Existing anonymity systems sacrifice anonymity for efficient communication or vice versa. Onion routing achieves low-latency, high-bandwidth, and scalable anonymous communication, but is susceptible to traffic analysis attacks. Designs based on DC-Nets, on the other hand, protect users against traffic analysis attacks, but sacrifice bandwidth. Verifiable mixnets maintain strong anonymity with low bandwidth overhead, but suffer from high computation overhead instead.
In this paper, we present Riffle, a bandwidth- and computation-efficient communication system with strong anonymity. Riffle consists of a small set of anonymity servers and a large number of users, and guarantees anonymity among all honest clients as long as there exists at least one honest server. Riffle uses a new hybrid verifiable shuffle technique and private information retrieval for bandwidth- and computation-efficient anonymous communication. Our evaluation of Riffle in file sharing and microblogging applications shows that Riffle can achieve a bandwidth of over 100 KB/s per user in an anonymity set of 200 users in the case of file sharing, and handle over 100,000 users with less than 10 seconds of latency in the case of microblogging.
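The following is an added illustration, not code from the paper or from the Riffle implementation: a multi-server XOR-based private information retrieval in the style of Chor et al., used here as an assumed stand-in because the abstract does not say which PIR scheme Riffle uses. Each server receives one XOR share of the selection vector, so the requested index stays hidden unless every server colludes, which mirrors the one-honest-server assumption stated above. The function names and the sample database are constructed for this example.

```python
import secrets
from functools import reduce

# Constructed sample database: every server holds the same equal-length records.
SAMPLE_DB = [b"record-0", b"record-1", b"record-2", b"record-3"]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_queries(n_records: int, index: int, n_servers: int) -> list[list[int]]:
    """Split the unit vector e_index into n_servers XOR shares.

    The first n_servers - 1 shares are uniformly random bit vectors; the last
    is chosen so that all shares XOR to e_index. Any n_servers - 1 of them are
    jointly uniform and therefore independent of the requested index.
    """
    if n_servers < 2:
        raise ValueError("need at least two servers to hide the index")
    shares = [[secrets.randbelow(2) for _ in range(n_records)]
              for _ in range(n_servers - 1)]
    last = [1 if i == index else 0 for i in range(n_records)]
    for share in shares:
        last = [a ^ b for a, b in zip(last, share)]
    shares.append(last)
    return shares


def answer(db: list[bytes], query: list[int]) -> bytes:
    """Server side: XOR together every record whose query bit is set."""
    acc = bytes(len(db[0]))
    for record, bit in zip(db, query):
        if bit:
            acc = xor_bytes(acc, record)
    return acc


def retrieve(db: list[bytes], index: int, n_servers: int = 3) -> bytes:
    """Client side: query each server, then XOR the replies to recover db[index]."""
    queries = make_queries(len(db), index, n_servers)
    replies = [answer(db, q) for q in queries]  # one reply per server
    return reduce(xor_bytes, replies)


if __name__ == "__main__":
    for i in range(len(SAMPLE_DB)):
        print(i, retrieve(SAMPLE_DB, i))
```

Records that appear in an even number of queries cancel out in the final XOR, so only the record at the requested index survives.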