]> Batched Token Issuance Protocol Phoenix R&D
ietf@raphaelrobert.com
Cloudflare
caw@heapingbits.net
Internet-Draft This document specifies a variant of the Privacy Pass issuance protocol that allows for batched issuance of tokens. This allows clients to request more than one token at a time and for issuers to isse more than one token at a time.
Introduction This document specifies a variant of the Privacy Pass issuance protocol (as defined in ) that allows for batched issuance of tokens. This allows clients to request more than one token at a time and for issuers to isse more than one token at a time. The base Privacy Pass issuance protocol defines stateless anonymous tokens, which can either be publicly verifiable or not. While it is possible to run multiple instances of the issuance protocol in parallel, e.g., over a multiplexed transport such as HTTP/3 , the cost of doing so scales linearly with the number of instances. This variant builds upon the privately verifiable issuance protocol that uses VOPRF , and allows for batched issuance of tokens. This allows clients to request more than one token at a time and for issuers to issue more than one token at a time. In effect, batched issuance performance scales better than linearly. This issuance protocol registers the batched token type (), to be used with the PrivateToken HTTP authentication scheme defined in .
Motivation Privately Verifiable Tokens (as defines in ) offer a simple way to unlink the issuance from the redemption. The base protocol however only allows for a single token to be issued at a time for every challenge. In some cases, especially where a large number of clients need to fetch a large number of tokens, this may introduce performance bottlenecks. The Batched Token Issuance Protocol improves upon the basic Privately Verifiable Token issuance protocol in the following key ways:
  1. Issuing multiple tokens at once in response to a single TokenChallenge, thereby reducing the size of the proofs required for multiple tokens.
  2. Improving server and client issuance efficiency by amortizing the cost of the VOPRF proof generation and verification, respectively.
Client-to-Issuer Request Except where specified otherwise, the client follows the same protocol as described in . The Client first creates a context as follows: Here, 0x0001 is the two-octet identifier corresponding to the OPRF(ristretto255, SHA-512) ciphersuite in . SetupVOPRFClient is defined in . Nr denotes the number of tokens the clients wants to request. For every token, the Client then creates an issuance request message for a random value nonce with the input challenge and Issuer key identifier as described below: The above is repeated for each token to be requested. Importantly, a fresh nonce MUST be sampled each time. The Client then creates a TokenRequest structured as follows: ; } TokenRequest; ]]> The structure fields are defined as follows:
  • "token_type" is a 2-octet integer, which matches the type in the challenge.
  • "token_key_id" is the least significant byte of the key_id in network byte order (in other words, the last 8 bits of key_id).
  • "blinded_elements" is a list of Nr serialized elements, each of length Ne bytes and computed as SerializeElement(blinded_element_i), where blinded_element_i is the i-th output sequence of Blind invocations above. Ne is as defined in .
Upon receipt of the request, the Issuer validates the following conditions:
  • The TokenRequest contains a supported token_type equal to 0xF91A.
  • The TokenRequest.token_key_id corresponds to a key ID of a Public Key owned by the issuer.
  • Nr, as determined based on the size of TokenRequest.blinded_elements, is less than or equal to the number of tokens that the issuer can issue in a single batch.
If any of these conditions is not met, the Issuer MUST return an HTTP 400 error to the client.
Issuer-to-Client Response Except where specified otherwise, the client follows the same protocol as described in . Upon receipt of a TokenRequest, the Issuer tries to deseralize the i-th element of TokenRequest.blinded_elements using DeserializeElement from , yielding blinded_element_i of type Element. If this fails for any of the TokenRequest.blinded_elements values, the Issuer MUST return an HTTP 400 error to the client. Otherwise, if the Issuer is willing to produce a token to the Client, the issuer forms a list of Element values, denoted blinded_elements, and computes a blinded response as follows: SetupVOPRFServer is defined in . The issuer uses a list of blinded elements to compute in the proof generation step. The BlindEvaluateBatch function is a batch-oriented version of the BlindEvaluate function described in . The description of BlindEvaluateBatch is below. The Issuer then creates a TokenResponse structured as follows: ; uint8_t evaluated_proof[Ns + Ns]; } TokenResponse; ]]> The structure fields are defined as follows:
  • "evaluated_elements" is a list of Nr serialized elements, each of length Ne bytes and computed as SerializeElement(evaluate_element_i), where evaluate_element_i is the i-th output of BlindEvaluate.
  • "evaluated_proof" is the (Ns+Ns)-octet serialized proof, which is a pair of Scalar values, computed as concat(SerializeScalar(proof[0]), SerializeScalar(proof[1])), where Ns is as defined in .
Finalization Upon receipt, the Client handles the response and, if successful, deserializes the body values TokenResponse.evaluate_response and TokenResponse.evaluate_proof, yielding evaluated_elements and proof. If deserialization of either value fails, the Client aborts the protocol. Otherwise, the Client processes the response as follows: The FinalizeBatch function is a batched variant of the Finalize function as defined in . FinalizeBatch accepts lists of evaluated elements and blinded elements as input parameters, and is implemented as described below: If this succeeds, the Client then constructs Nr Token values as follows, where authenticator is the i-th Nh-byte length slice of authenticator_values that corresponds to nonce, the i-th nonce that was sampled in : If the FinalizeBatch function fails, the Client aborts the protocol.
Security considerations Implementors SHOULD be aware of the security considerations described in and implement mitigation mechanisms. Application can mitigate this issue by limiting the number of clients and limiting the number of token requests per client per key.
IANA considerations
Token Type This document updates the "Token Type" Registry () with the following value: Token Types
Value Name Publicly Verifiable Public Metadata Private Metadata Nk Reference
0xF91A Batched Token VOPRF (ristretto255, SHA-512) N N N 32 This document
References Normative References The Privacy Pass Architecture LIP Fastly Cloudflare This document specifies the Privacy Pass architecture and requirements for its constituent protocols used for constructing anonymous-credential authentication mechanisms. It provides recommendations on how the architecture should be deployed to ensure the privacy of clients and the security of all participating entities. Privacy Pass Issuance Protocol Brave Software Brave Software Cloudflare Google LLC Cloudflare This document specifies two variants of the the two-message issuance protocol for Privacy Pass tokens: one that produces tokens that are privately verifiable, and another that produces tokens that are publicly verifiable. The privately verifiable issuance protocol optionally supports public metadata during the issuance flow. Oblivious Pseudorandom Functions (OPRFs) using Prime-Order Groups Brave Software Cloudflare, Inc. Cloudflare, Inc. Cloudflare, Inc. An Oblivious Pseudorandom Function (OPRF) is a two-party protocol between client and server for computing the output of a Pseudorandom Function (PRF). The server provides the PRF secret key, and the client provides the PRF input. At the end of the protocol, the client learns the PRF output without learning anything about the PRF secret key, and the server learns neither the PRF input nor output. An OPRF can also satisfy a notion of 'verifiability', called a VOPRF. A VOPRF ensures clients can verify that the server used a specific private key during the execution of the protocol. A VOPRF can also be partially-oblivious, called a POPRF. A POPRF allows clients and servers to provide public input to the PRF computation. This document specifies an OPRF, VOPRF, and POPRF instantiated within standard prime-order groups, including elliptic curves. The Privacy Pass HTTP Authentication Scheme Apple Inc. Google LLC Cloudflare This document defines an HTTP authentication scheme that can be used by clients to redeem Privacy Pass tokens with an origin. It can also be used by origins to challenge clients to present an acceptable Privacy Pass token. Informative References HTTP/3 The QUIC transport protocol has several features that are desirable in a transport for HTTP, such as stream multiplexing, per-stream flow control, and low-latency connection establishment. This document describes a mapping of HTTP semantics over QUIC. This document also identifies HTTP/2 features that are subsumed by QUIC and describes how HTTP/2 extensions can be ported to HTTP/3.