Dubbed Riffle, the new system taps the same onion encryption technique after which Tor is named, but it adds two others as well. First is what's called a mixnet, a series of servers that each permute the order in which messages are received before passing them on to the next server.
If messages arrive at the first server in the order A, B, C, for example, that server would send them to the second server in a different order, such as C, B, A. The second server would them reshuffle things again when sending the messages on. The advantage there is that a would-be attacker who had tracked the messages’ points of origin would have no idea which was which by the time they exited the last server.
A mixnet used with onion encryption is protected against passive adversaries, which can only observe network traffic. But active adversaries, which can infiltrate servers with their own code, are another matter. If one has commandeered a mixnet router and wants to determine the destination of a particular message, for instance, it could simply replace all the other messages it receives with its own, bound for a single destination. Then it could passively track the one message that doesn’t follow its own prespecified route.
That's where Riffle's third protective measure comes in. Essentially, it takes a two-pronged approach to validating the authenticity of messages using techniques called verifiable shuffle and authentication encryption. Verifiable shuffle keeps things secure while each user and each mixnet server agree upon a cryptographic key; authentication encryption, which is much more efficient, then takes over for the remainder of the communication session.
The overall result is that Riffle remains cryptographically secure as long as one server in the mixnet remains uncompromised, according to MIT. Meanwhile, Riffle also uses bandwidth much more efficiently than competing systems, its creators say. In experiments, it required only one-tenth as much time as similarly secure experimental systems to transfer a large file between anonymous users.
Riffle was developed by researchers at MIT’s Computer Science and Artificial Intelligence Laboratory and the École Polytechnique Fédérale de Lausanne. The system isn't yet available for public use, but the researchers will present a paper describing their work at the Privacy Enhancing Technologies Symposium in Germany next week.
“The idea of mixnets has been around for a long time, but unfortunately, it’s always relied on public-key cryptography and on public-key techniques, and that’s been expensive,” says Jonathan Katz, director of the Maryland Cybersecurity Center and a professor of computer science at the University of Maryland. “One of the contributions of this paper is that they showed how to use more efficient symmetric-key techniques to accomplish the same thing. They do one expensive shuffle using known protocols, but then they bootstrap off of that to enable many subsequent shufflings.”