A DAA Scheme Requiring Less TPM Resources
Direct anonymous attestation (DAA) is a special digital signature primitive, which provides a balance between signer authentication and privacy. One of the most interesting properties that makes this primitive attractive in practice is its construction of signers. The signer role of DAA is split between two entities, a principal signer (a trusted platform module (TPM)) with limited computational capability and an assistant signer (a computer platform into which the TPM is embedded) with more computational power but less security tolerance. Our first contribution in this paper is a new DAA scheme that requires very few TPM resources. In fact the TPM has only to perform two exponentiations for the DAA Join algorithm and three exponentiations for the DAA Signing algorithm. We show that this new scheme has better performance than the existing DAA schemes and is provably secure based on the -SDH problem and DDH problem under the random oracle model. Our second contribution is a modification of the DAA game-based security model to cover the property of non-frameability.
On the Design and Implementation of an Efficient DAA Scheme
Direct Anonymous Attestation (DAA) is an anonymous digital signature scheme that aims to provide both signer authentication and privacy. One of the properties that makes DAA an attractive choice in practice is the split signer role. In short, a principal signer (a Trusted Platform Module (TPM)) signs messages in collaboration with an assistant signer (the Host, a standard computing platform into which the TPM is embedded). This split aims to harness the high level of security offered by the TPM, and augment it using the high level of computational and storage ability offered by the Host. Our contribution in this paper is a modification to an existing pairing-based DAA scheme that significantly improves efficiency, and a comparison with the original RSA-based DAA scheme via a concrete implementation.
DAA-related APIs in TPM2.0 Revisited
In TPM2.0, a single signature primitive is proposed to support various signature schemes including Direct Anonymous Attestation (DAA), U-Prove and Schnorr signature. This signature primitive is implemented by several APIs which can be utilized as a static Diffie-Hellman oracle. In this paper, we measure the practical impact of the SDH oracle in TPM2.0 and show that the security strength of these signature schemes can be weakened by 14 bits. We propose a novel property of DAA called forward anonymity and show how to utilize these DAA-related APIs to break forward anonymity. Then we propose new APIs which not only remove the Static Diffie-Hellman oracle but also support forward anonymity, thus significantly improving the security of DAA and the other signature schemes supported by TPM2.0. We prove the security of our new APIs under the discrete logarithm assumption in the random oracle model. We prove that DAA satisfies forward anonymity using the new APIs under the Decisional Diffie-Hellman assumption. Our new APIs are almost as efficient as the original APIs in the TPM2.0 specification and can support LRSW-DAA and SDH-DAA together with U-Prove as the original APIs do.
A Pairing-Based DAA Scheme Further Reducing TPM Resources
Direct Anonymous Attestation (DAA) is an anonymous signature scheme designed for anonymous attestation of a Trusted Platform Module (TPM) while preserving the privacy of the device owner. Since TPM has limited bandwidth and computational capability, one interesting feature of DAA is to split the signer role between two entities: a TPM and a host platform where the TPM is attached. Recently, Chen proposed a new DAA scheme that is more efficient than previous DAA schemes. In this paper, we construct a new DAA scheme requiring even fewer TPM resources. Our DAA scheme is about 5 times more efficient than Chen’s scheme for the TPM implementation using the Barreto-Naehrig curves. In addition, our scheme requires much smaller size of software code that needs to be implemented in the TPM. This makes our DAA scheme ideal for the TPM implementation. Our DAA scheme is efficient and provably secure in the random oracle model under the strong Diffie-Hellman assumption and the decisional Diffie-Hellman assumption.
DAA-TZ: An Efficient DAA Scheme for Mobile Devices using ARM TrustZone
Direct Anonymous Attestation (DAA) has been studied for application to mobile devices based on ARM TrustZone. However, current solutions bring in extra performance overheads and security risks when adapting existing DAA schemes originally designed for the PC platform. In this paper, we propose a complete and efficient DAA scheme (DAA-TZ) specifically designed for mobile devices using TrustZone. By considering the application scenarios, DAA-TZ extends the interactive model of the original DAA and provides anonymity for a device and its user against remote service providers. The proposed scheme requires only a one-time switch into TrustZone for the signing phase and elaborately takes pre-computation into account. Consequently, the frequent on-line signing needs at most three exponentiations on an elliptic curve. Moreover, we present the architecture for trusted mobile devices. The issues of key derivation and sensitive data management relying on a root of trust from an SRAM Physical Unclonable Function (PUF) are discussed. We implement a prototype system and execute DAA-TZ using MNT and BN curves with different security levels. The comparison result and performance evaluation indicate that our scheme meets the demanding requirements of mobile users in respect of both security and efficiency.
Ring Group Signatures
In many applications of group signatures, not only a signer's identity but also which group the signer belongs to is sensitive information regarding signer privacy. In this paper, we study these applications and combine a group signature with a ring signature to create a ring group signature, which specifies a set of possible groups without revealing which member of which group produced the signature. The main contributions of this paper are a formal definition of a ring group signature scheme and its security model, a generic construction and a concrete example of such a scheme. Both the construction and concrete scheme are provably secure if the underlying group signature and ring signature schemes are secure.
Formal analysis of privacy in Direct Anonymous Attestation schemes
This article introduces a definition of privacy for Direct Anonymous Attestation schemes. The definition is expressed as an equivalence property which is suited to automated reasoning using Blanchet's ProVerif. The practicality of the definition is demonstrated by analysing the RSA-based Direct Anonymous Attestation protocol by Brickell, Camenisch & Chen. The analysis discovers a vulnerability in the RSA-based scheme which can be exploited by a passive adversary and, under weaker assumptions, corrupt issuers and verifiers. A security fix is identified and the revised protocol is shown to satisfy our definition of privacy.
Anonymous attestation with user-controlled linkability
This paper is motivated by the observation that existing security models for direct anonymous attestation (DAA) have problems to the extent that insecure protocols may be deemed secure when analysed under these models. This is particularly disturbing as DAA is one of the few complex cryptographic protocols resulting from recent theoretical advances actually deployed in real life. Moreover, standardization bodies are currently looking into designing the next generation of such protocols. Our first contribution is to identify issues in existing models for DAA and explain how these errors allow for proving security of insecure protocols. These issues are exhibited in all deployed and proposed DAA protocols (although they can often be easily fixed). Our second contribution is a new security model for a class of "pre-DAA schemes", that is, DAA schemes where the computation on the user side takes place entirely on the trusted platform. Our model captures more accurately than any previous model the security properties demanded from DAA by the Trusted Computing Group (TCG), the group that maintains the DAA standard. Extending the model from pre-DAA to full DAA is only a matter of refining the trust models on the parties involved. Finally, we present a generic construction of a DAA protocol from new building blocks tailored for anonymous attestation. Some of them are new variations on established ideas and may be of independent interest. We give instantiations for these building blocks that yield a DAA scheme more efficient than the one currently deployed, and as efficient as the one about to be standardized by the TCG which has no valid security proof.