Abstract: Rate-limiting is a common operational task used for preventing inadvertent exhaustion of shared resources in computer systems. Rate-limiting requires a persistent identifier against which to enforce said limits. In practice, this may be an application-layer identifier (token) or a network-layer identifier, such as an IP address. As the adoption of privacy-enhancing technologies like VPNs, Tor, and carrier-grade NATs continues to increase, using persistent network-layer identifiers becomes less effective for rate-limiting. Instead, privacy-invasive methods end up being used for tracking clients, such as cookies and user-unfriendly mechanisms like CAPTCHAs. Technologies like Privacy Pass were designed to help improve the user experience for clients using privacy-enhancing technologies like Tor, but the original protocol is limited in that it is stateless. Privacy Pass cannot be used to efficiently implement rate limiting as there is no persistent identifier. In this talk, we'll discuss an extension to the Privacy Pass protocol that supports rate limiting without privacy regressions. We'll discuss the cryptographic components of the protocol, its deployment model, and existing security analysis done with the ProVerif symbolic analyzer tool.