ABSTRACT
Direct Anonymous Attestation (DAA) is a scheme that enables the remote authentication of a Trusted Platform Module (TPM) while preserving the user's privacy. A TPM can prove to a remote party that it is a valid TPM without revealing its identity and without linkability. In the DAA scheme, a TPM can be revoked only if the DAA private key in the hardware has been extracted and published widely so that verifiers obtain the corrupted private key. If the unlinkability requirement is relaxed, a TPM suspected of being compromised can be revoked even if the private key is not known. However, with the full unlinkability requirement intact, if a TPM has been compromised but its private key has not been distributed to verifiers, the TPM cannot be revoked. Furthermore, a TPM cannot be revoked from the issuer, if the TPM is found to be compromised after the DAA issuing has occurred. In this paper, we present a new DAA scheme called Enhanced Privacy ID (EPID) scheme that addresses the above limitations. While still providing unlinkability, our scheme provides a method to revoke a TPM even if the TPM private key is unknown. This expanded revocation property makes the scheme useful for other applications such as for driver's license. Our EPID scheme is efficient and secure in the same security model as DAA, i.e. in the random oracle model under the strong RSA assumption and the decisional Diffie-Hellman assumption.
- G. Ateniese, J. Camenisch, M. Joye, and G. Tsudik. A practical and provably secure coalition-resistant group signature scheme. In Advances in Cryptology ¿ CRYPTO ¿00, volume 1880 of LNCS, pages 255-¿270. Springer, 2000. Google ScholarDigital Library
- G. Ateniese, D. X. Song, and G. Tsudik. Quasi-efficient revocation in group signatures. In Proceedings of the 6th International Conference on Financial Cryptography, volume 2357 of LNCS, pages 183-¿197. Springer, 2002.Google Scholar
- M. Bellare, J. A. Garay, and T. Rabin. Fast batch verification for modular exponentiation and digital signatures. In Advances in Cryptology ¿ EUROCRYPT ¿98, volume 1403 of LNCS, pages 236-¿250. Springer, 1998.Google Scholar
- D. Boneh, X. Boyen, and H. Shacham. Short group signatures. In Advances in Cryptology ¿ CRYPTO ¿04, volume 3152 of LNCS, pages 41¿-55. Springer, 2004. 29Google Scholar
- D. Boneh and H. Shacham. Group signatures with verifier-local revocation. In Proceedings of 11th ACM Conference on Computer and Communications Security, pages 168¿-177, Oct. 2004. Google ScholarDigital Library
- S. A. Brands. Rethinking Public Key Infrastructures and Digital Certificates: Building in Privacy. MIT Press, Aug. 2000. Google ScholarDigital Library
- E. Bresson and J. Stern. Efficient revocation in group signatures. In Proceedings of the 4th International Workshop on Practice and Theory in Public Key Cryptography, pages 190-¿206. Springer, 2001. Google ScholarDigital Library
- E. Brickell, J. Camenisch, and L. Chen. Direct anonymous attestation. In Proceedings of the 11th ACM Conference on Computer and Communications Security, pages 132-¿145. ACM Press, 2004. Google ScholarDigital Library
- E. Brickell and J. Li. Enhanced Privacy ID: A direct anonymous attestation scheme with enhanced revocation capabilities. Cryptology ePrint Archive, Report 2007/194, 2007. http://eprint.iacr.org/.Google Scholar
- E. F. Brickell, D. Chaum, I. Damgård, and J. van de Graaf. Gradual and verifiable release of a secret. In Advances in Cryptology ¿ CRYPTO ¿87, volume 293 of LNCS, pages 156-¿166. Springer, 1987. Google ScholarDigital Library
- J. Camenisch and A. Lysyanskaya. An efficient system for non-transferable anonymous credentials with optional anonymity revocation. In Advances in Cryptology ¿ EUROCRYPT ¿01, volume 2045 of LNCS, pages 93-¿118. Springer, 2001. Google ScholarDigital Library
- J. Camenisch and A. Lysyanskaya. Dynamic accumulators and application to efficient revocation of anonymous credentials. In Advances in Cryptology ¿ CRYPTO ¿02, volume 2442 of LNCS, pages 61-¿76. Springer, 2002. Google ScholarDigital Library
- J. Camenisch and A. Lysyanskaya. A signature scheme with efficient protocols. In Proceedings of the 3rd Conference on Security in Communication Networks, volume 2576 of LNCS, pages 268¿-289. Springer, 2002.Google Scholar
- J. Camenisch and M. Michels. Proving in zero-knowledge that a number is the product of two safe primes. In In Advances in Cryptology ¿ EUROCRYPT ¿99, volume 1592 of LNCS, pages 106-¿121. Springer, 1999.Google Scholar
- J. Camenisch and M. Michels. Separability and efficiency for generic group signature schemes. In In Advances in Cryptology ¿ CRYPTO ¿99, volume 1666 of LNCS, pages 413-¿430. Springer, 1999. Google ScholarDigital Library
- J. Camenisch and M. Stadler. Efficient group signature schemes for large groups. In Advances in Cryptology ¿ CRYPTO ¿97, volume 1296 of LNCS, pages 410-¿424. Springer, 1997. Google ScholarDigital Library
- R. Canetti. Studies in Secure Multiparty Computation and Applications. PhD thesis, Weizmann Institute of Science, Rehovot, Israel, 1995.Google Scholar
- R. Canetti. Security and composition of multiparty cryptographic protocols. Journal of Cryptology, 13(1):143¿-202, 2000.Google ScholarDigital Library
- D. Chaum. Security without identification: Transaction systems to make big brother obsolete. Communications of the ACM, 28(10):1030¿-1044, 1985. Google ScholarDigital Library
- D. Chaum. Zero-knowledge undeniable signatures. In Advances in Cryptology ¿ EUROCRYPT ¿90, volume 473 of LNCS, pages 458¿-464. Springer, 1990. Google ScholarDigital Library
- D. Chaum, J.-H. Evertse, and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In Advances in Cryptology ¿ EUROCRYPT ¿87, volume 304 of LNCS, pages 127¿-141. Springer, 1987.Google Scholar
- D. Chaum and T. P. Pedersen. Wallet databases with observers. In Advances in Cryptology ¿ CRYPTO ¿92, volume 740 of LNCS, pages 89¿-105. Springer, 1992. Google ScholarDigital Library
- D. Chaum and E. van Heyst. Group signatures. In Advances in Cryptology ¿ EUROCRYPT ¿91, volume 547 of LNCS, pages 257¿-265. Springer, 1991.Google Scholar
- I. Damgård and E. Fujisaki. An integer commitment scheme based on groups with hidden order. In Advances in Cryptology ¿ ASIACRYPT ¿02, volume 2501 of LNCS, pages 125-¿142. Springer, Dec. 2002.Google Scholar
- A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In Advances in Cryptology ¿ CRYPTO ¿86, volume 263 of LNCS, pages 186¿-194. Springer, 1987. Google ScholarDigital Library
- E. Fujisaki and T. Okamoto. Statistical zero knowledge protocols to prove modular polynomial relations. In Advances in Cryptology ¿ CRYPTO ¿97, volume 1294 of LNCS, pages 16¿-30. Springer, 1997. Google ScholarDigital Library
- J. Kilian and E. Petrank. Identity escrow. In Advances in Cryptology ¿ CRYPTO ¿98, volume 1642 of LNCS, pages 169-¿185. Springer, 1998. Google ScholarDigital Library
- A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. Journal of Cryptology, 14(4):255¿-293, 2001.Google ScholarDigital Library
- B. Pfitzmann and M. Waidner. Composition and integrity preservation of secure reactive systems. In Proceedings of 7th ACM Conference on Computer and Communications Security, pages 245-¿254, Nov. 2000. Google ScholarDigital Library
- B. Pfitzmann and M. Waidner. A model for asynchronous reactive systems and its application to secure message transmission. In Proceedings of the IEEE Symposium on Security and Privacy, pages 184-¿200. IEEE Computer Society Press, 2001. Google ScholarDigital Library
- D. Pointcheval and J. Stern. Security proofs for signature schemes. In Advances in Cryptology ¿ EUROCRYPT ¿96, volume 1070 of LNCS, pages 387¿-398. Springer, 1996Google Scholar
- C. P. Schnorr. Efficient identification and signatures for smart cards. Journal of Cryptology, 4(3):161-¿174, 1991.Google ScholarDigital Library
- D. X. Song. Practical forward secure group signature schemes. In Proceedings of the 8th ACM Conference on Computer and Communications Security, pages 225¿-234. ACM Press, 2001. Google ScholarDigital Library
- Trusted Computing Group. TCG TPM specification 1.2, 2003. Available at http://www.trustedcomputinggroup.org.Google Scholar
- Trusted Computing Group website. http://www.trustedcomputinggroup.org.Google Scholar
Index Terms
- Enhanced privacy id: a direct anonymous attestation scheme with enhanced revocation capabilities
Recommendations
Direct anonymous attestation
CCS '04: Proceedings of the 11th ACM conference on Computer and communications securityThis paper describes the direct anonymous attestation scheme (DAA). This scheme was adopted by the Trusted Computing Group (TCG) as the method for remote authentication of a hardware module, called Trusted Platform Module (TPM), while preserving the ...
Enhanced Privacy ID: A Direct Anonymous Attestation Scheme with Enhanced Revocation Capabilities
Direct Anonymous Attestation (DAA) is a scheme that enables the remote authentication of a Trusted Platform Module (TPM) while preserving the user's privacy. A TPM can prove to a remote party that it is a valid TPM without revealing its identity and ...
Privacy-preserving multireceiver ID-based encryption with provable security
Multireceiver identity ID based encryption and ID-based broadcast encryption allow a sender to use the public identities of multiple receivers to encrypt messages so that only the selected receivers or a privileged set of users can decrypt the messages. ...
Comments