Proceedings of the 9th ACM Conference on Computer and Communications Security, CCS ’02, pages 193-206, New York, NY, USA, 2002. ACM.Google Scholar

  • [28] J. Furukawa and K. Sako. An efficient scheme for proving a shuffle. In In Proc. of CRYPTO ’01, pages 368-387. Springer-Verlag, 2001.Google Scholar

  • [29] N. Gilboa and Y. Ishai. Distributed point functions and their applications. In P. Nguyen and E. Oswald, editors, Advances in Cryptology - EUROCRYPT 2014, volume 8441 of Lecture Notes in Computer Science, pages 640-658. Springer Berlin Heidelberg, 2014.Google Scholar

  • [30] S. Goel, M. Robson, M. Polte, and E. G. Sirer. Herbivore: A Scalable and Efficient Protocol for Anonymous Communication. Technical Report 2003-1890, Cornell University, Ithaca, NY, February 2003.Google Scholar

  • [31] S. Goldwasser and S. Micali. Probabilistic encryption; how to play mental poker keeping secret all partial information. In Proceedings of the Fourteenth Annual ACM Symposium on Theory of Computing, STOC ’82, pages 365-377, New York, NY, USA, 1982. ACM.Google Scholar

  • [32] D. Herrmann, R. Wendolsky, and H. Federrath. Website fingerprinting: Attacking popular privacy enhancing technologies with the multinomial naive-bayes classifier. In Proceedings of the 2009 ACM Workshop on Cloud Computing Security, CCSW ’09, pages 31-42, New York, NY, USA, 2009. ACM.Google Scholar

  • [33] A. Kwon, M. AlSabah, D. Lazar, M. Dacier, and S. Devadas. Circuit fingerprinting attacks: Passive deanonymization of tor hidden services. In 24th USENIX Security Symposium (USENIX Security 15), pages 287-302, Washington, D.C., Aug. 2015. USENIX Association.Google Scholar

  • [34] S. Le Blond, D. Choffnes, W. Zhou, P. Druschel, H. Ballani, and P. Francis. Towards efficient traffic-analysis resistant anonymity networks. In Proceedings of the ACM SIGCOMM 2013 Conference on SIGCOMM, SIGCOMM ’13, pages 303-314, New York, NY, USA, 2013. ACM.Google Scholar

  • [35] N. Mathewson and R. Dingledine. Practical traffic analysis: extending and resisting statistical disclosure. In 4th International Workshop on Privacy Enhancing Technologies, May 2004.Google Scholar

  • [36] S. J. Murdoch and G. Danezis. Low-cost traffic analysis of tor. In Proceedings of the 2005 IEEE Symposium on Security and Privacy, SP ’05, pages 183-195, Washington, DC, USA, 2005. IEEE Computer Society.Google Scholar

  • [37] C. A. Neff. A verifiable secret shuffle and its application to e-voting. In Proceedings of the 8th ACM Conference on Computer and Communications Security, CCS ’01, pages 116-125, New York, NY, USA, 2001. ACM.Google Scholar

  • [38] L. Nguyen and R. Safavi-naini. Breaking and mending resilient mix-nets. In Proc. PET’03, Springer-Verlag, LNCS 2760, pages 66-80. Springer-Verlag, LNCS, 2003.Google Scholar

  • [39] A. Panchenko, L. Niessen, A. Zinnen, and T. Engel. Website Fingerprinting in Onion Routing Based Anonymization Networks. In Proceedings of the ACM Workshop on Privacy in the Electronic Society (WPES), pages 103-114, October 2011.Google Scholar

  • [40] B. Pfitzmann. Breaking an efficient anonymous channel. In In EUROCRYPT, pages 332-340. Springer-Verlag, 1995.Google Scholar

  • [41] B. Pfitzmann and A. Pfitzmann. How to break the direct rsa-implementation of mixes. In Advances in Cryptology- EUROCRYPT ’89 Proceedings, pages 373-381. Springer- Verlag, 1990.Google Scholar

  • [42] J. Pouwelse, P. Garbacki, D. Epema, and H. Sips. The bittorrent p2p file-sharing system: Measurements and analysis. In M. Castro and R. van Renesse, editors, Peer-to-Peer Systems IV, volume 3640 of Lecture Notes in Computer Science, pages 205-216. Springer Berlin Heidelberg, 2005.Google Scholar

  • [43] J.-F. Raymond. Traffic Analysis: Protocols, Attacks, Design Issues, and Open Problems. In H. Federrath, editor, Proceedings of Designing Privacy Enhancing Technologies: Workshop on Design Issues in Anonymity and Unobservability, pages 10-29. Springer-Verlag, LNCS 2009, July 2000.Google Scholar

  • [44] M. K. Reiter and A. D. Rubin. Anonymous web transactions with crowds. Commun. ACM, 42(2):32-48, Feb. 1999.Google Scholar

  • [45] M. Rennhard and B. Plattner. Introducing morphmix: Peerto- peer based anonymous internet usage with collusion detection. In Proceedings of the 2002 ACM Workshop on Privacy in the Electronic Society, WPES ’02, pages 91-102, New York, NY, USA, 2002. ACM.Google Scholar

  • [46] L. Sassaman, B. Cohen, and N. Mathewson. The pynchon gate: A secure method of pseudonymous mail retrieval. In Proceedings of the 2005 ACM Workshop on Privacy in the Electronic Society, WPES ’05, pages 1-9, New York, NY, USA, 2005. ACM.Google Scholar

  • [47] R. Sion and B. Carbunar. On the computational practicality of private information retrieval.Google Scholar

  • [48] E. G. Sirer, S. Goel, and M. Robson. Eluding carnivores: File sharing with strong anonymity. In In Proc. of ACM SIGOPS European Workshop, 2004.Google Scholar

  • [49] A. Teich, M. S. Frankel, R. Kling, and Y. Lee. Anonymous communication policies for the internet: Results and recommendations of the aaas conference. Information Society, 15(2), 1999.Google Scholar

  • [50] M. Waidner and B. Pfitzmann. The dining cryptographers in the disco: Unconditional sender and recipient untraceability with computationally secure serviceability. In Proceedings of the Workshop on the Theory and Application of Cryptographic Techniques on Advances in Cryptology, EUROCRYPT ’89, pages 690-, New York, NY, USA, 1990. Springer-Verlag New York, Inc.Google Scholar

  • [51] T. Wang and I. Goldberg. Improved website fingerprinting on tor. In Proceedings of the Workshop on Privacy in the Electronic Society (WPES 2013). ACM, November 2013.Google Scholar

  • [52] D. Wikström. Four practical attacks for "optimistic mixing for exit-polls", 2003.Google Scholar

  • [53] D. I. Wolinsky, H. Corrigan-Gibbs, B. Ford, and A. Johnson. Dissent in numbers: Making strong anonymity scale. In Presented as part of the 10th USENIX Symposium on Operating Systems Design and Implementation (OSDI 12), pages 179-182, Hollywood, CA, 2012. USENIX.Google Scholar

  • [54] D. I. Wolinsky, E. Syta, and B. Ford. Hang with your buddies to resist intersection attacks. In Proceedings of the 2013 ACM SIGSAC conference on Computer Communications Security, CCS ’13, pages 1153-1166, New York, NY, USA, 2013. ACM. Google Scholar

About the article

Received: 2015-08-31

Revised: 2015-12-02

Accepted: 2015-12-02

Published Online: 2015-12-30

Published in Print: 2016-04-01

Citation Information: Proceedings on Privacy Enhancing Technologies, Volume 2016, Issue 2, Pages 115–134, ISSN (Online) 2299-0984, DOI: https://doi.org/10.1515/popets-2016-0008.

Export Citation

© 2016. This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 License. BY-NC-ND 4.0

Comments (0)

Please log in or register to comment.
Log in