Privacy Pass is Anamorphic: Practical Consequences and Attacks in the Black-box Model
Authors: Mirosław Kutyłowski (NASK National Research Institute), Oliwer Sobolewski (NASK National Research Institute)
Volume: 2026
Issue: 4
Pages: 561–586
DOI: https://doi.org/10.56553/popets-2026-0135
Abstract: Privacy Pass is a cryptographic scheme for issuing one-time anonymous authorization tokens, first designed as an anti-DDoS tool and an alternative to CAPTCHAs. It has attracted a lot of attention from the industry and is currently used and supported by the technological giants such as Cloudflare, Google and Apple. At the same time, Privacy Enhancing Technologies became the focus of European and non-European lawmakers (for example in the eIDAS 2.0 regulation and GDPR). Security and privacy by-design is now quite frequently a formal requirement. Privacy Pass could be used in that context as well as a lightweight solution for many application areas, e.g., for age verification. It is therefore imperative that Privacy Pass is analyzed in all possible aspects and adversarial models that are realistic, yet have not been considered during the design process. In this work, we first prove that the three most prominent variants of Privacy Pass are anamorphic. Then, we show that anamorphism of Privacy Pass makes it insecure in a model where user's device or client application is working against them (as it can be supplied by a malicious third party, the OS might be subverted or the device could be subverted). Due to anamorphism, the attacks on unlinkability remain undetectable even if an auditor is given all private keys used in the protocol, including the signer/issuer's private key. On the positive side, anamorphism can also be used to achieve a private metadata-like functionality and utilized, for example, for lawful deanonymization of malicious users, without reshaping Privacy Pass.
Keywords: Anamorphic Cryptography, Privacy Pass, Blind Signatures, Kleptography, Algorithm Substitution Attacks
Copyright in PoPETs articles are held by their authors. This article is published under a Creative Commons Attribution 4.0 license.