SpreadMeNot: A Provably Secure and Privacy-Preserving Contact Tracing Protocol

TL;DR

SpreadMeNot is a new contact tracing protocol that offers provable security and privacy guarantees, addressing vulnerabilities in existing protocols and ensuring protection against various passive and active attacks.

Contribution

The paper introduces SpreadMeNot, a novel contact tracing protocol with formal security proofs and practical implementation, enhancing privacy and security in contact tracing applications.

Findings

SpreadMeNot defends against most passive and active attacks.

It satisfies security, privacy, and performance requirements.

It is suitable for widespread adoption and as an open-source reference.

Abstract

A plethora of contact tracing apps have been developed and deployed in several countries around the world in the battle against Covid-19. However, people are rightfully concerned about the security and privacy risks of such applications. To this end, the contribution of this work is twofold. First, we present an in-depth analysis of the security and privacy characteristics of the most prominent contact tracing protocols, under both passive and active adversaries. The results of our study indicate that all protocols are vulnerable to a variety of attacks, mainly due to the deterministic nature of the underlying cryptographic protocols. Our second contribution is the design and implementation of SpreadMeNot, a novel contact tracing protocol that can defend against most passive and active attacks, thus providing strong (provable) security and privacy guarantees that are necessary for such a sensitive application. Our detailed analysis, both formal and experimental, shows that SpreadMeNot satisfies security, privacy, and performance requirements, hence being an ideal candidate for building a contact tracing solution that can be adopted by the majority of the general public, as well as to serve as an open-source reference for further developments in the field.