Double-Blind Armadillo: Enabling Privacy with Unlinkability
Double-Blind Armadillo severs identity, payments, and phone usage data via partitioned services, blinded tokens, and batched relays.
By Team Phreeli
In most telecommunications systems today, sensitive personal information such as identity, payment method, and phone number is typically stored together in a single database. This design simplifies management for service providers but also creates a point of vulnerability: one single location where personal, financial, and communication information converge. This centralization makes personal data an attractive target for data brokers, hackers, or even insider misuse, leaving individuals at increased risk.
Double-Blind Armadillo, created by Least Authority for Phreeli, is a new privacy-focused system architecture and cryptographic protocol designed around the principle that no single party should be able to connect an individual’s real identity, payments, and phone records. Customers should be able to access services, manage payments, and make calls without having their activity tracked across systems. It works by partitioning critical information relating to individual customer identities, payments, and phone usage into separate service components that only communicate through carefully controlled channels. Each part of the system knows only the essential information that is required to perform its job and nothing more. For example, the payment service never learns which phone number belongs to a person, and the phone service never learns their name.
This approach enables the privacy property known as unlinkability, which ensures that even when different parts of a system must cooperate to provide a service, no single party can piece together a full picture of who the individual is or what they do. Unlinkability thus prevents the creation of comprehensive behavioral profiles and, in turn, drastically reduces some of the risks commonly associated with data exposure. A database leak that contains only a long list of phone numbers with no other context, for example, is of significantly less value to an attacker than a database that contains the same phone numbers alongside the names of their owners.
Rather than relying on permanent individual identifiers, the system uses short-lived cryptographic “blind tokens” to authorize actions. These tokens, derived from the established Privacy Pass protocol, serve as small digital “proofs” that can be used to show an individual customer is authorized to perform a given action without revealing who they are (or, in a reverse, that a phone number is legitimate without revealing its owner). This design allows the system to verify the legitimacy of an account or phone number or to perform operations without ever exposing or linking the two identifiers.
In addition to the use of blinded tokens, Double-Blind Armadillo employs a blind relay (or “mixing”) service to collect and forward messages between the system’s backend components. This relay collects common service operations (such as activating a new SIM card or processing a payment) across all individual customers of the service, finalizing those operations together in large batches only at specific times. This helps to ensure that an observer at any two ends of the system (for example, one inside the payment processor and the other on the phone network) cannot easily identify the originator of any given operation based on timing alone. If Bob, for example, pays for service at 9:45 a.m. and the phone network sees one, and only one, new number activated at 9:46 a.m., it is reasonable to assume that this number likely belongs to Bob. But if all of the new activations for a given day all are batched together to occur at the same time, such as exactly midnight, it becomes significantly more difficult for an observer to correlate a given number to a given name. This approach ensures that even when information must move from one service to another, there is no direct link tying an individual customer’s real identity to their phone number or vice versa.
To further understand how these two properties, unlinkability and time-based batching, work together to preserve privacy, imagine an armadillo-themed amusement park in which all employees are required to wear an armadillo costume that completely conceals their faces and all other identifying features. Employees clock in at an unassuming “Employees Only” building, each arriving at any time they choose, but every shift begins at a specific hour. From the perspective of an observer already inside the park, various people might be seen entering the “Employees Only” building at different times. Yet every eight hours, dozens of costumed armadillos emerge simultaneously to start their shifts. Our amused onlooker might watch or follow any of these armadillos as they move around the park, running games and entertaining guests, but identifying which person is inside which costume would be especially difficult. In this example, the employees’ access cards are akin to the “blind tokens” used to authorize access to different parts of the system, while the “Employees Only” building is comparable to the “relay” or “mix” service used to batch operations together. This illustrates how Double Blind Armadillo maintains a clear separation between individual customers’ identities and their actions, thereby enabling unlinkability without sacrificing functionality.