Cryptology ePrint Archive: Report 2020/559

Striking the Balance: Effective yet Privacy Friendly Contact Tracing

Giuseppe Garofalo and Tim Van hamme and Davy Preuveneers and Wouter Joosen and Aysajan Abidin and Mustafa A. Mustafa

Abstract: Successful contact tracing effectively facilitates the fight against pandemics of highly contagious diseases such as COVID-19. Existing efforts either rely on effective yet privacy-invasive surveillance infrastructure, or focus on privacy-preserving decentralised solutions which may limit their effectiveness. The former collects vast amounts of sensitive data, such as the identity, location and social interactions of every user, which allows function creep. The latter relies on users' willingness to share their risk scores with authorities, which limits the authorities' ability to quickly identify people at risk and to run analytics. We propose a practical solution that aims to strike a balance between functionality and privacy: one that does not collect sensitive information, such as location data, while at the same time allowing effective tracing and notification of the close contacts of infected users. To protect users' privacy, our solution uses local proximity tracing based on broadcasting and recording constantly changing anonymous public keys via short-range communication, for example Bluetooth. These public keys are used to establish a shared secret key between two people in close contact. These three keys (the two public keys and the shared secret) are then used to generate two unique per-user-per-contact hashes: one for infection registration and one for health status query. These hashes are never revealed to the public. To support functionality, risk score computation is performed centrally, which provides the health authorities with minimal, yet insightful and actionable data. Data minimization is achieved by the use of per-user-per-contact hashes and by enforcing role separation. In our design, the health authorities and the general practitioners (GPs) act as proxies, while the matching between hashes is outsourced to a third party, i.e., the matching service. This separation ensures that out-of-scope information, such as social interaction within the population, is hidden from the health authorities and, at the same time, the matching service does not learn sensitive information about the users. Our solution requires a degree of trust in the entities involved that is considerably lower than that of centralised alternatives.
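The abstract describes the mechanism only at a high level, so the following is an added illustration, not the paper's own construction or code. It assumes a finite-field Diffie-Hellman exchange over p = 2^255 - 19 with generator 2 as a toy stand-in for whatever key agreement the paper uses, and it assumes one concrete way of deriving the two per-contact hashes from the three keys: the registration hash is an HMAC (keyed by the shared secret) over the ordered pair (own key, peer key), and the query hash is the value the peer would register for the same contact, so that the matching service only needs an equality test. The names `Device`, `MatchingService`, `encounter` and `simulate`, and the constructed four-user scenario, are this example's own.

```python
"""Added example: per-user-per-contact hashes from ephemeral keys.
Not the paper's construction. Toy DH parameters and the hash derivation
are assumptions of this illustration."""
import hashlib
import hmac
import secrets

P = 2**255 - 19   # toy finite-field DH group: demonstration only, not a vetted choice
G = 2
KEY_BYTES = 32


def keygen():
    """Fresh anonymous key pair; a device regenerates these every epoch."""
    sk = secrets.randbelow(P - 2) + 2
    return sk, pow(G, sk, P)


def shared_secret(sk, peer_pk):
    """Classic DH: both sides of a contact reach the same 32-byte secret."""
    return pow(peer_pk, sk, P).to_bytes(KEY_BYTES, "big")


def contact_hashes(k, my_pk, peer_pk):
    """Derive (registration_hash, query_hash) from the three keys.

    Assumption of this example: registration binds the ordered pair
    (me, peer); the query hash is the registration hash the peer would
    produce for me, so a match is a plain equality at the matching service.
    A domain-separation prefix keeps this derivation distinct from any
    other use of the shared secret."""
    def h(first, second):
        msg = (b"contact-v1|"
               + first.to_bytes(KEY_BYTES, "big")
               + second.to_bytes(KEY_BYTES, "big"))
        return hmac.new(k, msg, hashlib.sha256).hexdigest()
    return h(my_pk, peer_pk), h(peer_pk, my_pk)


class Device:
    """A phone: rotates keys, records contacts as hashes, keeps no identities."""
    def __init__(self, name):
        self.name = name
        self.reg_hashes = []   # what this device would register if infected
        self.qry_hashes = []   # what this device would query with
        self.rotate()

    def rotate(self):
        self.sk, self.pk = keygen()

    def hear(self, peer_pk):
        """Process one received broadcast: derive the shared key and both hashes."""
        k = shared_secret(self.sk, peer_pk)
        reg, qry = contact_hashes(k, self.pk, peer_pk)
        self.reg_hashes.append(reg)
        self.qry_hashes.append(qry)


class MatchingService:
    """Third party that only ever sees hashes, forwarded by GP/authority proxies."""
    def __init__(self):
        self.registered = set()

    def register(self, hashes):
        self.registered.update(hashes)

    def risk_score(self, hashes):
        """Central risk computation, here simply the number of matched contacts."""
        return sum(1 for h in hashes if h in self.registered)


def encounter(a, b):
    """Both devices broadcast their current public key and record the other's."""
    a.hear(b.pk)
    b.hear(a.pk)


def simulate():
    """Constructed scenario: Alice meets Bob twice (across a key rotation) and
    Carol once; Dave meets nobody. Alice then tests positive."""
    alice, bob, carol, dave = (Device(n) for n in ("alice", "bob", "carol", "dave"))
    encounter(alice, bob)
    for d in (alice, bob, carol, dave):
        d.rotate()              # new epoch: fresh anonymous keys everywhere
    encounter(alice, carol)
    encounter(alice, bob)       # second meeting yields unrelated hashes

    svc = MatchingService()
    svc.register(alice.reg_hashes)   # GP forwards Alice's registration hashes only

    return {
        "bob": svc.risk_score(bob.qry_hashes),
        "carol": svc.risk_score(carol.qry_hashes),
        "dave": svc.risk_score(dave.qry_hashes),
        "alice_hashes_distinct": len(set(alice.reg_hashes)) == len(alice.reg_hashes),
    }


if __name__ == "__main__":
    print(simulate())
```

The point the scenario makes concrete: the matching service learns that some registered hash was matched by some queried hash, but neither value carries an identity, a location or a stable key, and the two meetings between Alice and Bob produce unrelated hashes because both devices rotated keys in between. The proxy role in the abstract corresponds to `MatchingService.register` being called on behalf of the infected user rather than by the user directly.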

Category / Keywords: applications / contact tracing, anonymity, secret sharing

Date: received 13 May 2020

Contact author: giuseppe garofalo at kuleuven be,tim vanhamme@kuleuven be,aysajan@kuleuven be,mustafa mustafa@manchester ac uk


Version: 20200515:095648

Short URL: ia.cr/2020/559
