TCNCoalition / TCN

Specification and reference implementation of the TCN Protocol for decentralized, privacy-preserving contact tracing.
MIT License

When consuming the TCNs, utilize k-anonymity #59

Open michaelsmoody opened 4 years ago

michaelsmoody commented 4 years ago

While not specific to the implementation of the TCN, in looking at a system to determine contacts that may be utilized by hospitals, it seems it would be ideal to leverage the property of k-anonymity.

An example of this being used in the real world is the Pwned Passwords v2 check. In collaboration with Cloudflare, they devised a system to check whether hashes of passwords have been compromised, allowing you to type in your password but not send the full hash to the server. In a similar way, an extra layer of privacy and security could be added to any contact tracing system, which would minimize information disclosure to those that are using an app or other client to check cross-contact.

For more information on the specifics of the Pwned Passwords implementation, please see here:

https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/
https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/

Are there recommendations for anyone who might hope to implement these proposals according to best-practices?

Thanks in advance, Michael S. Moody
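The Pwned Passwords range query described above, carried over to TCN values, as an added example (not part of this issue or of the TCN reference implementation). It assumes the server has already expanded reports into the TCNs they cover, uses SHA-256 instead of SHA-1, and uses a 2-hex-character prefix over constructed sample TCNs so that each bucket holds several entries; `ReportServer`, `find_exposures` and `constructed_tcn` are names chosen here.

```python
import hashlib
from collections import defaultdict

# Pwned Passwords sends the first 5 hex chars of SHA-1 (20 bits). A demo set this
# small would give one TCN per 20-bit bucket, so the prefix length is a parameter.
def tcn_hash(tcn: bytes) -> str:
    return hashlib.sha256(tcn).hexdigest()

class ReportServer:
    """Server side. Assumption: reports were already expanded into the TCNs they
    cover, so the server can index TCN hashes by prefix."""
    def __init__(self, tcns, prefix_len):
        self.prefix_len = prefix_len
        self.buckets = defaultdict(set)
        for t in tcns:
            h = tcn_hash(t)
            self.buckets[h[:prefix_len]].add(h[prefix_len:])

    def range_query(self, prefix: str):
        """All the server learns per query: a prefix shared by a whole bucket."""
        if len(prefix) != self.prefix_len or any(c not in "0123456789abcdef" for c in prefix):
            raise ValueError("bad prefix")
        return sorted(self.buckets.get(prefix, ()))

def find_exposures(server, observed):
    """Client side: hash each TCN seen over BLE, send only the prefix, match locally."""
    exposed = []
    for t in observed:
        h = tcn_hash(t)
        if h[server.prefix_len:] in server.range_query(h[:server.prefix_len]):
            exposed.append(t)
    return exposed

def constructed_tcn(i: int) -> bytes:
    # Constructed sample values, not real TCNs: 16 bytes derived from a counter.
    return hashlib.sha256(b"sample-tcn-%d" % i).digest()[:16]

REPORTED = [constructed_tcn(i) for i in range(1024)]
SERVER = ReportServer(REPORTED, prefix_len=2)  # 8-bit prefix -> about 4 TCNs per bucket

if __name__ == "__main__":
    seen = [constructed_tcn(7), constructed_tcn(5000)]  # one reported, one not
    print("exposed:", [t.hex() for t in find_exposures(SERVER, seen)])
    p = tcn_hash(seen[0])[:2]
    print("anonymity set for prefix", p, "=", len(SERVER.range_query(p)))
```

Shrinking the prefix enlarges the bucket the client hides in but also the download per query, which is the trade-off the Cloudflare post works through.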

elliemdaw commented 4 years ago

With the TCN protocol as it stands today, typical k-anonymity with hash prefixes could be difficult because the server only keeps the reports and the users won't know which report they want to check. But with some form of sharding I think similar goals can be achieved... issue #16 has some discussion on geo-based sharding.