Paper 2025/659

Scalable and Fine-Tuned Privacy Pass from Group Verifiable Random Functions

Dennis Faut, Karlsruhe Institute of Technology, University of Luxembourg
Julia Hesse, IBM Research - Zurich
Lisa Kohl, Centrum Wiskunde & Informatica
Andy Rupp, Karlsruhe Institute of Technology, University of Luxembourg
Abstract

Anonymous token schemes are cryptographic protocols for limiting the access to online resources to credible users. The resource provider issues a set of access tokens to the credible user that they can later redeem anonymously, i.e., without the provider being able to link their redemptions. When combined with credibility tests such as CAPTCHAs, anonymous token schemes can significantly increase user experience and provider security, without exposing user access patterns to providers. Current anonymous token schemes such as the Privacy Pass protocol by Davidson et al. rely on oblivious pseudorandom functions (OPRFs), which let server and user jointly compute random-looking access tokens. For those protocols, token issuing costs are linear in the number of requested tokens. In this work, we propose a new approach for building anonymous token schemes. Instead of relying on two-party computation to realize a privacy-preserving pseudorandom function evaluation, we propose to offload token generation to the user by using group verifiable random functions (GVRFs). GVRFs are a new cryptographic primitive that allows users to produce verifiable pseudorandomness. As opposed to standard VRFs, verification is anonymous within the group of credible users. We give a construction of group VRFs from the Dodis-Yampolskiy VRF and Equivalence-Class Signatures, based on pairings and a new Diffie-Hellman inversion assumption that we analyze in the Generic Group Model. Our construction enjoys compact public keys and proofs, while evaluation and verification costs are only slightly increased compared to the Dodis-Yampolskiy VRF. By deploying a group VRF instead of an OPRF, we obtain an anonymous token scheme where communication as well as server-side computation during the issuing phase is constant and independent of the number of tokens a user requests.
Moreover, by means of our new concept of updatable token policies, the number of unspent tokens in circulation can retrospectively (i.e., even after the credibility check) be decreased or increased in order to react to the current or expected network situation. Our tokens are further countable and publicly verifiable. This comes at the cost of higher computational efforts for token redemption and verification as well as somewhat weaker unlinkability guarantees compared to Privacy Pass.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Published elsewhere. Major revision. Euro S&P 2025
Keywords
Verifiable random functions, anonymous token schemes, Privacy Pass, pairing-based cryptography
Contact author(s)
dennis faut @ kit edu
juliahesse2 @ gmail com
Lisa Kohl @ cwi nl
andy rupp @ uni lu
History
2025-04-13: approved
2025-04-10: received
Short URL
https://ia.cr/2025/659
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2025/659,
      author = {Dennis Faut and Julia Hesse and Lisa Kohl and Andy Rupp},
      title = {Scalable and Fine-Tuned Privacy Pass from Group Verifiable Random Functions},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/659},
      year = {2025},
      url = {https://eprint.iacr.org/2025/659}
}