hamagen-react-native icon indicating copy to clipboard operation
hamagen-react-native copied to clipboard

Published 20 hours ago verified publisher icon MohGovIL

The Case for Bluetooth (Suggestion)

Open xvaX8Vn opened this issue 4 years ago • 5 comments

Relying on locations published by authorities is problematic for two reasons. First it's vulnerable to human errors and malicious behavior (publishing wrong info) and second, it takes time. Besides, tracking people's locations indoors can be inaccurate.

To tackle these issues I suggest generating a public/private key pair {pub, pvt} at installation time. Now, assuming Bob went close enough to Carol for a Bluetooth connection to be established, then they both send their corresponding {id=H(pubme), proof=signme(H(pubother))} where H is a cryptographic hash function and they both add a new entry to their (truncated) list of "touched" users as {id, proof, time, location}. If a user appears twice we can override the last entry, keeping only the last appearance.

If Bob has been tested positive, he gives his public key and proves to Arthur (the authority) that he has the corresponded private key. Arthur then publishes {H(pubb), signa(H(pubb))} using his public key. When Carol receives it she can verify the message is from Arthur and if H(pubb) appears in her truncated list she gets a notification with the corresponding time and location. She can then use proofb as an evidence for being near Bob. (It is not a proof, although it otherwise requires cooperation.)

This way Arthur cannot push false information, no one can pretend to be someone else, it is much faster and it does not require Arthur to know anything about other users except for their public key. If a user agree to share his/her "touched" list with Arthur, it can be used to warn second generation. Users can upload their keys after installation so if they are tested positive, we know their public key is not fresh and therefore useless

Actually I had a much simpler idea, using only hash functions and random numbers, it is inspired by what they did in Singapore: https://www.tracetogether.gov.sg

In any case, location tracking would still be beneficial since some devices do not support it. We need both.

xvaX8Vn avatar Mar 29 '20 06:03 xvaX8Vn

Sounds like a good idea. Hopefully the source code of TraceTogether will be published soon. https://www.theregister.co.uk/2020/03/26/singapore_tracetogether_coronavirus_encounter_tracing_app_lessons/

benfei avatar Mar 29 '20 16:03 benfei

Check out this (admittedly Android only) API for the broadcast and sharing of the keys in a peer to peer fashion https://developers.google.com/nearby/connections/overview

barakplasma avatar Apr 03 '20 22:04 barakplasma

There is an open source implementation for similar feature: https://github.com/tripleblindmarket/covid-safe-paths/pull/279

benfei avatar Apr 06 '20 21:04 benfei

see https://github.com/DP-3T/documents/issues/66 and for context: DP3T-White-Paper and dp3t-app-android as well as https://github.com/DP-3T/documents/issues/222 and Google/Apple-Cryptography-Specification

tbd7hhyw avatar Apr 23 '20 03:04 tbd7hhyw

Also see #213

kaplanlior avatar May 14 '20 17:05 kaplanlior