It really depends on the implementation around it, how a user conducts themselves, and what data you can buy. While there is zero knowledge inside the proof, its use creates a side channel that reveals information.
For instance: The relying party server needs to call the auth server on novel users. Thats a new, unavoidable indicator!
How large are token batches and how long do they last? Will the implementation force them to wait a time period between redemption and use?
A bad implementation means the user IP will talk to the A server, then it will contact the RP server, who will contact the A server. Because this happens once per connection (or 60 minutes in this bill) and takes maybe a few hundred milliseconds. there's not going to be a huge number of candidates to have to sort through. And that's just the handshake.
Oh, that's my bad, I re-read the privacy pass protocol to brush up and it does use signing without requiring the RP to necessarily make another call to the original approver server. I also see there's been work on hidden witness ZKP, so the RP may not even know who approved a given token.
Very cool! Always happy to be proven wrong with cool tech!
For instance: The relying party server needs to call the auth server on novel users. Thats a new, unavoidable indicator!
How large are token batches and how long do they last? Will the implementation force them to wait a time period between redemption and use?
A bad implementation means the user IP will talk to the A server, then it will contact the RP server, who will contact the A server. Because this happens once per connection (or 60 minutes in this bill) and takes maybe a few hundred milliseconds. there's not going to be a huge number of candidates to have to sort through. And that's just the handshake.