applied-mixnetworks / mixbib

Mix Network Bibliography


Privacy Preserving Contact Tracer

david415 opened this issue · comments

This paper describes a cryptographic protocol designed to be used with a mixnet such that it allows the spread of infection to be traced in a privacy-preserving manner:

https://github.com/JonathanLogan/covidtracer/blob/master/pp-contact-tracer.pdf


This hasn't gone through peer review, which the bibliography generally tries to wait for.

Any thoughts on mixnet vs PIR for this application? I suppose mixnets might give cheaper mailbox queries?

Could your mobile device just hand out SURBs using mixnode keys that live for at least two weeks?

I described a mixnet solution with a 32 byte SURB at TracingWithPrivacy/paper#10 but it leaks infected users activities, like all current "privacy preserving" designs.

You could fix the SURB scheme with some narrow mailbox server design, while you can only fix the non-mixnet schemes like DP-3T, etc. with TEEs, but iOS lacks any TEE. It resembles some voting mixnet more than Sphinx though: no MACs, no block ciphers, only stream ciphers or ElGamal. It might employ either universal reencryption or a server-side TEE to protect infected users' privacy, but uninfected users' privacy depends only upon the mixnet.

I think PIR could protect infected users' privacy, but IT-PIR leaks all users' activities against powerful enough adversaries, well, like the mixnet. It's possible relatively inexpensive variants of C-PIR might exist based on homomorphic hashing with lattices, not sure. Any thoughts @willscott ?

@burgdes I can give you @willscott's contact information if you need to discuss something with him, as he doesn't seem to be responding to your comments here. Also, this particular issue tracker is supposed to be for the mix bibliography and not for design discussions.


It seems that what you really want is a zero-knowledge rendezvous system of some sort.

Re: C-PIR vs IT-PIR balance - I continue to suspect that it is more difficult for an adversary to subvert multiple disjoint entities who have set up an IT-PIR system / mixnet, than to gain sufficient computational advantage to subvert a C-PIR scheme.

Oh wow? I wouldn't have suspected that, unless you mean C-PIR remains outright intractable for acceptable security parameters. I noticed a flurry of C-PIR papers, but did not read them.
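The IT-PIR vs C-PIR trade-off argued in the last few comments, as an added illustration that is not part of the thread or of any of the participants' designs: a minimal two-server XOR-based IT-PIR over a constructed "mailbox" database. The client splits a unit vector for the wanted record into two random-looking shares, each server XORs together the records its share selects, and the client XORs the two answers back into the record. Each server on its own sees a uniformly random query and learns nothing, which is exactly why security rests on the two servers not colluding, and `colluding_servers_learn_index` shows that the moment they compare queries, the index falls out directly. Database contents, record size and the helper names are all assumptions made for this example.

```python
import secrets
from typing import List, Tuple

RECORD_LEN = 32  # bytes per mailbox record (assumed size, e.g. a 32-byte token)

def make_sample_db(n: int) -> List[bytes]:
    """Constructed sample database of n fixed-length mailbox records.

    Record i is the byte pattern i repeated, padded to RECORD_LEN, so that
    reconstruction results are easy to recognise in a test."""
    return [bytes([i % 256]) * RECORD_LEN for i in range(n)]

def pir_query(n: int, index: int) -> Tuple[List[int], List[int]]:
    """Client side: produce one query share per server for record `index`.

    q1 is a uniformly random bit-vector; q2 = q1 XOR e_index. Either share
    alone is uniform over {0,1}^n and independent of `index`."""
    if not 0 <= index < n:
        raise ValueError("index out of range")
    q1 = [secrets.randbits(1) for _ in range(n)]
    q2 = list(q1)
    q2[index] ^= 1
    return q1, q2

def pir_answer(db: List[bytes], query: List[int]) -> bytes:
    """Server side: XOR together every record whose query bit is set.

    The server touches the whole database (linear work), which is the usual
    IT-PIR cost; it never learns which record the client wanted."""
    if len(query) != len(db):
        raise ValueError("query length must match database size")
    acc = bytearray(RECORD_LEN)
    for rec, bit in zip(db, query):
        if bit:
            for j in range(RECORD_LEN):
                acc[j] ^= rec[j]
    return bytes(acc)

def pir_reconstruct(answer1: bytes, answer2: bytes) -> bytes:
    """Client side: XOR the two answers. Every record selected by both shares
    cancels out, leaving only the one selected by exactly one of them."""
    return bytes(a ^ b for a, b in zip(answer1, answer2))

def pir_fetch(db: List[bytes], index: int) -> bytes:
    """Run the full two-server exchange against two copies of `db`."""
    q1, q2 = pir_query(len(db), index)
    a1 = pir_answer(db, q1)   # server 1 sees only q1
    a2 = pir_answer(db, q2)   # server 2 sees only q2
    return pir_reconstruct(a1, a2)

def colluding_servers_learn_index(q1: List[int], q2: List[int]) -> int:
    """What two colluding servers can compute: q1 XOR q2 is the unit vector
    e_index, so the client's query is fully exposed."""
    diff = [a ^ b for a, b in zip(q1, q2)]
    return diff.index(1)

if __name__ == "__main__":
    db = make_sample_db(16)
    print(pir_fetch(db, 5) == db[5])
    q1, q2 = pir_query(16, 5)
    print(colluding_servers_learn_index(q1, q2))
```

The same structure generalises to k servers (split the unit vector into k random shares, privacy holds against any k-1 colluders), which is the "multiple disjoint entities" assumption in the comment above; a C-PIR scheme replaces that non-collusion assumption with a computational one on a single server.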