Universally Composable Direct Anonymous Attestation
Direct Anonymous Attestation (DAA) is one of the most complex cryptographic algorithms that have been deployed in practice. In spite of this and the long body of work on the subject, there is still no fully satisfactory security definition for DAA. This was already acknowledged by Bernard et al. (IJIC’13), who showed that in existing models insecure protocols can be proved secure. Bernard et al. therefore proposed an extensive set of security games which, however, aim only at a simplified setting termed pre-DAA. In pre-DAA, the host platform that runs the TPM is assumed to be trusted. Consequently, their notion does not guarantee any security if the TPM is embedded in a potentially corrupt host, which is a significant restriction. In this paper, we give a comprehensive security definition for full DAA in the form of an ideal functionality in the Universal Composability model. Our definition considers the host and TPM to be separate entities that can be in different corruption states. None of the existing DAA schemes satisfy our strong security notion. We therefore propose a realization that is based on a DAA scheme supported by the TPM 2.0 standard and prove it secure in our model.
This work was supported by the European Commission through the Seventh Framework Programme, under grant agreements #321310 for the PERCY grant and #318424 for the project FutureID.