Existing anonymity systems sacrifice anonymity for efficient communication or vice-versa. Onion-routing achieves low latency, high bandwidth, and scalable anonymous communication, but is susceptible to traffic analysis attacks. Designs based on DC-Nets, on the other hand, protect the users against traffic analysis attacks, but sacrifice bandwidth. Verifiable mixnets maintain strong anonymity with low bandwidth overhead, but suffer from high computation overhead instead.
In this paper, we present Riffle, a bandwidth and computation efficient communication system with strong anonymity. Riffle consists of a small set of anonymity servers and a large number of users, and guarantees anonymity among all honest clients as long as there exists at least one honest server. Riffle uses a new hybrid verifiable shuffle technique and private information retrieval for bandwidth- and computation-efficient anonymous communication. Our evaluation of Riffle in file sharing and microblogging applications shows that Riffle can achieve a bandwidth of over 100KB/s per user in an anonymity set of 200 users in the case of file sharing, and handle over 100,000 users with less than 10 second latency in the case of microblogging.
 Tor metrics portal. https://metrics.torproject.org.
 S. Bayer and J. Groth. Efficient zero-knowledge argument for correctness of a shuffle. In Proceedings of the 31st Annual International Conference on Theory and Applications of Cryptographic Techniques EUROCRYPT’12 pages 263-280 Berlin Heidelberg 2012. Springer-Verlag.
 M. Bellare R. Canetti and H. Krawczyk. Keying hash functions for message authentication. pages 1-15. Springer- Verlag 1996.
 M. Bellare and C. Namprempre. Authenticated encryption: Relations among notions and analysis of the generic composition paradigm. J. Cryptol. 21(4):469-491 Sept. 2008.
 D. Bernstein. The poly1305-aes message-authentication code. In H. Gilbert and H. Handschuh editors Fast Software Encryption volume 3557 of Lecture Notes in Computer Science pages 32-49. Springer Berlin Heidelberg 2005.
 D. J. Bernstein. Curve25519: new diffie-hellman speed records. In In Public Key Cryptography (PKC) Springer- Verlag LNCS 3958 page 2006 2006.
 D. J. Bernstein. New stream cipher designs. chapter The Salsa20 Family of Stream Ciphers pages 84-97. Springer- Verlag Berlin Heidelberg 2008.
 J. Brickell and V. Shmatikov. Efficient anonymity-preserving data collection. In Proceedings of the 12th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining KDD ’06 pages 76-85 New York NY USA 2006. ACM.
 X. Cai X. Zhang B. Joshi and R. Johnson. Touching from a distance: Website fingerprinting attacks and defenses. In Proceedings of the 19th ACM conference on Computer and Communications Security (CCS 2012) October 2012.
 J. Camenisch and M. Stadler. Proof systems for general statements about discrete logarithms. Technical report 1997.
 D. Chaum. The dining cryptographers problem: Unconditional sender and recipient untraceability. J. Cryptol. 1(1):65-75 Mar. 1988.
 D. Chaum and T. P. Pedersen. Wallet databases with observers. In Proceedings of the 12th Annual International Cryptology Conference on Advances in Cryptology CRYPTO ’92 pages 89-105 London UK UK 1993. Springer-Verlag.
 D. L. Chaum. Untraceable electronic mail return addresses and digital pseudonyms. Commun. ACM 24(2):84-90 Feb. 1981.
 B. Chor and N. Gilboa. Computationally private information retrieval (extended abstract). In Proceedings of the Twenty-ninth Annual ACM Symposium on Theory of Computing STOC ’97 pages 304-313 New York NY USA 1997. ACM.
 B. Chor E. Kushilevitz O. Goldreich and M. Sudan. Private information retrieval. J. ACM 45(6):965-981 Nov. 1998.
 H. Corrigan-Gibbs D. Boneh and D. Mazieres. Riposte: An Anonymous Messaging System Handling Millions of Users. ArXiv e-prints Mar. 2015.
 H. Corrigan-Gibbs and B. Ford. Dissent: Accountable anonymous group messaging. In Proceedings of the 17th ACM Conference on Computer and Communications Security CCS ’10 pages 340-350 New York NY USA 2010. ACM.
 H. Corrigan-Gibbs D. I. Wolinsky and B. Ford. Proactively accountable anonymous messaging in verdict. In Presented as part of the 22nd USENIX Security Symposium (USENIX Security 13) pages 147-162 Washington D.C. 2013. USENIX.
 G. Danezis R. Dingledine D. Hopwood and N. Mathewson. Mixminion: Design of a type iii anonymous remailer protocol. In In Proceedings of the 2003 IEEE Symposium on Security and Privacy pages 2-15 2003.
 W. Diffie and M. Hellman. New directions in cryptography. Information Theory IEEE Transactions on 22(6):644-654 Nov 1976.
 R. Dingledine N. Mathewson and P. Syverson. Tor: The Second-Generation Onion Router. In Proceedings of the 13th USENIX Security Symposium pages 303-320 August 2004.
 M. J. Freedman and R. Morris. Tarzan: A peer-to-peer anonymizing network layer. In Proceedings of the 9th ACM Conference on Computer and Communications Security CCS ’02 pages 193-206 New York NY USA 2002. ACM.
 J. Furukawa and K. Sako. An efficient scheme for proving a shuffle. In In Proc. of CRYPTO ’01 pages 368-387. Springer-Verlag 2001.
 N. Gilboa and Y. Ishai. Distributed point functions and their applications. In P. Nguyen and E. Oswald editors Advances in Cryptology - EUROCRYPT 2014 volume 8441 of Lecture Notes in Computer Science pages 640-658. Springer Berlin Heidelberg 2014.
 S. Goel M. Robson M. Polte and E. G. Sirer. Herbivore: A Scalable and Efficient Protocol for Anonymous Communication. Technical Report 2003-1890 Cornell University Ithaca NY February 2003.
 S. Goldwasser and S. Micali. Probabilistic encryption; how to play mental poker keeping secret all partial information. In Proceedings of the Fourteenth Annual ACM Symposium on Theory of Computing STOC ’82 pages 365-377 New York NY USA 1982. ACM.
 D. Herrmann R. Wendolsky and H. Federrath. Website fingerprinting: Attacking popular privacy enhancing technologies with the multinomial naive-bayes classifier. In Proceedings of the 2009 ACM Workshop on Cloud Computing Security CCSW ’09 pages 31-42 New York NY USA 2009. ACM.
 A. Kwon M. AlSabah D. Lazar M. Dacier and S. Devadas. Circuit fingerprinting attacks: Passive deanonymization of tor hidden services. In 24th USENIX Security Symposium (USENIX Security 15) pages 287-302 Washington D.C. Aug. 2015. USENIX Association.
 S. Le Blond D. Choffnes W. Zhou P. Druschel H. Ballani and P. Francis. Towards efficient traffic-analysis resistant anonymity networks. In Proceedings of the ACM SIGCOMM 2013 Conference on SIGCOMM SIGCOMM ’13 pages 303-314 New York NY USA 2013. ACM.
 N. Mathewson and R. Dingledine. Practical traffic analysis: extending and resisting statistical disclosure. In 4th International Workshop on Privacy Enhancing Technologies May 2004.
 S. J. Murdoch and G. Danezis. Low-cost traffic analysis of tor. In Proceedings of the 2005 IEEE Symposium on Security and Privacy SP ’05 pages 183-195 Washington DC USA 2005. IEEE Computer Society.
 C. A. Neff. A verifiable secret shuffle and its application to e-voting. In Proceedings of the 8th ACM Conference on Computer and Communications Security CCS ’01 pages 116-125 New York NY USA 2001. ACM.
 L. Nguyen and R. Safavi-naini. Breaking and mending resilient mix-nets. In Proc. PET’03 Springer-Verlag LNCS 2760 pages 66-80. Springer-Verlag LNCS 2003.
 A. Panchenko L. Niessen A. Zinnen and T. Engel. Website Fingerprinting in Onion Routing Based Anonymization Networks. In Proceedings of the ACM Workshop on Privacy in the Electronic Society (WPES) pages 103-114 October 2011.
 B. Pfitzmann. Breaking an efficient anonymous channel. In In EUROCRYPT pages 332-340. Springer-Verlag 1995.
 B. Pfitzmann and A. Pfitzmann. How to break the direct rsa-implementation of mixes. In Advances in Cryptology- EUROCRYPT ’89 Proceedings pages 373-381. Springer- Verlag 1990.
 J. Pouwelse P. Garbacki D. Epema and H. Sips. The bittorrent p2p file-sharing system: Measurements and analysis. In M. Castro and R. van Renesse editors Peer-to-Peer Systems IV volume 3640 of Lecture Notes in Computer Science pages 205-216. Springer Berlin Heidelberg 2005.
 J.-F. Raymond. Traffic Analysis: Protocols Attacks Design Issues and Open Problems. In H. Federrath editor Proceedings of Designing Privacy Enhancing Technologies: Workshop on Design Issues in Anonymity and Unobservability pages 10-29. Springer-Verlag LNCS 2009 July 2000.
 M. K. Reiter and A. D. Rubin. Anonymous web transactions with crowds. Commun. ACM 42(2):32-48 Feb. 1999.
 M. Rennhard and B. Plattner. Introducing morphmix: Peerto- peer based anonymous internet usage with collusion detection. In Proceedings of the 2002 ACM Workshop on Privacy in the Electronic Society WPES ’02 pages 91-102 New York NY USA 2002. ACM.
 L. Sassaman B. Cohen and N. Mathewson. The pynchon gate: A secure method of pseudonymous mail retrieval. In Proceedings of the 2005 ACM Workshop on Privacy in the Electronic Society WPES ’05 pages 1-9 New York NY USA 2005. ACM.
 R. Sion and B. Carbunar. On the computational practicality of private information retrieval.
 E. G. Sirer S. Goel and M. Robson. Eluding carnivores: File sharing with strong anonymity. In In Proc. of ACM SIGOPS European Workshop 2004.
 A. Teich M. S. Frankel R. Kling and Y. Lee. Anonymous communication policies for the internet: Results and recommendations of the aaas conference. Information Society 15(2) 1999.
 M. Waidner and B. Pfitzmann. The dining cryptographers in the disco: Unconditional sender and recipient untraceability with computationally secure serviceability. In Proceedings of the Workshop on the Theory and Application of Cryptographic Techniques on Advances in Cryptology EUROCRYPT ’89 pages 690- New York NY USA 1990. Springer-Verlag New York Inc.
 T. Wang and I. Goldberg. Improved website fingerprinting on tor. In Proceedings of the Workshop on Privacy in the Electronic Society (WPES 2013). ACM November 2013.
 D. Wikström. Four practical attacks for "optimistic mixing for exit-polls" 2003.
 D. I. Wolinsky H. Corrigan-Gibbs B. Ford and A. Johnson. Dissent in numbers: Making strong anonymity scale. In Presented as part of the 10th USENIX Symposium on Operating Systems Design and Implementation (OSDI 12) pages 179-182 Hollywood CA 2012. USENIX.
 D. I. Wolinsky E. Syta and B. Ford. Hang with your buddies to resist intersection attacks. In Proceedings of the 2013 ACM SIGSAC conference on Computer Communications Security CCS ’13 pages 1153-1166 New York NY USA 2013. ACM.