
Anonymous attestation with user-controlled linkability

  • Regular Contribution
International Journal of Information Security


This paper is motivated by the observation that existing security models for direct anonymous attestation (DAA) have problems to the extent that insecure protocols may be deemed secure when analysed under these models. This is particularly disturbing as DAA is one of the few complex cryptographic protocols resulting from recent theoretical advances actually deployed in real life. Moreover, standardization bodies are currently looking into designing the next generation of such protocols. Our first contribution is to identify issues in existing models for DAA and explain how these errors allow for proving security of insecure protocols. These issues are exhibited in all deployed and proposed DAA protocols (although they can often be easily fixed). Our second contribution is a new security model for a class of “pre-DAA schemes”, that is, DAA schemes where the computation on the user side takes place entirely on the trusted platform. Our model captures more accurately than any previous model the security properties demanded from DAA by the Trusted Computing Group (TCG), the group that maintains the DAA standard. Extending the model from pre-DAA to full DAA is only a matter of refining the trust models on the parties involved. Finally, we present a generic construction of a DAA protocol from new building blocks tailored for anonymous attestation. Some of them are new variations on established ideas and may be of independent interest. We give instantiations for these building blocks that yield a DAA scheme more efficient than the one currently deployed, and as efficient as the one about to be standardized by the TCG, which has no valid security proof.



Notes

  1. Note that repairing [4] to avoid our problem is trivial, and whether one considers our observation to be an “attack” depends on one’s view as to what a DAA protocol is meant to achieve. The motivation of the work in this paper is to clarify misunderstandings as to what the goals are.

  2. Interestingly, most of the added complication is due to the TCG’s requirement that holders of secret keys should be able to revoke their key by publishing it on a list. Despite this being a requirement of the TCG, we are unsure how in practice a user would obtain the key (embedded in the TPM) so as to be able to revoke it.


References

  1. Abe, M., Chow, S.S.M., Haralambiev, K., Ohkubo, M.: Double-Trapdoor Anonymous Tags for Traceable Signatures. Applied Cryptography and Network Security–ACNS 2011, LNCS 6715, pp. 183–200. Springer, Berlin (2011)

  2. Ateniese, G., Camenisch, J., Hohenberger, S., de Medeiros, B.: Practical Group Signatures Without Random Oracles. Cryptology ePrint Archive. Report 2005/385, available at

  3. Ateniese, G., Camenisch, J., de Medeiros, B.: Untraceable RFID Tags Via Insubvertible Encryption. Computer and Communications Security–CCS 2005, pp. 92–101. ACM Press, New York (2005)

  4. Brickell, E., Camenisch, J., Chen, L.: Direct Anonymous Attestation. Computer and Communications Security–CCS 2004, pp. 132–145. ACM Press, New York (2004)

  5. Brickell, E., Chen, L., Li, J.: A New Direct Anonymous Attestation Scheme from Bilinear Maps. Trusted Computing-Challenges and Applications–TRUST 2008, LNCS 4968, pp. 166–178. Springer, Berlin (2008)

  6. Brickell, E., Chen, L., Li, J.: Simplified security notions for direct anonymous attestation and a concrete scheme from pairings. Int. J. Inf. Secur. 8, 315–330 (2009)

  7. Brickell, E., Li, J.: Enhanced Privacy ID: A Direct Anonymous Attestation Scheme with Enhanced Revocation Capabilities. Privacy in the Electronic Society–WPES 2007, pp. 21–30. ACM Press, New York (2007)

  8. Brickell, E., Li, J.: Enhanced Privacy ID from Bilinear Pairing. Cryptology ePrint Archive. Report 2009/095, available at

  9. Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. J. Cryptol. 17(4), 297–319 (2004)

  10. Bellare, M., Micciancio, D., Warinschi, B.: Foundations of Group Signatures: Formal Definitions, Simplified Requirements, and a Construction Based on General Assumptions. Advances in Cryptology-Eurocrypt 2003, LNCS 2656, pp. 614–629. Springer, Berlin (2003)

  11. Boneh, D., Shacham, H.: Group Signatures with Verifier-Local Revocation. Computer and Communications Security–CCS 2004, pp. 168–177. ACM Press, New York (2004)

  12. Bellare, M., Shi, H., Zhang, C.: Foundations of Group Signatures: The Case of Dynamic Groups. Topics in Cryptology–CT-RSA 2005, LNCS 3376, pp. 136–153. Springer, Berlin (2005)

  13. Camenisch, J., Lysyanskaya, A.: Signature Schemes and Anonymous Credentials from Bilinear Maps. Advances in Cryptology–CRYPTO 2004, LNCS 3152, pp. 56–72. Springer, Berlin (2004)

  14. Canetti, R.: Universally Composable Signatures, Certification and Authentication. Cryptology ePrint Archive. Report 2003/239, available at

  15. Canetti, R.: Universally Composable Security: A New Paradigm for Cryptographic Protocols (revised version of December 2005). Cryptology ePrint Archive. Report 2000/067, available at

  16. Chase, M., Lysyanskaya, A.: On Signatures of Knowledge. Advances in Cryptology–CRYPTO 2006, LNCS 4117, pp. 78–96. Springer, Berlin (2006)

  17. Chen, X., Feng, D.: Direct anonymous attestation for next generation TPM. J. Comput. 3, 43–50 (2008)

  18. Chen, L.: A DAA scheme requiring less TPM resources. In: International Conference on Information Security and Cryptology–Inscrypt (2009)

  19. Chen, L., Morrissey, P., Smart, N.P.: On proofs of Security of DAA Schemes. Provable Security–ProvSec 2008, LNCS 5324, pp. 167–175. Springer, Berlin (2008)

  20. Chen, L., Morrissey, P., Smart, N.P.: Pairings in Trusted Computing. Pairings in Cryptography-Pairing 2008, LNCS 5209, pp. 1–17. Springer, Berlin (2008)

  21. Chen, L., Morrissey, P., Smart, N.P.: DAA: Fixing the Pairing Based Protocols. Cryptology ePrint Archive. Report 2009/198, available at

  22. Chen, L., Page, D., Smart, N.P.: On the Design and Implementation of an Efficient DAA Scheme. Smart Card Research and Advanced Application–CARDIS 2010, LNCS 6035, pp. 223–237. Springer, Berlin (2010)

  23. Chen, L., Warinschi, B.: Security of the TCG Privacy-CA solution. Trusted Computing and Communications–TrustCom 2010, pp. 609–616. IEEE (2010)

  24. Chow, S.S.M.: Real Traceable Signatures. Selected Areas in Cryptography–SAC 2009, LNCS 5867, pp. 92–107. Springer, Berlin (2009)

  25. Datta, A., Derek, A., Mitchell, J.C., Ramanathan, A., Scedrov, A.: Games and the Impossibility of Realizable Ideal Functionality. Theory of Cryptography Conference–TCC 2006, LNCS 3876, pp. 360–379. Springer, Berlin (2006)

  26. Fiat, A., Shamir, A.: How to Prove Yourself: Practical Solutions to Identification and Signature Problems. Advances in Cryptology–CRYPTO 1986, LNCS 263, pp. 186–194. Springer, Berlin (1986)

  27. Galbraith, S., Paterson, K., Smart, N.P.: Pairings for cryptographers. Discret. Appl. Math. 156, 3113–3121 (2008)

  28. Ghadafi, E., Smart, N.P.: Efficient Two-Move Blind Signatures in the Common Reference String Model. Information Security–ISC 2012, LNCS 7483, pp. 274–289. Springer, Berlin (2012)

  29. Green, M., Hohenberger, S.: Universally Composable Adaptive Oblivious Transfer. Advances in Cryptology–ASIACRYPT 2008, LNCS 5350, pp. 179–197. Springer, Berlin (2008)

  30. Groth, J.: Fully Anonymous Group Signatures Without Random Oracles. Advances in Cryptology–ASIACRYPT 2007, LNCS 4833, pp. 164–180. Springer, Berlin (2007)

  31. Juels, A., Luby, M., Ostrovsky, R.: Security of Blind Digital Signatures. Advances in Cryptology–CRYPTO ’97, LNCS 1294, pp. 150–164. Springer, Berlin (1997)

  32. Liu, J.K., Wei, V.K., Wong, D.S.: Linkable Spontaneous Anonymous Group Signature for Ad Hoc Groups. Information Security and Privacy–ACISP 2004, LNCS 3108, pp. 325–335. Springer, Berlin (2004)

  33. Lysyanskaya, A., Rivest, R., Sahai, A., Wolf, S.: Pseudonym Systems. Selected Areas in Cryptography–SAC 99, LNCS 1758, pp. 184–199. Springer, Berlin (1999)

  34. Pointcheval, D., Stern, J.: Security arguments for digital signatures and blind signatures. J. Cryptol. 13(3), 361–396 (2000)

  35. Tsang, P.P., Au, M.H., Kapadia, A., Smith, S.W.: Blacklistable Anonymous Credentials: Blocking Misbehaving Users without TTPs. Computer and Communications Security–CCS 2007, pp. 72–81. ACM Press, New York (2007)

  36. Trusted Computing Group (TCG): TPM Specification 1.2. Available at (2003)



This work has been supported in part by the European Commission through the ICT Programme under Contract ICT-2007-216676 ECRYPT II, by a European Research Council Advanced Grant ERC-2010-AdG-267188-CRIPTO and by the Engineering and Physical Sciences Research Council via grant EP/H043454/1. The fourth author has also been supported in part by a Royal Society Wolfson Merit Award.

Author information


Corresponding author

Correspondence to N. P. Smart.

About this article

Cite this article

Bernhard, D., Fuchsbauer, G., Ghadafi, E. et al. Anonymous attestation with user-controlled linkability. Int. J. Inf. Secur. 12, 219–249 (2013).
