Yesterday MIT put out a press release entitled "How to stay anonymous online" in which they announce Riffle - a new anonymous communications network.

This announcement was quickly picked up by some of the tech press with outlandish headlines like "MIT’s anonymous online communications protocol Riffle could beat Tor at its own game".

I say outlandish because despite the press release also hinting at a possible replacement to Tor in the opening paragraph - the Riffle paper, and its authors, make no such claim.

And this is a shame, because Riffle is actually very interesting by itself, without being seen as a Tor replacement - which it isn't.

In this post I am going to give my thoughts on the Riffle scheme, but I very much suggest you go read the Riffle paper for yourself.

The Basics

Riffle is a new anonymous communication scheme which presents a network of a small number of servers and a larger number of clients.

Riffle aims to provide three security properties:

  1. Correctness - after a successful run of the Riffle protocol every honest client's messages are available to all honest clients.

  2. Sender Anonymity - no adversary can learn which messages were sent by an honest client.

  3. Receiver Anonymity - no adversary can learn which messages were downloaded by an honest client.

The Protocol

Each client is set up with a primary server. All servers are given an index number from 1 to m, where m is the total number of servers.

Riffle splits up its operation into epochs or time stages, and each epoch has two parts: Setup and Communication.

During the Setup phase the servers and clients generate and share secrets for the communication phase.

During the Communication phase every client onion-encrypts a message with all the servers' public keys and uploads it to its primary server.

The servers then send all their messages to the designated first server (server #1).

Each server then authenticates, decrypts and shuffles each message. The server then passes on the shuffled ciphertexts to the next indexed server.

The last server authenticates and decrypts the ciphertext, leaving it with a set of plaintext messages which it shares with all the servers.

Finally the clients download the messages via PIR or through broadcast.

The paper suggests a number of optimizations to the above protocol, namely in how the shuffle process can be hybridized with authenticated encryption so that it is more efficient than traditional shuffles.
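The upload, authenticate, decrypt and shuffle steps described above can be modelled in a few lines; this is an added example, not code from the Riffle paper or its authors. It assumes one symmetric secret per server as a stand-in for the servers' public keys, uses a toy encrypt-then-MAC cipher built from SHA-256, and leaves out the verifiable shuffle and the PIR download; all function names are hypothetical.

```python
import hashlib, hmac, secrets

TAG, SIZE = 32, 64  # HMAC-SHA256 tag bytes; fixed plaintext size (assumed)

def _keys(key):
    # Separate encryption and MAC keys derived from one server secret.
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def _xor(key, nonce, data):
    # Toy stream cipher: SHA-256 in counter mode, for illustration only.
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, msg):
    ek, mk = _keys(key)
    nonce = secrets.token_bytes(16)
    body = nonce + _xor(ek, nonce, msg)
    return body + hmac.new(mk, body, hashlib.sha256).digest()

def open_layer(key, blob):
    ek, mk = _keys(key)
    body, tag = blob[:-TAG], blob[-TAG:]
    if not hmac.compare_digest(tag, hmac.new(mk, body, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return _xor(ek, body[:16], body[16:])

def onion_encrypt(server_keys, msg):
    # Pad to a fixed size so length cannot link an upload to an output.
    if len(msg) > SIZE:
        raise ValueError("message too long")
    data = len(msg).to_bytes(2, "big") + msg.ljust(SIZE, b"\0")
    for key in reversed(server_keys):  # outermost layer is server #1's
        data = seal(key, data)
    return data

def run_epoch(server_keys, uploads):
    batch = list(uploads)
    for key in server_keys:  # servers 1..m in index order
        batch = [open_layer(key, c) for c in batch]  # authenticate + decrypt
        secrets.SystemRandom().shuffle(batch)        # this server's permutation
    return [p[2:2 + int.from_bytes(p[:2], "big")] for p in batch]

if __name__ == "__main__":
    keys = [secrets.token_bytes(32) for _ in range(3)]         # m = 3 servers
    msgs = [b"alice: hi", b"bob: hello there", b"carol: hey"]  # constructed
    print(run_epoch(keys, [onion_encrypt(keys, m) for m in msgs]))
```

The output order is unlinked from the upload order as long as at least one server keeps its permutation secret, and a ciphertext modified in transit fails the authentication check instead of being passed down the chain.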

Uses of the Riffle Scheme

As presented, Riffle is not a Tor competitor - its design limits it to a small number of servers and a slightly larger number of clients.

The reason should be obvious - every server has to communicate, either directly or indirectly, with every other server in the network.

This puts a maximum limit on the number of servers that can be added to the network before greatly increasing the latency of the protocol.

Further, because there is a maximum limit on the number of servers, there is a limit on the computational power that can be afforded to any particular Riffle instance.

Despite this limit, Riffle can provide a basis for some interesting use cases - one of these is anonymous file sharing.

Small groups who wish to share files with each other can set up a Riffle network and, following the protocol laid out in section 5 of the paper, can achieve a BitTorrent-like system with an additional benefit:

  • The servers do not know which particular files each client is distributing or interested in - they are just aware of the shared set of files.

This is much better than the current state where it is fairly trivial to identify the files a particular client is uploading or downloading.

While the paper only provides an experimental test of up to 200 clients with 3 servers - and this would likely be very restrictive in a real world context (where torrents often have thousands of interested users) - it is possible that Riffle can provide a stepping stone to a global-scale anonymous file sharing system, or perhaps we will see small file sharing groups adopting this technology for use themselves.


I have mentioned several times in this post that scale is the main limitation of Riffle - unlike Tor it cannot serve a global population of millions of users, due to the nature of the communication between servers.

This means that Riffle networks are forced to be small, and their participants are likely to be easily identifiable as belonging to a Riffle network - although there is no reason that someone would not be able to participate in a Riffle network through some kind of anonymizing proxy - like Tor.

Additionally, the servers in a Riffle system, much like exit nodes in the Tor network, are left holding the gun in the case that someone shares identifiably illegal or malicious data. Further, because plaintext messages are visible to all servers and clients, content correlation combined with extensive pattern of life analysis (and control over a proportion of servers and clients) can be used to deanonymize individuals.


Despite the hype, Riffle is an interesting addition to the growing collection of anonymous communication protocols and looks like, with some investment, it might find a home in a number of small niches, like file sharing, which are currently underserved by the current, prevailing tech.