Asked about how this works on HN, because I felt like the explanation they gave boiled down to "we gave user A these codes, but we didn't log that we did, so if they use them later we won't know!" and as I suspected my understanding was wrong. To quote from the response I got on HN-
Privacy Pass docs [0] cover this, but it is mostly referenced deeper in the paper. I believe the idea is that the tokens returned by the server are "unlinkable" to the (modified) tokens passed back by the client. So the server knows it passed back tokens A, B and C to some users, and later receives tokens X, Y and Z. It knows that X, Y and Z are valid, but not their correspondence to the tokens it issued. It uses elliptic curve cryptography for this.
[0] https://privacypass.github.io/
It's really interesting that this is possible, and if it works, this pattern might hold the solution to helping re-anonymize the web to a reasonable extent.
The thing to search for is 'blind signatures'; they are a very cool cryptographic system! A client can blind a message (often just random bytes) and get back a signature for the blinded message from a signer. The client can then unblind both the message and signature and present them to another entity for verification. The important property is that only the client sees and can link the blinded and unblinded message and the signatures for both. So even if the signer stored the exact message they saw and signature they returned, the verifier sees a completely different message and signature. Yet they can still ensure that the signer did in fact sign the blinded message.
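The blind-signature flow described in the comment above, as an added example that is not part of the original thread and not Privacy Pass code: Chaum's RSA blind signature in pure Python. The Privacy Pass docs linked above describe an elliptic-curve construction; the RSA version is shown here because the same unlinkability argument holds and the arithmetic fits in a few lines. The signer keeps a log of everything it sees, and the demo checks that neither the verifier's message nor the verifier's signature appears in that log, while the signature still verifies. The key generation, the Signer/Verifier classes, the hash-to-Z_n helper and the spent-token set used to reject replays are this example's own choices, not anything the page specifies.

```python
# Added example (not from the page or from Privacy Pass): Chaum's RSA blind signature.
import hashlib
import secrets
from math import gcd

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test; fine for a demo key, use a vetted library in production."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if _is_probable_prime(cand):
            return cand


def keygen(bits: int = 1024):
    """Return (public, private) RSA keys as (n, e) and (n, d)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _hash_to_zn(n: int, msg: bytes) -> int:
    """Full-domain hash: map the message onto an integer below n (assumed helper)."""
    nbytes = (n.bit_length() + 7) // 8
    return int.from_bytes(hashlib.shake_256(msg).digest(nbytes), "big") % n


# --- client side: blind before issuance, unblind after ---------------------
def blind(pub, msg: bytes):
    """Multiply H(msg) by r^e; the signer sees a uniformly random element of Z_n."""
    n, e = pub
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            break
    return (_hash_to_zn(n, msg) * pow(r, e, n)) % n, r


def unblind(pub, blinded_sig: int, r: int) -> int:
    """(H(m) * r^e)^d = H(m)^d * r, so dividing by r leaves the plain signature H(m)^d."""
    n, _ = pub
    return (blinded_sig * pow(r, -1, n)) % n


# --- signer (issuer): signs what it is given and logs everything -----------
class Signer:
    def __init__(self, priv):
        self.priv = priv
        self.log = []  # every value the issuer could possibly record

    def sign_blinded(self, blinded: int) -> int:
        n, d = self.priv
        sig = pow(blinded, d, n)
        self.log.append((blinded, sig))
        return sig


# --- verifier (redeemer): checks the signature, refuses replays ------------
class Verifier:
    def __init__(self, pub):
        self.pub = pub
        self.spent = set()  # assumption: double-spend is caught by remembering redeemed tokens

    def verify(self, msg: bytes, sig: int) -> bool:
        n, e = self.pub
        return pow(sig, e, n) == _hash_to_zn(n, msg)

    def redeem(self, msg: bytes, sig: int) -> bool:
        if msg in self.spent or not self.verify(msg, sig):
            return False
        self.spent.add(msg)
        return True


def run_protocol(bits: int = 1024) -> dict:
    pub, priv = keygen(bits)
    signer, verifier = Signer(priv), Verifier(pub)
    token = secrets.token_bytes(32)  # the client's message: just random bytes
    blinded, r = blind(pub, token)
    sig = unblind(pub, signer.sign_blinded(blinded), r)
    n, _ = pub
    seen_by_signer = {v for pair in signer.log for v in pair}
    return {
        "valid": verifier.verify(token, sig),
        "first_redeem": verifier.redeem(token, sig),
        "second_redeem": verifier.redeem(token, sig),  # replay of the same token
        "signer_saw_message": _hash_to_zn(n, token) in seen_by_signer,
        "signer_saw_signature": sig in seen_by_signer,
        "forgery_valid": verifier.verify(token, (sig + 1) % n),
    }


if __name__ == "__main__":
    for key, value in run_protocol().items():
        print(f"{key}: {value}")
```

`run_protocol()` returns the six checks the comment above implies: the unblinded signature verifies, a second redemption of the same token is refused, a tampered signature is refused, and neither the hashed message nor the final signature ever appeared in the signer's log. Because the blinding factor r is chosen fresh and uniformly per token, the signer's log entries are independent of the (message, signature) pairs the verifier receives, which is the unlinkability property.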