Anonymous attestation with user-controlled linkability

  • D. Bernhard
  • G. Fuchsbauer
  • E. Ghadafi
  • N. P. Smart
  • B. Warinschi
Regular Contribution


This paper is motivated by the observation that existing security models for direct anonymous attestation (DAA) have problems to the extent that insecure protocols may be deemed secure when analysed under these models. This is particularly disturbing as DAA is one of the few complex cryptographic protocols resulting from recent theoretical advances actually deployed in real life. Moreover, standardization bodies are currently looking into designing the next generation of such protocols. Our first contribution is to identify issues in existing models for DAA and explain how these errors allow for proving security of insecure protocols. These issues are exhibited in all deployed and proposed DAA protocols (although they can often be easily fixed). Our second contribution is a new security model for a class of “pre-DAA scheme”, that is, DAA schemes where the computation on the user side takes place entirely on the trusted platform. Our model captures more accurately than any previous model the security properties demanded from DAA by the trusted computing group (TCG), the group that maintains the DAA standard. Extending the model from pre-DAA to full DAA is only a matter of refining the trust models on the parties involved. Finally, we present a generic construction of a DAA protocol from new building blocks tailored for anonymous attestation. Some of them are new variations on established ideas and may be of independent interest. We give instantiations for these building blocks that yield a DAA scheme more efficient than the one currently deployed, and as efficient as the one about to be standardized by the TCG which has no valid security proof.


DAA protocol Group signatures  Security models 



This work has been supported in part by the European Commission through the ICT Programme under Contract ICT-2007-216676 ECRYPT II, by an European Research Council Advanced Grant ERC-2010-AdG-267188-CRIPTO and by the Engineering and Physcial Sciences Research Council via grant EP/H043454/1. The fourth author has also been supported in part by a Royal Society Wolfson Merit Award.


  1. 1.
    Abe, M., Chow, S.S.M., Haralambiev, K., Ohkubo, M.: Double-Trapdoor Anonymous Tags for Traceable Signatures. Applied Cryptography and Network Security–ACNS 2011, LNCS 6715, pp. 183–200. Springer, Berlin (2011)Google Scholar
  2. 2.
    Ateniese, G., Camenisch, J., Hohenberger, S., de Medeiros, B.: Practical Group Signatures Without Random Oracles. Cryptology ePrint Archive. Report 2005/385, available at
  3. 3.
    Ateniese, G., Camenisch, J., de Medeiros, B.: Untraceable RFID Tags Via Insubvertible Encryption. Computer and Communications Security–CCS 2005, pp. 92–101. ACM Press, New york (2005)Google Scholar
  4. 4.
    Brickell, E., Camenisch, J., Chen, L.: Direct Anonymous Attestation. Computer and Communications Security–CCS 2004, pp. 132–145. ACM Press, New york (2004)Google Scholar
  5. 5.
    Brickell, E., Chen, L., Li, J.: A New Direct Anonymous Attestation Scheme from Bilinear Maps. Trusted Computing-Challenges and Applications–TRUST 2008, LNCS 4968, pp. 166–178. Springer, Berlin (2008)Google Scholar
  6. 6.
    Brickell, E., Chen, L., Li, J.: Simplified security notions for direct anonymous attestation and a concrete scheme from pairings. Int. J. Inf. Secur. 8, 315–330 (2009)CrossRefGoogle Scholar
  7. 7.
    Brickell, E., Li, J.: Enhanced Privacy ID: A Direct Anonymous Attestation Scheme with Enhanced Revocation Capabilities. Privacy in the Electronic Society–WPES 2007, pp. 21–30. ACM Press, New york (2007)Google Scholar
  8. 8.
    Brickell, E., Li, J.: Enhanced Privacy ID from Bilinear Pairing. Cryptology ePrint Archive. Report 2009/095, available at
  9. 9.
    Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. J. Cryptol. 17(4), 297–319 (2004)MathSciNetzbMATHCrossRefGoogle Scholar
  10. 10.
    Bellare, M., Micciancio, D., Warinschi, B.: Foundations of Group Signatures: Formal Definitions, Simplified Requirements, and a Construction Based on General Assumptions. Advances in Cryptology-Eurocrypt 2003, LNCS 2656, pp. 614–629. Springer, Berlin (2003)Google Scholar
  11. 11.
    Boneh, D., Shacham, H.: Group Signatures with Verifier-Local Revocation. Computer and Communications Security–CCS 2004, pp. 168–177. ACM Press, New york (2004)Google Scholar
  12. 12.
    Bellare, M., Shi, H., Zhang, C.: Foundations of Group Signatures: The Case of Dynamic Groups. Topics in Cryptology–CT-RSA 2005, LNCS 3376, pp. 136–153. Springer, Berlin (2005)Google Scholar
  13. 13.
    Camenisch, J., Lysyanskaya, A.: Signature Schemes and Anonymous Credentials from Bilinear Maps. Advances in Cryptology–CRYPTO 2004, LNCS 3152, pp. 56–72. Springer, Berlin (2004)Google Scholar
  14. 14.
    Canetti, R.: Universally Composable Signatures, Certification and Authentication. Cryptology ePrint Archive. Report 2003/239, available at
  15. 15.
    Canetti, R.: Universally Composable Security: A New Paradigm for Cryptographic Protocols (revised version of December 2005). Cryptology ePrint Archive. Report 2000/067, available at
  16. 16.
    Chase, M., Lysyanskaya, A.: On Signatures of Knowledge. Advances in Cryptology–CRYPTO 2006, LNCS 4117, pp. 78–96. Springer, Berlin (2006)Google Scholar
  17. 17.
    Chen, X., Feng, D.: Direct anonymous attestation for next generation TPM. J. Comput. 3, 43–50 (2008)MathSciNetGoogle Scholar
  18. 18.
    Chen, L.: A DAA scheme requiring less TPM resources. In: International Conference on Information Security and Cryptology–Inscrypt (2009)Google Scholar
  19. 19.
    Chen, L., Morrissey, P., Smart, N.P.: On proofs of Security of DAA Schemes. Provable Security–ProvSec 2008, LNCS 5324, pp. 167–175. Springer, Berlin (2008)Google Scholar
  20. 20.
    Chen, L., Morrissey, P., Smart, N.P.: Pairings in Trusted Computing. Pairings in Cryptography-Pairing 2008, LNCS 5209, pp. 1–17. Springer, Berlin (2008)Google Scholar
  21. 21.
    Chen, L., Morrissey, P., Smart, N.P.: DAA: Fixing the Pairing Based Protocols. Cryptology ePrint Archive. Report 2009/198, available at
  22. 22.
    Chen, L., Page, D., Smart, N.P.: On the Design and Implementation of an Efficient DAA Scheme. Smart Card Research and Advanced Application–CARDIS 2010, LNCS 6035, pp. 223–237. Springer, Berlin (2010)Google Scholar
  23. 23.
    Chen, L., Warinschi, B.: Security of the TCG Privacy-CA solution. Trusted Computing and Cmomunications–TrustCom 2010, pp. 609–616. IEEE (2010)Google Scholar
  24. 24.
    Chow, S.S.M.: Real Traceable Signatures. Selected Areas in Cryptography–SAC 2009, LNCS 5867, pp. 92–107. Springer, Berlin (2009)Google Scholar
  25. 25.
    Datta, A., Derek, A., Mitchell, J.C., Ramanathan, A., Scedrov, A.: Games and the Impossibility of Realizable Ideal Functionality. Theory of Cryptography Conference–TCC 2006, LNCS 3876, pp. 360–379. Springer, Berlin (2006) Google Scholar
  26. 26.
    Fiat, A., Shamir, A.: How to Prove Yourself: Practical Solutions to Identification and Signature Problems. Advances in Cryptology–CRYPTO 1986, LNCS 263, pp. 186–194. Springer, Berlin (1986)Google Scholar
  27. 27.
    Galbraith, S., Paterson, K., Smart, N.P.: Pairings for cryptographers. Discret. Appl. Math. 156, 3113–3121 (2008)MathSciNetzbMATHCrossRefGoogle Scholar
  28. 28.
    Ghadafi, E., Smart, N.P.: Efficient Two-Move Blind Signatures in the Common Reference String Model. Information Security–ISC 2012, LNCS 7483, pp. 274–289. Springer, Berlin (2012)Google Scholar
  29. 29.
    Green, M., Hohenberger, S.: Universally Composable Adaptive Oblivious Transfer. Advances in Cryptology–ASIACRYPT 2008, LNCS 5350, pp. 179–197. Springer, Berlin (2008)Google Scholar
  30. 30.
    Groth, J.: Fully Anonymous Group Signatures Without Random Oracles. Advances in Cryptology–ASIACRYPT 2007, LNCS 4833, pp. 164–180. Springer, Berlin (2007)Google Scholar
  31. 31.
    Juels, A., Luby, M., Ostrovsky, R.: Security of Blind Digital Signatures. Advances in Cryptology–CRYPTO ’97, LNCS 1294, pp. 150–164. Springer, Berlin (1997)Google Scholar
  32. 32.
    Liu, J.K., Wei, V.K., Wong, D.S.: Linkable Spontaneous Anonymous Group Signature for Ad Hoc Groups. Information Security and Privacy–ACISP 2004, LNCS 3108, pp. 325–335. Springer, Berlin (2004)Google Scholar
  33. 33.
    Lysyanskaya, A., Rivest, R., Sahai, A., Wolf, S.: Pseudonym Systems. Selected Areas in Cryptography–SAC 99, LNCS 1758, pp. 184–199. Springer, Berlin (1999)Google Scholar
  34. 34.
    Pointcheval, D., Stern, J.: Security arguments for digital signatures and blind signatures. J. Cryptol. 13(3), 361–396 (2000)zbMATHCrossRefGoogle Scholar
  35. 35.
    Tsang, P.P., Au, M.H., Kapadia, A., Smith, S.W.: Blacklistable Anonymous Credentials: Blocking Misbehaving Users without ttps. Computer and Communications Security–CCS 2007, pp. 72–81. ACM Press, New york (2007)Google Scholar
  36. 36.
    Trusted Computing Group (TCG): TPM Specification 1.2. Available at (2003)

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • D. Bernhard
    • 1
  • G. Fuchsbauer
    • 1
  • E. Ghadafi
    • 1
  • N. P. Smart
    • 1
  • B. Warinschi
    • 1
  1. 1.Department of Computer ScienceUniversity of BristolBristolUnited Kingdom

Personalised recommendations