A Static Diffie-Hellman Attack on Several Direct Anonymous Attestation Schemes

Direct Anonymous Attestation (DAA) is an anonymous signature scheme designed for anonymous attestation of a Trusted Platform Module (TPM) while preserving the privacy of the device owner. In 2004, Brickell, Camenisch, and Chen provided the first DAA scheme, based on the strong RSA assumption and the decisional Diffie-Hellman assumption. This scheme was adopted by the Trusted Computing Group in the TPM 1.2 Specification and has been implemented in hundreds of millions of computer platforms. Since then, multiple DAA schemes have been developed, many of which are based on bilinear maps. In this paper, we discover that in a large number of DAA schemes, including the original one adopted in TPM 1.2, a malicious user can treat a TPM as a static Diffie-Hellman (DH) oracle; therefore the security of these schemes is based on the hardness of the static DH problem. However, this security feature has not been analyzed in the security proofs of most of these schemes. Brown and Gallant showed that one can break the static DH problem in a group of order ρ with only O(ρ^{1/3}) oracle queries and O(ρ^{1/3}) group operations. Our discovery means that the security level of these DAA schemes can be significantly weakened, to only roughly 2/3 of the claimed security level. We discuss the impact of our discovery and present how to patch the affected DAA schemes to avoid this attack.
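To see where the "roughly 2/3" figure comes from, the standard security-level calculation is written out here (this derivation is added for illustration and is not part of the original abstract). It assumes the claimed security level is set by generic discrete-logarithm attacks in the group of order ρ, and that ρ − 1 has a divisor of size roughly ρ^{1/3}, which the Brown-Gallant bound quoted above presumes.

$$
\text{Claimed level } k \text{ bits: generic DL costs } \sqrt{\rho} \approx 2^{k} \;\Rightarrow\; \rho \approx 2^{2k}.
$$

$$
\text{Static DH with the TPM as oracle (Brown-Gallant): } O\!\left(\rho^{1/3}\right) \approx 2^{2k/3} \text{ queries and group operations.}
$$

$$
\text{Effective level: } \log_2 \rho^{1/3} = \tfrac{2k}{3} \text{ bits, i.e. } \tfrac{2}{3} \text{ of the claimed } k \text{ bits.}
$$

For a 256-bit group order ($\rho \approx 2^{256}$), the claimed level is $k = 128$ bits; with a TPM answering static DH queries, about $2^{256/3} \approx 2^{85}$ queries and group operations suffice, so the effective level drops to roughly 85 bits. Each oracle query here costs one interaction with the TPM, which is why rate-limiting or patching the affected schemes, as the paper discusses, removes the oracle rather than merely slowing it.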
