Direct Anonymous Attestation: CSE, 7th Sem
Assignment: Information Security
Abstract: Efficient zero-knowledge proofs of knowledge (ZK-PoK) are basic building blocks of many practical cryptographic applications such as identification schemes, group signatures, and secure multiparty computation. This paper describes the direct anonymous attestation (DAA) scheme, a practical application of ZK-PoK. The scheme was adopted by the Trusted Computing Group as the method for remote authentication of a hardware module, called a trusted platform module (TPM), while preserving the privacy of the user of the platform that contains the module. The scheme is provably secure in the random oracle model under the strong RSA and the decisional Diffie-Hellman assumptions.
NP is a special case of interactive proofs, where the interaction is trivial and the verifier tosses no coins. We say that (P, V) (for which condition 1 holds) is an interactive proof system for L.

We speak of perfect zero-knowledge if the distributions produced by the simulator and by the proof protocol are exactly the same. This is for instance the case in the first example above.
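To make the simulator argument concrete, here is an added example that is not part of the original assignment text: a Schnorr-style zero-knowledge proof of knowledge of a discrete logarithm in Python, with the three-move interactive proof, the honest-verifier simulator (whose transcripts are distributed exactly like real ones, i.e. perfect zero-knowledge), a knowledge extractor (the reason it is a proof of knowledge), and the Fiat-Shamir transform that turns the proof into a signature of knowledge, the form in which the Join and Sign protocols described later use such proofs. DAA itself proves knowledge of a Camenisch-Lysyanskaya credential over a more complex relation; the group parameters Gamma, rho and gamma here are toy-sized and generated at run time, and every function name is this example's own.

```python
"""Schnorr-style zero-knowledge proof of knowledge of a discrete logarithm.
Added illustration, not from the paper: interactive proof, honest-verifier
simulator, knowledge extractor, and the Fiat-Shamir transform."""
import hashlib
import secrets

def is_probable_prime(n, rounds=32):
    """Small-prime trial division followed by Miller-Rabin with random bases."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def setup(bits=48):
    """Toy parameters in the paper's notation: Gamma = 2*rho + 1 with Gamma and
    rho prime, gamma of order rho.  48 bits is for readability only."""
    while True:
        rho = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(rho) and is_probable_prime(2 * rho + 1):
            break
    Gamma = 2 * rho + 1
    gamma = pow(secrets.randbelow(Gamma - 3) + 2, 2, Gamma)  # a square != 1 has order rho
    return Gamma, rho, gamma

def keygen(params):
    """Secret x (the knowledge being proved) and public y = gamma^x."""
    Gamma, rho, gamma = params
    x = secrets.randbelow(rho)
    return x, pow(gamma, x, Gamma)

def prover_commit(params):
    """Move 1: prover picks random r and sends t = gamma^r."""
    Gamma, rho, gamma = params
    r = secrets.randbelow(rho)
    return r, pow(gamma, r, Gamma)

def prover_respond(params, x, r, c):
    """Move 3 (move 2 is the verifier's random challenge c): s = r + c*x mod rho."""
    return (r + c * x) % params[1]

def verify(params, y, t, c, s):
    """Accept iff gamma^s == t * y^c (mod Gamma)."""
    Gamma, _, gamma = params
    return pow(gamma, s, Gamma) == t * pow(y, c, Gamma) % Gamma

def simulate(params, y):
    """Honest-verifier simulator: pick c and s first, then solve for t = gamma^s * y^-c.
    Output is uniform over accepting transcripts, exactly like a real run, so a
    transcript carries no information about x (perfect zero-knowledge)."""
    Gamma, rho, gamma = params
    c, s = secrets.randbelow(rho), secrets.randbelow(rho)
    t = pow(gamma, s, Gamma) * pow(y, rho - c, Gamma) % Gamma  # y^(rho-c) == y^-c
    return t, c, s

def extract(params, transcript1, transcript2):
    """Knowledge extractor: same t, different challenges => x = (s1-s2)/(c1-c2) mod rho."""
    rho = params[1]
    t1, c1, s1 = transcript1
    t2, c2, s2 = transcript2
    assert t1 == t2 and c1 != c2
    return (s1 - s2) * pow((c1 - c2) % rho, -1, rho) % rho

def _challenge(params, y, t, msg):
    """Fiat-Shamir: the verifier's coin toss becomes a hash of statement, t and msg."""
    Gamma, rho, gamma = params
    data = b"|".join(str(v).encode() for v in (Gamma, gamma, y, t)) + b"|" + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % rho

def fs_sign(params, x, y, msg):
    """Non-interactive signature of knowledge of x on msg: (c, s)."""
    r, t = prover_commit(params)
    c = _challenge(params, y, t, msg)
    return c, prover_respond(params, x, r, c)

def fs_verify(params, y, msg, sig):
    """Recompute t from (c, s) and check that the hash reproduces c."""
    Gamma, rho, gamma = params
    c, s = sig
    t = pow(gamma, s, Gamma) * pow(y, rho - c, Gamma) % Gamma
    return _challenge(params, y, t, msg) == c
```

The simulator is the whole point of the "perfect zero-knowledge" remark above: because it can produce (t, c, s) with exactly the real distribution without ever knowing x, a verifier learns nothing from the transcript beyond the fact that the statement holds. The extractor shows the flip side: anyone who could answer two different challenges for the same commitment must know x, which is what makes the proof sound. With Fiat-Shamir the challenge is fixed by a hash, so the proof becomes a signature on msg; security then rests on modelling the hash as a random oracle, which is exactly the model in which the paper proves DAA secure.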
DIRECT ANONYMOUS ATTESTATION

BACKGROUND:

The Trusted Computing Group (TCG) is an industry consortium formed to develop standards for Trusted Computing Platforms. A trusted computing platform is a computing device integrated with a cryptographic chip called a trusted platform module (TPM), which is designed and manufactured in such a way that all parties can trust the cryptographic computing results from this TPM.

Based on the TPM, a trusted computing platform can implement many security-related features, such as secure boot, sealed storage, and software integrity attestation.
MOTIVATION:

The deployment and use of TPMs introduces privacy concerns. If the authentication of a TPM is directly based on its Endorsement Key (EK), all transactions by the same TPM can be linked through the public part of the EK. Furthermore, if the TPM is associated with a user's identity, the user may suffer a loss of privacy. To protect the privacy of a TPM owner, two solutions have been proposed in the TPM specifications.

Privacy in the TPM v1.1 specification is based on a trusted third party, called a Privacy CA. A TPM generates a second RSA key pair called an Attestation Identity Key (AIK). The TPM sends the AIK to the Privacy CA, applying for a certificate on the AIK. After the TPM proves its ownership using a valid EK, the Privacy CA issues a certificate for this AIK. Later, the TPM sends the certificate for this AIK to a verifier and proves it owns this AIK. This way, the TPM hides its identity from the verifier during the transaction. This is not a completely satisfactory solution: each AIK creation needs the involvement of the Privacy CA, the Privacy CA sees both the EK and every AIK it certifies and can therefore link them, and compromise of the Privacy CA (or a dishonest Privacy CA) destroys all privacy guarantees.

An alternative solution was added in TPM v1.2, labeled Direct Anonymous Attestation (DAA), which is the topic of this whitepaper.

PROTOCOL DESCRIPTION (SUMMARY):

The Direct Anonymous Attestation scheme involves three principals:

• The TPM and its host platform. (There is a division of labor between the TPM and its platform, with the platform handling any computations that do not require TPM secrets.)
• A DAA Issuer.
• A Verifier.

DAA is composed of two protocols: the Join protocol and the Sign protocol.

The Join protocol results in a TPM receiving a DAA credential so it can authenticate its Quote signatures to Verifiers. This protocol occurs once for a TPM and has to happen before that TPM can meaningfully interact with Verifiers. Without an AIC (an AIK certificate from a Privacy CA) or a DAA credential to authenticate a TPM, a Verifier does not know whether a Quote came from a real, compliant TPM or from an impostor. The fact that Join occurs only once eliminates the need for a reliably online third party, as in the Privacy CA case.

Before Join can take place, the Issuer must set up a DAA key pair. This key pair is generated according to the Camenisch-Lysyanskaya scheme. This type of key is chosen because the structure of Camenisch-Lysyanskaya signatures allows the holder of a credential to prove knowledge of it efficiently with discrete-logarithm-based zero-knowledge proofs. The Issuer's public DAA key is published and authenticated by a long-term RSA key.
The Join protocol starts with the TPM computing a commitment, U, to a secret value it generates. The TPM sends U, together with other information including an Endorsement Credential (EC) signed by the TPM manufacturer, to the Issuer. If the Issuer is satisfied with the signature on the EC, it sends the TPM a nonce encrypted with the TPM Endorsement Key (EK) that relates to that EC. The ability of the TPM to decrypt the nonce proves the ability to use the secret EK. An adversary could not successfully use a stolen EC because it would not be able to decrypt the Issuer's nonce. The TPM sends the decrypted nonce back along with other information in the form of a Fiat-Shamir signature, as well as a value N_I that is used for rogue detection by the Issuer. If everything checks out, the Issuer issues a DAA credential with respect to the value U for the TPM.

The Sign protocol allows a Verifier to come to conclusions about the state of the TPM and its platform. Unlike with the AIC, the Verifier does not get to see the TPM's DAA credential; the Verifier gets a zero-knowledge proof of the existence of the credential. When a Verifier requests a Quote, the TPM returns a Quote signed with an AIK as well as a proof that the TPM holding the private AIK also has some DAA credential from a specific DAA Issuer.

Note that the TPM can use the same DAA credential for every AIK because the credential is never revealed. Also, since the Issuer does not know which TPM has which DAA credential, it cannot collude with Verifiers to undermine anonymity. To prevent Verifiers from colluding with one another, the TPM must simply use a different AIK for each Verifier. This is similar to the Privacy CA scheme, with the exception that a new credential is not needed every time a TPM wishes to use a new AIK.

DAA should satisfy the following properties:

1. Correctness: Any valid signature can be correctly verified by the Verify protocol.
2. Forgery-Resistance: A valid group membership certificate can only be created by a TPM and the Issuer together through the Join protocol.
3. Anonymity: It is infeasible to identify the real TPM behind a signature unless this TPM is on the revocation list.
4. Unlinkability: It is infeasible to link two different signatures of the same TPM. (This holds for signatures made with different basenames or with no basename, bsn = ⊥; signatures made with respect to the same basename are linkable by design, which is how a Verifier recognizes a returning pseudonym.)
5. Non-framing: No one (including the Issuer) can sign a message in such a way that it appears to come from another TPM.
PROTOCOL DESCRIPTION (DETAILED):

In the real system there are a number of players, who run some cryptographic protocols with each other, an adversary A, who controls some of the players, and an environment E that 1) provides the players U_i with inputs and 2) arbitrarily interacts with A. The environment provides the inputs to the honest players, receives their outputs, and interacts arbitrarily with the adversary. The dishonest players are subsumed into the adversary.

In the ideal system, we have the same players. However, they do not run any cryptographic protocol but send all their inputs to, and receive all their outputs from, an ideal all-trusted party T. This party computes the output of the players from their inputs, i.e., it applies the functionality that the cryptographic protocols are supposed to realize.

A cryptographic protocol is said to securely implement a functionality if for every adversary A and every environment E there exists a simulator S, controlling the same parties in the ideal system as A does in the real system, such that the environment cannot distinguish whether it is run in the real system and interacts with A or whether it is run in the ideal system and interacts with the simulator S.

We now specify the functionality of direct anonymous attestation. We distinguish the following kinds of players: the issuer I, a trusted platform module (TPM) M_i with identity id_i, a host H_i that has TPM M_i "built in," the rogue detection oracle O announcing which TPMs are rogue, and verifiers V_j. The ideal system's all-trusted party T supports the following operations:

Setup: Each player indicates to T whether or not it is corrupted. Each TPM M_i sends its unique identity id_i to T, who forwards it to the respective host H_i.

Join: The host H_i contacts T and requests to become a member w.r.t. a counter value cnt. T sends the corresponding TPM M_i the counter value cnt and asks it whether it wants to become a member w.r.t. counter value cnt. Then T asks the issuer I whether the platform with identity id_i and counter value cnt can become a member. If M_i was tagged rogue w.r.t. some counter value, T also tells I this. If the issuer agrees, T notifies H_i that it has become a member.

DAA-Sign/Verify: A host H_i wants to sign a message m with respect to some basename $bsn \in \{0,1\}^* \cup \{\bot\}$ and some counter value cnt for some verifier V_j. So H_i sends m, bsn and cnt to T. If H_i/M_i are not a member w.r.t. cnt, then T denies the request. Otherwise, T forwards m and cnt to the corresponding M_i and asks it whether it wants to sign. If it does, T tells H_i that M_i agrees and asks it w.r.t. which basename bsn it wants to sign (or whether it wants to abort). If H_i does not abort, T proceeds as follows:
• If M_i has been tagged rogue w.r.t. cnt, T lets V_j know that a rogue TPM has signed m.
• If bsn = ⊥, then T informs V_j only that m has been signed w.r.t. bsn; no pseudonym is attached, so this signature cannot be linked to any other.
• If bsn ≠ ⊥, then T checks whether H_i/M_i have already signed a message w.r.t. bsn and cnt. If this is the case, T looks up the corresponding pseudonym P in its database; otherwise T chooses a new random pseudonym $P \in_R \{0,1\}^{\ell_\sigma}$ (the quantity $\ell_\sigma$ is a security parameter). Finally, T informs V_j that the platform with pseudonym P has signed m.

Rogue Tagging: O tells T to tag the platform with identity id w.r.t. cnt as rogue. If the TPM with identity id is not corrupted, T denies the request. Otherwise, T marks the TPM with identity id as rogue w.r.t. counter value cnt.

ASSUMPTIONS:

Assumption 1 (Strong RSA Assumption). The strong RSA (SRSA) assumption states that it is computationally infeasible, on input a random RSA modulus n and a random element $u \in \mathbb{Z}_n^*$, to compute values e > 1 and v such that $v^e \equiv u \pmod{n}$. The tuple (n, u) generated as above is called an instance of the flexible RSA problem.

Assumption 2 (DDH Assumption). Let Γ be an $\ell_\Gamma$-bit prime and ρ an $\ell_\rho$-bit prime such that ρ | Γ − 1. Let $\gamma \in \mathbb{Z}_\Gamma^*$ be an element of order ρ. Then, for sufficiently large values of $\ell_\Gamma$ and $\ell_\rho$, the distribution $\{(\delta, \delta^a, \delta^b, \delta^{ab})\}$ is computationally indistinguishable from the distribution $\{(\delta, \delta^a, \delta^b, \delta^c)\}$, where δ is a random element from $\langle\gamma\rangle$ and a, b, and c are random elements from [0, ρ − 1].

PERFORMANCE ANALYSIS:

Let us consider the amount of computation the individual parties have to perform in the "join", "DAA-sign", and "verify" procedures. The computations in all these procedures are dominated by the exponentiations, so it is sufficient to consider only these. We thus count a multi-base exponentiation that has to be performed by the TPM as the corresponding multiple of single-base exponentiations (one per base), and for all other parties as a single single-base exponentiation.

On an IBM ThinkPad T41 with a 1.7 GHz Intel Mobile Pentium M processor and 1 GByte of RAM, running Linux and the IBM Java Runtime Environment 1.4.2, we made the following measurements. The join protocol required 2.4 seconds of running time in total (excluding communication time): about 25% of the time was used by the TPM, about 25% by the host, and about 50% by the issuer. The sign protocol required 4.4 seconds of running time in total (excluding communication time): about 8% of the time was used by the TPM, about 47% by the host, and about 45% by the verifier. Note that the TPM's share was measured in the same Java implementation on the laptop, so it is not a measurement of a real TPM chip.
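The following is an added example, not from the paper: an executable model of the ideal all-trusted party T from the detailed protocol description above. It performs only T's bookkeeping (membership, rogue tags and the pseudonym database; there is no cryptography), so the linkability semantics can be checked directly: bsn = ⊥ yields no pseudonym, the same bsn and cnt from the same platform always yield the same pseudonym, different basenames or different platforms yield independent pseudonyms, and a rogue-tagged TPM is reported as rogue to the verifier. The class and method names, the use of Python's None for ⊥, and the issuer_policy callback standing in for the issuer's decision are this example's own assumptions.

```python
"""Executable model of DAA's ideal functionality T (added illustration, not
from the paper).  T only keeps books: who is a member, who is rogue, and which
pseudonym belongs to which (platform, cnt, bsn).  No cryptography is involved;
the point is to see exactly what a verifier V_j learns in each case."""
import secrets

BOTTOM = None  # models bsn = ⊥: signing without a basename (unlinkable)


class IdealDAA:
    def __init__(self, issuer_policy=None, l_sigma=128):
        # Issuer I's decision in Join: (id_i, cnt, was_tagged_rogue) -> bool.
        self.issuer_policy = issuer_policy or (lambda tpm_id, cnt, rogue: True)
        self.l_sigma = l_sigma   # pseudonym bit length (the paper's security parameter)
        self.hosts = {}          # host H_i -> identity id_i of its built-in TPM M_i
        self.corrupted = set()   # TPM identities that declared themselves corrupted in Setup
        self.members = set()     # (id_i, cnt) pairs that completed Join
        self.rogue = set()       # (id_i, cnt) pairs tagged by the rogue-detection oracle O
        self.pseudonyms = {}     # (id_i, cnt, bsn) -> pseudonym P

    def setup(self, host, tpm_id, corrupted=False):
        """Setup: each player says whether it is corrupted; M_i sends id_i to T,
        which forwards it to the host H_i."""
        self.hosts[host] = tpm_id
        if corrupted:
            self.corrupted.add(tpm_id)

    def join(self, host, cnt, tpm_agrees=True):
        """Join: H_i asks to become a member w.r.t. cnt.  T asks M_i, then asks the
        issuer I (telling I whether M_i was ever tagged rogue).  Returns membership."""
        tpm_id = self.hosts[host]
        if not tpm_agrees:
            return False
        was_tagged = any(rid == tpm_id for rid, _ in self.rogue)
        if not self.issuer_policy(tpm_id, cnt, was_tagged):
            return False
        self.members.add((tpm_id, cnt))
        return True

    def sign(self, host, m, bsn, cnt, tpm_agrees=True):
        """DAA-Sign/Verify: returns exactly what T tells the verifier V_j, or None
        when T denies the request (non-member) or M_i/H_i does not go ahead."""
        tpm_id = self.hosts[host]
        if (tpm_id, cnt) not in self.members or not tpm_agrees:
            return None
        if (tpm_id, cnt) in self.rogue:
            return {"message": m, "rogue": True}      # V_j learns: a rogue TPM signed m
        if bsn is BOTTOM:
            return {"message": m, "bsn": BOTTOM}      # no pseudonym at all: unlinkable
        key = (tpm_id, cnt, bsn)
        if key not in self.pseudonyms:                # first signature under this bsn/cnt:
            self.pseudonyms[key] = secrets.token_hex(self.l_sigma // 8)  # fresh random P
        return {"message": m, "bsn": bsn, "pseudonym": self.pseudonyms[key]}

    def tag_rogue(self, tpm_id, cnt):
        """Rogue Tagging: O may tag only a corrupted TPM; T denies it otherwise."""
        if tpm_id not in self.corrupted:
            return False
        self.rogue.add((tpm_id, cnt))
        return True


if __name__ == "__main__":
    T = IdealDAA()
    T.setup("H1", "id1")
    T.join("H1", cnt=0)
    s1 = T.sign("H1", "quote-1", "verifier-A", 0)
    s2 = T.sign("H1", "quote-2", "verifier-A", 0)
    s3 = T.sign("H1", "quote-3", "verifier-B", 0)
    print("same bsn -> same pseudonym:", s1["pseudonym"] == s2["pseudonym"])
    print("other bsn -> other pseudonym:", s1["pseudonym"] != s3["pseudonym"])
    print("bsn = ⊥ reveals only:", T.sign("H1", "quote-4", BOTTOM, 0))
```

Reading the model against the text: the verifier never receives id_i, only a pseudonym that is a function of (platform, cnt, bsn), which is the precise sense in which anonymity and unlinkability hold; the only identifying information leaves T in Join, where the issuer learns id_i, and that is why a real implementation must keep the Join-time identification (the EK-encrypted nonce and the EC) separate from anything the Verifier sees in Sign. The issuer_policy hook also makes the rogue-handling rule explicit: T tells I about earlier rogue tags, but whether a tagged TPM can still join under a new cnt is I's decision, not T's.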