ROBERT-specification-EN-v1_1-from-v1_0.diff.html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- Generated by rfcdiff 1.46: rfcdiff -->
<!-- <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional" > -->
<!-- System: Darwin mbp-de-vincent.home 18.7.0 Darwin Kernel Version 18.7.0: Tue Aug 20 16:57:14 PDT 2019; root:xnu-4903.271.2~2/RELEASE_X86_64 x86_64 -->
<!-- Using awk: /usr/local/bin/gawk: GNU Awk 4.1.4, API: 1.1 -->
<!-- Using diff: /usr/bin/diff: diff (GNU diffutils) 2.8.1 -->
<!-- Using wdiff: /usr/local/bin/wdiff: wdiff (GNU wdiff) 1.2.2 -->
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta http-equiv="Content-Style-Type" content="text/css" />
<title>Diff: ROBERT-specification-EN-v1_0.txt - ROBERT-specification-EN-v1_1.txt</title>
<style type="text/css">
/* Stylesheet emitted by rfcdiff for the side-by-side table below:
   the old file (v1_0) is shown in the left column, the new file (v1_1) in the right one. */
body { margin: 0.4ex; margin-right: auto; }
tr { }
/* Every cell is preformatted monospace text, so the spacing of the source text is kept. */
td { white-space: pre; font-family: monospace; vertical-align: top; font-size: 0.86em;}
th { font-size: 0.86em; }
.small { font-size: 0.6em; font-style: italic; font-family: Verdana, Helvetica, sans-serif; }
/* Unchanged lines: "left" is the old-file column, "right" the new-file column. */
.left { background-color: #EEE; }
.right { background-color: #FFF; }
.diff { background-color: #CCF; }
/* Lines that belong to a changed block, per column. */
.lblock { background-color: #BFB; }
.rblock { background-color: #FF8; }
/* Word-level spans inside a changed block: text added on the right, text removed on the left. */
.insert { background-color: #8FF; }
.delete { background-color: #ACF; }
.void { background-color: #FFB; }
.cont { background-color: #EEE; }
.linebr { background-color: #AAA; }
/* Line-number gutter cells at the outer edges of each table row. */
.lineno { color: red; background-color: #FFF; font-size: 0.7em; text-align: right; padding: 0 2px; }
.elipsis{ background-color: #AAA; }
.left .cont { background-color: #DDD; }
.right .cont { background-color: #EEE; }
.lblock .cont { background-color: #9D9; }
.rblock .cont { background-color: #DD6; }
.insert .cont { background-color: #0DD; }
.delete .cont { background-color: #8AD; }
.stats, .stats td, .stats th { background-color: #EEE; padding: 2px 0; }
/* The pilcrow span inside the "skipping to change at" anchors stays hidden until the
   link is hovered; tr.change styles those separator rows. */
span.hide { display: none; color: #aaa;} a:hover span { display: inline; } tr.change { background-color: gray; }
tr.change a { text-decoration: none; color: black }
</style>
<script type="text/javascript">
// Navigation state for the N/P keyboard shortcuts: the index of the
// currently selected diff chunk, and the table row that currently carries
// the red outline (null until the first jump).
var chunk_index = 0, old_chunk = null;
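// Builds the element id of a diff chunk: "diff" followed by the index
// zero-padded to at least four digits, matching the row ids in the table
// (1 -> "diff0001", 42 -> "diff0042"). Longer indices are never truncated
// (12345 -> "diff12345").
// index: integer chunk number.
function format_chunk(index) {
  var prefix = "diff";
  var str = index.toString();
  // Declared with 'var' so the counter stays local; the original assigned
  // an undeclared 'x', which leaked it as an implicit global.
  for (var x = 0; x < (4 - str.length); ++x) {
    prefix += '0';
  }
  return prefix + str;
}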
// Returns the first <tr> whose id ends with the suffix n (chunk ids look
// like "diff0001", see format_chunk), or null when no such row exists.
// n is interpolated into the CSS selector verbatim, without escaping, so
// callers should pass only a plain id suffix such as the output of format_chunk.
function find_chunk(n) {
  var attr_match = 'id$="' + n + '"';
  return document.querySelector('tr[' + attr_match + ']');
}
// Moves the chunk cursor by `offset` (positive = forward, negative = back):
// outlines the target row in red, clears the outline of the previously
// selected row, replaces the location hash with the row's id and then
// scrolls the window up by 100 pixels. When no row exists for the target
// index nothing is changed, so chunk_index keeps its current value.
function change_chunk(offset) {
  var target_index = chunk_index + offset;
  var target_id = format_chunk(target_index);
  var target_row = find_chunk(target_id);
  if (!target_row) {
    return;
  }
  if (old_chunk) {
    old_chunk.style.outline = "";
  }
  target_row.style.outline = "1px solid red";
  old_chunk = target_row;
  window.location.replace("#" + target_id);
  window.scrollBy(0, -100);
  chunk_index = target_index;
}
// Keyboard navigation between diff chunks: keyCode 78 ('N') moves to the
// next chunk, keyCode 80 ('P') to the previous one; every other key is ignored.
document.onkeydown = function (e) {
  var code = e.keyCode;
  if (code === 78) {
    change_chunk(1);
  } else if (code === 80) {
    change_chunk(-1);
  }
};
</script>
</head>
<body>
<h1>About this file and how it was produced</h1>
<p>This file lists the differences between v1.0 and v1.1 of the ROBERT protocol specification document in a (hopefully) readable manner. It has been produced automatically as follows:</p>
<ul>
<li> automatic conversion from LaTeX to text, using:<br />
<code>pandoc -s ROBERT-specification-EN-v1_0.tex -o ROBERT-specification-EN-v1_0.txt </code>(and likewise for version 1.1)<br />
Note that this automatic LaTeX-to-text conversion with pandoc has some limits (e.g., the "(sk_S, pk_S)" ("Registration key-pair") entry and similar ones are missing from section 3.1).</li>
<li> automatic diff generation using:<br />
<code>rfcdiff --html --width 80 robert-specifications-v1.0.txt robert-specifications-v1.1.txt</code><br />
This diff is based on the <a href="https://tools.ietf.org/tools/rfcdiff/">IETF rfcdiff tool</a>.</li>
</ul>
<p>We hope this difference file will be of help to the interested reader.</p>
<p>Cheers. The authors</p>
<h1>Diff: ROBERT-specification-EN-v1_0.txt - ROBERT-specification-EN-v1_1.txt</h1>
<table border="0" cellpadding="0" cellspacing="0">
<tr id="part-1" bgcolor="orange"><th></th><th> ROBERT-specification-EN-v1_0.txt </th><th> </th><th> ROBERT-specification-EN-v1_1.txt </th><th></th></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr id="part-1" class="change" ><td></td><th><small>skipping to change at</small><a href="#part-1"><em> line 161<span class="hide"> ¶</span></em></a></th><th> </th><th><small>skipping to change at</small><a href="#part-1"><em> line 161<span class="hide"> ¶</span></em></a></th><td></td></tr>
<tr><td class="lineno"></td><td class="left"> $EBID_{A,i}$ Ephemeral Bluetooth IDentifier of user $U_A$ at epoch
$i$</td><td> </td><td class="right"> $EBID_{A,i}$ Ephemeral Bluetooth IDentifier of user $U_A$ at epoch
$i$</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> $ECC$ Encrypted Country Code</td><td> </td><td class="right"> $ECC$ Encrypted Country Code</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> $ECC_{A,i}$ Encrypted Country Code used by $U_A$ at epoch $i$</td><td> </td><td class="right"> $ECC_{A,i}$ Encrypted Country Code used by $U_A$ at epoch $i$</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> $epoch\_duration\_sec$ Duration of an epoch in seconds</td><td> </td><td class="right"> $epoch\_duration\_sec$ Duration of an epoch in seconds</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> $ESR\_REQUEST$ Request sent by the $App$ to query the user status</td><td> </td><td class="right"> $ESR\_REQUEST$ Request sent by the $App$ to query the user status</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> $ESR\_REPLY$ Answer sent by the server to users to notify their st
atus</td><td> </td><td class="right"> $ESR\_REPLY$ Answer sent by the server to users to notify their st
atus</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> $HELLO$ Message broadcast by an $App$ via its Bluetooth Low E
nergy interface</td><td> </td><td class="right"> $HELLO$ Message broadcast by an $App$ via its Bluetooth Low E
nergy interface</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> $ID$ Permanent and anonymous identifier associated to each
registered user</td><td> </td><td class="right"> $ID$ Permanent and anonymous identifier associated to each
registered user</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> $ID_A$ Permanent and anonymous identifier of user $U_A$, sto
red by the server</td><td> </td><td class="right"> $ID_A$ Permanent and anonymous identifier of user $U_A$, sto
red by the server</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> $IDTable$ Database maintained by the back-end server</td><td> </td><td class="right"> $IDTable$ Database maintained by the back-end server</td><td class="lineno"></td></tr>
<tr id="diff0001"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock"> <span class="delete">$K_A$</span> Shared key between the server and the $App_A$</td><td> </td><td class="rblock"> <span class="insert">$K^{enc}_A$</span> Shared key between the server and the <span class="insert">$App_A$, used f</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">or encryption of sensitive information.</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> $K^{auth}_A$ Shared key between the server and the $App_A$, used f</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">or authentication of</span> $App_A$ <span class="insert">messages.</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> $K_G$ Federation Key (shared between the servers of all cou
ntries with a federation agreement)</td><td> </td><td class="right"> $K_G$ Federation Key (shared between the servers of all cou
ntries with a federation agreement)</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> $K_S$ Server Key (used by a server to generate $EBIDs$), st
ored by the server</td><td> </td><td class="right"> $K_S$ Server Key (used by a server to generate $EBIDs$), st
ored by the server</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> $LEE_A$ List of exposed epochs of user $U_A$, stored in $IDTa
ble$</td><td> </td><td class="right"> $LEE_A$ List of exposed epochs of user $U_A$, stored in $IDTa
ble$</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> $LocalProximityList$ Local list on an $App$ where the $HELLO$ messages rec
eived by nearby devices are stored</td><td> </td><td class="right"> $LocalProximityList$ Local list on an $App$ where the $HELLO$ messages rec
eived by nearby devices are stored</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> $M$ Number of epochs between 2 consecutive requests by an
App to the back-end server to obtain its list of $(EBID, ECC)$ pairs for the fo
llowing epochs</td><td> </td><td class="right"> $M$ Number of epochs between 2 consecutive requests by an
App to the back-end server to obtain its list of $(EBID, ECC)$ pairs for the fo
llowing epochs</td><td class="lineno"></td></tr>
<tr id="diff0002"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> $(sk_S, pk_S)$ Registration key-pair, an asymmetric key-pair of the
server, used during registration.</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> $Srv$ The back-end server</td><td> </td><td class="right"> $Srv$ The back-end server</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> $SRE_A$ Variable that indicates the last epoch when $U_A$ has
sent a "Status Request" to the server, stored in $IDTable$</td><td> </td><td class="right"> $SRE_A$ Variable that indicates the last epoch when $U_A$ has
sent a "Status Request" to the server, stored in $IDTable$</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> $T$ The minimum number of epochs between 2 consecutive $E
SR\_REQUEST$</td><td> </td><td class="right"> $T$ The minimum number of epochs between 2 consecutive $E
SR\_REQUEST$</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> $Tpststart$ The time when the proximity tracing service has been
started</td><td> </td><td class="right"> $Tpststart$ The time when the proximity tracing service has been
started</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> $UN_A$ Flag indicating if $U_A$ has already been notified to
be at risk of exposure. $UN_A$ is stored in the $IDTable$</td><td> </td><td class="right"> $UN_A$ Flag indicating if $U_A$ has already been notified to
be at risk of exposure. $UN_A$ is stored in the $IDTable$</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> : Glossary of terms and variables used in this</td><td> </td><td class="right"> : Glossary of terms and variables used in this</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> paper[]{label="tab:notations"}</td><td> </td><td class="right"> paper[]{label="tab:notations"}</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">High-Level Description and Assumptions</td><td> </td><td class="right">High-Level Description and Assumptions</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr id="part-2" class="change" ><td></td><th><small>skipping to change at</small><a href="#part-2"><em> line 241<span class="hide"> ¶</span></em></a></th><th> </th><th><small>skipping to change at</small><a href="#part-2"><em> line 243<span class="hide"> ¶</span></em></a></th><td></td></tr>
<tr><td class="lineno"></td><td class="left">be used by the health authority. In fact, the algorithm will probably be</td><td> </td><td class="right">be used by the health authority. In fact, the algorithm will probably be</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">different if the App is used to notify users that need to get tested in</td><td> </td><td class="right">different if the App is used to notify users that need to get tested in</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">priority or if it is used to decide who should stay/go into confinement.</td><td> </td><td class="right">priority or if it is used to decide who should stay/go into confinement.</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">System Overview</td><td> </td><td class="right">System Overview</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">---------------</td><td> </td><td class="right">---------------</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">All the notations used in this paper are summarized in</td><td> </td><td class="right">All the notations used in this paper are summarized in</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">Table [\[tab:notations\]](#tab:notations){reference-type="ref"</td><td> </td><td class="right">Table [\[tab:notations\]](#tab:notations){reference-type="ref"</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">reference="tab:notations"}. The proposed system is composed of users who</td><td> </td><td class="right">reference="tab:notations"}. The proposed system is composed of users who</td><td class="lineno"></td></tr>
<tr id="diff0003"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock">install the Proximity Tracing Application, $App$, and a back-end <span class="delete">server,</span></td><td> </td><td class="rblock">install the Proximity Tracing Application, $App$, and a back-end <span class="insert">server</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"><span class="delete">$Srv$,</span> under the control of the authority. We assume that <span class="delete">$Srv$</span> is</td><td> </td><td class="rblock">under the control of the authority. We assume that <span class="insert">the back-end server</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock">configured with a well-known domain name, certificate and is highly</td><td> </td><td class="rblock">is configured with a well-known domain name, certificate and is highly</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">secured.</td><td> </td><td class="right">secured.</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">Apps interact with the system through the four following procedures:</td><td> </td><td class="right">Apps interact with the system through the four following procedures:</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">- **Initialization:** When a user wants to use the service, she</td><td> </td><td class="right">- **Initialization:** When a user wants to use the service, she</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> installs the application, $App$, from an official App store (Apple</td><td> </td><td class="right"> installs the application, $App$, from an official App store (Apple</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> or Google). $App$ then registers to the server that generates a</td><td> </td><td class="right"> or Google). $App$ then registers to the server that generates a</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> permanent identifier (ID) and several Ephemeral Bluetooth</td><td> </td><td class="right"> permanent identifier (ID) and several Ephemeral Bluetooth</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> Identifiers ($EBIDs$). The back-end maintains a table, , that keeps</td><td> </td><td class="right"> Identifiers ($EBIDs$). The back-end maintains a table, , that keeps</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> an entry for each registered ID. The stored information are</td><td> </td><td class="right"> an entry for each registered ID. The stored information are</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr id="part-3" class="change" ><td></td><th><small>skipping to change at</small><a href="#part-3"><em> line 353<span class="hide"> ¶</span></em></a></th><th> </th><th><small>skipping to change at</small><a href="#part-3"><em> line 355<span class="hide"> ¶</span></em></a></th><td></td></tr>
<tr><td class="lineno"></td><td class="left">trivial to identify infected users [@cryptoeprint:2020:399]. The</td><td> </td><td class="right">trivial to identify infected users [@cryptoeprint:2020:399]. The</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">system's design would be based on the fact that all users which at any</td><td> </td><td class="right">system's design would be based on the fact that all users which at any</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">point ever saw an infected user's *HELLO* can now use contextual</td><td> </td><td class="right">point ever saw an infected user's *HELLO* can now use contextual</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">metadata (such as a meeting date and time) to identify the infected</td><td> </td><td class="right">metadata (such as a meeting date and time) to identify the infected</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">users.</td><td> </td><td class="right">users.</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">Initialisation</td><td> </td><td class="right">Initialisation</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">==============</td><td> </td><td class="right">==============</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">This section describes the initialisation process on the server and the</td><td> </td><td class="right">This section describes the initialisation process on the server and the</td><td class="lineno"></td></tr>
<tr id="diff0004"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock"><span class="delete">application</span></td><td> </td><td class="rblock"><span class="insert">application.</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"><span class="delete">(Figure [\[fig:initialisation\]](#fig:initialisation){reference-type="ref"</span></td><td> </td><td class="rblock"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"><span class="delete">reference="fig:initialisation"}).</span></td><td> </td><td class="rblock"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"><span class="delete"></span></td><td> </td><td class="rblock"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"><span class="delete">\centering</span></td><td> </td><td class="rblock"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"><span class="delete">![Initialisation of the system: server set up and application</span></td><td> </td><td class="rblock"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"><span class="delete">registration.[]{label="fig:initialisation"}](figures/init-1node-DE.png){width="1</span></td><td> </td><td class="rblock"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"><span class="delete">1cm"}</span></td><td> </td><td class="rblock"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">Server Set Up {#sec:serv-init}</td><td> </td><td class="right">Server Set Up {#sec:serv-init}</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">-------------</td><td> </td><td class="right">-------------</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">The back-end server is initialized at the beginning of the proximity</td><td> </td><td class="right">The back-end server is initialized at the beginning of the proximity</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">tracing official period under the control of the Authority. In order to</td><td> </td><td class="right">tracing official period under the control of the Authority. In order to</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">be able to determine in which period and epoch the system is, the server</td><td> </td><td class="right">be able to determine in which period and epoch the system is, the server</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">stores $T_{ptsstart}$, the time when the proximity tracing service has</td><td> </td><td class="right">stores $T_{ptsstart}$, the time when the proximity tracing service has</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">been started in the country. From this timestamp, the server maintains a</td><td> </td><td class="right">been started in the country. From this timestamp, the server maintains a</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">counter $i$, initialized to 0, representing the current epoch number</td><td> </td><td class="right">counter $i$, initialized to 0, representing the current epoch number</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr id="part-4" class="change" ><td></td><th><small>skipping to change at</small><a href="#part-4"><em> line 382<span class="hide"> ¶</span></em></a></th><th> </th><th><small>skipping to change at</small><a href="#part-4"><em> line 378<span class="hide"> ¶</span></em></a></th><td></td></tr>
<tr><td class="lineno"></td><td class="left">We also assume that the server is configured with:</td><td> </td><td class="right">We also assume that the server is configured with:</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">a $L$-bit long key, with $L>=128$ to be defined, only known by the</td><td> </td><td class="right">a $L$-bit long key, with $L>=128$ to be defined, only known by the</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">server[^5].</td><td> </td><td class="right">server[^5].</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">a $L$-bit long key, with $L>=128$ to be defined, shared between all</td><td> </td><td class="right">a $L$-bit long key, with $L>=128$ to be defined, shared between all</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">servers in Europe (used for federation, see</td><td> </td><td class="right">servers in Europe (used for federation, see</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">Section [8](#sec:federation){reference-type="ref"</td><td> </td><td class="right">Section [8](#sec:federation){reference-type="ref"</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">reference="sec:federation"}).</td><td> </td><td class="right">reference="sec:federation"}).</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr id="diff0005"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">an asymmetric-key pair, whose private key $sk_S$ is known only from the</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">server, and public key part is known to every App. This key-pair is</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">defined over the elliptic curve NIST-P256, with $pk_S = sk_S.G$, where</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">$G$ is the base point of prime order on the curve defined by the</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">specifications[^6].</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"> </td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">a 8-bit long value that codes the country where the server provides</td><td> </td><td class="right">a 8-bit long value that codes the country where the server provides</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">service (used for federation, see</td><td> </td><td class="right">service (used for federation, see</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">Section [8](#sec:federation){reference-type="ref"</td><td> </td><td class="right">Section [8](#sec:federation){reference-type="ref"</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">reference="sec:federation"}). These country codes should be known to all</td><td> </td><td class="right">reference="sec:federation"}). These country codes should be known to all</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">international systems where federation is possible. For example, France</td><td> </td><td class="right">international systems where federation is possible. For example, France</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">could use the code "33\", Germany the code \"49\", \...</td><td> </td><td class="right">could use the code "33\", Germany the code \"49\", \...</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr id="diff0006"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">Note that the server relies on a security module to store and manipulate</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">its secrets and the secrets shared with mobile applications.</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"> </td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">In addition, the server maintains a local database, Â (see Section</td><td> </td><td class="right">In addition, the server maintains a local database, Â (see Section</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">[3.2](#sec:serv-reg){reference-type="ref" reference="sec:serv-reg"} for</td><td> </td><td class="right">[3.2](#sec:serv-reg){reference-type="ref" reference="sec:serv-reg"} for</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">details).\</td><td> </td><td class="right">details).\</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">Application Registration (Server Side) {#sec:serv-reg}</td><td> </td><td class="right">Application Registration (Server Side) {#sec:serv-reg}</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">--------------------------------------</td><td> </td><td class="right">--------------------------------------</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">### The $IDTable$ database</td><td> </td><td class="right">### The $IDTable$ database</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">For each registered application $App_A$, belonging to an anonymous user</td><td> </td><td class="right">For each registered application $App_A$, belonging to an anonymous user</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">$U_A$, the server $Srv$ keeps a record in a local database  with the</td><td> </td><td class="right">$U_A$, the server $Srv$ keeps a record in a local database  with the</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">following information:</td><td> </td><td class="right">following information:</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr id="diff0007"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock">a $L$-bit long key, with <span class="delete">$L>=128$</span> to be defined, shared with $App_A$,</td><td> </td><td class="rblock">a $L$-bit long key, with <span class="insert">$L \geq 128$</span> to be defined, shared with</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock">that is used to authenticate $App_A$ messages.</td><td> </td><td class="rblock">$App_A$, that is used to authenticate $App_A$ messages.</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"> </td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">a $L$-bit long key, with $L \geq 128$ to be defined, shared with</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">$App_A$, that is used to encrypt sensitive information sent from the</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">server to $A$.</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">a 40-bit identifier that is unique for each registered App, and</td><td> </td><td class="right">a 40-bit identifier that is unique for each registered App, and</td><td class="lineno"></td></tr>
<tr id="diff0008"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock">generated randomly (random <span class="delete">draw</span> process without replacement to avoid</td><td> </td><td class="rblock">generated randomly (random <span class="insert">drawing</span> process without replacement to avoid</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"><span class="delete">collision).</span> This permanent ID is only known to the server.</td><td> </td><td class="rblock"><span class="insert">collisions).</span> This permanent ID is only known to the server.</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">this flag indicates if the associated user has already been notified to</td><td> </td><td class="right">this flag indicates if the associated user has already been notified to</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">be  ("true\") or not ("false\"). It is initialized with value "false\".</td><td> </td><td class="right">be  ("true\") or not ("false\"). It is initialized with value "false\".</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">Once set to "true\", the user is not allowed to make any additional</td><td> </td><td class="right">Once set to "true\", the user is not allowed to make any additional</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">status request. The flag can be reset if the user can prove that she is</td><td> </td><td class="right">status request. The flag can be reset if the user can prove that she is</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">not at risk anymore (for example by proving that she got a test and the</td><td> </td><td class="right">not at risk anymore (for example by proving that she got a test and the</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">result was negative).</td><td> </td><td class="right">result was negative).</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">a 24-bit value that indicates the last epoch when $U_A$ has sent a</td><td> </td><td class="right">a 24-bit value that indicates the last epoch when $U_A$ has sent a</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">"Status Request\".</td><td> </td><td class="right">"Status Request\".</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">each time one of A's EBID appears in the proximity list of an infected</td><td> </td><td class="right">each time one of A's EBID appears in the proximity list of an infected</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">user, the epoch $j$ when the encounter happened between the infected</td><td> </td><td class="right">user, the epoch $j$ when the encounter happened between the infected</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">user and $U_{A}$ is added to this list. This list of epochs reflects the</td><td> </td><td class="right">user and $U_{A}$ is added to this list. This list of epochs reflects the</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">exposure of the user (temporal and frequency information) and is used,</td><td> </td><td class="right">exposure of the user (temporal and frequency information) and is used,</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">together with other information (e.g. the duration and proximity of a</td><td> </td><td class="right">together with other information (e.g. the duration and proximity of a</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">contact to an infected person), to compute the risk score. Note that a</td><td> </td><td class="right">contact to an infected person), to compute the risk score. Note that a</td><td class="lineno"></td></tr>
<tr id="diff0009"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock">given epoch $i$ can appear several times in this list if <span class="delete">$App_A$</span></td><td> </td><td class="rblock">given epoch $i$ can appear several times in this list if several *HELLO*</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"><span class="delete">received</span> several *HELLO* messages <span class="delete">from</span> infected users during that epoch.</td><td> </td><td class="rblock">messages <span class="insert">sent by $App_A$ appeared in the proximity list(s) of one of</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">several</span> infected users during that epoch.</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">Application Registration (Application Side)</td><td> </td><td class="right">Application Registration (Application Side)</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">-------------------------------------------</td><td> </td><td class="right">-------------------------------------------</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">A user $U_A$ who wants to install the application on his device must</td><td> </td><td class="right">A user $U_A$ who wants to install the application on his device must</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">download it from the official Apple or Android stores. After installing</td><td> </td><td class="right">download it from the official Apple or Android stores. After installing</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">the application $App_A$, $U_A$ needs to register to the back-end server.</td><td> </td><td class="right">the application $App_A$, $U_A$ needs to register to the back-end server.</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">During this registration phase:</td><td> </td><td class="right">During this registration phase:</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">- A proof-of-work (PoW) system (like a CAPCHA) is implemented in order</td><td> </td><td class="right">- A proof-of-work (PoW) system (like a CAPCHA) is implemented in order</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr id="part-5" class="change" ><td></td><th><small>skipping to change at</small><a href="#part-5"><em> line 452<span class="hide"> ¶</span></em></a></th><th> </th><th><small>skipping to change at</small><a href="#part-5"><em> line 462<span class="hide"> ¶</span></em></a></th><td></td></tr>
<tr><td class="lineno"></td><td class="left"> (over a TLS channel) with:</td><td> </td><td class="right"> (over a TLS channel) with:</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> - The current epoch value, $i$.</td><td> </td><td class="right"> - The current epoch value, $i$.</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> - The duration of an epoch, $epoch\_duration\_sec$.</td><td> </td><td class="right"> - The duration of an epoch, $epoch\_duration\_sec$.</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> - The starting time of the following epoch,</td><td> </td><td class="right"> - The starting time of the following epoch,</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> $T_{ptsstart} + (i+1)*epoch\_duration\_sec$ (This is required</td><td> </td><td class="right"> $T_{ptsstart} + (i+1)*epoch\_duration\_sec$ (This is required</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> for synchronization with the server).</td><td> </td><td class="right"> for synchronization with the server).</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr id="diff0010"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock"> - The <span class="delete">$\mbox{K}_A$ key</span>, shared with the server.</td><td> </td><td class="rblock"> - The <span class="insert">keys $K^{auth}_A$ and $K^{enc}_A$</span>, shared with the server.</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> - An initial list of $T$ $(EBID_{A,i},ECC_{A,i})$ pairs (see</td><td> </td><td class="right"> - An initial list of $T$ $(EBID_{A,i},ECC_{A,i})$ pairs (see</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> Section [4](#sec:EBID){reference-type="ref"</td><td> </td><td class="right"> Section [4](#sec:EBID){reference-type="ref"</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> reference="sec:EBID"} for more details).</td><td> </td><td class="right"> reference="sec:EBID"} for more details).</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr id="diff0011"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">The keys $K^{auth}_A$ and $K^{enc}_A$ are exchanged by means of a key</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">establishment procedure:</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">- $App_A$ generates an ephemeral key pair $(ske_A, pke_A=ske_A.G)$ and</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> transmits the value $pke_A$ to the server in its registration</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> message</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">- A shared secret $SharedSecret$, the x-coordinate of the point</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> $(ske_A.sk_S).G$, is obtained by $App_A$ and the server as follows:</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> - $App_A$ computes $ske_A.pk_S$</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> - The server computes $sk_S.pke_A$</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">- $App_A$ and the server derive $K^{auth}_A$ as</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> $K^{auth}_A = HMAC\_SHA256(SharedSecret,$ \"authentication key\"$)$</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">- $App_A$ and the server derive $K^{enc}_A$ as</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> $K^{enc}_A = HMAC\_SHA256(SharedSecret,$ \"encryption key\"$)$</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"> </td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">Generation of the Ephemeral Bluetooth Identifiers {#sec:EBID}</td><td> </td><td class="right">Generation of the Ephemeral Bluetooth Identifiers {#sec:EBID}</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">=================================================</td><td> </td><td class="right">=================================================</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">During registration and then regularly, i.e. every $M$ epochs (value to</td><td> </td><td class="right">During registration and then regularly, i.e. every $M$ epochs (value to</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">be defined), each registered user $U_A$ connects to the server in order</td><td> </td><td class="right">be defined), each registered user $U_A$ connects to the server in order</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">to obtain a list of the $M$ $(EBID_{A,i},ECC_{A,i})$ pairs for the $M$</td><td> </td><td class="right">to obtain a list of the $M$ $(EBID_{A,i},ECC_{A,i})$ pairs for the $M$</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">following epochs. For efficiency, this request can be performed together</td><td> </td><td class="right">following epochs. For efficiency, this request can be performed together</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">with an *Exposure Status Request* (see Section</td><td> </td><td class="right">with an *Exposure Status Request* (see Section</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">[6.2](#sec:request-server){reference-type="ref"</td><td> </td><td class="right">[6.2](#sec:request-server){reference-type="ref"</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">reference="sec:request-server"}).</td><td> </td><td class="right">reference="sec:request-server"}).</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">Upon receiving such a request, the server generates and sends to $App_A$</td><td> </td><td class="right">Upon receiving such a request, the server generates and sends to $App_A$</td><td class="lineno"></td></tr>
<tr id="diff0012"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock"><span class="delete">a</span> list of $T$ $(EBID_{A,i},ECC_{A,i})$ pairs for the upcoming $T$</td><td> </td><td class="rblock"><span class="insert">an encrypted</span> list of $T$ $(EBID_{A,i},ECC_{A,i})$ pairs for the upcoming</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"><span class="delete">epochs[^6],</span> where:</td><td> </td><td class="rblock">$T$ <span class="insert">epochs[^7],</span> where:</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">-$\textrm{EBID}_{A,i}$ (\"Ephemeral Bluetooth IDentifier for A\"):</td><td> </td><td class="right">-$\textrm{EBID}_{A,i}$ (\"Ephemeral Bluetooth IDentifier for A\"):</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">: a 64-bit identifier generated for the epoch $i$ as:</td><td> </td><td class="right">: a 64-bit identifier generated for the epoch $i$ as:</td><td class="lineno"></td></tr>
<tr id="diff0013"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock"> $$EBID_{A,i} = ENC({K}_{S}, i~|~ID_{A})$$ where $ENC$ is a</td><td> </td><td class="rblock"> $$EBID_{A,i} = ENC({K}_{S}, i~|~ID_{A})$$ where $ENC$ is a 64-bit</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"> <span class="delete">block-cipher with</span> 64-bit block <span class="delete">size,</span> for <span class="delete">example 3-key TripleDES.</span></td><td> </td><td class="rblock"> block <span class="insert">cipher,</span> for <span class="insert">example, $SKINNY-64/192$ (a block cipher of block</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> size 64 bits and key size 192 bits) [@skinny].</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">-$\textrm{ECC}_{A,i}$ (\"Encrypted Country Code\"):</td><td> </td><td class="right">-$\textrm{ECC}_{A,i}$ (\"Encrypted Country Code\"):</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">: an 8-bit code that indicates, in an encrypted form, the country code</td><td> </td><td class="right">: an 8-bit code that indicates, in an encrypted form, the country code</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> of ${EBID}_{A,i}$. This field is used for federation purposes and</td><td> </td><td class="right"> of ${EBID}_{A,i}$. This field is used for federation purposes and</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> can only be decrypted by back-end servers that have federation</td><td> </td><td class="right"> can only be decrypted by back-end servers that have federation</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> agreements. More specifically. $ECC_{A,i}$ is the country code</td><td> </td><td class="right"> agreements. More specifically. $ECC_{A,i}$ is the country code</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> $CC_A$ encrypted using $AES-OFB$ with key $K_G$ and $IV$</td><td> </td><td class="right"> $CC_A$ encrypted using $AES-OFB$ with key $K_G$ and $IV$</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> $EBID_{A,i}$, i.e.,</td><td> </td><td class="right"> $EBID_{A,i}$, i.e.,</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> $$ECC_{A,i} = MSB(AES({K_G},EBID_{A,i}~|~0^{64})) \oplus CC_A$$</td><td> </td><td class="right"> $$ECC_{A,i} = MSB(AES({K_G},EBID_{A,i}~|~0^{64})) \oplus CC_A$$</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr id="diff0014"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">The encryption of the list is performed with the authenticated</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">encryption algorithm $AES-GCM$, using key $K^{enc}_A$ with a random</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">96-bit IV and a 128-bit tag.</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"> </td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">Proximity Discovery</td><td> </td><td class="right">Proximity Discovery</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">===================</td><td> </td><td class="right">===================</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">In this phase, $App_A$ performs two operations simultaneously:</td><td> </td><td class="right">In this phase, $App_A$ performs two operations simultaneously:</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">- ***HELLO* Message Broadcasting** and,</td><td> </td><td class="right">- ***HELLO* Message Broadcasting** and,</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">- ***HELLO* Message Collection**.</td><td> </td><td class="right">- ***HELLO* Message Collection**.</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">\centering</td><td> </td><td class="right">\centering</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr id="part-6" class="change" ><td></td><th><small>skipping to change at</small><a href="#part-6"><em> line 540<span class="hide"> ¶</span></em></a></th><th> </th><th><small>skipping to change at</small><a href="#part-6"><em> line 575<span class="hide"> ¶</span></em></a></th><td></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">: 16-bit timestamp (to encode the fine-grain emission time). It</td><td> </td><td class="right">: 16-bit timestamp (to encode the fine-grain emission time). It</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> contains the 16 less significant bits of the current NTP \"Seconds\"</td><td> </td><td class="right"> contains the 16 less significant bits of the current NTP \"Seconds\"</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> timestamp of $App_A$ (which represents, for era 0, the number of</td><td> </td><td class="right"> timestamp of $App_A$ (which represents, for era 0, the number of</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> seconds since 0h January 1st, 1900 UTC). Since it is truncated to 16</td><td> </td><td class="right"> seconds since 0h January 1st, 1900 UTC). Since it is truncated to 16</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> bits, it covers a bit more than 18 hours, what is much larger than</td><td> </td><td class="right"> bits, it covers a bit more than 18 hours, what is much larger than</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> the epoch duration. This field is used to mitigate replay attacks.</td><td> </td><td class="right"> the epoch duration. This field is used to mitigate replay attacks.</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">-$\textrm{MAC}_{A,i}$:</td><td> </td><td class="right">-$\textrm{MAC}_{A,i}$:</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr id="diff0015"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock">: a <span class="delete">$HMAC-SHA256(K_A,</span> c_1~|~M_{A,i})$ truncated to 40 bits ($c_1$ is</td><td> </td><td class="rblock">: a <span class="insert">$HMAC-SHA256(K^{auth}_A,</span> c_1~|~M_{A,i})$ truncated to 40 bits</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"> the 8-bit prefix \"01\"). This field is used to prevent integrity</td><td> </td><td class="rblock"> ($c_1$ is the 8-bit prefix \"01\"). This field is used to prevent</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"> attacks on the *HELLO* messages.</td><td> </td><td class="rblock"> integrity attacks on the *HELLO* messages.</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">**Note:** The *HELLO* contains a \"country code\" that is encrypted and</td><td> </td><td class="right">**Note:** The *HELLO* contains a \"country code\" that is encrypted and</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">is therefore not visible by other devices. It is used in case of</td><td> </td><td class="right">is therefore not visible by other devices. It is used in case of</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">federation by the foreign back-end servers (see</td><td> </td><td class="right">federation by the foreign back-end servers (see</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">Section [8](#sec:federation){reference-type="ref"</td><td> </td><td class="right">Section [8](#sec:federation){reference-type="ref"</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">reference="sec:federation"} for more details).</td><td> </td><td class="right">reference="sec:federation"} for more details).</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> *HELLO* Message Collection</td><td> </td><td class="right"> *HELLO* Message Collection</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">---------------------------</td><td> </td><td class="right">---------------------------</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">$App_A$ continuously collects *HELLO* messages sent by nearby devices</td><td> </td><td class="right">$App_A$ continuously collects *HELLO* messages sent by nearby devices</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">running the same application.</td><td> </td><td class="right">running the same application.</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">Upon receiving $HELLO_{A,i}$, $App_A$:</td><td> </td><td class="right">Upon receiving $HELLO_{A,i}$, $App_A$:</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr id="diff0016"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock">1. parses[^<span class="delete">7</span>] $HELLO_{A,i}$ to retrieve $ecc_A$ (8 bits), $ebid_A$ (64</td><td> </td><td class="rblock">1. parses[^<span class="insert">8</span>] $HELLO_{A,i}$ to retrieve $ecc_A$ (8 bits), $ebid_A$ (64</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> bits), $time_A$ (16 bits) and $mac_A$ (40 bits).</td><td> </td><td class="right"> bits), $time_A$ (16 bits) and $mac_A$ (40 bits).</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">2. obtains a 32-bit NTP "Seconds" timestamp, $time'_A$.</td><td> </td><td class="right">2. obtains a 32-bit NTP "Seconds" timestamp, $time'_A$.</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">3. checks that: $$|time_A - {TRUNC}_{16}(time'_A)|<\delta$$ where</td><td> </td><td class="right">3. checks that: $$|time_A - {TRUNC}_{16}(time'_A)|<\delta$$ where</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> $\delta$ is a configurable time tolerance (typically a few seconds,</td><td> </td><td class="right"> $\delta$ is a configurable time tolerance (typically a few seconds,</td><td class="lineno"></td></tr>
<tr id="diff0017"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock"> value to be defined)[^<span class="delete">8</span>].</td><td> </td><td class="rblock"> value to be defined)[^<span class="insert">9</span>].</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr id="diff0018"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock">4. stores, in its â the following pair[^<span class="delete">9</span>]: $$(HELLO_{A,i}, time'_A)$$</td><td> </td><td class="rblock">4. stores, in its â the following pair[^<span class="insert">10</span>]: $$(HELLO_{A,i}, time'_A)$$</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">**Note:** Entries in  are automatically deleted after $CT$ Days (the</td><td> </td><td class="right">**Note:** Entries in  are automatically deleted after $CT$ Days (the</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">value $CT$ needs to be defined with the health authority).</td><td> </td><td class="right">value $CT$ needs to be defined with the health authority).</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">Infected User Declaration {#sec:infected_app_registration}</td><td> </td><td class="right">Infected User Declaration {#sec:infected_app_registration}</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">=========================</td><td> </td><td class="right">=========================</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">\centering</td><td> </td><td class="right">\centering</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">![Infected Node Declaration: upon agreement, a user tested uploads her</td><td> </td><td class="right">![Infected Node Declaration: upon agreement, a user tested uploads her</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">Â to the</td><td> </td><td class="right">Â to the</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr id="part-7" class="change" ><td></td><th><small>skipping to change at</small><a href="#part-7"><em> line 593<span class="hide"> ¶</span></em></a></th><th> </th><th><small>skipping to change at</small><a href="#part-7"><em> line 628<span class="hide"> ¶</span></em></a></th><td></td></tr>
<tr><td class="lineno"></td><td class="left">#### Upload Authorization Procedure:</td><td> </td><td class="right">#### Upload Authorization Procedure:</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">If user $U_C$ is tested and diagnosed at a hospital or medical office</td><td> </td><td class="right">If user $U_C$ is tested and diagnosed at a hospital or medical office</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">and it is estimated that she was contagious from $ContStart_{C}$ to</td><td> </td><td class="right">and it is estimated that she was contagious from $ContStart_{C}$ to</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">$ContEnd_{C}$ (expressed in seconds using the standard NTP \"Seconds\"</td><td> </td><td class="right">$ContEnd_{C}$ (expressed in seconds using the standard NTP \"Seconds\"</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">system), she is proposed to upload to the server each $(HELLO, Time)$</td><td> </td><td class="right">system), she is proposed to upload to the server each $(HELLO, Time)$</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">pair of her  that satisfies: $$ContStart_{C} < Time < ContEnd_{C}$$ In</td><td> </td><td class="right">pair of her  that satisfies: $$ContStart_{C} < Time < ContEnd_{C}$$ In</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">this document, we do not detail the interactions between $App_C$ and the</td><td> </td><td class="right">this document, we do not detail the interactions between $App_C$ and the</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">health authority. In particular, we do not present the</td><td> </td><td class="right">health authority. In particular, we do not present the</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">security/authorization procedure that verifies that only authorized and</td><td> </td><td class="right">security/authorization procedure that verifies that only authorized and</td><td class="lineno"></td></tr>
<tr id="diff0019"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock">positively-tested users are allowed to upload their [^1<span class="delete">0</span>] (note that</td><td> </td><td class="rblock">positively-tested users are allowed to upload their [^1<span class="insert">1</span>] (note that</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">during this upload, $App_C$ does not reveal any of its $EBIDs$ to the</td><td> </td><td class="right">during this upload, $App_C$ does not reveal any of its $EBIDs$ to the</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">server).</td><td> </td><td class="right">server).</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">#### Upload Mechanism:</td><td> </td><td class="right">#### Upload Mechanism:</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">A Â contains the $EBIDs$ of the devices that the infected user has</td><td> </td><td class="right">A Â contains the $EBIDs$ of the devices that the infected user has</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">encountered in the last $CT$ days. This information together with the</td><td> </td><td class="right">encountered in the last $CT$ days. This information together with the</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">timing information associated with each *HELLO* message could be used to</td><td> </td><td class="right">timing information associated with each *HELLO* message could be used to</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">build the de-identified social/proximity graph of the infected user. The</td><td> </td><td class="right">build the de-identified social/proximity graph of the infected user. The</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">aggregation of many such social/proximity graphs may lead, under some</td><td> </td><td class="right">aggregation of many such social/proximity graphs may lead, under some</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr id="part-8" class="change" ><td></td><th><small>skipping to change at</small><a href="#part-8"><em> line 615<span class="hide"> ¶</span></em></a></th><th> </th><th><small>skipping to change at</small><a href="#part-8"><em> line 650<span class="hide"> ¶</span></em></a></th><td></td></tr>
<tr><td class="lineno"></td><td class="left">social graphs of the users.</td><td> </td><td class="right">social graphs of the users.</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">Would that be a concern, it is necessary to \"break\" the link between</td><td> </td><td class="right">Would that be a concern, it is necessary to \"break\" the link between</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">any two $EBIDs$ contained in the  to prevent the server from getting get</td><td> </td><td class="right">any two $EBIDs$ contained in the  to prevent the server from getting get</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">this information. Therefore, instead of uploading the â our scheme</td><td> </td><td class="right">this information. Therefore, instead of uploading the â our scheme</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">uploads each of its elements independently.</td><td> </td><td class="right">uploads each of its elements independently.</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">Different solutions can be envisioned to achieve this goal:</td><td> </td><td class="right">Different solutions can be envisioned to achieve this goal:</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">- The $(HELLO, Time)$ pairs of the  are sent to the server one by one</td><td> </td><td class="right">- The $(HELLO, Time)$ pairs of the  are sent to the server one by one</td><td class="lineno"></td></tr>
<tr id="diff0020"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock"> using a $Mixnet$[^1<span class="delete">1</span>]. Upon reception of these messages, the server</td><td> </td><td class="rblock"> using a $Mixnet$[^1<span class="insert">2</span>]. Upon reception of these messages, the server</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> won't be able to associate them with a  if the upload is spread over</td><td> </td><td class="right"> won't be able to associate them with a  if the upload is spread over</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> a long period of time.</td><td> </td><td class="right"> a long period of time.</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">- The  is uploaded on a trusted server (for example at a hospital or</td><td> </td><td class="right">- The  is uploaded on a trusted server (for example at a hospital or</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> health organization) that mixes all the $(HELLO, Time)$ pairs of all</td><td> </td><td class="right"> health organization) that mixes all the $(HELLO, Time)$ pairs of all</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> infected users' . The back-end server has only access to the exposed</td><td> </td><td class="right"> infected users' . The back-end server has only access to the exposed</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> entries via a specific API provided by the trusted server.</td><td> </td><td class="right"> entries via a specific API provided by the trusted server.</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">- The back-end server is equipped with some secure hardware component</td><td> </td><td class="right">- The back-end server is equipped with some secure hardware component</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> that processes the uploads of the . The back-end server has only</td><td> </td><td class="right"> that processes the uploads of the . The back-end server has only</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> access to the exposed entries via a specific API provided by the</td><td> </td><td class="right"> access to the exposed entries via a specific API provided by the</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> secure hardware module.</td><td> </td><td class="right"> secure hardware module.</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> Server Operations {#sec:request-server}</td><td> </td><td class="right"> Server Operations {#sec:request-server}</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">------------------</td><td> </td><td class="right">------------------</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">Upon reception of a $h_A=(HELLO_A, Time_A)$, the server:</td><td> </td><td class="right">Upon reception of a $h_A=(HELLO_A, Time_A)$, the server:</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">1. parses $h_A$ to retrieve $ecc_A$ (8 bits), $ebid_A$ (64 bits), $t_A$</td><td> </td><td class="right">1. parses $h_A$ to retrieve $ecc_A$ (8 bits), $ebid_A$ (64 bits), $t_A$</td><td class="lineno"></td></tr>
<tr id="diff0021"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock"> (16 bits), $mac_A$ (40 bits) and $<span class="delete">time'</span>_A$ (32 bits).</td><td> </td><td class="rblock"> (16 bits), $mac_A$ (40 bits) and $<span class="insert">Time</span>_A$ (32 bits).</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr id="diff0022"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock">2. decrypts $ecc_A$, using $K_G$, to recover the message country code,</td><td> </td><td class="rblock">2. <span class="insert">checks that: $$|t_A - {TRUNC}_{16}(Time_A)|<\delta$$ where $\delta$</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> is a configurable time tolerance (typically a few seconds, value to</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> be defined). $h_A$ is rejected if this test is not satisfied.</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">3.</span> decrypts $ecc_A$, using $K_G$, to recover the message country code,</td><td class="lineno"></td></tr>
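Review bot: The relocated check in the new step 2 takes an absolute difference between two 16-bit values, so a *HELLO* sent just before the 16-bit seconds counter wraps (every $2^{16}$ s, roughly 18 h) and received just after it fails `$$|t_A - {TRUNC}_{16}(Time_A)|<\delta$$` even though the two timestamps are within $\delta$; unless the subtraction is meant modulo $2^{16}$, the text should say so, e.g. `where the difference is taken modulo $2^{16}$`. The unchanged application-side check in step 3 of the *HELLO* collection procedure has the same wording and would need the same clarification. Placing this check before the $ecc_A$ decryption and the MAC verification is a sensible ordering, since stale or malformed entries are discarded before any key-dependent processing. The numbered list this step belongs to continues below this change.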
<tr><td class="lineno"></td><td class="left"> $cc_A$. If $cc_A$ is different from the server's country code,</td><td> </td><td class="right"> $cc_A$. If $cc_A$ is different from the server's country code,</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> $CC_S$, and corresponds to a valid country code, $h_A$ is forwarded</td><td> </td><td class="right"> $CC_S$, and corresponds to a valid country code, $h_A$ is forwarded</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> to the back-end server managing this country using the federation</td><td> </td><td class="right"> to the back-end server managing this country using the federation</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> procedure in place (See</td><td> </td><td class="right"> procedure in place (See</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> Section [8](#sec:federation){reference-type="ref"</td><td> </td><td class="right"> Section [8](#sec:federation){reference-type="ref"</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> reference="sec:federation"}). Otherwise it continues.</td><td> </td><td class="right"> reference="sec:federation"}). Otherwise it continues.</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr id="diff0023"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock"><span class="delete">3</span>. computes $ENC^{-1}(K_S, ebid_A)$ to retrieve $i_A~|~id_A$, where</td><td> </td><td class="rblock"><span class="insert">4</span>. computes $ENC^{-1}(K_S, ebid_A)$ to retrieve $i_A~|~id_A$, where</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> $i_A$ is the epoch number corresponding to $ebid_A$ and $id_A$ is</td><td> </td><td class="right"> $i_A$ is the epoch number corresponding to $ebid_A$ and $id_A$ is</td><td class="lineno"></td></tr>
<tr id="diff0024"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock"> the permanent <span class="delete">identifier.</span></td><td> </td><td class="rblock"> the permanent <span class="insert">identifier[^13].</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"><span class="delete"></span></td><td> </td><td class="rblock"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"><span class="delete">4. verifies that $id_A$ corresponds to the ID of a registered user,</span></td><td> </td><td class="rblock"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"><span class="delete"> otherwise $h_A$ is rejected silently.</span></td><td> </td><td class="rblock"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr id="diff0025"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock">5. <span class="delete">checks that: $$|t_A - {TRUNC}_{16}(time'_A)|<\delta$$ where $\delta$</span></td><td> </td><td class="rblock">5. <span class="insert">verifies that $id_A$ corresponds</span> to <span class="insert">the ID of a registered user,</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"><span class="delete"> is a configurable time tolerance (typically a few seconds, value</span> to</td><td> </td><td class="rblock"><span class="insert"> otherwise</span> $h_A$ is rejected <span class="insert">silently[^14].</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"> <span class="delete">be defined).</span> $h_A$ is rejected <span class="delete">if this test is not satisfied.</span></td><td> </td><td class="rblock"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr id="diff0026"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock">6. checks that $<span class="delete">time'_A$ corresponds to epoch $i_A$</span>:</td><td> </td><td class="rblock">6. checks that $<span class="insert">Time_A$ corresponds to epoch $i_A$[^15]</span>:</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> $$|(Time_A - T_{tpsstart})/\textrm{epoch}\_\textrm{duration}\_\textrm{sec} -
i_A|\leq 1$$</td><td> </td><td class="right"> $$|(Time_A - T_{tpsstart})/\textrm{epoch}\_\textrm{duration}\_\textrm{sec} -
i_A|\leq 1$$</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> (note that a difference of 1 may happen if the *HELLO* message is</td><td> </td><td class="right"> (note that a difference of 1 may happen if the *HELLO* message is</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> sent at the very end of the epoch due to transmission and processing</td><td> </td><td class="right"> sent at the very end of the epoch due to transmission and processing</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> times). $h_A$ is rejected if this test is not satisfied.</td><td> </td><td class="right"> times). $h_A$ is rejected if this test is not satisfied.</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">7. retrieves from , $K_A$, the key associated with $id_A$.</td><td> </td><td class="right">7. retrieves from , $K_A$, the key associated with $id_A$.</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">8. verifies if the MAC, $mac_A$, is valid as follows:</td><td> </td><td class="right">8. verifies if the MAC, $mac_A$, is valid as follows:</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> $$mac_A == HMAC-SHA256(K_A, c_1~|~ecc_A~|~ebid_A~|~t_A)$$ If $mac_A$</td><td> </td><td class="right"> $$mac_A == HMAC-SHA256(K_A, c_1~|~ecc_A~|~ebid_A~|~t_A)$$ If $mac_A$</td><td class="lineno"></td></tr>
<tr id="diff0027"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock"> is invalid, $h_A$ is rejected silently.</td><td> </td><td class="rblock"> is invalid, $h_A$ is rejected silently<span class="insert">[^16]</span>.</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr id="diff0028"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock">9. adds $i_A$ in $LEE_A$[^1<span class="delete">2</span>].</td><td> </td><td class="rblock">9. adds $i_A$ in $LEE_A$[^1<span class="insert">7</span>].</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr id="diff0029"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock">10. <span class="delete">securely </span>erases $(HELLO_A, Time_A)$.</td><td> </td><td class="rblock">10. erases $(HELLO_A, Time_A)$.</td><td class="lineno"></td></tr>
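Review bot: Dropping "securely" from step 10 leaves no statement about how the processed pair $(HELLO_A, Time_A)$ is disposed of, while the Upload Mechanism section above motivates per-element upload precisely so that the server cannot link the pairs of one infected user; if the pairs survive step 9 in a log, queue or backup, that argument no longer holds. If the change is deliberate (guaranteed secure erasure is hard to claim for a back-end database), the requirement should be restated in terms of retention rather than silently weakened, e.g. `10. erases $(HELLO_A, Time_A)$; the pair must not be retained in any log, backup or intermediate storage once $i_A$ has been added to $LEE_A$.` A short footnote explaining why the qualifier was removed would also help readers comparing the two versions.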
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">Exposure Status Request (ESR) {#sec:status_request}</td><td> </td><td class="right">Exposure Status Request (ESR) {#sec:status_request}</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">=============================</td><td> </td><td class="right">=============================</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">\centering</td><td> </td><td class="right">\centering</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">![Exposure Status Request: the App regularly requests the server to know</td><td> </td><td class="right">![Exposure Status Request: the App regularly requests the server to know</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">if any of its EBID appeared in any *HELLO* messages collected by an</td><td> </td><td class="right">if any of its EBID appeared in any *HELLO* messages collected by an</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">infected users.[]{label="fig:query"}](figures/query.png){width="10cm"}</td><td> </td><td class="right">infected users.[]{label="fig:query"}](figures/query.png){width="10cm"}</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">In order to check whether user $U_A$ is \"at risk\", i.e. if she has</td><td> </td><td class="right">In order to check whether user $U_A$ is \"at risk\", i.e. if she has</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">encountered infected and contagious users in the last $CT$ days,</td><td> </td><td class="right">encountered infected and contagious users in the last $CT$ days,</td><td class="lineno"></td></tr>
<tr id="diff0030"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock">application $App_A$ regularly[^1<span class="delete">3</span>] sends \"Exposure Status\" Requests</td><td> </td><td class="rblock">application $App_A$ regularly[^1<span class="insert">8</span>] sends \"Exposure Status\" Requests</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">($ESR\_REQUEST$) to the server $Srv$ for $ID_A$. The server then</td><td> </td><td class="right">($ESR\_REQUEST$) to the server $Srv$ for $ID_A$. The server then</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">computes a \"risk score\" value, derived in part from the list $LEE_A$</td><td> </td><td class="right">computes a \"risk score\" value, derived in part from the list $LEE_A$</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">corresponding to $ID_A$. The server replies with a $ESR\_REPLY$ message</td><td> </td><td class="right">corresponding to $ID_A$. The server replies with a $ESR\_REPLY$ message</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">that is set to \"1\" when the user is \"at risk\" (i.e. if the \"risk</td><td> </td><td class="right">that is set to \"1\" when the user is \"at risk\" (i.e. if the \"risk</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">score\" is larger than a threshold value) or to \"0\" otherwise.</td><td> </td><td class="right">score\" is larger than a threshold value) or to \"0\" otherwise.</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">#### Application processing:</td><td> </td><td class="right">#### Application processing:</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">$App_A$ queries the server by sending the following request over an TLS</td><td> </td><td class="right">$App_A$ queries the server by sending the following request over an TLS</td><td class="lineno"></td></tr>
<tr id="diff0031"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock">channel: <span class="delete">$$ESR\_REQUEST_{A,i}=[EBID_{A,i}</span> ~|~ Time ~|~ <span class="delete">MAC_{A,i}]$$</span> with</td><td> </td><td class="rblock">channel:</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"><span class="delete">$$MAC_{A,i}= HMAC-SHA256(K_A,</span> c2 ~|~ EBID_{A,i} ~|~ <span class="delete">Time )]$$</span> where:</td><td> </td><td class="rblock"> </td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">$$ESR\_REQUEST_{A,i} = [EBID_{A,i} ~|~ i</span> ~|~ Time ~|~ <span class="insert">MAC_A]$$</span> with</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">$$MAC_{A,i} = HMAC-SHA256(K^{auth}_A,</span> c2 ~|~ EBID_{A,i} ~|~ <span class="insert">i ~|~ Time)$$</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"> </td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock">where:</td><td class="lineno"></td></tr>
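Review bot: The new request definition names its last field `MAC_A` while the line that follows defines `MAC_{A,i}`; the two should use one symbol, e.g. `$$ESR\_REQUEST_{A,i} = [EBID_{A,i} ~|~ i ~|~ Time ~|~ MAC_{A,i}]$$`. The MAC key also changes here from $K_A$ to $K^{auth}_A$, whereas the server-side *HELLO* verification in step 8 of Server Operations still uses $K_A$; if a separate authentication key is now intended, the place where $K^{auth}_A$ is derived should be referenced at its first use, as it is not defined anywhere in this part of the document. Binding the epoch $i$ into the MAC looks like a deliberate hardening, presumably so that the server can compare the claimed epoch with the one it recovers from $ebid_A$; the server-processing steps that would perform that comparison continue past the end of this change, so I could not confirm it.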
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">- $c_2$: Fixed prefix \"02\" (8 bits).</td><td> </td><td class="right">- $c_2$: Fixed prefix \"02\" (8 bits).</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr id="diff0032"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock">- $EBID_{A,i}$: Ephemeral Bluetooth ID of the <span class="delete">current</span> epoch $i$ (64</td><td> </td><td class="rblock">- $EBID_{A,i}$: Ephemeral Bluetooth ID of the epoch $i$ (64 bits).</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"> bits).</td><td> </td><td class="rblock"> </td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">- $i$: epoch of validity of $EBID_{A,i}$, either the current epoch if</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> $App_A$ has an $EBID$ for the current epoch, or the latest epoch for</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> which $App_A$ has an $EBID$ (24 bits).</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">- $Time$: 32-bit timestamp in seconds, corresponding to the</td><td> </td><td class="right">- $Time$: 32-bit timestamp in seconds, corresponding to the</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> transmission time.</td><td> </td><td class="right"> transmission time.</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">#### Server processing:</td><td> </td><td class="right">#### Server processing:</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">Upon the reception of a request, $ESR\_REQUEST_{A,i}$, at epoch $i$, the</td><td> </td><td class="right">Upon the reception of a request, $ESR\_REQUEST_{A,i}$, at epoch $i$, the</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">server:</td><td> </td><td class="right">server:</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr id="diff0033"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock">1. parses $ESR\_REQUEST_{A,i}$ to retrieve $ebid_A$, $time_A$ and</td><td> </td><td class="rblock">1. parses $ESR\_REQUEST_{A,i}$ to retrieve $ebid_A$, <span class="insert">$i_A$,</span> $time_A$</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"> $mac_A$.</td><td> </td><td class="rblock"> and $mac_A$.</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">2. verifies that $time_A$ is close to its current time.</td><td> </td><td class="right">2. verifies that $time_A$ is close to its current time.</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr id="diff0034"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock">3. retrieves the permanent identifier $id_A$ and epoch <span class="delete">$i_A$</span> by</td><td> </td><td class="rblock">3. retrieves the permanent identifier $id_A$ and epoch <span class="insert">$i'_A$</span> by</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"> decrypting $ebid_A$, as <span class="delete">$$i_A~|~id_A=ENC^{-1}(K_S,</span> ebid_A)$$</td><td> </td><td class="rblock"> decrypting $ebid_A$, as <span class="insert">$$i'_A~|~id_A=ENC^{-1}(K_S,</span> ebid_A)$$</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr id="diff0035"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock">4. <span class="delete">uses $id_A$ to retrieve from Â</span> the <span class="delete">associated entries: $K_A$, $UN_A$,</span></td><td> </td><td class="rblock">4. <span class="insert">verifies that $i_A == i'_A$, otherwise</span> the <span class="insert">message is rejected.</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"><span class="delete"> $SRE_A$, $LEE_A$.</span></td><td> </td><td class="rblock"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr id="diff0036"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock">5. verifies that <span class="delete">$$mac_A=={HMAC-SHA256}(K_A,</span> c2 ~|~ ebid_A ~|~ t_A )$$</td><td> </td><td class="rblock">5. <span class="insert">uses $id_A$ to retrieve from  the associated entries: $K^{auth}_A$,</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> $UN_A$, $SRE_A$, $LEE_A$.</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">6.</span> verifies that</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"> <span class="insert">$$mac_{A,i}== {HMAC-SHA256}(K^{auth}_A,</span> c2 ~|~ ebid_A ~|~ <span class="insert">i_A ~|~</span> t_A )$$</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> If $mac_A$ is incorrect, the message is silently rejected;</td><td> </td><td class="right"> If $mac_A$ is incorrect, the message is silently rejected;</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr id="diff0037"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock"><span class="delete">6</span>. verifies that $UN_A$ is $"false"$ (User Notified) in order to check</td><td> </td><td class="rblock"><span class="insert">7</span>. verifies that $UN_A$ is $"false"$ (User Notified) in order to check</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> that the user has not already received a \"At Risk\" notification.</td><td> </td><td class="right"> that the user has not already received a \"At Risk\" notification.</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> If the user has already been notified, the message is silently</td><td> </td><td class="right"> If the user has already been notified, the message is silently</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> rejected.</td><td> </td><td class="right"> rejected.</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr id="diff0038"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock"><span class="delete">7. verifies that $(i - SRE_A)>=</span>T$, where $T$ is minimum number of</td><td> </td><td class="rblock"><span class="insert">8. verifies that $(i - SRE_A) \geq </span>T$, where $T$ is minimum number of</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> epochs between two consecutive $ESR\_REQUEST$. Otherwise, the</td><td> </td><td class="right"> epochs between two consecutive $ESR\_REQUEST$. Otherwise, the</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> message is silently rejected.</td><td> </td><td class="right"> message is silently rejected.</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">####</td><td> </td><td class="right">####</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">If the $ESR\_REQUEST_{A,i}$ is valid, the server:</td><td> </td><td class="right">If the $ESR\_REQUEST_{A,i}$ is valid, the server:</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">1. updates $SRE_A$ with the current epoch number, $i$, in .</td><td> </td><td class="right">1. updates $SRE_A$ with the current epoch number, $i$, in .</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">2. computes a \"risk score\" value, derived in part from the list</td><td> </td><td class="right">2. computes a \"risk score\" value, derived in part from the list</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr id="part-9" class="change" ><td></td><th><small>skipping to change at</small><a href="#part-9"><em> line 782<span class="hide"> ¶</span></em></a></th><th> </th><th><small>skipping to change at</small><a href="#part-9"><em> line 827<span class="hide"> ¶</span></em></a></th><td></td></tr>
<tr><td class="lineno"></td><td class="left">neighboring states. This is especially true in the case of Europe, where</td><td> </td><td class="right">neighboring states. This is especially true in the case of Europe, where</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">freedom of movement is a core value.</td><td> </td><td class="right">freedom of movement is a core value.</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">We therefore propose the use of a distributed, federated architecture</td><td> </td><td class="right">We therefore propose the use of a distributed, federated architecture</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">where countries may operate their own back-ends and develop their own</td><td> </td><td class="right">where countries may operate their own back-ends and develop their own</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">Apps. This is also practical as we can expect each instance to require</td><td> </td><td class="right">Apps. This is also practical as we can expect each instance to require</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">country-specific options with respect to health system integration and</td><td> </td><td class="right">country-specific options with respect to health system integration and</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">localization.</td><td> </td><td class="right">localization.</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">A detailed specification of a federation protocol remains to be defined</td><td> </td><td class="right">A detailed specification of a federation protocol remains to be defined</td><td class="lineno"></td></tr>
<tr id="diff0039"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock">in agreement with all other partners of the PEPP-PT initiative[^1<span class="delete">4</span>].</td><td> </td><td class="rblock">in agreement with all other partners of the PEPP-PT initiative[^1<span class="insert">9</span>].</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">However, the proposed structure of the *HELLO* message allows some</td><td> </td><td class="right">However, the proposed structure of the *HELLO* message allows some</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">elegant solutions. We propose a standard format for all *HELLO* messages</td><td> </td><td class="right">elegant solutions. We propose a standard format for all *HELLO* messages</td><td class="lineno"></td></tr>
<tr id="diff0040"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock">as follows[^<span class="delete">15</span>]:</td><td> </td><td class="rblock">as follows[^<span class="insert">20</span>]:</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">$ECC_{Country} (8 bits) ~|~ EBID (64 bits) ~|~ t (16 bits) ~|~ MAC (40 bits)$</td><td> </td><td class="right">$ECC_{Country} (8 bits) ~|~ EBID (64 bits) ~|~ t (16 bits) ~|~ MAC (40 bits)$</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">Given this simple definition, a User $Bernard$ from a given country,</td><td> </td><td class="right">Given this simple definition, a User $Bernard$ from a given country,</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">let's say France, could visit another country, let's say Germany, and</td><td> </td><td class="right">let's say France, could visit another country, let's say Germany, and</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">still be able to use his national application. The protocol works as</td><td> </td><td class="right">still be able to use his national application. The protocol works as</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">follows:</td><td> </td><td class="right">follows:</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">- When $Bernard$ goes to Germany, his App broadcasts, at each epoch</td><td> </td><td class="right">- When $Bernard$ goes to Germany, his App broadcasts, at each epoch</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> $j$, $HELLO_{FR,j}$ messages as defined in Section</td><td> </td><td class="right"> $j$, $HELLO_{FR,j}$ messages as defined in Section</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr id="part-10" class="change" ><td></td><th><small>skipping to change at</small><a href="#part-10"><em> line 855<span class="hide"> ¶</span></em></a></th><th> </th><th><small>skipping to change at</small><a href="#part-10"><em> line 900<span class="hide"> ¶</span></em></a></th><td></td></tr>
<tr><td class="lineno"></td><td class="left">potentially different EBID schemes. It further allows us to improve upon</td><td> </td><td class="right">potentially different EBID schemes. It further allows us to improve upon</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">the format without requiring changes to the federation protocols.</td><td> </td><td class="right">the format without requiring changes to the federation protocols.</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">\appendix</td><td> </td><td class="right">\appendix</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">Towards Probabilistic Notifications {#sec:proba}</td><td> </td><td class="right">Towards Probabilistic Notifications {#sec:proba}</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">===================================</td><td> </td><td class="right">===================================</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">As described in previous work</td><td> </td><td class="right">As described in previous work</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">[@canetti2020anonymous; @cryptoeprint:2020:399], all proximity-tracking</td><td> </td><td class="right">[@canetti2020anonymous; @cryptoeprint:2020:399], all proximity-tracking</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">schemes are vulnerable to the \"one entry\" attack. In this attack, the</td><td> </td><td class="right">schemes are vulnerable to the \"one entry\" attack. In this attack, the</td><td class="lineno"></td></tr>
<tr id="diff0041"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock">adversary has only one entry, corresponding to $User_T$, in her [^<span class="delete">16</span>].</td><td> </td><td class="rblock">adversary has only one entry, corresponding to $User_T$, in her [^<span class="insert">21</span>].</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">When the adversary is notified \"at risk\", she learns that $User_T$ was</td><td> </td><td class="right">When the adversary is notified \"at risk\", she learns that $User_T$ was</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">diagnosed COVID-positive. The $ROBERT$ scheme, however, mitigates this</td><td> </td><td class="right">diagnosed COVID-positive. The $ROBERT$ scheme, however, mitigates this</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">attack by:</td><td> </td><td class="right">attack by:</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">- \(1) Requiring to all users to register (anonymously) to the server.</td><td> </td><td class="right">- \(1) Requiring to all users to register (anonymously) to the server.</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">- \(2) Not allowing a user that receives an $ESR\_REPLY$ message set to 1</td><td> </td><td class="right">- \(2) Not allowing a user that receives an $ESR\_REPLY$ message set to 1</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> to query the server anymore.</td><td> </td><td class="right"> to query the server anymore.</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">As a result, a registered user can only perform the attack once and then</td><td> </td><td class="right">As a result, a registered user can only perform the attack once and then</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr id="part-11" class="change" ><td></td><th><small>skipping to change at</small><a href="#part-11"><em> line 905<span class="hide"> ¶</span></em></a></th><th> </th><th><small>skipping to change at</small><a href="#part-11"><em> line 950<span class="hide"> ¶</span></em></a></th><td></td></tr>
<tr><td class="lineno"></td><td class="left">question. First, we need to acknowledge that proximity tracing is not</td><td> </td><td class="right">question. First, we need to acknowledge that proximity tracing is not</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">perfect, and that there will be anyway false positives or false</td><td> </td><td class="right">perfect, and that there will be anyway false positives or false</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">negatives. In this context, is it really problematic to add $5\%$ or</td><td> </td><td class="right">negatives. In this context, is it really problematic to add $5\%$ or</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">$10\%$ more false positives? Second, the answer to this question may</td><td> </td><td class="right">$10\%$ more false positives? Second, the answer to this question may</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">also depend on what the application is used for. If the App is used to</td><td> </td><td class="right">also depend on what the application is used for. If the App is used to</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">target users that should get tested, we believe that testing 5 or 10%</td><td> </td><td class="right">target users that should get tested, we believe that testing 5 or 10%</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">more users randomly should be quite acceptable. If the App is used to</td><td> </td><td class="right">more users randomly should be quite acceptable. If the App is used to</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">notify users to go in quarantine, false positives could be more</td><td> </td><td class="right">notify users to go in quarantine, false positives could be more</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">problematic\...</td><td> </td><td class="right">problematic\...</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr id="diff0042"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock"><span class="delete">A Note on Current PEPP-PT Deployment</span></td><td> </td><td class="rblock"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"><span class="delete">====================================</span></td><td> </td><td class="rblock"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"><span class="delete"></span></td><td> </td><td class="rblock"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"><span class="delete">The protocols of the PEPP-PT App and service currently scheduled for</span></td><td> </td><td class="rblock"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"><span class="delete">release in Germany diverge from the protocols proposed in this paper.</span></td><td> </td><td class="rblock"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"><span class="delete">This is due to the fact the the PEPP-PT initiative originated from a</span></td><td> </td><td class="rblock"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"><span class="delete">national project which was the driving force behind the current German</span></td><td> </td><td class="rblock"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"><span class="delete">App release. However, efficient and successful containment through</span></td><td> </td><td class="rblock"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"><span class="delete">proximity tracing can only happen internationally. As such, the</span></td><td> </td><td class="rblock"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"><span class="delete">scheduled release is only a first step and plans to migrate towards this</span></td><td> </td><td class="rblock"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"><span class="delete">protocol that supports federation between countries are already in</span></td><td> </td><td class="rblock"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"><span class="delete">place.</span></td><td> </td><td class="rblock"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"><span class="delete"></span></td><td> </td><td class="rblock"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"><span class="delete">The major differences between the protocols proposed in this paper and</span></td><td> </td><td class="rblock"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"><span class="delete">the current state in Germany, as of today, are:</span></td><td> </td><td class="rblock"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"><span class="delete"></span></td><td> </td><td class="rblock"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"><span class="delete">- **EBID format**: The current $EBIDs$ issued by the back-end do not</span></td><td> </td><td class="rblock"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"><span class="delete"> contain the $ECC$. They also do not contain a $MAC$ or timestamp.</span></td><td> </td><td class="rblock"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"><span class="delete"></span></td><td> </td><td class="rblock"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"><span class="delete">- **Upload authorization**: The current App and back-end already</span></td><td> </td><td class="rblock"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"><span class="delete"> include methods and protocols for upload authorization after</span></td><td> </td><td class="rblock"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"><span class="delete"> infection; protocols which are specifically tailored to the German</span></td><td> </td><td class="rblock"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"><span class="delete"> health system. Those methods will likely change from country to</span></td><td> </td><td class="rblock"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"><span class="delete"> country.</span></td><td> </td><td class="rblock"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"><span class="delete"></span></td><td> </td><td class="rblock"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"><span class="delete">The migration path is clear and the systems and protocols will be</span></td><td> </td><td class="rblock"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"><span class="delete">harmonized soon.</span></td><td> </td><td class="rblock"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"> </td><td> </td><td class="rblock"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">Server Security Considerations</td><td> </td><td class="right">Server Security Considerations</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">==============================</td><td> </td><td class="right">==============================</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">This proposal assumes that the back-end server is correctly secured,</td><td> </td><td class="right">This proposal assumes that the back-end server is correctly secured,</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">implementing the best state-of the art counter-measures and deploying</td><td> </td><td class="right">implementing the best state-of the art counter-measures and deploying</td><td class="lineno"></td></tr>
<tr id="diff0043"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock">the required security measures to prevent intrusions [^<span class="delete">17</span>].</td><td> </td><td class="rblock">the required security measures to prevent intrusions [^<span class="insert">22</span>].</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">Its security will be audited, tested and validated by the competent</td><td> </td><td class="right">Its security will be audited, tested and validated by the competent</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">national bodies. Different measures are already considered like:</td><td> </td><td class="right">national bodies. Different measures are already considered like:</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">- A secured logging systems (in order to allow regular audits of the</td><td> </td><td class="right">- A secured logging systems (in order to allow regular audits of the</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> operations for secured or privacy checks).</td><td> </td><td class="right"> operations for secured or privacy checks).</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">- The use of hardware or at least software security modules for secure</td><td> </td><td class="right">- The use of hardware or at least software security modules for secure</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> cryptographic processing, key generation and protection.</td><td> </td><td class="right"> cryptographic processing, key generation and protection.</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr id="diff0044"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock"><span class="delete">Furthermore,</span> an <span class="delete">extension of $ROBERT$ that uses a secret sharing scheme</span></td><td> </td><td class="rblock"><span class="insert">Authenticated Requests</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"><span class="delete">to split the secret keys between</span> the server <span class="delete">and</span> the <span class="delete">applications is</span></td><td> </td><td class="rblock"><span class="insert">======================</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"><span class="delete">under consideration</span> for a <span class="delete">future version</span> of <span class="delete">this document.</span></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">ESR Request is</span> an <span class="insert">authenticated request, enabling $App_A$ to make</span> the</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock">server <span class="insert">perform an operation on</span> the <span class="insert">data associated to user $A$. Other</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">types of authenticated requests can be defined in a similar manner to</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">trigger other operations,</span> for <span class="insert">example to unregister</span> a <span class="insert">user.</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">Any type of authenticated request is built in the same manner as an</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">$ESR$ request (see Section [7](#sec:status_request){reference-type="ref"</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">reference="sec:status_request"}), with the exception that the constant</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">$c$ used in the MAC computation must be different.</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">For example, the following values</span> of <span class="insert">$c$ could be used:</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> Code Request Type</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> ------ ---------------</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> 1 Hello message</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> 2 ESR Request</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> 3 Unregister</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> 4 DeleteHistory</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">The server processing part is identical up to step 6 (included). These</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">steps validate the request. In following steps the operations specific</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">to the request are implemented.</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">[^1]: For simplicity, we consider that $CT$ is fixed and the same for</td><td> </td><td class="right">[^1]: For simplicity, we consider that $CT$ is fixed and the same for</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> all users. In practice, this value could be adapted to each infected</td><td> </td><td class="right"> all users. In practice, this value could be adapted to each infected</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> user by doctors.</td><td> </td><td class="right"> user by doctors.</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">[^2]: Federation is also considered for users who are traveling abroad.</td><td> </td><td class="right">[^2]: Federation is also considered for users who are traveling abroad.</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> See Section [8](#sec:federation){reference-type="ref"</td><td> </td><td class="right"> See Section [8](#sec:federation){reference-type="ref"</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> reference="sec:federation"}.</td><td> </td><td class="right"> reference="sec:federation"}.</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">[^3]: <https://en.wikipedia.org/wiki/Network_Time_Protocol></td><td> </td><td class="right">[^3]: <https://en.wikipedia.org/wiki/Network_Time_Protocol></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr id="part-12" class="change" ><td></td><th><small>skipping to change at</small><a href="#part-12"><em> line 974<span class="hide"> ¶</span></em></a></th><th> </th><th><small>skipping to change at</small><a href="#part-12"><em> line 1013<span class="hide"> ¶</span></em></a></th><td></td></tr>
<tr><td class="lineno"></td><td class="left"> recommended in the Bluetooth v5.1</td><td> </td><td class="right"> recommended in the Bluetooth v5.1</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> specification [@bluetooth_core_specification5.1 Vol 3, Part C, App.</td><td> </td><td class="right"> specification [@bluetooth_core_specification5.1 Vol 3, Part C, App.</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> A]). We assume that these epochs and rotation periods are</td><td> </td><td class="right"> A]). We assume that these epochs and rotation periods are</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> synchronized.</td><td> </td><td class="right"> synchronized.</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left">[^5]: Note that this key can be renewed every few epochs for better</td><td> </td><td class="right">[^5]: Note that this key can be renewed every few epochs for better</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> security. In this case, the server needs to store all the keys that</td><td> </td><td class="right"> security. In this case, the server needs to store all the keys that</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> were generated during the last $CTK$ epochs, where</td><td> </td><td class="right"> were generated during the last $CTK$ epochs, where</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> $CTK= 86400*CT/ epoch\_duration\_sec$.</td><td> </td><td class="right"> $CTK= 86400*CT/ epoch\_duration\_sec$.</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr id="diff0045"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock">[^6]: <span class="delete">Note that the server does not store these pairs.</span></td><td> </td><td class="rblock">[^6]: <span class="insert">See Annex D.1 of NIST FIPS186-4,</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> <https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf></span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr id="diff0046"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock">[^7]: In this paper, we use lowercase for variables that result from a</td><td> </td><td class="rblock">[^7]: <span class="insert">Note that the server does not store these pairs.</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">[^8]:</span> In this paper, we use lowercase for variables that result from a</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> parsing operation.</td><td> </td><td class="right"> parsing operation.</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr id="diff0047"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock">[^<span class="delete">8</span>]: Note that since $time_A$ is only 16-bit long, this check is not</td><td> </td><td class="rblock">[^<span class="insert">9</span>]: Note that since $time_A$ is only 16-bit long, this check is not</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> enough to detect replay attacks of *HELLO* messages that were</td><td> </td><td class="right"> enough to detect replay attacks of *HELLO* messages that were</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> generated more than $2^{16}$ seconds (i.e., a bit more than 18</td><td> </td><td class="right"> generated more than $2^{16}$ seconds (i.e., a bit more than 18</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> hours) before $time'_A$. In case $U_A$ is diagnosed positive on</td><td> </td><td class="right"> hours) before $time'_A$. In case $U_A$ is diagnosed positive on</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> COVID-19, an additional test is performed by the server (Section</td><td> </td><td class="right"> COVID-19, an additional test is performed by the server (Section</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> [7](#sec:status_request){reference-type="ref"</td><td> </td><td class="right"> [7](#sec:status_request){reference-type="ref"</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> reference="sec:status_request"}) to further detect these attacks.</td><td> </td><td class="right"> reference="sec:status_request"}) to further detect these attacks.</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr id="diff0048"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock">[^<span class="delete">9</span>]: Other information that could be useful to compute the risk score,</td><td> </td><td class="rblock">[^<span class="insert">10</span>]: Other information that could be useful to compute the risk score,</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> such as the message's reception power or the user's</td><td> </td><td class="right"> such as the message's reception power or the user's</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> speed/acceleration during the contact, could be added.</td><td> </td><td class="right"> speed/acceleration during the contact, could be added.</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr id="diff0049"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock">[^1<span class="delete">0</span>]: One solution under study is to consider that the user obtains an</td><td> </td><td class="rblock">[^1<span class="insert">1</span>]: One solution under study is to consider that the user obtains an</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> authorization token from the hospital or the medical office when it</td><td> </td><td class="right"> authorization token from the hospital or the medical office when it</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> is diagnosed . The User can then use this authorization token to</td><td> </td><td class="right"> is diagnosed . The User can then use this authorization token to</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> validate its  upload.</td><td> </td><td class="right"> validate its  upload.</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr id="diff0050"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock">[^1<span class="delete">1</span>]: Since all mobile telecom operators are using NAT, it should be</td><td> </td><td class="rblock">[^1<span class="insert">2</span>]: Since all mobile telecom operators are using NAT, it should be</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> studied whether the use of a Mixnet or proxy is really needed.</td><td> </td><td class="right"> studied whether the use of a Mixnet or proxy is really needed.</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr id="diff0051"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock"><span class="delete">[^12]:</span> Note that at each epoch $i$, the server cleans up the ${LEE}_A$</td><td> </td><td class="rblock"><span class="insert">[^13]: In the case where $K_S$ renewal is implemented, $K_S$ is selected</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> based on $Time_A$. In case the procedure fails, and if $Time_A$ is</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> close to a boundary between the validity period of two $K_S$ values,</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> the step 4 is performed again with the previous/next value of $K_S$</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> [\[fnlabel\]]{#fnlabel label="fnlabel"}.</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">[^14]: In the case where two $K_S$ values are possible (see footnote</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> [\[fnlabel\]](#fnlabel){reference-type="ref" reference="fnlabel"})</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> and $h_A$ is rejected, the other key should be tested in Step 4.</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">[^15]: In the case where two $K_S$ values are possible (see footnote</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> [\[fnlabel\]](#fnlabel){reference-type="ref" reference="fnlabel"})</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> and the following test fails, goto step 4 to test the other key</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> value.</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">[^16]: In the case where two $K_S$ values are possible (see footnote</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> [\[fnlabel\]](#fnlabel){reference-type="ref" reference="fnlabel"})</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"> and $mac_A$ is incorrect, goto step 4 to test the other key value.</span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert"></span></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="lblock"></td><td> </td><td class="rblock"><span class="insert">[^17]:</span> Note that at each epoch $i$, the server cleans up the ${LEE}_A$</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> list of each registered $ID_A$ by removing the \"expired\" entries.</td><td> </td><td class="right"> list of each registered $ID_A$ by removing the \"expired\" entries.</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> More precisely, all epochs $j$ of ${LEE}_A$ such that</td><td> </td><td class="right"> More precisely, all epochs $j$ of ${LEE}_A$ such that</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> $(i-j) >= (ct*24*3600/epoch\_duration\_sec)$ are deleted.</td><td> </td><td class="right"> $(i-j) >= (ct*24*3600/epoch\_duration\_sec)$ are deleted.</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr id="diff0052"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock">[^1<span class="delete">3</span>]: The queries are sent regularly and at most every $T$ epochs. If a</td><td> </td><td class="rblock">[^1<span class="insert">8</span>]: The queries are sent regularly and at most every $T$ epochs. If a</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> user is allowed to perform N queries per day, $T$ is defined as</td><td> </td><td class="right"> user is allowed to perform N queries per day, $T$ is defined as</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> $T= 86400/(N * epoch\_duration\_sec )$.</td><td> </td><td class="right"> $T= 86400/(N * epoch\_duration\_sec )$.</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr id="diff0053"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock">[^1<span class="delete">4</span>]: <https://www.pepp-pt.org></td><td> </td><td class="rblock">[^1<span class="insert">9</span>]: <https://www.pepp-pt.org></td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr id="diff0054"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock">[^<span class="delete">15</span>]: Actually the adopting countries should only agree to use the 8</td><td> </td><td class="rblock">[^<span class="insert">20</span>]: Actually the adopting countries should only agree to use the 8</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> first bits of the *HELLO* message as the \"Encrypted Country Code\"</td><td> </td><td class="right"> first bits of the *HELLO* message as the \"Encrypted Country Code\"</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> that is encrypted using the following 64 bits as an IV of a stream</td><td> </td><td class="right"> that is encrypted using the following 64 bits as an IV of a stream</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> cipher, as detailed in Section [4](#sec:EBID){reference-type="ref"</td><td> </td><td class="right"> cipher, as detailed in Section [4](#sec:EBID){reference-type="ref"</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> reference="sec:EBID"}.</td><td> </td><td class="right"> reference="sec:EBID"}.</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr id="diff0055"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock">[^<span class="delete">16</span>]: This attack can easily be achieved by keeping the Bluetooth</td><td> </td><td class="rblock">[^<span class="insert">21</span>]: This attack can easily be achieved by keeping the Bluetooth</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> interface off, switching it on when the adversary is next her victim</td><td> </td><td class="right"> interface off, switching it on when the adversary is next her victim</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> and then switching it off again.</td><td> </td><td class="right"> and then switching it off again.</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"></td><td> </td><td class="right"></td><td class="lineno"></td></tr>
<tr id="diff0056"><td></td></tr>
<tr><td class="lineno"></td><td class="lblock">[^<span class="delete">17</span>]: See for example:</td><td> </td><td class="rblock">[^<span class="insert">22</span>]: See for example:</td><td class="lineno"></td></tr>
<tr><td class="lineno"></td><td class="left"> <https://www.ssi.gouv.fr/entreprise/bonnes-pratiques/poste-de-travail-et-ser
veurs/></td><td> </td><td class="right"> <https://www.ssi.gouv.fr/entreprise/bonnes-pratiques/poste-de-travail-et-ser
veurs/></td><td class="lineno"></td></tr>
<tr><td></td><td class="left"></td><td> </td><td class="right"></td><td></td></tr>
<tr id="end" bgcolor="gray"><th colspan="5" align="center"> End of changes. 56 change blocks. </th></tr>
<tr class="stats"><td></td><th><i>106 lines changed or deleted</i></th><th><i> </i></th><th><i>168 lines changed or added</i></th><td></td></tr>
<tr><td colspan="5" align="center" class="small"><br/>This html diff was produced by rfcdiff 1.46. The latest version is available from <a href="http://www.tools.ietf.org/tools/rfcdiff/" >http://tools.ietf.org/tools/rfcdiff/</a> </td></tr>
</table>
</body>
</html>