This document provides the technical specification for CrowdNotifier. Its goal is to help implementers build a presence tracing system based on CrowdNotifier or one of its variants. It repeats some of the concepts presented in the CrowdNotifier White Paper [LGV+] but should be read as a companion to the White Paper rather than as a replacement for it.
This document describes in technical detail three variants of CrowdNotifier:
The basic CrowdNotifier scheme is the same scheme as described in the CrowdNotifier White Paper [LGV+]. This version provides strong abuse resistance by requiring the cooperation of both the Location Owner and the Health Authority to trigger tracing. Records stored on the phone are private: they can be decrypted only if both of these parties trigger tracing for the location.
A managed version of CrowdNotifier that enables an organization to manage many locations (for example, meeting rooms) at the same time without the overhead of storing different tracing QR codes for each of them. This scheme has the same properties as the basic CrowdNotifier scheme.
A server-based version of CrowdNotifier that does not require the cooperation of the Location Owner to trigger notifications and instead sends notifications based on records uploaded by index cases. As a result, abuse resistance is weaker: the Health Authority can trigger notifications for a location on its own. However, this version is fully compatible with the basic CrowdNotifier scheme, so clients that want it can still enjoy the full privacy protection of the records stored on the phone.
None of these schemes reveal which locations are notified to adversaries that did not visit those locations (and did not collude with somebody who did). We refer to the academic paper for a thorough analysis of the requirements and for the security proofs [LGV+21].
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.