Improving the security of direct anonymous attestation under host corruptions

Abstract

Direct anonymous attestation (DAA) enables a platform that includes a trusted platform module (TPM) to produce a signature that remotely attests it is in a certified state while preserving its anonymity. A main feature of DAA is that a TPM and a host together act as a signer: the TPM is less powerful but trustworthy, whereas the host is more powerful but vulnerable to corruption. Although DAA is standardized and widely implemented in various fields, current security notions for DAA have been defined ambiguously with respect to host corruption. In this study, we redefine the DAA security notions to cover both static and dynamic host corruption, and formalize them as concrete security models in a game-based framework. Compared with the recent simulation-based security notions (without subverted TPMs) by Camenisch et al., the proposed notions cover a broader range of realistic attack scenarios for DAA and reach the level of security that DAA was originally intended to provide. Furthermore, we present a DAA instantiation with this security improvement by demonstrating that a variant of the LRSW-DAA by Camenisch et al. is provably secure in the new game-based security models.


Notes

  1. Depending on the state of bsn, the host can be either honest or malicious. This will be mentioned in Sect. 3.

  2. This is the symmetric discrete logarithm problem that holds in asymmetric pairing-based groups.

  3. We borrow much of the definitions regarding the view and the transcript from [17].

References

  1. Ballard, L., Green, M., de Medeiros, B., Monrose, F.: Correlation-resistant storage. Technical report, TR-SP-BGMM-050507, Johns Hopkins University Department of Computer Science (2005)

  2. Baric, N., Pfitzmann, B.: Collision-free accumulators and fail-stop signature schemes without trees. In: Advances in Cryptology—EUROCRYPT ’97. Lecture Notes in Computer Science, vol. 1233, pp. 480–494. Springer (1997)

  3. Barreto, P.S.L.M., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Selected Areas in Cryptography—SAC ’05. Lecture Notes in Computer Science, vol. 3897, pp. 319–331. Springer (2005)

  4. Bellare, M., Rogaway, P.: Random oracles are practical: A paradigm for designing efficient protocols. In: Computer and Communications Security—CCS ’93. pp. 62–73. ACM (1993)

  5. Bernhard, D., Fischlin, M., Warinschi, B.: Adaptive proofs of knowledge in the random oracle model. In: Public-Key Cryptography—PKC ’15. Lecture Notes in Computer Science, vol. 9020, pp. 625–649. Springer (2015)

  6. Bernhard, D., Fuchsbauer, G., Ghadafi, E., Smart, N.P., Warinschi, B.: Anonymous attestation with user-controlled linkability. Int. J. Inf. Sec. 12(3), 219–249 (2013)

  7. Bichsel, P., Camenisch, J., Neven, G., Smart, N.P., Warinschi, B.: Get shorty via group signatures without encryption. In: Security and Cryptography for Networks—SCN ’10. Lecture Notes in Computer Science, vol. 6280, pp. 381–398. Springer (2010)

  8. Boneh, D., Boyen, X.: Short signatures without random oracles. In: Advances in Cryptology—EUROCRYPT ’04. Lecture Notes in Computer Science, vol. 3027, pp. 56–73. Springer (2004)

  9. Boneh, D., Boyen, X., Shacham, H.: Short group signatures. In: Advances in Cryptology—CRYPTO ’04. Lecture Notes in Computer Science, vol. 3152, pp. 41–55. Springer (2004)

  10. Brickell, E.F., Camenisch, J., Chen, L.: Direct anonymous attestation. In: Computer and Communications Security—CCS ’04. pp. 132–145. ACM (2004)

  11. Brickell, E., Chen, L., Li, J.: A new direct anonymous attestation scheme from bilinear maps. In: Trusted Computing: Challenges and Applications—TRUST ’08. Lecture Notes in Computer Science, vol. 4968, pp. 166–178. Springer (2008)

  12. Brickell, E., Chen, L., Li, J.: Simplified security notions of direct anonymous attestation and a concrete scheme from pairings. Int. J. Inf. Sec. 8(5), 315–330 (2009)

  13. Brickell, E., Chen, L., Li, J.: A (corrected) DAA scheme using batch proof and verification. In: Trusted Systems—INTRUST ’11. Lecture Notes in Computer Science, vol. 7222, pp. 304–337. Springer (2011)

  14. Brickell, E., Li, J.: Enhanced privacy ID: a direct anonymous attestation scheme with enhanced revocation capabilities. In: Workshop on Privacy in the Electronic Society—WPES ’07. pp. 21–30. ACM (2007)

  15. Brickell, E., Li, J.: A pairing-based DAA scheme further reducing TPM resources. In: Trust and Trustworthy Computing—TRUST ’10. Lecture Notes in Computer Science, vol. 6101, pp. 181–195. Springer (2010)

  16. Brickell, E., Li, J.: Enhanced privacy ID from bilinear pairing for hardware authentication and attestation. Int. J. Inf. Priv. Secur. Integr. 1(1), 3–33 (2011)

  17. Beimel, A., Malkin, T., Micali, S.: The all-or-nothing nature of two-party secure computation. In: Advances in Cryptology—CRYPTO ’99. Lecture Notes in Computer Science, vol. 1666, pp. 80–97. Springer (1999)

  18. Camenisch, J., Chen, L., Drijvers, M., Lehmann, A., Novick, D., Urian, R.: One TPM to bind them all: Fixing TPM 2.0 for provably secure anonymous attestation. In: Security and Privacy—SP ’17. pp. 901–920. IEEE Computer Society (2017)

  19. Camenisch, J., Drijvers, M., Edgington, A., Lehmann, A., Lindemann, R., Urian, R.: FIDO ECDAA algorithm (2017), https://fidoalliance.org/specs/fido-uaf-v1.1-id-20170202/fido-ecdaa-algorithm-v1.1-id-20170202.html

  20. Camenisch, J., Drijvers, M., Lehmann, A.: Anonymous attestation using the strong Diffie–Hellman assumption revisited. In: Trust and Trustworthy Computing—TRUST ’16. Lecture Notes in Computer Science, vol. 9824, pp. 1–20. Springer (2016)

  21. Camenisch, J., Drijvers, M., Lehmann, A.: Universally composable direct anonymous attestation. In: Public-Key Cryptography—PKC ’16 Part II. Lecture Notes in Computer Science, vol. 9615, pp. 234–264. Springer (2016)

  22. Camenisch, J., Drijvers, M., Lehmann, A.: Anonymous attestation with subverted TPMs. In: Advances in Cryptology—CRYPTO ’17 Part III. Lecture Notes in Computer Science, vol. 10403, pp. 427–461. Springer (2017)

  23. Camenisch, J., Stadler, M.: Efficient group signature schemes for large groups (extended abstract). In: Advances in Cryptology—CRYPTO ’97. Lecture Notes in Computer Science, vol. 1294, pp. 410–424. Springer (1997)

  24. Chen, L.: A DAA scheme requiring less TPM resources. In: Information Security and Cryptology—Inscrypt ’09. Lecture Notes in Computer Science, vol. 6151, pp. 350–365. Springer (2009)

  25. Chen, L., Li, J.: Flexible and scalable digital signatures in TPM 2.0. In: Computer and Communications Security—CCS ’13. pp. 37–48. ACM (2013)

  26. Chen, L., Morrissey, P., Smart, N.P.: On proofs of security for DAA schemes. In: Provable Security, Second International Conference—ProvSec ’08. Lecture Notes in Computer Science, vol. 5324, pp. 156–175. Springer (2008)

  27. Chen, L., Morrissey, P., Smart, N.P.: Pairings in trusted computing. In: Pairing-Based Cryptography—Pairing ’08. Lecture Notes in Computer Science, vol. 5209, pp. 1–17. Springer (2008)

  28. Chen, L., Page, D., Smart, N.P.: On the design and implementation of an efficient DAA scheme. In: Smart Card Research and Advanced Application—CARDIS ’10. Lecture Notes in Computer Science, vol. 6035, pp. 223–237. Springer (2010)

  29. Chen, L., Urian, R.: DAA-A: direct anonymous attestation with attributes. In: Trust and Trustworthy Computing—TRUST ’15. Lecture Notes in Computer Science, vol. 9229, pp. 228–245. Springer (2015)

  30. Chen, X., Feng, D.: Direct anonymous attestation for next generation TPM. J. Compt. 3(12), 43–50 (2008)

  31. Fiat, A., Shamir, A.: How to prove yourself: Practical solutions to identification and signature problems. In: Advances in Cryptology—CRYPTO ’86. Lecture Notes in Computer Science, vol. 263, pp. 186–194. Springer (1986)

  32. Fischlin, M.: Communication-efficient non-interactive proofs of knowledge with online extractors. In: Advances in Cryptology—CRYPTO ’05. Lecture Notes in Computer Science, vol. 3621, pp. 152–168. Springer (2005)

  33. Galbraith, S.D., Paterson, K.G., Smart, N.P.: Pairings for cryptographers. Discret. Appl. Math. 156(16), 3113–3121 (2008)

  34. Garman, C., Green, M., Miers, I.: Decentralized anonymous credentials. In: Network and Distributed System Security Symposium—NDSS ’14. The Internet Society (2014)

  35. Groth, J.: Simulation-sound NIZK proofs for a practical language and constant size group signatures. In: Advances in Cryptology—ASIACRYPT ’06. Lecture Notes in Computer Science, vol. 4284, pp. 444–459. Springer (2006)

  36. ISO: ISO/IEC 20008-2. Information technology: Security techniques—Anonymous digital signatures—Part 2: Mechanisms using a group public key approach. Standard, International Organization for Standardization (2013)

  37. Lysyanskaya, A., Rivest, R.L., Sahai, A., Wolf, S.: Pseudonym systems. In: Selected Areas in Cryptography—SAC ’99. Lecture Notes in Computer Science, vol. 1758, pp. 184–199. Springer (1999)

  38. Proudler, G., Chen, L., Dalton, C.: Trusted Computing Platforms—TPM2.0 in Context. Springer (2014)

  39. Raj, H., Saroiu, S., Wolman, A., Aigner, R., Cox, J., England, P., Fenner, C., Kinshumann, K., Löser, J., Mattoon, D., Nyström, M., Robinson, D., Spiger, R., Thom, S., Wooten, D.: fTPM: A software-only implementation of a TPM chip. In: USENIX Security Symposium ’16. pp. 841–856. USENIX Association (2016)

  40. Trusted Computing Group (TCG): TPM main specification version 1.2 (2004), https://trustedcomputinggroup.org

  41. Trusted Computing Group (TCG): 2.0 Automotive Thin Profile (2014), https://trustedcomputinggroup.org

  42. Trusted Computing Group (TCG): Trusted platform module library specification, family “2.0” (2014), https://trustedcomputinggroup.org

  43. Whitefield, J., Chen, L., Giannetsos, T., Schneider, S., Treharne, H.: Privacy-enhanced capabilities for VANETs using direct anonymous attestation. In: Vehicular Networking Conference—VNC ’17. pp. 123–130. IEEE (2017)

  44. Xi, L., Yang, K., Zhang, Z., Feng, D.: DAA-related APIs in TPM 2.0 revisited. In: Trust and Trustworthy Computing—TRUST ’14. Lecture Notes in Computer Science, vol. 8564, pp. 1–18. Springer (2014)

Acknowledgements

This work was supported by an Institute for Information & communications Technology Promotion (IITP) grant funded by the Korea government (MSIT) (No. 2016-6-00599, A Study on Functional Signature and Its Applications). Jong Hwan Park and Dong Hoon Lee are the co-corresponding authors of this paper.

Funding

This study was funded by an Institute for Information & communications Technology Promotion (IITP) grant funded by the Korea government (MSIT).

Corresponding author

Correspondence to Jong Hwan Park.

Ethics declarations

Conflict of interest

The authors declare that they have no conflict of interest.

Ethical approval

This article does not contain any studies with human participants or animals performed by any of the authors.

Cite this article

Kim, H., Lee, K., Park, J.H. et al. Improving the security of direct anonymous attestation under host corruptions. Int. J. Inf. Secur. 20, 475–492 (2021). https://doi.org/10.1007/s10207-020-00507-6

Keywords

  • Anonymous attestation
  • DAA
  • Host corruption
  • LRSW
  • TPM