DESIRE: A Third Way for a European Exposure Notification System Leveraging the best of centralized and decentralized systems
Claude Castelluccia, Nataliia Bielova, Antoine Boutet, Mathieu Cunche, Cédric Lauradoux, Daniel Le Métayer, Vincent Roca

TL;DR
DESIRE advances European exposure notification by decentralizing operations, enhancing privacy with cryptographically generated encounter tokens, and minimizing server-stored data, while maintaining effective risk management.
Contribution
It introduces Private Encounter Tokens and decentralizes encounter data generation, significantly improving privacy over previous protocols while retaining robust risk assessment capabilities.
Findings
Enhanced privacy through cryptographic encounter tokens
Reduced server-stored data minimizes breach risks
Maintains effective risk scoring and notifications
Abstract
This document presents an evolution of the ROBERT protocol that decentralizes most of its operations onto the mobile devices. DESIRE is based on the same architecture as ROBERT but implements major privacy improvements. In particular, it introduces the concept of Private Encounter Tokens (PETs), which are secret and cryptographically generated, to encode encounters. In the DESIRE protocol, the temporary identifiers that are broadcast over the Bluetooth interface are generated by the mobile devices, giving users more control over which ones to disclose. The role of the server is merely to match the PETs generated by diagnosed users with the PETs provided by requesting users. It stores minimal pseudonymous data. Finally, all data stored on the server are encrypted using keys that are kept on the mobile devices, protecting against a data breach on the server. All these modifications…
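The abstract describes the DESIRE architecture only at a high level: devices generate their own temporary identifiers, each encounter yields a secret Private Encounter Token, and the server's only job is to match the tokens uploaded by diagnosed users against the tokens sent by requesting users. The following is an added illustration of that matching model, not code from the paper or from any DESIRE implementation. It assumes that a PET is derived from a Diffie-Hellman style shared secret between the two devices' temporary identifiers (so that a passive listener who records both broadcast identifiers still cannot compute the token), uses a deliberately tiny toy group so it runs on the Python standard library alone, and ignores identifier rotation, the encryption of server-side records, and risk scoring; the `Device`, `Server`, `derive_pet` and `eavesdropper_guess` names are the example's own.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group (assumption, for illustration only): p = 2**127 - 1 is
# prime but far too small for real use. A deployment would use an elliptic-curve
# group; the point here is the protocol flow, not the parameters.
P = 2**127 - 1
G = 2


def derive_pet(shared_secret: int, id_a: int, id_b: int) -> str:
    """Private Encounter Token: bound to the shared secret and the two temporary IDs.

    The IDs are sorted so both parties derive the same token regardless of who
    observed whom first.
    """
    lo, hi = sorted((id_a, id_b))
    material = (
        shared_secret.to_bytes(16, "big")
        + lo.to_bytes(16, "big")
        + hi.to_bytes(16, "big")
    )
    return hashlib.sha256(b"DESIRE-PET|" + material).hexdigest()


class Device:
    """A phone: generates its own temporary identifier and derives PETs locally."""

    def __init__(self, name: str):
        self.name = name
        # Private value never leaves the device; the public value is what is broadcast.
        self.priv = secrets.randbelow(P - 2) + 1
        self.temp_id = pow(G, self.priv, P)  # temporary identifier sent over Bluetooth
        self.pets: list[str] = []  # one secret token per encounter, kept on the device

    def observe(self, peer_temp_id: int) -> str:
        """Called when a peer's temporary identifier is received."""
        shared = pow(peer_temp_id, self.priv, P)  # DH shared secret for this encounter
        pet = derive_pet(shared, self.temp_id, peer_temp_id)
        self.pets.append(pet)
        return pet


def encounter(a: Device, b: Device) -> str:
    """Both devices hear each other's broadcast and independently derive the same PET."""
    pet_a = a.observe(b.temp_id)
    pet_b = b.observe(a.temp_id)
    assert pet_a == pet_b, "both sides of an encounter must agree on the token"
    return pet_a


class Server:
    """Holds only opaque tokens of diagnosed users: no identities, no contact graph."""

    def __init__(self):
        self.diagnosed_pets: set[str] = set()

    def upload_diagnosed(self, pets: list[str]) -> None:
        self.diagnosed_pets.update(pets)

    def exposure_check(self, pets: list[str]) -> int:
        """Number of a requesting user's encounters that match a diagnosed user's tokens."""
        return sum(1 for pet in pets if pet in self.diagnosed_pets)


def eavesdropper_guess(id_a: int, id_b: int) -> str:
    """Best effort of a passive listener who captured both broadcast identifiers.

    Without either private value there is no shared secret, so hashing the two
    identifiers alone does not reproduce the PET.
    """
    lo, hi = sorted((id_a, id_b))
    return hashlib.sha256(
        b"DESIRE-PET|" + lo.to_bytes(16, "big") + hi.to_bytes(16, "big")
    ).hexdigest()


def demo() -> dict:
    """Constructed scenario: alice-bob and bob-carol meet; bob is later diagnosed."""
    alice, bob, carol, dave = (Device(n) for n in ("alice", "bob", "carol", "dave"))
    server = Server()
    pet_ab = encounter(alice, bob)
    encounter(bob, carol)
    server.upload_diagnosed(bob.pets)  # diagnosed user uploads only opaque tokens
    return {
        "alice": server.exposure_check(alice.pets),  # met bob -> 1
        "carol": server.exposure_check(carol.pets),  # met bob -> 1
        "dave": server.exposure_check(dave.pets),    # met nobody -> 0
        "eavesdropper_recovers_pet": eavesdropper_guess(alice.temp_id, bob.temp_id) == pet_ab,
    }


if __name__ == "__main__":
    print(demo())
```

What the server ends up holding is the part worth noticing: a set of hashes that it cannot turn back into identifiers, encounters, or people, and the matching step is a set lookup performed on the requesting user's own locally derived tokens.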
Taxonomy
Topics: Privacy-Preserving Technologies in Data · Privacy, Security, and Data Protection · User Authentication and Security Systems
