Paper 2025/1847

Security Analysis of Privately Verifiable Privacy Pass

Konrad Hanff, Hasso Plattner Institute, University of Potsdam
Anja Lehmann, Hasso Plattner Institute, University of Potsdam
Cavit Özbay, Hasso Plattner Institute, University of Potsdam
Abstract

Privacy Pass is an anonymous authentication protocol which was initially designed by Davidson et al. (PETS’18) to reduce the number of CAPTCHAs that TOR users must solve. It issues single-use authentication tokens with anonymous and unlinkable redemption guarantees. The issuer and verifier of the protocol share a symmetric key, and tokens are privately verifiable. The protocol has sparked interest from both academia and industry, which led to an Internet Engineering Task Force (IETF) standard. While Davidson et al. formally analyzed the original protocol, the IETF standard introduces several changes to their protocol. Thus, the standardized version’s formal security remains unexamined. We fill this gap by analyzing the IETF standard’s privately verifiable Privacy Pass protocol. In particular, there are two main discrepancies between the analyzed and standardized version: First, the IETF version introduces a redemption context, that can be used for blindly embedding a validity period into the Privacy Pass tokens. We show that this variant has significant differences to public metadata extension that has been proposed for the same purpose in the literature. Redemption context offers better privacy and security than public metadata. We capture both stronger guarantees through game-based security definitions and show that the currently considered one-more unforgeability notion for Privacy Pass is insufficient when a redemption context is used. Thus, we propose a new property, targeted context unforgeability, and prove its incomparability to one-more unforgeability. Second, Davidson et al. focused on a concrete Diffie-Hellman based construction, whereas the IETF version is built generically from a verifiable oblivious pseudorandom function (VOPRF). Further, the analyzed protocol omitted the full redemption phase needed to prevent double-spending. We prove that the generic IETF construction satisfies the desired security and privacy guarantees covering the full life-cycle of tokens. Our analysis relies on natural security properties of VOPRFs, providing compatibility with any secure VOPRF instantiation. This enables crypto agility, e.g., allowing to switch to efficient quantum-safe VOPRFs when they become available.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Published elsewhere. ACM CCS'25
Contact author(s)
konrad @ khanff de
anja lehmann @ hpi de
cavit oezbay @ hpi de
History
2025-10-08: approved
2025-10-06: received
See all versions
Short URL
https://ia.cr/2025/1847
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2025/1847,
      author = {Konrad Hanff and Anja Lehmann and Cavit Özbay},
      title = {Security Analysis of Privately Verifiable Privacy Pass},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/1847},
      year = {2025},
      url = {https://eprint.iacr.org/2025/1847}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.