Privacy Pass Authentication for Kagi Search

Honestly, I think what TFA calls "Kagi’s implementation of Privacy Pass" is the integration of the feature into their server and clients, not the RFC (which they acknowledge), or the protocol implementation.

So if they add “credit to raphaelrobert”, or a copy of your license to their code somewhere, Kagi will be compliant?

I’ve never had any of my open source software used, and I typically license it with MIT, so I’m curious how other groups and organizations actually comply with the license.

Captured 14 Feb 2025 ~12:15pm EST from README header

> This repository contains the source code of the core library implementing the Privacy Pass API used by Kagi.

Yeah... that doesn't feel great. Though I do think the folks at Kagi would be open to more accurately reframing that as "core library implementing a Crystal Lang wrapper for raphaelrobert/privacypass". It's likely unintentional, they were probably just focusing on getting it working and didn't get someone to reread this stuff.

> It's rare to see that a service you use actually does something that benefits the user rather that itself

The reason it's become so rare is most companies in this space (heck tons of tech companies period) have used a business model of offering a thing to one group of users and then turning around and selling the results of that thing to another group of users, where the latter group is the one actually driving your revenue. This by default almost assumes a hostility towards the former group because their interests will of course be at odds with the interests of the latter group.

What's refreshing about Kagi and other new tech companies is they have dumped this model in favor of having just one group that they serve and drive revenue from (ie. the 'old' model).

> (I don't use Orion, as there's no GNU/Linux version.)

We commenced work on Orion for Linux yesterday.

The downside of this is that if you are not on a larger network, the IP address will probably deanonymise you. Kagi knows you are logged in, and if you open a private browsing window to do a spicy search, they could link the searches. Fast switching between modes is undesirable.

FYI in case you’re not aware, they announced in a podcast near the end of 2024 that a Linux version of Orion is planned.

With kagi you'll get used to them making the correct choice. It's been stunning how they haven't really had any missteps

I wish my kagi t-shit could say the same. Bottom hem unraveled on the second wash, and so it's been consigned to the sleep and yard work shirts. They issued me a coupon for a free shirt as replacement, but it's yet to ship

yeah, same. I would only use privacy pass for icognito searches COUGH P0RN COUGH mainly (let's be honest). Feel free to submit the idea on kagifeedback.org

Kagi accepts bitcoins but Vlad (the founder) mentioned on their forum that so few people use this option that it does not make sense to work on accepting Monero.

I agree that third party stores selling tokens without any account at all would be the ideal solution, but without an account you'd be missing out on many of the features that make kagi worth using like being able to remove certain domains from results or prioritizing types of results over others.

The server does not generate the tokens, the client generates the tokens. The server is supposed to be able to verify that they were generated by a client who was granted the authority to generate them, but not which client did so. At least, not without side-channel information.

> The main building block of our construction is a verifiable oblivious pseudorandom function (VOPRF)

I am not sure how well tested that primitive is, but it definitely appears to be more than the server handing clients tokens and then pretending not to know who it gave them to.

The referenced paper: https://petsymposium.org/popets/2018/popets-2018-0026.pdf

Privacy Pass docs [0] cover this, but it is mostly referenced deeper in the paper. I believe the idea is that the tokens returned by the server are "unlinkable" to the (modified) tokens passed back by the client. So the server knows it passed back tokens A, B and C to some users, and later receives tokens X, Y and Z. It knows that X, Y and Z are valid, but not their correspondance to the tokens it issued. It uses elliptic curve cryptography for this.

[0] https://privacypass.github.io/

The idea is that the tokens aren't linked to any account. They're anonymous.

Yeah I think you don’t understand the premise behind privacy pass tokens.

The whole idea is that the server does not which WHICH client a token belongs to. It doesn’t generate the tokens.

> I'm not one of the people that has been concerned about that, but I'm curious to what extent this alleviates those concerns among those that have had them.

I am, it's mind-blowing to me that anyone would login to a search engine (yes, I know how many do it, now).

After a brief verification of the system, I'm pretty sure I'll sign up, now

Assuming the cryptography does what they say it does (am not a cryptography expert, so I can't verify that part), this would completely disjoin a search request from any account info. The account generates several "search tokens", and for each search request, one of those tokens is spent. The tokens are generated on-device, and until spent, never leave the device, so in theory there's no way for Kagi to know which account generated the token just from the token alone. This doesn't fix fingerprinting or IP associations (though the plugin for Firefox and Chrome supposedly takes efforts to try and limit fingerprinting too), but this isn't any better/worse than simply using Google or Duckduckgo, and functions on Tor if you really want some privacy.

Again, not sure on how the tokens are proven legit without ever sharing them, but there's probably some ~~zero-knowledge proof~~ stuff going on that covers that.

Edit: Not zero-knowledge proof. Seems to be Blind Signature?

Implementor here. During the Privacy Pass "issuance" protocol, the client will generate a "message" that the server will process. The output from the server is returned to the client, that further modifies this output to produce the final tokens. The last client modification randomises these tokens in such a way that the server will be unable to identify to what issuance they belong.

The very cool thing is that this is the case even if the server tries to misbehave during their phase. This means that users only need to trust the client software, which we open sourced: https://github.com/kagisearch/privacypass-extension

Some posters are mentioning blind signatures, and indeed Privacy Pass can utilise these as a building block. To be precise, however, I should mention that for Kagi we use "Privately Verifiable Tokens" (https://www.rfc-editor.org/rfc/rfc9578.html#name-issuance-pr...) based on "oblivious pseudorandom functions" (OPRFs), which in my personal view are even cooler than blind signatures

That's apparently explained in their citation [1], the paper about cryptographically anonymous token protocols. It's not a simple plaintext token.

https://news.ycombinator.com/item?id=19623110 ("Privacy Pass (cloudflare.com)", 53 comments)

The tokens are "generated" on the client, and the server just gives the client enough information to make that locally generated token become "valid", without being able to link that token to a specific validation attempt

Exactly the question I had in mind. You can't rely on server side trust so I'm curious if I just misunderstood something...

I believe "Privacy Pass" uses blind signatures, so the token that the TokenResponse contains can't be correlated to the one provided in the search query, if I understand it correctly.

> The token can only be redeemed once, which means that, realistically, the client is going to be in a loop generating and redeeming tokens in a given search session, which makes the pairs trivial to correlate.

One token request can produce N tokens. We have it configured where N = 500, so most users will be requesting more tokens fairly infrequently.

Yes, multi-device is definitely not easy. We've played with a few ideas, but it is definitely not a question with an obvious answer. For now, our rate-limiting allows you to use Privacy Pass on a few different devices by having each generate tokens independently. We will see how this goes and listen to user feedback before going back to the drawing board.

The cryptography privacy pass is based off [1] actually comes from Ecash[2] so we’ve gone full circle.

[1] https://www.petsymposium.org/2018/files/papers/issue3/popets... [2] https://en.m.wikipedia.org/wiki/Ecash

Yes, though Cloudflare has ended their privacy pass trial as far as I know.

I remember Safari as the only browser that implemented it natively, but I guess Orion has it now too.

I sat down on my desktop to take a closer look at how Kagi implemented this. It turns out that the privacy pass extension isn't the one implemented by CloudFlare (and rejected by Tor), but a new extension called Kagi Privacy Pass.

Ok, let's look at the source.

    curl -L https://addons.mozilla.org/firefox/downloads/file/4436183/kagi_privacy_pass-1.0.2.xpi > /tmp/extension.xpi
    unzip /tmp/extension.xpi -d /tmp/extension
    cd /tmp/extension

Alright, here's some nice, clean, easy-to-read Javascript. Nice! Wait, what's that?

    // ./scripts/privacypass.js
    /*
     * Privacy Pass protocol implementation
     */
    
    import init, * as kagippjs from "./kagippjs/kagippjs.js";
    ...
    // load WASM for Privacy Pass core library
    await init();

I opened ./kagippjs/kagippjs.js and was, of course, greeted with a WASM binary.

I personally would not install unknown WASM blobs in Tor browser. Source and reproducible build, please!

Let's continue.

    // get WWW-Authenticate HTTP header value
    let origin_wwwa_value = "";
    const endpoint = onion ? ONION_WWWA_ENDPOINT : WWWA_ENDPOINT;
    try {
      const resp = await fetch(endpoint, { method: "GET", headers: { 'X-Kagi-PrivacyPass-Client': 'true' } });
      origin_wwwa_value = resp.headers.get("WWW-Authenticate");
    } catch (ex) {
      if (onion) {
        // this will signal that WWWA could not fetch via .onion
        // the extension will then try normally.
        // if the failure is due to not being on Tor, this is the right path
        // if the failure is due to being on Tor but offline, then trying to fetch from kagi.com
        //   won't deanonymise anyway, and will result in the "are you online?" error message, also the right path
        return origin_wwwa_value;
      }
      throw FETCH_FAILED_ERROR;
    }

What?? If the Onion isn't reachable, you make a request to the clearnet site? That will, in fact, deanonymize you (although I don't know if Tor browser will Torify `fetch` calls made in extensions). You don't want Tor browser making clearnet requests just because it couldn't reach the .onion! What if the request times out while it's bouncing between the 6 relays in the onion circuit? Happens all the time.

> Was there any outreach to the Tor community at all prior to releasing this feature?

Do we know what fraction of Kagi users access it through Tor?

That's really smart. You should suggest it to Kagi directly: https://kagifeedback.org/

Here's a resource I found that walks through the ideas of the protocol, starting with simple implementations that have a problem, and then solving the problem one by one: https://privacypass.github.io/protocol/

I think that's the best conceptual overview of a crypto protocol I've ever seen.

See section 5.5 of the linked paper https://petsymposium.org/popets/2018/popets-2018-0026.php. I'm not sure if/how Kagi implemented this, but the idea is that Kagi's "public" component can be committed to publicly (e.g., in the browser extension itself).

In the simplest terms, the token generation process B->C is done with the user's private key. So even if the server knows A,X,B they can't link it to the token C.

> They ask God (used here to represent math itself)

Thank you so much, I am 100% stealing this

Not yet, but seems like I think they probably could do. Request it on https://kagifeedback.org/

Yes, should happen soon.

Meanwhile, Google gets hit with the anti-competitive judgment and Apple gets off by way of being more anti-competitive. Wild, isn't it?

Anecdotally I’ve had zero issues with the Safari extension.

[I worked on building this at Kagi]

Since we have no idea who is issuing search requests in Privacy Pass mode, if there was no limits on token issuance, you could simply generate infinite tokens and give them out (or use them as part of some downstream service), and we'd have no other recourse for rate-limiting to prevent abuse.

Setting a high, but reasonable limit on issuance helps prevent abuse, and if you run out of tokens, you can reach out to support@kagi.com and we'll reset your quota.

The reason they give in their docs is to “prevent abuse” (https://help.kagi.com/kagi/privacy/privacy-pass.html).

It feels like they picked a number no user should hit, while keeping it low enough to not pass Kagi out “free” to all their friends.

>Hope they can enable this in Safari so that I can use iCloud Private Relay with it.

What are you hoping to gain with that?

For me the killer kagi feature is that I can manually up and down weight domains in results. I can "pin" and always get wikipedia results or "block" and never get pintrest or raise or lower as needed. Brave search has a similar feature, but they only seem to support "block" not "lower", which is what I use a lot more often.

https://kagi.com/stats?stat=leaderboard

If you don't immediately notice the difference between Kagi's and Google's results, Kagi is not for you.

If you can't imagine a gap then I think it might not be for you.

I tried kagi after finally getting sick of some of my google results. Kagi was able to deliver on some of those results.

It's not like, shockingly better results. I do think they're better on average, but I'm not sure.

However, in the cases where I couldn't find what I was looking for on google and could on kagi, well, that's a binary result. I'll take the success and not the failure.

I was surprised by how much better I found the UI. That's actually the thing that sold me on the subscription to begin with. Going in, I would not have expected UI to sell me on such a thing.

I have since customized it somewhat; there are sites I usually really like results from and they are upranked, and sites I don't care for which are downranked. I've felt like this has lead to even better experience, but I haven't gone back to google to compare.

Other than the things others mentioned, with the ultimate plan you can use Claude with Kagi web-search, which is not something that the Claude web app supports, I believe.

For me, Kagi felt like a godsend as my Google searches had become polluted, and I had to dig way deeper in the search results to get anything decent. They also have an AI assistant that gives you access to all the major AI models and integrates with their search in a way that I have found very useful.

I would recommend at least giving it a try to see if you notice a difference. For my job, the monthly fee more than pays for itself

Auto filter for sources, downrank sources you dislike, sort results by recency, have an engine that actually respects what country or language you're trying to search into, and finally present results visually the way you want them. It's worth trying to use it actively for a month or so, and you'll see if you need it or not. I would not to back to google even if Google paid me.

Here is a case for 'not google':

https://i.imgur.com/PQNm1Yc.png

I want a search engine to return useful results. Right now, google has been captured by revenue generating results. It wouldn't be so bad if useful results were making money, but that doesn't seem to be the case.

[dead]

It depends on how hard those companies work beforehand to prevent themselves from being able to comply with such requests beforehand. Signal is a good example of this, Kagi seems to be onboard also.

I haven't looked closely enough at this token thingy Kagi is doing but it seems on the surface like it might scratch the itch by letting them decouple the accepting-payment part of their service from the providing-results part such that they know that you've paid, but not which payer you are.

Government's power over companies does not negate cryptographic privacy protections. For example, one criminal who used ProtonMail got caught because ProtonMail handed over their recovery GMail address to the law enforcement after they were compelled[1]. However, that means end-to-end encryption worked: that was the only thing they could hand over. I think the same principle applies here.

[1] https://www.techradar.com/computing/cyber-security/proton-ma...

I think the idea here is that it literally can't be traced to the user – at no point is there anything passed that would allow Kagi to make the association between the user and the query.

Isn’t the whole point that this method is secure by design so even if they wanted, they couldn’t track you?

Or are you saying the method is designed to look secure but there’s an intentional weakness that makes tracking possible?

If the system is implemented correctly then Kagi cryptographically can't link a particular search to a particular user.

XKCD #538 strikes again, and definitely extends to forcing people to lie about algorithms and possible backdoors.

I don't think, however, that this means we need to give up on crypto entirely. Just... be aware of the threat model for what you're encrypting.

I don't know nor do I really care what other search companies are making. I pay $10/month for Kagi because it works for me and it's good. I don't even care about Kagi as a company (I don't care about any company); their search works. It's a good product, and I'm happy to keep paying for it as long as it keeps being useful while all the free competitors are still terrible. I use about 2k searches per month.

edit: Even just the ability to rank, pin, and block domains alone is crazy useful. I never need to see Pinterest in any image search results again. If I see a crappy blog spam site, I just block it and it never shows up again. It feels like these are basic, fundamental features that every search engine should have had a long time ago. It's pretty sad that Kagi is getting so much praise for doing things that really should have been standard for at least a decade (not sad in any negative way toward Kagi, but because our standards and expectations for search have dropped this low).

$10 felt a bit steep until I realized there is probably the economies of scale at play here.

1) There is a marginal payment overhead. I'd assume $0.50-0.75, leaving their amount down to $9-ish.

2) It's a fairly niche product with a still-small userbase. ~40k users at ~$9/mo = $360k/mo (I know there's $5/mo users and $25/mo users but I'd assume there are far more $5/mo and $10/mo users than $25/mo users)

3) They have to keep the service running 24/7/365, so you have to hire devs either across multiple time-zones or compensate them enough to be OK fighting fires at 2am.

If you can pay $10/month for a better search experience, then Google's making way more than that much off your data.

Kagi saves me much more than $10 of time every month. I definitely don't regret the subscription cost. Their LLM thing (append "?" to your internet search query) is worth more than that on its own.

I’ve been paying for Kagi for a long time through all their pricing model changes and updates. I have never once hit the search limit. I know they base their tiers on market research of search volume balanced against cost of serving a query. If you’re looking for reasons not to pay for search, you’ll find them. But the pricing model is hardly one. If you want an amazing and respectful search experience, and want to back a company that’s truly doing right by users and innovating at the same time, give Kagi a try!

I support them ($10/mo) because they do a good job and I figured, if I pay, then the likelihood of them using sketchy ways of making money is reduced.

The reason why it's worth it is because its search works really well. I've tried DuckDuckGo, Bing and always subconsciously ended up back at Google. This is the only search service I've used that works better than Google search and I think it's a combination of them not putting ads on the search and the way they let you tweak the search to block poor quality sites. How much it costs them or how much google profits vs your payment is not really relevant to me. It's the best working search engine in my opinion.

Kagi Ultimate plan ($25/mo) includes Kagi Assistant with more than 15 different models (including Claude 3.5 Sonnet, Gemini 2.0, ChatGPT 4o + o3 mini, DeepSeek R1 etc). That plan suddenly becomes the cheapest, IMHO. I know that paid versions of LLM services offer more advanced models, but you at least get ahead of the rate limits this way.

I subscribe to an unlimited family plan. When considering how much cleaner my web experience is, it's a no-brainer. Default search engine on all our phones and devices.

They're my portal to the web. It's less like an optional web service (like a streaming service), and it feels more like I'm paying for them to be my ISP.

I pay $10/month just to have search results that aren't littered with SEO spam. The time savings alone make it totally worth it for me. Everything else is a giant bonus.

FWIW I signed up about 4 months ago on the starter plan and I'm definitely going to run over. I could be smarter about my searches though. I've switched to kagi on ALL of my devices, including work devices. And I could have searched to using google for most gifts/maps stuff instead.

some anecdotal data:

11/2024: 183 searches

12/2024: 360

1/2025: 376

2/2025: already at 222

Will definitely (happily) have to upgrade to the $10 plan. It's been great.

You can't expect world percentages to match US percentages. The US is only 5% of the world's population and has a very different relationship to search. Also, only 63% of the world is online, so what does "90% of global" even mean?

Back-of-the-envelope:

- 2tn searches per year.

- US is 20% of all searches.

- Us revenue is 76bn

$76bn / (2tn * 0.2) = $0.19 / search

So, getting 300 searches for less than $0.02 per search sounds like a pretty good deal.

I thought this too but at this point I've been subscribed well over a year. On a typical workday I might use 20+ searches, but I frequently use little to no searches on weekends and holidays, etc. Ultimately I end up using right around 300 per month (averaged out across the year), so I think their pricing isn't as wild as it initially looks.

It's just about the best Internet-related money I spend. I get fast, quality results on a service that doesn't obviously bend over backwards to monetize me. Ironic, in a way. I thought it was spendy at first, and now I can't imagine cancelling my subscription.

I assume Kagi's customers (of which I've been one since 5/22) are apt to value retaining their privacy more than Google values selling their data. That is to say, it's worth more than $10 (and more than $23 a month) for me to believe my data isn't being sold to advertisers. If you don't take that position, or set different values on it, I can certainly see why $5 or $10 a month wouldn't be worth it to you.

There's also the matter of Google search quality being increasingly bad, while Kagi's is consistently... okay. They also have a a lot of nice features, liking being able to change the weight of different sites in your list of results.

I don't have exact numbers, but I wouldn't be surprised if 80-90% of google ad revenue comes from the ad prices they can charge for US users. I would be shocked if the percentage was less than 50-60% of revenue from US alone, which would put the value extraction per user for google at ~10$/month/user

> This seems cool, but I still think the pricing of kagi is rather steep. It is $5/mo for 300 searches a month, which is really going to get you under 10 a day... That's insufficient.

You can split your searches with search engine shortcuts on the desktop, and the search engine quickbar on mobile.

When I still was on the starter plan, I used Kagi whenever I had a search that if I use google, I know I will:

- get a bunch of listicles and AI slop (Kagi downranks and bundles these)

- get a buch of AI images (again, Kagi clearly labels and downranks these)

- have to do multiple google searches for, but can instead use Quick Answer for

- will get a bunch of Reddit pre-translated results for

- technical / scientific questions, because of the sites I can uprank/downrank/block

I used google for things like:

- highest building in the world

- $bandname Wikipedia / Discogs

- name of thing I can't remember but have the approximate word for

You get the idea.

Depends on how you use it. For non-developers, under 10 searches per day on average sounds right. Not everyone has a job where they sit on a computer all day.

For me, I use Kagi only at home for personal use. And most months, I don't exceed 300. Of course, if I included work related searches, then yes - 10 searches won't get me far.

I've been paying $5 a month for over a year and have hit the 300 search limit only once. I feel like I'm pretty active on the web, but perhaps I just have days where I don't search as often as others.

Wow! I wouldn't be surprised if I make more than 100 searches per day.

This is an interesting idea, and indeed such an approach to providing privacy has been formalized to different degrees and varying levels of success (eg. [1][2]).

[1] https://arxiv.org/abs/1204.2136 [2] https://arxiv.org/abs/2210.03458

Unfortunately, as described, such a solution would only satisfy a somewhat meaningless notion of privacy. Specifically, the embeddings by definition contain potentially private information about the user, revealing things like "I'm asking about birds" to use your example. Even though it might "compress" the query in a slightly lossy way, it would still reveal a great deal of information about the query.

A true solution to this problem would require something like differential privacy and adding noise to the embeddings. However, the noise required would (likely) end up destroying too much information from the embedding to preserve accuracy of the LLM.

While this is a neat sounding idea, there's a few issues here:

1. Embeddings are very close to a reversible function. It's not hard to take an embedding and query back the closest query semantically from the source LLM.

2. We already don't log any queries from the users. I'm aware this has to be taken on faith from Kagi users. But you can believe that not having any user query data at all anywhere is a significant speed bump for us in feature development, bug tracking and roadmapping.

that's because you're a computer professional and the professional plan is more appropriate for you.

I gave a hundred searches to some normies I know and they told me that they save them to use when Google can't find what they want because Kagi works better (!) so they hoard the searches as backups to Google.

All I know is that I haven't used Google on purpose for a year and it's really turned into an eyesore

Unlimited is only $10, more than worth it for me.

They're saying that when someone uses a privacy token to search, they cannot track which account it's tied to. Therefor, they cannot track limits & billing.

> There's a monthly limit of 2,000 tokens per account to prevent abuse

https://help.kagi.com/kagi/privacy/privacy-pass.html

So I guess you _could_ share them, but only with so many people or so many searches.

We haven't heard about this issue before, do you mind reaching out to support@kagi.com with more details so we can debug?

Just as a data point, I haven't seen this in Safari on desktop or mobile, or in Edge (on my Windows work machine).

> The unstated downside

It is clearly stated in the blog post :)

We even considered variations of having some settings preserved in local storage and impact of that on anonymity. Ultimately decided that was not worth it.

Check the FAQ section (towards the end) for full details and analysis:

https://blog.kagi.com/kagi-privacy-pass#faq

Couldn't those be passed as query parameters?

Though those still get passed to the server, and your combination of personalization settings is likely to be globally unique, and it's almost certainly unique among the subset of users that are paranoid enough about their privacy not to store preferences in their session... But still.

Not only that but your searches themselves likely give Kagi more than enough information to identify you as an individual. We saw that nearly 20 years ago when AOL searches were published and people were able to track down specific individuals from their search terms. (https://www.nytimes.com/2006/08/09/technology/09aol.html)

Privacy Pass is an anonymous credential scheme that does exactly what you describe.

Where do you live and how much lower do you expect them to go?

Starting at $5 a month seems very reasonable to me for a non-essential premium search experience.

https://kagifeedback.org/d/687-implement-regional-pricing/5

> Regional, student, annual...discounts are not possible because we are not currently making any profit to discount it off from.

problem is that they have small margins because they have to pay a lot for their upstream providers (and those don't care about what region kagi users are from so charge the same)

> For example, in the case of Kagi, black links instead of blue feel off-putting.

Not exactly sure what you're getting at, but:

"Using CSS, you can fully customize Kagi's search and landing pages from your Appearance settings." : https://help.kagi.com/kagi/features/custom-css.html

In about two months!

Per-user search history can directly be sold to advertisers, no? I was under the impression Google and Microsoft do that, or at least use it internally to build a profile of each user, again used for advertising.

A problem with "zero knowledge" proofs is that Kagi needs to verify that the user has paid for the service, which requires the server to have some knowledge about the client at some point.

That's one of the the technical limitations behind gating it to unlimited accounts for now.

From [2] RFC 9576 § 4.1 "Shared Origin, Attester, Issuer", right before the sentence you quoted:

> In this model, the Attester, Issuer, and Origin share the attestation, issuance, and redemption contexts.

I haven't read the RFC in detail, but I believe this is where the nuance is: When you enable the privacy pass setting in the extension/browser the redemption context is changed relative to the attestation context by removing the session cookie, to just the information sent by the browser for someone who is not logged in. What remains is your IP address and browser fingerprinting, which can be countered by using Tor.

This would definitely seem like a big concern if you were just looking at the RFC, but the key here is that Kagi's system has a different set of security/privacy/functional requirements and therefore the issues mentioned in the RFC do not necessarily apply.

In the RFC's architecture, the request flow is like so:

1. CLIENT sends anonymous request to ORIGIN

2. ORIGIN sends token challenge to CLIENT

3. CLIENT uses its identity to request token from ISSUER/ATTESTER

4. ISSUER/ATTESTER issues token to CLIENT

5. CLIENT sends token to ORIGIN

You can see how the ISSUER/ATTESTER can identify the client as the source of the "anonymous request" to the ORIGIN because the ISSUER, ATTESTER and ORIGIN are the same entity, so it can use a timing attack to correlate the request to the ORIGIN (1.) with the request to the ISSUER/ATTESTER (3.).

However you can also see that if a lot of time passes between steps (1.) and (3.), then such an attack would be infeasible. Reading past your quote from RFC 9576 § 4.1., it states:

> Origin-Client, Issuer-Client, and Attester-Origin unlinkability requires that issuance and redemption events be separated over time, such as through the use of tokens that correspond to token challenges with an empty redemption context (see Section 3.4), or that they be separated over space, such as through the use of an anonymizing service when connecting to the Origin.

In Kagi's architecture, the "time separation" requirement is met by making the client generate a large batch of tokens up front, which are then slowly redeemed over a period of 2 months. The "space separation" requirement is also satisfied with the introduction of the Tor service.

There is some more discussion in RFC 9576 § 7.1. "Token Caching" and RFC 9577 § 5.5. "Timing Correlation Attacks".

One question you may have is: Why wasn't this solution used in the RFC?

This can be understood if you look at the mentions of "cross-ORIGIN" in the RFC. This RFC was written by Cloudflare, who envisioned it's use across the whole Internet. Different ORIGINs would trust different ISSUERs, tokens from one ORIGIN<->ISSUER network might not work in another ORIGIN<->ISSUER network. This made it infeasible for clients to mass-generate tokens in advance, as a client would need to generate tokens across many different ISSUERS.

Of course, adoption was weak and there ended up being only one ISSUER - Cloudflare, so they adopted the same architecture as Kagi where clients would batch generate tokens in advance (batch size was only 30 tokens though).

RFC 9576 § 7.1. also mentions a "token hoarding" attack, which Cloudflare felt particularly threatened by. Cloudflare's Privacy Pass system worked in concert with CAPTCHAs. Users could trade a completed CAPTCHA for a small batch of tokens, allowing a single CAPTCHA completion to be split into multiple redemptions across a longer time period.

However, rudimentary "hoarding"-like attacks were already in use against CAPTCHAs through "traffic exchanges". Opening up another avenue for hoarding through Privacy Pass would have only exacerbated the problem.

I believe you should currently be able to - create an account under a pseudonymous email address - pay for a plan using a pseudonymous Bitcoin wallet - use your login session to generate Privacy Pass tokens - search with such tokens via the Tor browser on Kagi's .onion domain

You have to generate the tokens while signed in, but once you have the tokens, you can use them without your searches being associated with your account (cryptographically provable).