Simplified security notions of direct anonymous attestation and a concrete scheme from pairings

Direct Anonymous Attestation (DAA) is a cryptographic mechanism that enables remote authentication of a user while preserving privacy under the user’s control. The DAA scheme developed by Brickell, Camenisch, and Chen has been adopted by the Trust Computing Group for remote anonymous attestation of Trusted Platform Module, which is a small hardware device with limited storage space and communication capability. In this paper, we provide two contributions to DAA. We first introduce simplified security notions of DAA including the formal definitions of user controlled anonymity and traceability. We then propose a new DAA scheme from elliptic curve cryptography and bilinear maps. The lengths of private keys and signatures in our scheme are much shorter than the lengths in the original DAA scheme, with a similar level of security and computational complexity. Our scheme builds upon the Camenisch–Lysyanskaya signature scheme and is efficient and provably secure in the random oracle model under the LRSW (stands for Lysyanskaya, Rivest, Sahai and Wolf) assumption and the decisional Bilinear Diffie–Hellman assumption.

[1]  Ernest F. Brickell,et al.  Gradual and Verifiable Release of a Secret , 1987, CRYPTO.

[2]  Liqun Chen,et al.  On Proofs of Security for DAA Schemes , 2008, ProvSec.

[3]  Jiangtao Li,et al.  A New Direct Anonymous Attestation Scheme from Bilinear Maps , 2008, TRUST.

[4]  Carsten Rudolph,et al.  Covert Identity Information in Direct Anonymous Attestation (DAA) , 2007, SEC.

[5]  Chris J. Mitchell,et al.  Single sign-on using TCG-conformant platforms , 2005 .

[6]  David Chaum,et al.  Zero-Knowledge Undeniable Signatures , 1991, EUROCRYPT.

[7]  Kenneth G. Paterson,et al.  Trusted computing: providing security for peer-to-peer networks , 2005, Fifth IEEE International Conference on Peer-to-Peer Computing (P2P'05).

[8]  Chris J. Mitchell,et al.  On a Possible Privacy Flaw in Direct Anonymous Attestation (DAA) , 2008, TRUST.

[9]  David Chaum,et al.  An Improved Protocol for Demonstrating Possession of Discrete Logarithms and Some Generalizations , 1987, EUROCRYPT.

[10]  Amit Sahai,et al.  Pseudonym Systems , 1999, Selected Areas in Cryptography.

[11]  Ivan Damgård,et al.  An Integer Commitment Scheme based on Groups with Hidden Order , 2001, IACR Cryptol. ePrint Arch..

[12]  Liqun Chen,et al.  Pairings in Trusted Computing , 2008, Pairing.

[13]  Jan Camenisch,et al.  Group Signatures: Better Efficiency and New Theoretical Aspects , 2004, SCN.

[14]  Jan Camenisch,et al.  Efficient Group Signature Schemes for Large Groups (Extended Abstract) , 1997, CRYPTO.

[15]  Ben Lynn,et al.  On the implementation of pairing-based cryptosystems , 2007 .

[16]  Tatsuaki Okamoto,et al.  Statistical Zero Knowledge Protocols to Prove Modular Polynomial Relations , 1997, CRYPTO.

[17]  Jan Camenisch,et al.  The DAA scheme in context , 2005 .

[18]  Michael Backes,et al.  Zero-Knowledge in the Applied Pi-calculus and Automated Verification of the Direct Anonymous Attestation Protocol , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[19]  Ran Canetti,et al.  Security and Composition of Multiparty Cryptographic Protocols , 2000, Journal of Cryptology.

[20]  C. P. Schnorr,et al.  Efficient Identification and Signatures for Smart Cards (Abstract) , 1989, EUROCRYPT.

[21]  Claus-Peter Schnorr,et al.  Efficient signature generation by smart cards , 2004, Journal of Cryptology.

[22]  Jan Camenisch,et al.  A Signature Scheme with Efficient Protocols , 2002, SCN.

[23]  Matthew K. Franklin,et al.  Identity-Based Encryption from the Weil Pairing , 2001, CRYPTO.

[24]  Jan Camenisch,et al.  Signature Schemes and Anonymous Credentials from Bilinear Maps , 2004, CRYPTO.

[25]  Paulo S. L. M. Barreto,et al.  Efficient Algorithms for Pairing-Based Cryptosystems , 2002, CRYPTO.

[26]  Alfred Menezes,et al.  Reducing elliptic curve logarithms to logarithms in a finite field , 1991, STOC '91.

[27]  Mihir Bellare,et al.  Foundations of Group Signatures: Formal Definitions, Simplified Requirements, and a Construction Based on General Assumptions , 2003, EUROCRYPT.

[28]  Ivan Damgård,et al.  A Statistically-Hiding Integer Commitment Scheme Based on Groups with Hidden Order , 2002, ASIACRYPT.

[29]  David Chaum,et al.  Wallet Databases with Observers , 1992, CRYPTO.

[30]  Chris J. Mitchell,et al.  Ninja: Non Identity Based, Privacy Preserving Authentication for Ubiquitous Environments , 2007, UbiComp.

[31]  Ernest F. Brickell,et al.  Direct anonymous attestation , 2004, CCS '04.

[32]  Amos Fiat,et al.  How to Prove Yourself: Practical Solutions to Identification and Signature Problems , 1986, CRYPTO.

[33]  Jan Camenisch,et al.  Practical Verifiable Encryption and Decryption of Discrete Logarithms , 2003, CRYPTO.

[34]  Steven D. Galbraith,et al.  Implementing the Tate Pairing , 2002, ANTS.

[35]  Birgit Pfitzmann,et al.  A model for asynchronous reactive systems and its application to secure message transmission , 2001, Proceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001.

[36]  Dan Boneh,et al.  Efficient Selective-ID Secure Identity Based Encryption Without Random Oracles , 2004, IACR Cryptol. ePrint Arch..

[37]  Jacques Stern,et al.  Security Proofs for Signature Schemes , 1996, EUROCRYPT.

[38]  Jan Camenisch,et al.  Separability and Efficiency for Generic Group Signature Schemes , 1999, CRYPTO.

[39]  Mark Ryan,et al.  Direct Anonymous Attestation (DAA): Ensuring Privacy with Corrupt Administrators , 2007, ESAS.

[40]  Mihir Bellare,et al.  Random oracles are practical: a paradigm for designing efficient protocols , 1993, CCS '93.

[41]  Stephen R. Tate,et al.  A Direct Anonymous Attestation Scheme for Embedded Devices , 2007, Public Key Cryptography.