
The most famous proposed COVID-19 application is DP3T. In this app a user constantly broadcasts EphIDs generated from a secret key as follows:

$$\mathrm{EphID}_1 \,\|\, \dots \,\|\, \mathrm{EphID}_n = \mathrm{PRG}\big(\mathrm{PRF}(SK_t, \text{“broadcast key”})\big)$$

where PRF is a pseudo-random function (e.g., HMAC-SHA256), “broadcast key” is a fixed and public string, and PRG is a stream cipher (e.g. AES in counter mode) producing $16 \cdot n$ bytes, which we split into 16-byte chunks to obtain the $n$ ephemeral Bluetooth identifiers EphID of the day.

The secret key consists of 32 randomly generated bytes and changes every day as follows: $SK_t = H(SK_{t-1})$

As I understand, $PRF(SK_t , “broadcast key”)$ is used as keystream to AES in counter mode. But what is the purpose of this? Why isn't the secret key $SK_t$ used as keystream?
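The derivation described in the question, written out as an added example (this is not DP3T's own code, and nothing here comes from the project). It instantiates $H$ as SHA-256, $\mathrm{PRF}$ as HMAC-SHA256 keyed with $SK_t$, and $\mathrm{PRG}$ as AES-256 in counter mode keyed with the 32-byte PRF output; the all-zero starting counter, the function names, and the fixed 32-byte $SK_0$ are assumptions made for reproducibility. It also goes one step beyond the question's text and shows the receiving side: anyone who holds a reported $SK_t$ can walk the hash chain forward and regenerate every EphID from that day on, which is what makes the daily rotation matter.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

const (
	ephIDLen     = 16              // one Bluetooth EphID is 16 bytes
	broadcastKey = "broadcast key" // the fixed, public PRF input from the question
)

// nextSK implements SK_t = H(SK_{t-1}) with H = SHA-256 (32-byte output).
func nextSK(prev []byte) []byte {
	h := sha256.Sum256(prev)
	return h[:]
}

// broadcastSeed is PRF(SK_t, "broadcast key") with PRF = HMAC-SHA256.
// Its 32-byte output is what keys the PRG; SK_t itself never touches AES.
func broadcastSeed(sk []byte) []byte {
	mac := hmac.New(sha256.New, sk)
	mac.Write([]byte(broadcastKey))
	return mac.Sum(nil)
}

// ephIDs computes EphID_1 || ... || EphID_n = PRG(PRF(SK_t, "broadcast key")),
// with PRG = AES-256-CTR producing 16*n keystream bytes split into 16-byte chunks.
// Assumption: the counter starts at an all-zero block (the question does not say).
func ephIDs(sk []byte, n int) [][]byte {
	block, err := aes.NewCipher(broadcastSeed(sk))
	if err != nil {
		panic(err) // cannot happen: the seed is always 32 bytes
	}
	stream := cipher.NewCTR(block, make([]byte, aes.BlockSize))
	buf := make([]byte, ephIDLen*n)
	stream.XORKeyStream(buf, buf) // XOR of zeros yields the raw keystream
	ids := make([][]byte, n)
	for i := range ids {
		ids[i] = buf[i*ephIDLen : (i+1)*ephIDLen]
	}
	return ids
}

// findExposure is the receiver-side check (hypothetical helper): given a reported
// SK for day 0 of the report and the number of days it covers, regenerate every
// EphID the reporter broadcast and look for one the receiver observed.
func findExposure(reportedSK []byte, days, perDay int, observed []byte) (day, index int, found bool) {
	sk := reportedSK
	for d := 0; d < days; d++ {
		for i, id := range ephIDs(sk, perDay) {
			if hmac.Equal(id, observed) { // constant-time comparison
				return d, i, true
			}
		}
		sk = nextSK(sk) // advance the chain: SK_{t+1} = H(SK_t)
	}
	return -1, -1, false
}

func main() {
	// Constructed sample: a fixed 32-byte SK_0 instead of 32 random bytes, so output is reproducible.
	sk0 := bytes.Repeat([]byte{0x01}, 32)
	for i, id := range ephIDs(sk0, 4) {
		fmt.Printf("day 0 EphID_%d = %s\n", i+1, hex.EncodeToString(id))
	}
	// Pretend EphID_42 of day 2 was received over Bluetooth, then match it against a report of SK_0.
	sk2 := nextSK(nextSK(sk0))
	seen := ephIDs(sk2, 96)[41]
	d, i, ok := findExposure(sk0, 14, 96, seen)
	fmt.Println("exposure found:", ok, "day:", d, "index:", i)
}
```

With 15-minute rotation a day holds 96 EphIDs, hence `perDay = 96` in the sample. Note that `broadcastSeed` is the only place $SK_t$ is used as a key; the AES key is the PRF output, so changing the label string (or adding a second label for a second purpose) yields an unrelated AES key from the same $SK_t$.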

Maarten Bodewes
Ruben_G
  • That is simple, right? To arrive at different keys for different broadcast keys? – kelalaka May 12 '20 at 18:20
  • @kelalaka I do not understand what you mean. The string "broadcastkey" is the same for every user and is not changed, it further has no purpose I think. If you use the secret key, SK_t, or you use a hmac/hash of that SK_t, what is the difference? – Ruben_G May 12 '20 at 18:42
  • It might be the same today, but it might be different in the future, See Multiple AES Key Derivation from a master key. They may ask, hey, tomorrow we will change the broadcaster? – kelalaka May 12 '20 at 18:44
  • $SK_t$ is probably also used elsewhere? It is good cryptographic practice to derive a distinct key for each use-case to avoid unexpected interactions. – SEJPM May 13 '20 at 10:26
  • @SEJPM I understand what you mean. Thx for that explanation. But no, $SK_t$ is not used anywhere else. – Ruben_G May 13 '20 at 11:34

0 Answers