A (Corrected) DAA Scheme Using Batch Proof and Verification

Direct anonymous attestation (DAA) is a cryptographic primitive for providing anonymous signatures, and is a part of the trusted computing technology from the Trusted Computing Group (TCG). DAA offers a good balance between user authentication and privacy. One active research topic in the trusted computing community is to develop DAA schemes that require minimal TPM resources. In 2010, Chen introduced a new DAA scheme using batch proof and verification. In this scheme, the TPM only needs to perform one or two exponentiations to create a DAA signature, depending on whether linkability is required. In this paper, we demonstrate an attack on this DAA scheme. The attack allows any malicious host to forge linkable DAA signatures without knowing the private key. We also present a patch to this DAA scheme that mitigates the attack. Our new DAA scheme has the same computational requirement for the TPM. We formally prove that the new DAA scheme is secure in the random oracle model under the blind-4 bilinear LRSW assumption, the DDH assumption, and the gap-DL assumption.
