[curves] PrivacyPass

Trevor Perrin trevp at trevp.net
Sat Nov 11 08:52:51 PST 2017

Nice elliptic curve / zero-knowledge protocol:


The underlying crypto looks to me like a "blinded" VRF ("blinded" in
the sense of "blind signatures", since VRFs can be viewed as a type of
signature).  It's being called a "verifiable oblivious PRF", perhaps
because it was arrived at by adding the "verifiable" property to an
"oblivious PRF" rather than vice versa?

For efficiency it's batched, so that a single "signature" is a proof
for multiple VRF outputs.

The VRF is used to blind-issue anonymous credentials (i.e. the server
signs nonces, but is blind to the nonce or signature values, and the
client checks that the signature is "verifiably unique" to prevent the
server from tagging the signature in some way).

These credentials are less sophisticated than most "anonymous
credentials" schemes in the literature:  They don't prove anything
beyond "the server gave me a credential", and are single-use because
multiple presentations would be linkable.

But that's sufficient for proving that a Tor user solved a captcha, so
this seems like a great match of problem to a (relatively) simple and
efficient solution.
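The blind-issuance and single-use redemption flow sketched above, as an added example that is not from this post or from the Privacy Pass project: a toy version in a prime-order multiplicative subgroup (2039 = 2*1019 + 1, demo-sized, standing in for the elliptic-curve group), with a batched Chaum-Pedersen DLEQ proof as the "verifiable" part so the client can check that every output was produced under the server's one published key. All names, parameters and the hash-to-group construction are assumptions.

```python
import hashlib, secrets
# Toy parameters (assumption: demo-sized safe prime; real deployments use a curve)
P, Q, G = 2039, 1019, 4   # P = 2Q+1, Q = order of the QR subgroup, G = 2^2 generates it
def h_int(*parts):   # hash labels/group elements to an integer (Fiat-Shamir, hash-to-scalar)
    return int.from_bytes(hashlib.sha256(b"|".join(str(x).encode() for x in parts)).digest(), "big")
def hash_to_group(token):   # map a client nonce to the subgroup by squaring a hash mod P
    return pow(h_int("H", token) % (P - 1) + 1, 2, P)
def combine(Y, ms, zs):
    """Batching: fold all (M_i, Z_i) pairs into one pair using hash-derived weights."""
    m = z = 1
    for i, (mi, zi) in enumerate(zip(ms, zs)):
        ci = h_int("batch", Y, i, mi, zi) % Q
        m, z = m * pow(mi, ci, P) % P, z * pow(zi, ci, P) % P
    return m, z
def verify_issuance(Y, ms, zs, proof):
    """Client-side DLEQ check: every Z_i = M_i^k for the single k behind Y = G^k."""
    c, s = proof
    m, z = combine(Y, ms, zs)
    a = pow(G, s, P) * pow(Y, c, P) % P   # equals G^w iff the proof is honest
    b = pow(m, s, P) * pow(z, c, P) % P   # equals m^w iff z = m^k
    return h_int(G, Y, m, z, a, b) % Q == c
class Server:
    def __init__(self):
        self.k = secrets.randbelow(Q - 1) + 1   # secret VRF/OPRF key
        self.Y = pow(G, self.k, P)              # published commitment to k
        self.spent = set()                      # redeemed nonces (tokens are single-use)
    def issue(self, ms):
        """Evaluate the PRF on blinded points (the server never sees the nonces)."""
        zs = [pow(m, self.k, P) for m in ms]
        m, z = combine(self.Y, ms, zs)
        w = secrets.randbelow(Q)
        c = h_int(G, self.Y, m, z, pow(G, w, P), pow(m, w, P)) % Q
        return zs, (c, (w - c * self.k) % Q)    # one Chaum-Pedersen proof for the batch
    def redeem(self, token, n):
        """Accept (nonce, PRF output) once; replays and forged outputs are rejected."""
        if token in self.spent or pow(hash_to_group(token), self.k, P) != n:
            return False
        self.spent.add(token)
        return True
def client_issue(server, count):
    """Blind fresh nonces, have them signed, verify the proof, unblind."""
    tokens = [secrets.token_hex(16) for _ in range(count)]
    rs = [secrets.randbelow(Q - 1) + 1 for _ in range(count)]
    ms = [pow(hash_to_group(t), r, P) for t, r in zip(tokens, rs)]
    zs, proof = server.issue(ms)
    if not verify_issuance(server.Y, ms, zs, proof):
        raise ValueError("DLEQ failed: outputs not under the published key")
    # unblind: (T^r)^k raised to r^-1 mod Q is T^k, independent of r
    return [(t, pow(z, pow(r, -1, Q), P)) for t, z, r in zip(tokens, zs, rs)]
```

Presenting two tokens from the same batch still links nothing to the issuance, but presenting the same token twice is caught by the spent set, which is the single-use limitation the post mentions.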
