
Direct Anonymous Attestation
Assignment: Information Security
CSE, 7th Sem

Abstract: Efficient zero-knowledge proofs of knowledge (ZK-PoK) are basic building blocks of many practical cryptographic applications such as identification schemes, group signatures, and secure multiparty computation. This paper describes the direct anonymous attestation scheme (DAA), which is an implementation of ZKP. This scheme was adopted by the Trusted Computing Group as the method for remote authentication of a hardware module, called trusted platform module (TPM), while preserving the privacy of the user of the platform that contains the module. The scheme is provably secure in the random oracle model under the strong RSA and the decisional Diffie-Hellman assumption.

Submitted To: Dr. Manpreet Singh, CCET, Sec-26 Chandigarh
Submitted By: Yasir Husain, C07359, CSE, 7th Sem
Zero Knowledge Proofs

Zero-knowledge proofs are used to design protocols that are “provably secure by construction”. The key idea is to reduce the general problem of two-party protocols to a simpler problem: how can A prove to B that x is in a language L so that no more knowledge than x ∈ L is revealed? If this could be done for any L ∈ NP, A could prove to B that he followed the protocol steps. We proceed to define the loose terms “interactive proof” (or “proof by a protocol”) and “zero knowledge”.

1.1 Interactive Proof-Systems (IP)

Before defining the notion of interactive proof-systems, we define the notion of an interactive Turing machine.

Definition 1.1.1 An interactive Turing machine (ITM) is a Turing machine with a read-only input tape, a read-only random tape, a read/write worktape, a read-only communication tape, a write-only communication tape, and a write-only output tape. The random tape contains an infinite sequence of bits which can be thought of as the outcome of unbiased coin tosses; this tape can be scanned only from left to right. We say that an interactive machine flips a coin to mean that it reads the next bit from its random tape. The contents of the write-only communication tape can be thought of as messages sent by the machine, while the contents of the read-only communication tape can be thought of as messages received by the machine.

Definition 1.1.2 An interactive protocol is an ordered pair of ITMs (A, B) which share the same input tape; B’s write-only communication tape is A’s read-only communication tape and vice versa. The machines take turns in being active, with B being active first. During its active stage, the machine first performs some internal computation based on the contents of its tapes, and second writes a string on its write-only communication tape.

Either machine can terminate the protocol by not sending any message in its active stage. Machine B accepts (or rejects) the input by entering an accept (or reject) state and terminating the protocol. The first member of the pair, A, is a computationally unbounded Turing machine. The computation time of machine B is defined as the sum of B’s computation time during its active stages, and it is bounded by a polynomial in the length of the input string.

Definition 1.1.3 Let L ⊆ {0, 1}*. We say that L has an interactive proof-system if ∃ ITM V s.t.

1. ∃ ITM P s.t. (P, V) is an interactive protocol and ∀ x ∈ L s.t. |x| is sufficiently large, Prob(V accepts) > 2/3 (when probabilities are taken over the coin tosses of V and P).

2. ∀ ITM P s.t. (P, V) is an interactive protocol, ∀ x ∉ L s.t. |x| is sufficiently large, Prob(V accepts) < 1/3 (when probabilities are taken over the coin tosses of V and P).

It does not suffice to require that the verifier cannot be fooled by the predetermined prover (such a mild condition would have presupposed that the “prover” is a trusted oracle).

NP is a special case of interactive proofs, where the interaction is trivial and the verifier tosses no coins.

We can say that (P, V) (for which condition 1 holds) is an interactive proof-system for L.

Define IP = { L | L has an interactive proof }.

A zero-knowledge proof satisfies three properties (derived from the definition):

1. Completeness: If the statement is true, the honest verifier (that is, one following the protocol properly) will be convinced of this fact by an honest prover.
2. Soundness: If the statement is false, no cheating prover can convince the honest verifier that it is true, except with some small probability.
3. Zero-knowledge: If the statement is true, no cheating verifier learns anything other than this fact. This is formalized by showing that every cheating verifier has some simulator that, given only the statement to be proven (and no access to the prover), can produce a transcript that "looks like" an interaction between the honest prover and the cheating verifier.

VARIANTS OF ZERO-KNOWLEDGE

Different variants of zero-knowledge can be defined by formalizing the intuitive concept of what is meant by 'the output of the simulator “looks like” the execution of the real proof protocol' in different ways:

• We speak of perfect zero-knowledge if the distributions produced by the simulator and the proof protocol are exactly the same. This is for instance the case in the first example above.
• Statistical zero-knowledge means that the distributions are not necessarily exactly the same, but they are statistically close, meaning that their statistical difference is a negligible function.
• We speak of computational zero-knowledge if no efficient algorithm can distinguish the two distributions.

Informally, a proof system is called zero-knowledge if whatever the verifier could generate in probabilistic polynomial time after “seeing” a proof of membership, he could also generate in probabilistic polynomial time when just told by a trusted oracle that the input is indeed in the language.

Zero-knowledge proofs have the remarkable property of being both convincing and yielding nothing except that the assertion is indeed valid.

It can also be demonstrated that zero-knowledge proofs exist “outside the domain of cryptography and number theory”, using no assumptions.

It can be shown that both graph isomorphism (NP-COMPLETE) and graph nonisomorphism have zero-knowledge interactive proofs, which can be generalized to show that we can construct zero-knowledge proofs for every NP-statement.

DIRECT ANONYMOUS ATTESTATION

OVERVIEW

This scheme was adopted by the Trusted Computing Group as the method for remote authentication of a hardware module, called trusted platform module (TPM), while preserving the privacy of the user of the platform that contains the module. Direct anonymous attestation can be seen as a group signature without the feature that a signature can be opened, i.e., the anonymity is not revocable. Moreover, DAA allows for pseudonyms, i.e., for each signature a user (in agreement with the recipient of the signature) can decide whether or not the signature should be linkable to another signature. DAA also allows for detection of “known” keys: if the DAA secret keys are extracted from a TPM and published, a verifier can detect that a signature was produced using these secret keys. The scheme is provably secure in the random oracle model under the strong RSA and the decisional Diffie-Hellman assumption.

BACKGROUND:

The Trusted Computing Group (TCG) is an industry consortium formed to develop standards for Trusted Computing Platforms. A trusted computing platform is a computing device integrated with a cryptographic chip called a trusted platform module (TPM), which is designed and manufactured in a way such that all parties can trust cryptographic computing results from this TPM. Based on the TPM, a trusted computing platform can implement many security related features, such as secure boot, sealed storage, and software integrity attestation.

TPMs are tamper-resistant cryptographic chips. When a TPM is manufactured, a unique RSA keypair, called the Endorsement Key (EK), is created and stored in the protected area of the TPM. The EK might be generated inside a TPM, or imported from an outside key generator. The public part of the EK is authenticated by the manufacturer, while the private part of the EK will never be revealed to the outside. A TPM independently performs cryptographic computations inside itself, and even its manufacturer cannot obtain knowledge of these computations. TPMs are embedded into computing devices by a device manufacturer, and these devices are called trusted computing platforms when coupled with appropriate software. At the heart of a trusted computing platform is the assumption that TPMs should independently work as expected, and be “trusted” by remote parties. Essentially, trusted computing platforms are based on trust of TPMs.

MOTIVATION:

The deployment and use of TPMs introduces privacy concerns. If the authentication of a TPM is directly based on its EK, all transactions by the same TPM can be linked through the public part of the EK. Furthermore, if the TPM is associated with a user’s identity, the user may suffer a loss of privacy. To protect the privacy of a TPM owner, two solutions have been proposed in the TPM specifications.

Privacy in the TPM v1.1 specification is based on a trusted third party, called a Privacy CA. A TPM generates a second RSA keypair called an Attestation Identity Key (AIK). The TPM sends an AIK to the Privacy CA, applying for a certificate on the AIK. After the TPM proves its ownership using a valid EK, the Privacy CA issues a certificate for this AIK. Later, the TPM sends the certificate for this AIK to a verifier, and proves it owns this AIK. This way, the TPM hides its identity during the transaction. Obviously, this is not a completely satisfactory solution, since each AIK creation needs the involvement of the Privacy CA, and compromise of the Privacy CA (or a dishonest Privacy CA) can destroy all privacy guarantees.

An alternate solution was added in TPM v1.2, labeled Direct Anonymous Attestation (DAA), which is the topic of discussion of the current whitepaper.

PROTOCOL DESCRIPTION (SUMMARY):

The Direct Anonymous Attestation scheme involves three principals:

• A TPM and its host platform. (There is a division of labor between the TPM and its platform, with the platform handling any computations that do not require TPM secrets.)
• A DAA Issuer
• A Verifier

DAA is composed of two protocols: the Join protocol and the Sign protocol.

The Join protocol results in a TPM receiving a DAA credential so it can authenticate its Quote signatures to Verifiers. This protocol occurs once for a TPM and has to happen before that TPM can meaningfully interact with Verifiers. Without an AIC or DAA credential to authenticate a TPM, a Verifier doesn't know whether a Quote came from a real, compliant TPM or an impostor. The fact that this protocol occurs once eliminates the need for a reliably online third party as in the Privacy CA case.

Before Join can take place, the Issuer must set up a DAA key pair. This key pair is generated according to the Camenisch-Lysyanskaya scheme. This type of key is chosen because its structure allows for efficient discrete logarithm applications. The Issuer's public DAA key is published and authenticated by a long term RSA key.

A TPM wishing to acquire a DAA credential will generate a secret value, f, and use components of the Issuer's public DAA key to compute a value that is a commitment, U, to that secret. The TPM sends U, and other information including an Endorsement Credential (EC) signed by the TPM manufacturer, to the Issuer. If the Issuer is satisfied with the signature on the EC, it will send the TPM a nonce encrypted with the TPM Endorsement Key (EK) that relates to that EC. The ability of the TPM to decrypt the nonce proves the ability to use the secret EK. An adversary could not successfully use a stolen EC because it would not be able to decrypt the Issuer's nonce. The TPM sends the decrypted nonce back along with other information in the form of a Fiat-Shamir signature, as well as a value NI that is used for rogue detection by the Issuer. If everything checks out, the Issuer will issue a DAA credential with respect to the value U for the TPM.

The Sign protocol allows a Verifier to come to conclusions about the state of the TPM and its platform. Unlike with the AIC, the Verifier doesn't get to see the TPM's DAA credential; the Verifier gets a zero-knowledge proof of the existence of the credential. When a Verifier requests a Quote, the TPM returns a Quote signed with an AIK as well as a proof that the TPM with the private AIK also has some DAA credential from a specific DAA Issuer.

Note that the TPM can use the same DAA credential for every different AIK because the credential is never revealed. Also, since the Issuer doesn't know which TPM has which DAA credential, it can't collude with Verifiers to undermine anonymity. To prevent Verifiers from colluding with one another, the TPM must simply use a different AIK for each Verifier. This is similar to the Privacy CA scheme, with the exception that a new credential is not needed every time a TPM wishes to use a new AIK.

DAA should satisfy the following properties:

1. Correctness: Any valid signature can be correctly verified by the Verify protocol.
2. Forgery-Resistance: A valid group membership certificate can only be created by a TPM and the issuer through the Join protocol.
3. Anonymity: It is infeasible to identify the real TPM of a signature unless this TPM is on the revocation list.
4. Unlinkability: It is infeasible to link two different signatures of the same TPM.
5. Non-framing: No one (including the issuer) can sign a message in such a way that it appears to come from another TPM.

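The completeness, soundness and zero-knowledge properties from the zero-knowledge section, and the "Fiat-Shamir signature" the TPM produces on the Issuer's nonce during Join, both rest on the same three-round sigma-protocol structure; the following is an added example (not code from this paper or from any DAA implementation) showing it as a Schnorr-style proof of knowledge of a discrete logarithm: the honest protocol, the simulator that gives zero-knowledge, the extractor that gives soundness, and the Fiat-Shamir transform that makes the proof a non-interactive signature of knowledge. The constructed toy group, the function names and the message strings are assumptions; DAA proper uses Camenisch-Lysyanskaya commitments over an RSA modulus, which this stand-in does not reproduce.

```python
import hashlib
import secrets
# Constructed toy group, not DAA parameters: p = 2q + 1 is a safe prime and g = 4
# generates the subgroup of prime order q in Z_p^*; real groups have 160+-bit order.
P, Q, G = 2039, 1019, 4

def keygen():
    """Prover's secret x and public y = g^x mod p; the prover shows it knows x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def prover_commit():
    """Round 1: the prover flips coins to pick r and sends t = g^r mod p."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)

def verifier_challenge():
    """Round 2: the verifier flips coins to pick the challenge c."""
    return secrets.randbelow(Q)

def prover_respond(x, r, c):
    """Round 3: s = r + c*x mod q; r is uniform, so s alone leaks nothing about x."""
    return (r + c * x) % Q

def verify(y, t, c, s):
    """The verifier accepts iff g^s == t * y^c (mod p)."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P

def run_protocol(x, y):
    """Completeness: honest prover and honest verifier give an accepting transcript."""
    r, t = prover_commit()
    c = verifier_challenge()
    return t, c, prover_respond(x, r, c)

def simulate(y):
    """Zero-knowledge: an accepting transcript from y alone (no x), picking c and s
    first and solving t = g^s * y^(-c); it is distributed exactly like a real one."""
    c, s = secrets.randbelow(Q), secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, Q - c, P)) % P  # y^(q-c) == y^(-c) since y has order q
    return t, c, s

def extract(c1, s1, c2, s2):
    """Proof of knowledge: two accepting transcripts with the same t and different
    challenges let an extractor recover x = (s1 - s2) / (c1 - c2) mod q."""
    return ((s1 - s2) * pow((c1 - c2) % Q, -1, Q)) % Q

def _challenge(y, t, message):
    """Fiat-Shamir: the verifier's coin tosses are replaced by a hash of (y, t, m)."""
    data = f"{y}|{t}|{message}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def fiat_shamir_sign(x, y, message):
    """Non-interactive variant: a 'Fiat-Shamir signature' of knowledge of x on m."""
    r, t = prover_commit()
    return t, prover_respond(x, r, _challenge(y, t, message))

def fiat_shamir_verify(y, message, signature):
    t, s = signature
    return verify(y, t, _challenge(y, t, message), s)
```

The simulated transcript verifies just like a real one although it was built without x, which is exactly why a verifier's transcript cannot serve as evidence of the secret to anyone else.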
PROTOCOL DESCRIPTION (DETAILED):

In the real system there are a number of players, who run some cryptographic protocols with each other, an adversary A, who controls some of the players, and an environment E that 1) provides the player U_i with inputs and 2) arbitrarily interacts with A.

The environment provides the inputs to the honest players and receives their outputs, and interacts arbitrarily with the adversary. The dishonest players are subsumed into the adversary.

In the ideal system, we have the same players. However, they do not run any cryptographic protocol but send all their inputs to and receive all their outputs from an ideal all-trusted party T. This party computes the output of the players from their inputs, i.e., applies the functionality that the cryptographic protocols are supposed to realize.

A cryptographic protocol is said to securely implement a functionality if for every adversary A and every environment E there exists a simulator S controlling the same parties in the ideal system as A does in the real system, such that the environment cannot distinguish whether it is run in the real system and interacts with A or whether it is run in the ideal system and interacts with the simulator S.

We now specify the functionality of direct anonymous attestation. We distinguish the following kinds of players: the issuer I, a trusted platform module (TPM) M_i with identity id_i, a host H_i that has TPM M_i “built in”, the rogue detection oracle O announcing which TPMs are rogue, and verifiers V_j. The ideal system’s all-trusted party T supports the following operations:

Setup: Each player indicates to T whether or not it is corrupted. Each TPM M_i sends its unique identity id_i to T, who forwards it to the respective host H_i.

Join: The host H_i contacts T and requests to become a member w.r.t. a counter value cnt. Thus T sends the corresponding TPM M_i the counter value cnt and asks it whether it wants to become a member w.r.t. counter value cnt. Then, T asks the issuer I whether the platform with identity id and counter value cnt can become a member. If M_i was tagged rogue w.r.t. some counter value, T also tells I this. If the issuer agrees, T notifies H_i that it has become a member.

DAA-Sign/Verify: A host H_i wants to sign a message m with respect to some basename bsn ∈ {0, 1}* ∪ {⊥} and some counter value cnt for some verifier V_j. So H_i sends m, bsn and cnt to T. If H_i/M_i are not a member w.r.t. cnt, then T denies the request. Otherwise, T forwards m and cnt to the corresponding M_i and asks it whether it wants to sign. If it does, T tells H_i that M_i agrees and asks it w.r.t. which basename bsn it wants to sign (or whether it wants to abort). If H_i does not abort, T proceeds as follows:

• If M_i has been tagged rogue w.r.t. cnt, T lets V_j know that a rogue TPM has signed m.
• If bsn = ⊥ then T informs V_j that m has been signed w.r.t. bsn.
• If bsn ≠ ⊥ then T checks whether H_i/M_i have already signed a message w.r.t. bsn and cnt. If this is the case, T looks up the corresponding pseudonym P in its database; otherwise T chooses a new random pseudonym P ∈_R {0, 1}^ℓσ (the quantity ℓσ is a security parameter). Finally, T informs V_j that the platform with pseudonym P has signed m.

Rogue Tagging: O tells T to tag the platform with identity id w.r.t. cnt as a rogue. If the TPM with identity id is not corrupted, T denies the request. Otherwise, T marks the TPM with identity id as rogue w.r.t. counter value cnt.

ASSUMPTIONS:

Assumption 1 (Strong RSA Assumption). The strong RSA (SRSA) assumption states that it is computationally infeasible, on input a random RSA modulus n and a random element u ∈ Z_n^*, to compute values e > 1 and v such that v^e ≡ u (mod n). The tuple (n, u) generated as above is called an instance of the flexible RSA problem.

Assumption 2 (DDH Assumption). Let Γ be an ℓΓ-bit prime and ρ an ℓρ-bit prime such that ρ | Γ − 1. Let γ ∈ Z_Γ^* be an element of order ρ. Then, for sufficiently large values of ℓΓ and ℓρ, the distribution {(δ, δ^a, δ^b, δ^(ab))} is computationally indistinguishable from the distribution {(δ, δ^a, δ^b, δ^c)}, where δ is a random element from ⟨γ⟩, and a, b, and c are random elements from [0, ρ − 1].

PERFORMANCE ANALYSIS:

Let us consider the amount of computation the individual parties have to perform in the “join”, “DAA-sign”, and “verify” procedures. The computations in all these procedures are dominated by the exponentiations, so it is sufficient to consider only these. We thus count a multi-base exponentiation that has to be performed by the TPM as a multiple of single-base exponentiations, and for all other parties as a single single-base exponentiation.

On an IBM ThinkPad T41 with a 1.7 GHz Intel Mobile Pentium M processor and 1 GByte of RAM, running Linux and IBM Java Runtime Environment 1.4.2, we have made the following measurements. The join protocol required 2.4 seconds of running time in total (excluding communication time); about 25% of the time was used by the TPM, about 25% was used by the host, and about 50% was used by the issuer. The sign protocol required 4.4 seconds of running time in total (excluding communication time); about 8% of the time was used by the TPM, about 47% was used by the host, and about 45% was used by the verifier.
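The ideal all-trusted party T from PROTOCOL DESCRIPTION (DETAILED), modelled as an added example (not from the paper): it keeps the membership, rogue and pseudonym tables and returns exactly what a verifier V_j learns, so the linkability rules become checkable, in particular that two signatures under the same basename and counter share one pseudonym while bsn = ⊥ signatures carry none, and that tagging only affects TPMs that declared themselves corrupted. The TPM identifiers, the 64-bit pseudonym length and the issuer-policy callback are assumptions; the TPM's own consent step in Join is folded into the caller.

```python
import secrets

BOTTOM = None  # stands for the empty basename ⊥: sign without a pseudonym

class IdealDAA:
    """The all-trusted party T of the ideal system: pure bookkeeping, no cryptography.
    Hypothetical TPM identifiers and the 64-bit pseudonym length are assumptions of
    this example; the TPM's own consent step in Join is left to the caller."""

    def __init__(self, pseudonym_bits=64):
        self.corrupted = set()   # Setup: TPMs that declared themselves corrupted
        self.members = set()     # Join: (tpm_id, cnt) pairs the issuer admitted
        self.rogue = set()       # Rogue Tagging: (tpm_id, cnt) pairs tagged by O
        self.pseudonyms = {}     # (tpm_id, cnt, bsn) -> pseudonym P
        self.bits = pseudonym_bits

    def setup(self, tpm_id, corrupted=False):
        if corrupted:
            self.corrupted.add(tpm_id)

    def join(self, tpm_id, cnt, issuer_agrees):
        """T asks the issuer, telling it whether the TPM was tagged rogue w.r.t. any cnt."""
        tagged = any(t == tpm_id for t, _ in self.rogue)
        if issuer_agrees(tpm_id, cnt, tagged):
            self.members.add((tpm_id, cnt))
            return True
        return False

    def rogue_tag(self, tpm_id, cnt):
        """O may only tag corrupted TPMs; a request against an honest TPM is denied."""
        if tpm_id not in self.corrupted:
            return False
        self.rogue.add((tpm_id, cnt))
        return True

    def sign(self, tpm_id, cnt, bsn, m):
        """DAA-Sign/Verify: exactly what the verifier V_j learns, or None if T denies."""
        if (tpm_id, cnt) not in self.members:
            return None
        if (tpm_id, cnt) in self.rogue:
            return {"msg": m, "rogue": True, "pseudonym": None}
        if bsn is BOTTOM:
            return {"msg": m, "rogue": False, "pseudonym": None}
        key = (tpm_id, cnt, bsn)
        if key not in self.pseudonyms:  # first signature under this basename and cnt
            self.pseudonyms[key] = secrets.randbits(self.bits)
        return {"msg": m, "rogue": False, "pseudonym": self.pseudonyms[key]}

def linkable(view1, view2):
    """Two verifier views are linkable iff both carry the same (non-empty) pseudonym."""
    return view1["pseudonym"] is not None and view1["pseudonym"] == view2["pseudonym"]
```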