feat: add collision resistance for truncated key id by raphaelrobert · Pull Request #45 · raphaelrobert/privacypass

raphaelrobert · 2025-11-02T16:42:51Z

Fixes #43.

jcjones

A drive-by!

jcjones · 2025-11-04T17:24:14Z

src/amortized_tokens/server.rs

+            if key_store.get(&truncated_token_key_id).await.is_some() {
+                continue;
+            }
+
+            key_store.insert(truncated_token_key_id, server).await;


I don't think it's critical (like, could just document it), but this is a Time-of-Check-Time-of-Use race condition, and a fix would be to write an atomic insert if absent method on the key_stores.

jcjones · 2025-11-04T17:24:46Z

src/amortized_tokens/server.rs

-        OsRng.fill_bytes(&mut seed);
-        self.create_keypair_internal(key_store, &seed, b"PrivacyPass")
-            .await
+        loop {


the other servers have a loop limit, this one does not.

jcjones · 2025-11-04T17:26:13Z

src/private_tokens/server.rs

+            key_store.insert(truncated_token_key_id, server).await;
+            return Ok(public_key);
+        }
+        Err(CreateKeypairError::SeedError)


#[error("Seed is too long")] seems sufficiently incorrect that you might want to make a CollisionExhausted maybe?

jcjones · 2025-11-04T17:28:21Z

src/public_tokens/server.rs

+            key_store
+                .insert(truncated_token_key_id, key_pair.clone())
+                .await;
+            return Ok(key_pair.pk);


Instead of cloning the privkey as well, we can just clone out the pubkey

Suggested change

key_store

.insert(truncated_token_key_id, key_pair.clone())

.await;

return Ok(key_pair.pk);

let public_key = key_pair.pk.clone();

key_store

.insert(truncated_token_key_id, key_pair)

.await;

return Ok(public_key);

jcjones · 2025-11-04T17:29:06Z

src/private_tokens/server.rs

+            let server = Self::server_from_seed(&seed, b"PrivacyPass")?;
+            let public_key = server.get_public_key();
+            let truncated_token_key_id =
+                truncate_token_key_id(&public_key_to_token_key_id::<CS>(&server.get_public_key()));


Suggested change

truncate_token_key_id(&public_key_to_token_key_id::<CS>(&server.get_public_key()));

truncate_token_key_id(&public_key_to_token_key_id::<CS>(&public_key));

jcjones · 2025-11-04T17:29:29Z

src/amortized_tokens/server.rs

+            let server = Self::server_from_seed(&seed, b"PrivacyPass")?;
+            let public_key = server.get_public_key();
+            let truncated_token_key_id =
+                truncate_token_key_id(&public_key_to_token_key_id::<CS>(&server.get_public_key()));


Suggested change

truncate_token_key_id(&public_key_to_token_key_id::<CS>(&server.get_public_key()));

truncate_token_key_id(&public_key_to_token_key_id::<CS>(&public_key));

jcjones · 2025-11-04T17:30:07Z

src/private_tokens/server.rs

-        self.create_keypair_internal(key_store, &seed, b"PrivacyPass")
-            .await
-    }
+        let attempts_limit = 100;


maybe make this a constant somewhere, and use the same one for all three servers?

jcjones · 2025-11-04T17:31:35Z

src/private_tokens/server.rs

-    }
+        let attempts_limit = 100;
+        for _ in 0..attempts_limit {
+            let mut seed = vec![0u8; <<CS::Group as Group>::ScalarLen as Unsigned>::USIZE];


You use GenericArray in Amortized Tokens, which puts the seed on the stack. That seems good, but I'd suggest just doing the same thing everywhere, whichever you like.

jcjones · 2025-11-04T17:35:14Z

src/public_tokens/server.rs

+        let mut verified = false;
+        for public_key in public_keys {
+            if signature
+                .verify(&public_key, None, token_input_bytes.clone(), &options)
+                .is_ok()
+            {
+                verified = true;
+                break;
+            }
+        }


Maybe this is an opportunity to use iter().any()? Something like:

Suggested change

let mut verified = false;

for public_key in public_keys {

if signature

.verify(&public_key, None, token_input_bytes.clone(), &options)

.is_ok()

{

verified = true;

break;

}

}

let verified = public_keys.iter().any(|public_key| {

signature.verify(public_key, None, token_input_bytes.clone(), &options).is_ok()

});

perhaps we can get rid of the .clone() on each iteration, too? hmmm

raphaelrobert · 2025-11-30T22:35:58Z

Thanks for the review, @jcjones. Much appreciated!

raphaelrobert added 2 commits November 2, 2025 11:05

allow truncated key id collisions for public tokens

c9402b3

avoid collisions when creating keys

e1c575f

jcjones reviewed Nov 4, 2025

View reviewed changes

raphaelrobert and others added 2 commits November 30, 2025 22:00

address review comments

0851a2e

Merge branch 'main' into truncated-key-id-collisions

4ef03d9

raphaelrobert merged commit c6be7b0 into main Nov 30, 2025
1 check passed

raphaelrobert deleted the truncated-key-id-collisions branch November 30, 2025 22:36

raphaelrobert mentioned this pull request Nov 30, 2025

feat: more expressive errors #44

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: add collision resistance for truncated key id#45

feat: add collision resistance for truncated key id#45
raphaelrobert merged 4 commits intomainfrom
truncated-key-id-collisions

raphaelrobert commented Nov 2, 2025 •

edited

Loading

Uh oh!

jcjones left a comment

Uh oh!

jcjones Nov 4, 2025

Uh oh!

jcjones Nov 4, 2025

Uh oh!

jcjones Nov 4, 2025

Uh oh!

jcjones Nov 4, 2025

Uh oh!

jcjones Nov 4, 2025

Uh oh!

jcjones Nov 4, 2025

Uh oh!

jcjones Nov 4, 2025

Uh oh!

jcjones Nov 4, 2025

Uh oh!

jcjones Nov 4, 2025

Uh oh!

raphaelrobert commented Nov 30, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

	truncate_token_key_id(&public_key_to_token_key_id::<CS>(&server.get_public_key()));
	truncate_token_key_id(&public_key_to_token_key_id::<CS>(&public_key));

Conversation

raphaelrobert commented Nov 2, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

jcjones left a comment

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

raphaelrobert commented Nov 30, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

raphaelrobert commented Nov 2, 2025 •

edited

Loading