Use Case: Anonymous Tokens for Contact Tracing
Health authorities are trying to respond to the COVID-19 pandemic in multiple ways, among which is using smartphones to trace close contacts. The idea is that one could alert contacts in case of possible risk of infection. The dominant solution is the Google/Apple Exposure Notification System (ENS), which in part is largely based on the DP^3T initiative. In ENS, phones within range exchange short codes. In case of infection, the health authorities can provide a person with an upload code, which enables the patients to upload seeds for all codes sent from their handset anonymously. Other handsets can access these seeds, expand the codes, and check for overlap with their own records. DP^3T did not detail how the upload codes should be distributed. Some countries have central infrastructures containing test results, and are thus able to automatically provide the smartphone apps with upload tokens following authentication against said infrastructure.
As the Norwegian Institute for Public Health (FHI) announced their initial plans for a new version of Smittestopp (litt. translation: "Infection stop"), Eivind Arvesen raised the question of whether the suggested token system would make it possible to trace users. After having verified that this indeed could be the case, Tjerand Silde and Martin Strand wrote a note (Norwegian text only) describing how anonymous tokens could be used to improve privacy while providing the same functionality as the suggested token system. The improved version is inspired by Privacy Pass, designed for anonymous web-browsing. Based on the above note, FHI encouraged a pull request to the official project. Henrik Walker Moe then joined the team in order to write a simplified Privacy Pass implementation as an Open Source project.
Using the roles of Smittestopp and our notation for Privacy Pass, this is how one could use anonymous tokens in order to ensure that uploads are private. Note that tokens could still be correlated using timings, so authorities should refrain from extensive logging of requests.
The sequence of anonymous tokens in Smittestopp will be:
- FHI generates public and private keys, and distributes the private key k to Fhi.Smittestopp.Backend and Fhi.Smittestopp.Verification.
- Fhi.Smittestopp.App generates a request P, and lets the user identify itself against Fhi.Smittestopp.Verification.
- Fhi.Smittestopp.Verification verifies the infection status, and generates the response (Q, c, z), where the latter two constitute the transcript of the zero-knowledge proof of correctness.
- Fhi.Smittestopp.App verifies the proof, generates the tuple (t, W) and submits it to Fhi.Smittestopp.Backend.
- Fhi.Smittestopp.Backend verifies that W is generated from t and signed with the secret key k. It then stores t for as long as k is valid.
We believe that this work should be readily available for other countries' COVID-19 apps as well.
The following have been chosen to instantiate the system
- Elliptic curve library: Bouncy Castle
- Hash function: SHA256
- Elliptic curve: NIST curve P-256