In the near future, we hope to publish a paper detailing the security goals that we hope for our protocol to achieve. With these goals we also present proofs of security that assume the hardness of standard cryptographic assumptions such as the discrete log problem.
No, we regard Privacy Pass and the protocol we use as being beta releases currently and still under active development. There are still features that have not been completely implemented in the extension such as DLEQ proof verification. We hope to be able to introduce these features and thus a complete implementation of the extension in the near future. In the meantime, if you notice anything wrong at all then we would love for you to get in touch or contribute using the links below.
Privacy Pass only stores data relating the tokens that are used creating ‘passes’. Privacy Pass may also make changes to outgoing requests if a situation is deemed to instantiate either the signing or redemption phase of our protocol.
In preliminary tests on consumer hardware, our extension takes ~1.1 seconds to generate blinded tokens to be signed by the server and ~1.9 seconds to parse the signed tokens and verify the DLEQ proof. Creating a pass that can be used to redeem signed tokens takes <40ms.
In terms of request sizes, Privacy Pass adds ~2kb of data to client requests for tokens to be signed and ~0.4kb for requests to redeem a pass. The server signing response includes ~17kb additional data.
Privacy Pass is currently supported by Cloudflare to help reduce the number of CAPTCHAs that need to be solved by honest users. The privacy-preserving aspect of Privacy Pass means that users can redeem tokens instead of solving more CAPTCHAs without compromising their anonymity.
Great! the server that we have written is open-sourced under the BSD-3 license. You can use this implementation or one of your own creation to construct a compatible server for the Privacy Pass extension. If the extension needs to be adapted to include support for your new server then get in contact with the Privacy Pass team or submit a PR yourself, as above.
Feel free to contact any member of the Privacy Pass team and they should be able to help. Otherwise open a PR as above, or create an issue in the GitHub issue tracker.