Skip to content

tjesi/anonymous-tokens

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

13 Commits
documents
documents
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
computation.go
computation.go
 
 
main.go
main.go
 
 
token.go
token.go
 
 

Repository files navigation

anonymous-tokens

WARNING: THIS IS A PROOF OF CONCEPT AND SHOULD NOT BE USED IN PRACTICE

This is joint work by Tjerand Silde and Martin Strand. This work is implemented securely in C# in cooperation with Henrik Walker Moe. Check out the repository at github.com/HenrikWM/anonymous-tokens.

We present a simple protocol for anonymous tokens. The real world situation in mind is the Norwegian contact tracing app Smittestopp 2.0. We have three players in our protocol: Smittestopp Backend, Smittestopp App and Smittestopp Verification. More information about the setting can be found in the Fhi.Smittestopp.Documentation repository.

The situation is the following:

  • Smittestopp App (SA) initiate contact with Smittestopp Verification (SV) to report on a positive test.
  • The user authenticates himself, SV verifies that the user has tested positive, and issues a token to SA.
  • SA sends the token to Smittestopp Backend (SB) together with his diagnosis keys.
  • SB verifies the token, and conditionally accept the keys and sends them to all users in the system.

We give a brief analysis (in Norwegian) of the security of this protocol, and point out that a it is possible to correlate a user with his diagnosis keys, for example if SV and SB share their list of tokens. In our updated protocol we give a solution for randomised tokens that make it infeasible to make this connection, and hence, increase the privacy of the user. It goes as following:

  • SA samples a seed and sends a masked nonce computed from the seed to SV when initiating contact.
  • SV signs the masked nonce as a token, and proves that it used the correct signing key.
  • SA verifies the proof, and conditionally unmask the token before it sends it to SB together with the seed.
  • SB verifies that the randomised token was correctly computed with respect to the seed.

We note that the process of masking the seed make it impossible to correlate the token with the randomised token. See our attachment (in Norwegian) for the cryptographic details. Our solution is based on a Oblivious Pseudo-random Function (OPRF), and the protocol is inspired by Privacy Pass. See also the Privacy Pass paper and code.

Everything is implemented in Go, and we refer to the crypto/elliptic package for more details about the cryptography used in our code.

About

No description or website provided.

Topics

go tokens

Resources

Readme

License

MIT license
Activity

Stars

12 stars

Watchers

2 watching

Forks

2 forks
Report repository

Languages