On the Security of Rate-limited Privacy Pass

Chu TTH, Do K, Hanzlik L (2023)

Publication Language: English

Publication Type: Conference contribution

Publication year: 2023

Publisher: Association for Computing Machinery, Inc

City/Town: New York, NY

Pages Range: 2871-2885

Conference Proceedings Title: CCS '23: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security

Event location: Copenhagen DK

ISBN: 9798400700507

DOI: 10.1145/3576915.3616619

Abstract

The privacy pass protocol allows users to redeem anonymously issued cryptographic tokens instead of solving annoying CAPTCHAs. The issuing authority verifies the credibility of the user, who can later use the pass while browsing the web using an anonymous or virtual private network. Hendrickson et al. proposed an IETF draft (privacypass-rate-limit-tokens-00) for a rate-limiting version of the privacy pass protocol, also called rate-limited Privacy Pass (RlP). Introducing a new actor called a mediator makes both versions inherently different. The mediator applies access policies to rate-limit users' access to the service while, at the same time, should be oblivious to the website/origin the user is trying to access. In this paper, we formally define the rate-limited Privacy Pass protocol and propose a game-based security model to capture the informal security notions introduced by Hendrickson et al.. We show a construction from simple building blocks that fulfills our security definitions and even allows for a post-quantum secure instantiation. Interestingly, the instantiation proposed in the IETF draft is a specific case of our construction. Thus, we can reuse the security arguments for the generic construction and show that the version used in practice is secure.

Authors with CRIS profile

Thi Thu Hien Chu Lehrstuhl für Informatik 13 (Angewandte Kryptographie)

Involved external institutions

CISPA − Helmholtz-Zentrum für Informationssicherheit DE Germany (DE)

How to cite

APA:

Chu, T.T.H., Do, K., & Hanzlik, L. (2023). On the Security of Rate-limited Privacy Pass. In CCS '23: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security (pp. 2871-2885). Copenhagen, DK: New York, NY: Association for Computing Machinery, Inc.

MLA:

Chu, Thi Thu Hien, Khue Do, and Lucjan Hanzlik. "On the Security of Rate-limited Privacy Pass." Proceedings of the 30th ACM SIGSAC Conference on Computer and Communications Security, CCS 2023, Copenhagen New York, NY: Association for Computing Machinery, Inc, 2023. 2871-2885.

BibTeX: Download