
Riffle: an efficient communication system with strong anonymity - clarkmoody
http://dspace.mit.edu/handle/1721.1/99859
======
mirimir
Kwon thesis:
[https://dspace.mit.edu/bitstream/handle/1721.1/99859/927718269-MIT.pdf](https://dspace.mit.edu/bitstream/handle/1721.1/99859/927718269-MIT.pdf)

Paper:
[https://people.csail.mit.edu/devadas/pubs/riffle.pdf](https://people.csail.mit.edu/devadas/pubs/riffle.pdf)

------
luan42
With no real reaction after the NSA leaks and with people in various
governments trying somehow to criminalize encryption and anonymity, this is
exactly what we need. We don't need another centralized Google/Facebook/etc.
powered application.

~~~
Panino
> With no real reaction after the NSA leaks

I know where you're coming from but I don't think this is the case. There are
too many examples to give but here are some nice ones:

In 2013, there were only a small number of E2E encrypted messenger users. Now
there are over a _billion_ Signal Protocol users alone, not even including
other systems. This isn't getting deployed because it's easier to develop,
support, or use than plaintext.

In 2013, RC4 was widely used in TLS and random number generation (on BSD
systems). It has been kicked out and now ChaCha is seeing wide deployment in
the same places (although FreeBSD is lagging behind).

Let's Encrypt has substantially increased TLS availability and usage.

In 2013, the default crypto in OpenSSH was (IIRC) P-256 and AES-CTR, with
ECDSA host keys. It's now X25519 and ChaCha20-Poly1305 with EdDSA host keys.

In 2013, TLS was mostly RC4 and CBC. Now (on my servers) it's mostly GCM and
ChaCha. Even the IETF has said to stop using RC4.

The NaCl family, including in particular Libsodium, has a TON of users.
Besides supporting only strong crypto, the high-level API has made it almost
impossible to publish a successful new crypto library today that's in the
style of OpenSSL where the only answer to "how do I accomplish X?" is "go fuck
yourself." Good riddance to Russian roulette crypto libraries.

We're even seeing movement in pqcrypto. So while some people are being
reactive and switching out bad crypto for good (as in above examples), some
are being _proactive_. Google is experimenting with pq-safe key agreement, as
just one example. Tor is working on it as well. So not only has there been a
positive reaction since 2013, but people are beginning to be more proactive as
well, trying to stay ahead of the curve.

The number of users of strong crypto has increased by several billion since
2013.

~~~
pdimitar
Paranoid response alert:

This doesn't mean much, in my opinion. It might stop several thousand teams of
garage hacker heroes but it's hard to argue it would stop NSA / GCHQ / anybody
else on their level.

With all of the leaks (good chunk of them are just theories, admittedly) that
claim that agencies can utilize hardware backdoors remotely, it's hard for me
to imagine I am safe from snooping, ever. What good would a stronger SSL/TLS
key do if the agencies can directly connect to my CPU? What good would a
strong VPN and a network like Tor do if my NIC reports my traffic via a
backdoor in its driver without a chance of me ever noticing?

I definitely agree some progress has been made. No two opinions about it.

I do question if these countermeasures achieve anything at all against the
biggest and most formidable snoopers however. I feel like they are letting us
argue over things they've cracked long ago and are letting us think we're
safe.

Usually when public statements are made by them which try to smear/outlaw a
technology, it's then I'd think the agencies are having a hard time. If they
don't say anything, I'm presuming they got things well under control and where
they want them to be.

Not the ideal theory but all of this reply was just my thoughts anyway. If I
had any facts whatsoever, I'd most likely be in a prison, so there's that. We
can mostly only theorize here.

~~~
alanwatts
Compromised endpoints are the elephant in the room in the crypto debate.

~~~
pdimitar
Indeed they are. And it's somewhat discouraging seeing people argue over the
best encryption algorithm instead of trying to hunt down Intel's rootkits, for
example. Again, I can't _claim_ anything; I am just reading and hearing
things. They might be total crap and I might be an idiot for thinking they
might be true. But they're still worth considering IMO.

~~~
kardos
It's not at all discouraging to argue over the best encryption; it's plenty
healthy to keep the research going so weak/defeated methods get deprecated and
only the strongest remain in use.

But you're right that endpoint security is the next monumental task and the
challenges are not entirely unknown [1]. How do you suggest we proceed to
achieve trustworthy hardware?

[1] [https://libreboot.org/faq/#intel](https://libreboot.org/faq/#intel)

~~~
pdimitar
That's a very good question and a very tough one to answer. In my opinion we,
humanity, gave up the easy way to secure and publicly audited hardware
when Intel started growing. We lost the battle right there and then. To try
and do the same they achieved in 10-15 years but be entirely transparent and
auditable... seems impossible right now. :(

However, projects like Raspberry Pi are admirable and are efforts in the right
direction (even though recently it has been questioned if it can be hacked the
same way that Qualcomm-based Androids can). I recently heard about that
1000-core CPU as well. I wonder if that's entirely public? If it is, it might
render the x86 / AMD64 model irrelevant so we shouldn't spend gigantic efforts
in trying to catch up with 10-15 years of hard work from Intel.

So probably the general direction would be to make old and good hardware
protocols famous by trying to "libre"-ify them and bring them up to speed to
today's computational requirements (mind you, I still want to play my games on
Ultra settings). Even if we start replacing things one by one, every iteration
could decrease the attack surface. That'll force the malicious actors to take
counter-measures; for example, I'd think trying to outlaw ARM (or economically
attack its usage, which is the much more used way of doing things IMO) and
only license Intel/AMD for certain applications would be a telling sign that
somebody doesn't like what's happening.

I am not a hardware person (wish I was; I am not even an electrical /
electronics engineer!) but I am a privacy-conscious person, and quite
paranoid too. I am sure there's a way but alas, I can't answer you in as
constructive manner as I'd want to. I can only do a "boss speak" and be
oblivious to the details. And at 36 with a well-built career I am beginning to
doubt I'll ever try and become a hardcore hardware engineer in addition to my
programming/sysadmin experience.

My apologies if I wasted your time reading this.

EDIT: btw, the linked article is scary....

~~~
ogurechny
A little remark: Raspberry Pi is a nice market for Broadcom, Premier Farnell
and other big players involved in making it. It also has proprietary chip that
needs closed source software to work (while Intel provides a lot of open
source code).

I guess their project has been really successful if “privacy-conscious” and
“paranoid” persons consider it “admirable” based on nothing but the internet
hype.

~~~
pdimitar
You got me. I am not an expert. Your information is highly appreciated. This
is not sarcasm.

What would you recommend in terms of a really "libre" hardware?

~~~
ogurechny
The answer is simple: there is no libre hardware if you want top performance,
common architecture, don't have the ability to order chips in hundreds of
thousands or to make your own, etc.

The question is not whether some proprietary solution looks “free enough” if
you squint your eyes more than the other proprietary solution. The question is
whether people understand that a chain of trust that ends in someone else's
hands has its problems no matter how big that someone is, and bother to fix
that vulnerability.

~~~
roninb
I've been waiting to run across someone who may be able to scratch an itch
that's been in the back of my head for a few months now and you seem like you
might be able to help me out...

Would the developing J-Cores[0] being worked on by 0pf[1] be able to catch up
(I'm thinking more along the lines of performance of recent mobile processors,
not desktop processors)? I am under the impression that, while a monumental
task is ahead of them, they have the boon of hindsight. Of a dozen processor
architectures competing back then only a handful survived the decade and only
2 or 3 are being fabbed now (i386/amd64, ARMvX, and IBM?) and they can base
decisions on the successes and failures of other chipsets, speeding up the
development process. Is that fallacious thinking?

I know most of their goals are along the lines of getting custom fabs down to
$20k and making the term "penny processor" a household term, but is there
potential (read:hope) for a secure, performant (whatever that means to you)
processor that we can use for daily computing without fear of a hardware-based
backdoor?

------
swordswinger12
If you're interested in the basic tools used in this system, this is another
paper that uses some similar ones:
[http://arxiv.org/abs/1503.06115](http://arxiv.org/abs/1503.06115)

Phil Rogaway called it 'elegant', fwiw.

------
robotmlg
The name reminds me of the Solitaire cipher from Neal Stephenson's
Cryptonomicon, which is calculated using a deck of playing cards:
[https://en.wikipedia.org/wiki/Solitaire_(cipher)](https://en.wikipedia.org/wiki/Solitaire_\(cipher\))

~~~
puddintane
Interestingly enough that is being discussed on the front page of HN right
now! That is if you have not already seen this.

[1] [https://news.ycombinator.com/item?id=12076568](https://news.ycombinator.com/item?id=12076568)

~~~
robotmlg
Yeah, I saw that and wondered if my comment was the inspiration for that post
:-)

------
wtbob
It's interesting, for certain, but still requires all clients to dedicate an
identical amount of bandwidth (n.b.: this is very probably required for
traffic-analysis-resistant anonymity): 'Moreover, each message needs to be
padded to a fixed length to prevent privacy leakage through the size of the
message,' (pg.23) and 'To be fully traffic analysis resistant, all users are
required to upload a message, even if they do not wish to communicate that
round' (pg. 25).

Granted, the second sentence leaves open the possibility that perhaps all
users _aren't_ required to upload a message, at the cost of increased
susceptibility to analysis, but I don't think that's really intended: worst-
case, there's one client message per round, which provides no real anonymity
against the client's primary server.

I'm not putting it down, really: Riffle is a remarkable achievement. Sadly, it
appears that anonymity is really, really hard to do truly efficiently.

~~~
wtbob
Also, if I'm reading it correctly then each plaintext message from a
particular client ends up at the same location within an epoch, due to the
one-time shuffle at the beginning of each epoch. That might be able to reveal
information about a client's activity within the epoch.

I also wonder if the presence of distinguishably-mandatory plaintext messages
could be used within an epoch, particularly with respect to the previous
point. E.g. maybe knowing that the same client was active in rounds 1 & 2, then
inactive in round 3, then active in round 4, then inactive in rounds 5 & 6,
then active in rounds 7 & 8 could be used to identify the client (imagine a
low-latency system, and keystroke timings or voice packet lengths).
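The two constraints wtbob quotes (fixed-length padding and a mandatory upload from every client each round) exist to deny a passive observer on the upload link, such as the client's primary server, any per-round signal. The following added example is a toy model of that observer, not Riffle's code or anything from the paper: it assumes uploads are encrypted, so the observer learns only whether a client sent something and how big it was, and it borrows the 160-byte slot size from the microblogging figure quoted elsewhere in the thread. The epoch of rounds, the client names and the padding format are constructed for the illustration.

```python
# Added example (not Riffle's code): what a passive observer on a client's
# upload link records per round, with and without fixed-length padding and a
# mandatory upload from every client.  All values below are constructed.
import struct
from typing import Callable, Dict, List, Optional

SLOT_SIZE = 160   # fixed upload size per client per round (assumed)
LEN_PREFIX = 2    # big-endian u16 length prefix makes the padding unambiguous
MAX_PAYLOAD = SLOT_SIZE - LEN_PREFIX


def pad(payload: bytes) -> bytes:
    """Length-prefix the payload and zero-fill to SLOT_SIZE."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError(f"payload of {len(payload)} bytes exceeds {MAX_PAYLOAD}")
    body = struct.pack(">H", len(payload)) + payload
    return body + b"\x00" * (SLOT_SIZE - len(body))


def unpad(slot: bytes) -> bytes:
    """Recover the payload; a dummy (zero-length payload) unpads to b''."""
    if len(slot) != SLOT_SIZE:
        raise ValueError("malformed slot")
    (n,) = struct.unpack(">H", slot[:LEN_PREFIX])
    if n > MAX_PAYLOAD:
        raise ValueError("malformed length prefix")
    return slot[LEN_PREFIX:LEN_PREFIX + n]


def dummy() -> bytes:
    """Cover traffic for a client with nothing to say this round."""
    return pad(b"")


Round = Dict[str, Optional[bytes]]   # client -> payload, or None when idle


def naive_round(intent: Round) -> Dict[str, bytes]:
    """Clients upload only when they have something to say, unpadded."""
    return {c: m for c, m in intent.items() if m is not None}


def constant_rate_round(intent: Round) -> Dict[str, bytes]:
    """Every client uploads exactly one SLOT_SIZE slot, real or dummy."""
    return {c: (pad(m) if m is not None else dummy()) for c, m in intent.items()}


def observer_view(uploads: Dict[str, bytes], clients: List[str]) -> Dict[str, Optional[int]]:
    """Per client: upload size in bytes, or None if nothing was sent.

    Assumption: uploads are encrypted, so the observer learns only presence
    and size.  That is the threat model behind the two rules quoted above.
    """
    return {c: (len(uploads[c]) if c in uploads else None) for c in clients}


def activity_pattern(scheme: Callable[[Round], Dict[str, bytes]],
                     rounds: List[Round], client: str) -> List[Optional[int]]:
    """What the observer records for one client across an epoch of rounds."""
    clients = sorted({c for r in rounds for c in r})
    return [observer_view(scheme(r), clients)[client] for r in rounds]


def leaks_activity(pattern: List[Optional[int]]) -> bool:
    """True if per-round observations differ, i.e. the client's activity shows."""
    return len(set(pattern)) > 1


# Constructed epoch: alice talks in rounds 1, 2 and 4; bob only in round 3.
EPOCH: List[Round] = [
    {"alice": b"hello", "bob": None},
    {"alice": b"still here", "bob": None},
    {"alice": None, "bob": b"hi"},
    {"alice": b"bye", "bob": None},
]

if __name__ == "__main__":
    for name, scheme in (("naive", naive_round), ("constant-rate", constant_rate_round)):
        pat = activity_pattern(scheme, EPOCH, "alice")
        print(f"{name:14s} alice: {pat}  leaks={leaks_activity(pat)}")
```

Under the naive scheme the observer's record for alice is her exact activity pattern, sizes included; under the constant-rate scheme every client's record is the same constant, which is the property the paper's padding and mandatory-upload rules are buying at the cost of identical bandwidth for everyone. The model covers only the upload link: what the decrypted output of a round reveals about which messages were mandatory dummies (wtbob's second concern) is outside it.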

------
magicfractal
It would be nice to understand on a high level how it compares with other
systems for the non-experts.

------
jcfrei
Link to a prototype implementation by the author:
[https://github.com/kwonalbert/riffle](https://github.com/kwonalbert/riffle)

~~~
mirimir
> NOTE: This prototype implements most of what's described in the paper, but
> does NOT make any guarantees about security. This prototype is almost
> certainly full of security bugs. Please do not adapt this code to use for
> real anonymous communication.

So I wonder if this will be updated.

------
daxorid
Somewhat reminiscent of agl's awesome-but-defunct pond, with turn-based rather
than randomized sends.

~~~
mirimir
Anyone know why it's defunct, if it's so awesome?

~~~
sporkenfang
The author graduated and nobody stepped up to maintain the work. Happens to
99% of graduate student projects. The sad truth here is a lot of well
maintained open source work is funded by companies who pay individuals to work
and/or maintain the projects. Lots of cool ideas have no such luck.

~~~
mirimir
OK, I get it. I didn't know that he did Pond as a grad student.

------
indolering
> For latency sensitive microblogging, we can support up to 10,000 users with
> less than one second latency with 160 byte messages.

This is not a general-purpose mix network.

------
grondilu
> Anonymous communication is an important part of democratic societies and
> freedom of speech.

Is it?

~~~
vertis
It's easy to take for granted in an advanced democratic state, because freedom
of speech is protected in one way or another.

For a certain subset of societies that suppress information and views,
anonymous communication becomes more important. Enabling more voices is in
essence making the society more democratic (or leading towards).

In addition, if you look at what's going on in Poland[1] at the moment, then
you could very well argue that a popular service that can't be censored would
help present a more balanced view of what is going on.

From that perspective it becomes a safeguard to prevent slipping, even if
things are sailing along fine at the moment.

[1]: [http://www.independent.co.uk/news/world/americas/barack-obama-attacks-polish-democracy-in-a-speech-polish-tv-changes-speech-a7129136.html](http://www.independent.co.uk/news/world/americas/barack-obama-attacks-polish-democracy-in-a-speech-polish-tv-changes-speech-a7129136.html)

~~~
bpchaps
Absolutely. Back when I first started doing FOIA requests, everything was
anonymous. Not necessarily because of paranoia, but because it gave me a calm
peace of mind after submitting requests.

After some bogus FOIA redactions and misinterpretations, I submitted a Request
for Review (RFR) to the Illinois attorney general's office who refused to
continue without a signature with a valid first and last name to associate the
RFR to the original FOIA request.... even though my first and last name
weren't actually on any previous requests (their argument made no sense,
especially with ESIGN in mind). My lawyer even told me that it would be a
waste of time to fight it and to just accept it - since a lawsuit would very
likely require my name anyway. Or alternatively give up on the request.

Since my writing style stands out like a sore thumb, staying "anonymous" seemed
pretty silly going forward, so I stopped. These days, I feel naked when
submitting a request and in a lot of ways, it definitely feels like it does
limit certain types of requests. If anything, my requests are a little bit
more agitated - I definitely no longer have the same peace of mind as before.

