Universally Composable Direct Anonymous Attestation

Direct Anonymous Attestation (DAA) is one of the most complex cryptographic algorithms that has been deployed in practice. In spite of this and the long body of work on the subject, there is still no fully satisfactory security definition for DAA. This was already acknowledged by Bernard et al. (IJIC'13), who showed that in existing models insecure protocols can be proved secure. Bernard et al. therefore proposed an extensive set of security games which, however, aim only at a simplified setting termed pre-DAA. In pre-DAA, the host platform that runs the TPM is assumed to be trusted. Consequently, their notion does not guarantee any security if the TPM is embedded in a potentially corrupt host, which is a significant restriction. In this paper, we give a comprehensive security definition for full DAA in the form of an ideal functionality in the Universal Composability model. Our definition considers the host and TPM to be separate entities that can be in different corruption states. None of the existing DAA schemes satisfy our strong security notion. We therefore propose a realization that is based on a DAA scheme supported by the TPM 2.0 standard and prove it secure in our model.
