[Cryptography] Apple releasing a crypto spec COVID-19 tracking

Phillip Hallam-Baker phill at hallambaker.com
Sat Apr 11 15:38:32 EDT 2020

On Fri, Apr 10, 2020 at 8:35 PM Tom Mitchell <mitch at niftyegg.com> wrote:

> Apple releasing a crypto spec COVID-19 Tracking.
> Apple link to pdf.
> https://covid19-static.cdn-apple.com/applications/covid19/current/static/contact-tracing/pdf/ContactTracing-CryptographySpecification.pdf

I have been looking at this proposal and it looks to me like we are only
seeing half of it. So I am having to infer quite a bit.

So the basic math seems to be that the device generates a master key from
which a series of daily keys are generated using the number of the day as a
salt. These are then broadcast via Bluetooth. If the user is found to have been
infected, the subset of the daily keys is called the 'diagnosis keys'. This
is then communicated to some form of publication service.

What is not immediately clear is how secret the master key is. The spec
implies that this is fixed for a given device for reasons I am not
completely clear on. It is not clear that the device manufacturer can't
reconstruct the master key.

The other part that is less than clear is what is then done with the data
in the case someone is identified as having the disease. One possibility is
that everyone downloads the entire database each day and sees if they have
been infected. Another is use of some form of homomorphic scheme to allow
Alice to determine if her daily key is among the ones possibly contaminated
or not without disclosing that information to anyone else. This bit of the
description seems a bit sketchy...

So the intent seems to be to construct a scheme that allows

1) Alice to determine if she was in proximity to other people who were
2) Allows the authorities to determine how many other people Carol with
Covid was in proximity with but not who they are.

The scheme seems to be relatively robust in isolation. If this is all the
information I was giving out I don't think it would represent a huge
privacy concern given my current travel pattern. The identifiers are only
linkable across a day and I go to about one shop a week if that.

Where the scheme probably fails is when this data is mixed in to all the
other linkable identifiers my devices are constantly spewing. There are the
pressure sensing caps on the tires of the car for a start. And the phone is
spewing identifiers and the MAC address on the WiFi and the Bluetooth.
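
A sketch of the derive, publish and match-locally flow discussed in the message above, taking the "everyone downloads the entire database" option. This is an added example, not code from the post or from Apple's spec: the HKDF/HMAC construction, the labels `DAILY` and `PROX`, the 16-byte lengths, the 144 intervals per day and the per-interval identifier step are assumptions of the sketch, and all keys are constructed.

```python
import hashlib
import hmac
import struct

INTERVALS_PER_DAY = 144  # assumption: one broadcast identifier per 10 minutes

def hkdf_sha256(ikm: bytes, info: bytes, length: int, salt: bytes = b"") -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract a PRK, then expand it."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def daily_key(master_key: bytes, day: int) -> bytes:
    # One-way derivation: a published daily key does not reveal the master
    # key or any other day's key. Label and length are assumptions.
    return hkdf_sha256(master_key, b"DAILY" + struct.pack("<I", day), 16)

def proximity_id(dkey: bytes, interval: int) -> bytes:
    # Short-lived broadcast value derived from the daily key (assumed step).
    return hmac.new(dkey, b"PROX" + bytes([interval]), hashlib.sha256).digest()[:16]

def find_exposures(observed: set, diagnosis_keys: list) -> list:
    """Local matching: re-derive every identifier from each published
    (day, daily key) pair and intersect with what this device heard.
    Nothing about the observer leaves the device."""
    hits = []
    for day, dkey in diagnosis_keys:
        for interval in range(INTERVALS_PER_DAY):
            if proximity_id(dkey, interval) in observed:
                hits.append((day, interval))
    return hits

def demo() -> list:
    carol_master = bytes(range(32))          # constructed key
    bystander_master = bytes(range(32, 64))  # constructed key
    # Alice's device heard Carol on day 18363 and a bystander on day 18364.
    observed = {
        proximity_id(daily_key(carol_master, 18363), 50),
        proximity_id(daily_key(bystander_master, 18364), 7),
    }
    # Carol is diagnosed; only her keys for the affected days are published.
    published = [(d, daily_key(carol_master, d)) for d in (18363, 18364)]
    return find_exposures(observed, published)

if __name__ == "__main__":
    print(demo())
```
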