Abstract
Automated contact tracing aims at supporting manual contact tracing during pandemics by alerting users of encounters with infected people. There are currently many proposals for protocols (like the “decentralized” DP-3T and PACT or the “centralized” ROBERT and DESIRE) to be run on mobile phones, where the basic idea is to regularly broadcast (using low energy Bluetooth) some values, and at the same time store (a function of) incoming messages broadcast by users in their proximity. In the existing proposals one can trigger false positives on a massive scale by an “inverse-Sybil” attack, where a large number of devices (malicious users or hacked phones) pretend to be the same user, such that later, just a single person needs to be diagnosed (and allowed to upload) to trigger an alert for all users who were in proximity to any of this large group of devices.
We propose the first protocols that do not succumb to such attacks, assuming the devices involved in the attack do not constantly communicate, which we observe is a necessary assumption. The high-level idea of the protocols is to derive the values to be broadcast by a hash chain, so that two (or more) devices that want to launch an inverse-Sybil attack will not be able to connect their respective chains and thus only one of them will be able to upload. Our protocols also achieve security against replay, belated replay, and one of them even against relay attacks.
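A simplified sketch of the hash-chain idea described above, added here as an illustration and not the paper's actual protocol: the hash construction, the function names and the sample messages are all assumptions. It shows two devices cloned from one seed whose chains diverge as soon as they hear different neighbours, so a single upload covers only one of them.

```python
import hashlib

def H(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts (prefixing avoids ambiguous concatenation)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def broadcast_value(head: bytes) -> bytes:
    return H(b"bcast", head)

def advance(head: bytes, received: list) -> bytes:
    """Fold the messages heard in one epoch into the chain head."""
    return H(b"step", head, *sorted(received))

def run_device(seed: bytes, epochs: list):
    """Simulate a device; return (values it broadcast, transcript it could upload)."""
    head, sent, transcript = seed, [], []
    for received in epochs:
        sent.append(broadcast_value(head))
        if received:  # the chain only progresses in epochs with an encounter
            transcript.append(sorted(received))
            head = advance(head, received)
    return sent, transcript

def server_flagged(seed: bytes, transcript: list) -> set:
    """Recompute the single chain an upload describes and the values it covers."""
    head = seed
    flagged = {broadcast_value(head)}
    for received in transcript:
        head = advance(head, received)
        flagged.add(broadcast_value(head))
    return flagged

def covered(sent: list, flagged: set) -> int:
    return sum(1 for v in sent if v in flagged)

# Constructed sample: two devices cloned from one seed hear different neighbours.
SEED = H(b"constructed-demo-seed")
sent_a, transcript_a = run_device(SEED, [[b"x1"], [], [b"x2"]])
sent_b, transcript_b = run_device(SEED, [[b"y1"], [b"y2"], []])

flagged = server_flagged(SEED, transcript_a)  # only device A's chain is uploaded
if __name__ == "__main__":
    print("A broadcasts covered:", covered(sent_a, flagged), "of", len(sent_a))
    print("B broadcasts covered:", covered(sent_b, flagged), "of", len(sent_b))
```

Before their first encounter both clones still broadcast the same value, which is why one of device B's broadcasts remains covered in this toy model.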
Guillermo Pascual-Perez and Michelle Yeo were funded by the European Union’s Horizon 2020 research and innovation programme under the Marie Skłodowska–Curie Grant Agreement No. 665385; the remaining contributors to this project have received funding from the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (682815 - TOCNeT).
Notes
- 3. This oversimplifies things; in reality a risk score is computed based on the number, duration, signal strength, etc. of the encounters, which then may or may not raise an alert. How the risk is computed is of course crucial, but not important for this work.
- 4. In DESIRE it’s called a “private encounter token” (PET), and is uploaded to the server for a risk assessment (so it’s a more centralized scheme), while in Pronto-C2 only diagnosed users upload the tokens, which are then downloaded by all other devices to make the assessment on their phones (so a more decentralized scheme).
- 5. And some precautions we didn’t explicitly mention, like the necessity to permute the \(L^\mathrm{ser}\) list and let the devices store the \(L^\mathrm{eval}\) list in a history-independent data structure.
- 6. The reason for only progressing if there was an encounter is that this way the chain is shorter (thus there’s less to upload and download), the chain reveals less information (i.e., even the server can’t tell where the empty epochs were) and tracing using passive recording devices becomes more difficult.
References
Covid Watch (2020). https://www.covidwatch.org/
Pact: Private automated contact tracing (2020). https://pact.mit.edu/
PEPP-PT: Pan-European privacy-preserving proximity tracing (2020). https://github.com/pepp-pt
Privacy-preserving contact tracing (2020). https://www.apple.com/covid19/contacttracing
ROBERT: Robust and privacy-preserving proximity tracing (2020). https://github.com/ROBERT-proximity-tracing
Auerbach, B., et al.: Inverse-sybil attacks in automated contact tracing. Cryptology ePrint Archive, Report 2020/670 (2020). https://eprint.iacr.org/2020/670
Avitabile, G., Botta, V., Iovino, V., Visconti, I.: Towards defeating mass surveillance and SARS-CoV-2: The Pronto-C2 fully decentralized automatic contact tracing system. Cryptology ePrint Archive, Report 2020/493 (2020). https://eprint.iacr.org/2020/493
Canetti, R., et al.: Privacy-preserving automated exposure notification. Cryptology ePrint Archive, Report 2020/863 (2020). https://eprint.iacr.org/2020/863
Canetti, R., Trachtenberg, A., Varia, M.: Anonymous collocation discovery: taming the coronavirus while preserving privacy. CoRR ArXiv:abs/2003.13670 (2020). https://arxiv.org/abs/2003.13670
Castelluccia, C., et al.: DESIRE: a third way for a European exposure notification system leveraging the best of centralized and decentralized systems. CoRR ArXiv:abs/2008.01621 (2020). https://arxiv.org/abs/2008.01621
Chan, J., et al.: PACT: privacy sensitive protocols and mechanisms for mobile contact tracing. CoRR ArXiv:abs/2004.03544 (2020). https://arxiv.org/abs/2004.03544
Danz, N., Derwisch, O., Lehmann, A., Puenter, W., Stolle, M., Ziemann, J.: Security and privacy of decentralized cryptographic contact tracing. Cryptology ePrint Archive, Report 2020/1309 (2020). https://eprint.iacr.org/2020/1309
Gvili, Y.: Security analysis of the COVID-19 contact tracing specifications by Apple Inc. and Google Inc. Cryptology ePrint Archive, Report 2020/428 (2020). https://eprint.iacr.org/2020/428
Iovino, V., Vaudenay, S., Vuagnoux, M.: On the effectiveness of time travel to inject COVID-19 alerts. Cryptology ePrint Archive, Report 2020/1393 (2020). https://eprint.iacr.org/2020/1393
Pietrzak, K.: Delayed authentication: preventing replay and relay attacks in private contact tracing. In: Bhargavan, K., Oswald, E., Prabhakaran, M. (eds.) INDOCRYPT 2020. LNCS, vol. 12578, pp. 3–15. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-65277-7_1
Troncoso, C., et al.: DP3T: decentralized privacy-preserving proximity tracing (2020). https://github.com/DP-3T
Vaudenay, S.: Analysis of DP3T. Cryptology ePrint Archive, Report 2020/399 (2020). https://eprint.iacr.org/2020/399
Vaudenay, S.: Centralized or decentralized? the contact tracing dilemma. Cryptology ePrint Archive, Report 2020/531 (2020). https://eprint.iacr.org/2020/531
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Auerbach, B. et al. (2021). Inverse-Sybil Attacks in Automated Contact Tracing. In: Paterson, K.G. (eds) Topics in Cryptology – CT-RSA 2021. CT-RSA 2021. Lecture Notes in Computer Science, vol 12704. Springer, Cham. https://doi.org/10.1007/978-3-030-75539-3_17
DOI: https://doi.org/10.1007/978-3-030-75539-3_17
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-75538-6
Online ISBN: 978-3-030-75539-3
eBook Packages: Computer Science, Computer Science (R0)