Better Privacy for Trusted Computing Platforms

The trusted computing group (TCG) specified two protocols that allow a trusted hardware device to remotely convince a communication partner that it is indeed a trusted hardware device. In turn, This enables two communication partners to establish that the other end is a secure computing platform and hence it is safe exchange data. Both these remote identification protocols provide some degree of privacy to users of the platforms. That is, the communication partners can only establish that the other end uses some trusted hardware device but not which particular one. The first protocol achieves this property by involving trusted third party called Privacy CA in each transaction. This party must be fully trusted by all other parties. In practice, however, this is a strong requirement that is hard to fulfill. Therefore, TCG proposed a second protocol called direct anonymous attestation that overcomes this drawback using techniques known from group signature schemes. However, it offers less privacy than the one involving the Privacy CA. The reason for this is that the protocol needs to allow the verifier to detect rogue hardware devices while before this detection was done by the Privacy CA. In this paper we show how to extend the direct anonymous attestation protocols such that if offers the same degree of privacy as the first solution but still allows the verifier to rogue devices.