ARC — Anonymous Rate-Limit Credentials
ARC (Anonymous Rate-Limit Credentials) is an IETF Privacy Pass WG draft — draft-ietf-privacypass-arc-protocol — that extends Privacy Pass with rate-limit semantics: origins can bound a client's redemption volume while preserving the unlinkability property.
What problem ARC solves
Base Privacy Pass has three structural limits (see systems/privacy-pass), one of which is no dynamic rate limits: once N tokens are issued, the issuer cannot invalidate remaining tokens if the client begins misbehaving. ARC addresses this by making rate-limiting scope part of the credential itself — the origin can enforce "N redemptions per window" without either:
- Tracking the client across presentations (would break anonymity), or
- Requiring the client to re-contact the issuer for every redemption (would not scale).
The client obtains an ARC credential that represents a rate-limit budget; each redemption consumes credit; when the budget is exhausted, the client must renew with the issuer.
Relationship to Privacy Pass
ARC is a standardized primitive extension in the Privacy Pass suite. It rides on the same cryptographic stack (blinding, VOPRF / BlindRSA-class primitives) as the base protocol. The key design requirement is preserving unlinkability across redemptions — it must not be possible to fingerprint a client using ARC by how it spends its rate-limit budget.
Cloudflare's 2026-04-21 post frames ARC and ACT as the next Privacy Pass primitives and signals direct Cloudflare involvement in their development:
"We are helping to develop and explore new Privacy Pass primitives, such as Anonymous Rate-Limit Credentials (ARC) and Anonymous Credit Tokens (ACT)."
Design question it surfaces
The canonical design tension ARC has to solve: enforcing a rate limit requires counting, counting requires identifying, but identifying breaks anonymity. The cryptographic answer is to bind the counting to a credential that itself cannot be correlated across presentations — the credential knows how much is left, but the origin / observer does not know which client it belongs to.
This is non-trivial: naive approaches (e.g. counters in plain tokens) leak timing / volume information. The draft's mechanism operates within the reverse-flow framework to keep presentation-level unlinkability intact.
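The contrast above as an added sketch, not code from the draft or from the source post: a plain counter token carries a stable identifier, while a per-nonce pseudorandom tag lets the origin count spends by detecting tag reuse. The group parameters, function names and context string are constructed assumptions, and the zero-knowledge proofs a real scheme needs (that the nonce is below the limit and the secret belongs to an issued credential) are omitted.

```python
import hashlib

# Constructed toy group: P = 2Q + 1 with Q prime. Far too small for real use.
P, Q = 2039, 1019

def context_generator(context: bytes) -> int:
    """Hash a presentation context (e.g. origin + window) to an order-Q element."""
    h = int.from_bytes(hashlib.sha256(context).digest(), "big") % (P - 3) + 2
    return pow(h, 2, P)  # squares form the order-Q subgroup; h in [2, P-2] so != 1

def naive_token(client_id: int, counter: int) -> tuple:
    """Plain counter token: the origin sees the same client_id on every redemption."""
    return (client_id, counter)

def spend_tag(secret: int, nonce: int, context: bytes) -> int:
    """Tag = T^(1 / (secret + nonce)): one distinct tag per nonce, no identifier."""
    exponent = pow((secret + nonce) % Q, -1, Q)
    return pow(context_generator(context), exponent, P)

class Origin:
    """Counts redemptions by remembering tags per context, not client identities."""
    def __init__(self):
        self.seen = {}

    def redeem(self, context: bytes, tag: int) -> bool:
        tags = self.seen.setdefault(context, set())
        if tag in tags:
            return False  # nonce reuse: this unit of budget was already spent
        tags.add(tag)
        return True

def run_demo(secret=123, limit=3, context=b"origin.example|window-1"):
    """Honest client spends nonces 0..limit-1, then has to repeat a nonce."""
    origin = Origin()
    results = [origin.redeem(context, spend_tag(secret, n, context))
               for n in range(limit)]
    results.append(origin.redeem(context, spend_tag(secret, 0, context)))
    return results

if __name__ == "__main__":
    print(run_demo())
```

With only `limit` valid nonces per context, an over-budget presentation must repeat a tag, which is what the origin rejects.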
Positioning
ARC sits between:
- Base Privacy Pass — one-shot proof of a single check, no rate-limit state.
- ACT — generalized multi-presentation credentials, including use cases beyond rate-limiting.
ARC is the narrower, rate-limit-specific primitive; ACT is the broader, "I have good history with this service"-style credit-token primitive.
Deployment status
- IETF draft, not yet final. No production deployment numbers disclosed in the post.
- Cloudflare is an active contributor to the draft.
- The 2026-04-21 post positions ARC as a near-term extension of the already-deployed Privacy Pass infrastructure (which scales to billions of tokens/day), not a greenfield system.
Seen in
- sources/2026-04-21-cloudflare-moving-past-bots-vs-humans — introduced as one of two successor Privacy Pass primitives Cloudflare is co-developing.
Related
- systems/privacy-pass — base protocol ARC extends.
- systems/act-anonymous-credit-tokens — sibling credit-token extension.
- concepts/anonymous-credential — the primitive class.
- concepts/unlinkability — the defining property ARC must preserve.
- concepts/rate-limit-trilemma — the governance lens.
- IETF draft draft-ietf-privacypass-arc-protocol.