Riposte: An Anonymous Messaging System Handling Millions of Users (1503.06115v7)

Abstract: This paper presents Riposte, a new system for anonymous broadcast messaging. Riposte is the first such system, to our knowledge, that simultaneously protects against traffic-analysis attacks, prevents anonymous denial-of-service by malicious clients, and scales to million-user anonymity sets. To achieve these properties, Riposte makes novel use of techniques used in systems for private information retrieval and secure multi-party computation. For latency-tolerant workloads with many more readers than writers (e.g. Twitter, Wikileaks), we demonstrate that a three-server Riposte cluster can build an anonymity set of 2,895,216 users in 32 hours.

• The paper presents Riposte, a novel anonymous messaging system that achieves scalability to millions while resisting traffic analysis using cryptographic techniques like Reverse PIR and Distributed Point Functions (DPFs).
• Riposte successfully demonstrated handling an anonymity set of nearly 2.9 million users over 32 hours, showcasing its high throughput for large-scale internet applications.
• The system offers strong anonymity and scalability, making it suitable for sensitive applications requiring traffic analysis resistance, such as secure whistleblowing platforms or anonymous microblogging.

Analysis of Riposte: An Anonymous Messaging System

The paper "Riposte: An Anonymous Messaging System Handling Millions of Users" by Henry Corrigan-Gibbs, Dan Boneh, and David Mazières presents a sophisticated system designed to balance the complex trade-offs between security and scalability in anonymous messaging systems. Riposte targets applications where the number of readers significantly surpasses the number of writers, such as platforms similar to Twitter or Wikileaks, making it pertinent for whistleblower protection against traffic analysis attacks.

Core Contributions

The authors achieve the unique properties of simultaneously protecting against traffic analysis while ensuring scalability and disruption resistance through a novel synthesis of cryptographic techniques. The main innovations include:

1. Traffic Analysis Resistance: Riposte enables anonymity by ensuring that no server or coalition of servers can listen to the communication channels and deduce which client sent which message. This is achieved by leveraging techniques from private information retrieval (PIR) and secure multi-party computation.
2. Denial-of-Service Protection: Riposte ensures that malicious clients cannot perform anonymous denial-of-service (DoS) attacks. The use of audit mechanisms involving a third party server—operating as a sometimes distrustful auditor—establishes credibility in assessed writes, adding an operational overhead that protects the system.
3. Scalability: Riposte dramatically scales to anonymity set sizes in the millions, shattering previous constraints found in systems like DC-nets, which could scale only up to several thousand clients due to the bandwidth and computation costs. The paper examines two variants, each with unique trade-offs regarding the security-collusion threshold among servers, adopting distributed point functions (DPFs) to efficiently handle data in large networks.
4. Reverse PIR Protocol: An innovative use of reverse PIR in which clients write messages into a database distributed across servers, without revealing the write location. This is the reverse operation to the classical PIR problem of reading from the database without revealing the index of interest.

Experimental Evaluation

The authors substantiate their claims with empirical results, demonstrating Riposte's capability to process write requests at different scales. Most notably, they exhibit a three-server cluster successfully handling an anonymity set as large as 2,895,216 users over 32 hours, with a high rate of throughput for internet-scale applications. This is an impressive feat for a system aiming at a high-security threshold.

Cryptographic Foundations and Performance

The paper is grounded in the practical deployment of advanced cryptographic primitives. The authors employ a (2,1)-DPF using a combination of AES-based pseudorandom generators for efficient client-to-server communication, maintaining performance at large table sizes, where bandwidth efficiency becomes critical. Furthermore, the s-server scheme theoretically tolerates up to s−1 malicious servers, incorporating zero-knowledge proofs to validate client requests, albeit at increased computational cost.

Broader Implications

The implications of Riposte extend into the domain of secure whistleblowing and anonymous microblogging. The latency-tolerant design allows a ubiquitous set of anonymous communications without temporal penalties inherent to many anonymity networks. Speculatively, with further optimization, Riposte could underpin systems providing strong privacy guarantees for politically sensitive communications or social media platforms needing robust anonymity protections.

Future Directions

Opportunities for further research and enhancement of Riposte involve optimizing the zero-knowledge proof mechanisms to reduce computational overhead and investigating fully homomorphic encryption approaches that might offer additional privacy guarantees with less reliance on trust in server non-collusion.

Overall, the paper significantly advances the state of anonymous communication systems, highlighting promising paths for future exploration in the balance of scalability, security, and efficiency. The methodology and empirical results presented offer a robust foundation for the development of similarly secure, scalable anonymous systems, applicable in a wide array of domains from sensitive personal messaging to distributed social platforms.