DAA Slides

Direct Anonymous Attestation
(DAA)
Liqun Chen
Trusted Systems Laboratory
Hewlett Packard Laboratories, Bristol
12 October 2005
The slides presented here were made for a DAA

seminar last year
outline
• what is DAA?
• what is DAA for?
• why DAA?
• how does DAA work?
12/10/2005 Direct anonymous attestation – a signature scheme for TCG page 2

outline
• what is DAA?
• why DAA?

DAA is a signature scheme
• DAA is a signature scheme designed for TCG

– signer: TPM (trusted platform module)
– verifier: an external partner
• the name of DAA is from

– Direct proof – without a TTP involvement
– Anonymous – do not disclose the identity of the signer
– Attestation – statement/claim from a TPM
• DAA was adopted by TCG and specified in TCG TPM

Specification Version 1.2, available at
www.trustcomputinggroup.org
• designers: Ernie Brickell of Intel, Jan Camenisch of IBM and

Liqun Chen of HP
category of signature schemes
– from a verifier’s point of view
• 1–out–1 signatures: ordinary signatures

– a verifier is given an authenticated public key of a
signer
• 1–out–n signatures: ring signatures, designated-
verifier signatures, concurrent signatures, ……
– a verifier is given authenticated public keys of all
potential signers
• 1–out–group signatures: group signatures, DAA
– a verifier is given an authenticated group public key

group signatures and DAA
• a group signature has fixed-traceability and unlinkability

– a group member certificate indicates an identity-disclosure
authority
– the authority can recover the identity of the real signer
from a group signature
• a DAA signature has flexible-traceability and flexible-
linkability
– there is no identity-disclosure authority (a DAA signature
cannot be opened by any TTP)
– a DAA signature provides the user-control link that can be
used to link some selected signatures from the same
signer for the same verifier

outline
• what is DAA?
• what is DAA for? – for TCG
• why DAA?

goals of the TCG architecture
ensure user’s
protect
user’s choice on use of
information security
mechanism
protect user’s protect

computing user’s
environment privacy

obstacle to achieving
the goals of the TCG architecture
security might be fundamentally incompatible with privacy

high security
&
low privacy

high security high privacy

& &
low privacy low security

high security high privacy

& &
low privacy a nd low security
u r ity
r s ec cy
e ri va
d e liv f p
a nt: tr ol o
ew c o n
w
h at u ser
w ide
v
pro

TPM (trusted platform module)
the TPM is the root of trust for reporting -

– it offers smartcard-like security capability embedded into the
platform
– it is trusted to operate as expected (conforms to the TCG spec)
– it is uniquely bound to a single platform
– its functions and storage are isolated from all other components
of the platform (e.g., the CPU)

TPM (trusted platform module)
the TPM is the root of trust for reporting -

– it offers smartcard-like security capability embedded into the
platform
– it is trusted to operate as expected (conforms to the TCG spec)
– it is uniquely bound to a single platform
– its functions and storage are isolated from all other components
of the platform (e.g., the CPU)
random number Non-volatile

generation Memory
Processor Memory
I/O hash asymmetric

signing and
key
HMAC generation encryption
clock/timer power detection

platform attestation
• TCG requires a TPM to have an embedded “endorsement

key (EK)”, to prove that a TPM is a particular genuine TPM
• EK is not a platform identity
• TCG lets a TPM control “multiple pseudonymous attestation

identities” by using “attestation identity key (AIK)”
• AIK is a platform identity, to attest to platform properties
we need a link between EK and AIK

privacy issue
I want to know I don’t want to

that AIK came disclose which
from a TPM TPM the AIK is
from
AIK
an external partner
a user
TPM – trusted platform module

EK – endorsement key
AIK – attestation identity key

privacy issue
I want to know I don’t want to

that AIK came disclose which
from a TPM TPM the AIK is
from
AIK
an external partner
a user
we seek a solution to convince an TPM – trusted platform module

external party that an AIK is held in a EK – endorsement key
TPM without identifying the TPM AIK – attestation identity key

outline
• what is DAA?
• why DAA?

previous solution is not good enough
the previous solution (before TCG TPM spec. v1.2) -
• involves a TTP to issue certificates
• allows choice of any (different) certification authorities

(privacy-CA) to certify each TPM identity
• can help prevent correlation, however

anonymity is dependent upon the private-CA

our goal and solution
• our goal: a solution provides

– anonymity without a TTP
– authentication without a certificate
• our solution:
– direct anonymous attestation (DAA)
direct proof replaces the TTP

a simple picture of DAA
TPM
EK AIK #1
DAA AIK #2

stock broker medical clinic

verifier verifier
TPM
EK AIK #1
DAA AIK #2


verifier verifier
a DAA a DAA
signature of signature of
AIK #1 TPM AIK #2
EK AIK #1
DAA AIK #2

I know that AIK #1 I know that AIK #2

came from a TPM, came from a TPM,
but I don’t know but I don’t know
which one. which one.

verifier verifier
a DAA a DAA
AIK #1 TPM AIK #2
EK AIK #1
DAA AIK #2

Wewe can’t
can’t tell
tell if if
AIK
Key #1 and Key#2
#1 and AIK
I know that AIK #1 #2came
camefrom
fromthe the I know that AIK #2
same
same TPM or
TPM or not.
not.

verifier verifier
a DAA a DAA
AIK #1 TPM AIK #2
EK AIK #1
DAA AIK #2

Wewe can’t
can’t tell
tell if if
AIK
Key #1 and Key#2
#1 and AIK
I know that AIK #1 #2came
camefrom
fromthe the I know that AIK #2
same
same TPM or
TPM or not.
not.
but
verifier
if the client behaves verifier
badly, I can stop him
to use my service
a DAA a DAA
AIK #1 TPM AIK #2
EK AIK #1
DAA AIK #2

outline
• what is DAA?
• why DAA?

the DAA scheme outline
• entities
– DAA issuer: a DAA certificate issuer (e.g., a manufacturer
of TCG platforms)
– DAA signer: a trusted platform module (TPM) with help
from a host platform
– DAA verifier: an external partner (e.g.,a service provider)
• primitives
– system and issuer setup
– join protocol
– signing algorithm
– verifying algorithm
– solution of restricted link
– solution of revocation
setup
• Issuer public key: PKI = (hk, n, g’, g, h, S, Z, R0, R1, γ, Γ, ρ)

– RSA parameters with
n – an RSA modulus
g’ ∈ QRn
g, h ∈ 〈g’ 〉 a non-interactive
S, Z ∈ 〈h 〉 proof of
R0, R1 ∈ 〈S 〉 correctness of
– a group of prime order with key generation
Γ - modulus (prime) (using the Fiat-
ρ - order (prime, s.t. ρ|Γ - 1) Shamir heuristic)
γ - generator (γ ρ = 1 mod Γ )
– a hash function
Hhk - a hash function of length hk
• private key: factorisation of n

join
entities: TPM, Host and Issuer
• DAA signing key (created by TPM):

– f0, f1 (104-bit)
• DAA certificate (created with Issuer):
– v (2536-bit)
– A (2048-bit)
– e (prime ∈R [2367, 2367 + 2119])
R0 R S v A e = Z (mod n )
f0 f1
1
values R0, R1, S, Z, n are part of PKI

• TPM stores f0, f1, v, H(A||e||PKI)
• Host stores A and e

join
entities: TPM, Host and Issuer an authentic channel

between TPM and
• DAA signing key (created by TPM): Issuer using the
– f0, f1 (104-bit) endorsement key (EK)
• DAA certificate (created with Issuer): of TPM
– v (2536-bit) v is contributed by
– A (2048-bit) both TPM and Issuer
– e (prime ∈R [2367, 2367 + 2119]) TPM proves to Issuer
knowledge of f0, f1 and
f0 f1
1 its contribution on v
values R0, R1, S, Z, n are part of PKI Issuer proves to Host
• TPM stores f0, f1, v, H(A||e||PKI) correctness of
certificate generation

join
entities: TPM, Host and Issuer an authentic channel

R1f R2f S
between
0 1 v
TPM
1
andIssuer
TPM
• DAA signing key (created by TPM): Issuer using the
– f0, f1 (104-bit) endorsement
A, e, v2 key (EK)
– v (2536-bit) with v is contributed
message by
authentication
– A (2048-bit) both TPM and
and correctness Issuer
checking

f0 f1

join
the Camenisch-
Lysyanskaya signature
entities: TPM, Host and Issuer
scheme and based an on authentic channel
R1f R2f S
between v
TPM andIssuer 0 1 1
TPM
the strong
• DAA signing key (created RSA problem
by TPM): Issuer using the
– f0, f1 (104-bit) given n and z endorsement
A, e, v2 key (EK)
find a and e
– v (2536-bit) e = z (mod with v is contributed
message by
authentication
– A (2048-bit)
s.t. a n) both TPM and
and correctness Issuer
checking

f0 f1

sign
Schnorr DAA signature

signature
private key : f0 , f1
private/public key
(x, y = gx) certificate : v,A,e, satisfying R f0 R f1S v Ae = Z (mod n )
public key : PK I = (hk , n, g ' , g, h, R0 , R1, S, Z, γ , Γ, ρ )
signature
msg - message
commitment
r ∈R {0,1}l
t=gr w , r ∈R {0,1} l ζ − the base name
c = H(t||msg) T1 = Ahw (mod n ) T2 = g w h e ( g ' )r (mod n )
s = r + xc Nv = ζ f0 +f1 2 (mod Γ )
104
σ = (c, s)
verification signature
c ≡ H(gsy-c||msg) msg, r, t, c, s, σ

sign
a DAA signature is presented by
msg, r, t, c, s, σ

sign
msg = b||m DAA signature

b ∈ {0,1}
m ∈ {AIK, other
string}
if b = 0,
m = AIK - RSA key
if b = 1
m = other string
msg, r, t, c, s, σ
sign

b ∈ {0,1} r = { rv , rv , rf , rf ,
1 2 0 1
m ∈ {AIK, other re , ree , rw , rr , rew , rer }

string} rv , rv , rf , rf
1 2 0 1
if b = 0,
m = AIK - RSA keyare chosen by TPM
if b = 1 re , ree , rw , rr , rew , rer
m = other string are chosen by Host
msg, r, t, c, s, σ
sign

b ∈ {0,1} r = { rv , rv , rf t,=rf{T~,,T~ ,T~' ,N~ }
1
~
2 0 1
1 2 2 v
m ∈ {AIK, other T = R R S S T h (mod n ) rf0 rf1 rv1 rv 2 re − rew

1 0 1 1
re , ree , rw , rrT~, r=ewg ,hrer }
g ' (mod n ),
2
rw re rr
string} ~
rv , rv , rf , rf T~' = T g h g ' (mod n) 2 2
− re rew ree rer
1 2 0 1
if b = 0, N =ζ (mod Γ )
v
rf0 + rf1 2104
m = AIK - RSA keyare chosen TPM by computes

TPM R R S S rf0 rf1 rv1 rv 2
0 1
~
and N
if b = 1 re , ree , rw , rr , rewHost
, rcomputes
er others
v
m = other string are chosen by Host
msg, r, t, c, s, σ
sign

b ∈ {0,1} r = { rv , rv , rf t,=rf{T~,,T~ ,T~' ,N~ }
1
~
2 0 1
1 2 2 v
m ∈ {AIK, other T = R R S S T h (mod n ) rf0 rf1 rv1 rv 2 re − rew

1 0 1 1
re , ree , rw , rcrT~,=r=ew
{PK, rg||ζ||
g h Ier
}
' (mod n ),
2
rw re rr
string} rv , rv , rf , rf T~'commitment||
~
= T g h g ' (mod n )
2 2
− re rew ree rer
1 2 0 1
if b = 0, N t||n= ζ v||nt||msg}
(mod Γ )
v
rf0 + rf1 2104
m = AIK - RSA keyare chosenwhere by computes

TPMnv and R RnS rf0 rf1 rv1 rv 2
TPM t S 0 1
~
are
and N
re , ree , rw , rr , rewHost nonce
, rcomputes v
if b = 1 er
chosen by others
m = other string are chosenverifier by Host & TPM
respectively
msg, r, t, c, s, σ
sign

s f = rf + cf 0
b ∈ {0,1}
0 0
r = { rv , rv , rf t,=rf{T,,T ,T ' ,sNf } = rf + cf 1

1
~ ~ ~ ~
2 0 1
1 2 2 v
~
m ∈ {AIK, other
1 1
T = R R S S T h (mod n ) rf0 rf1 rv1 rv 2 re − rew
s}v =nr),v + cv
1 0 1 1
{PK , rg||ζ||
g h Ier ' (mod 2
rw re rr
string} rv , rv , rf , rf ~ T
~ commitment||
' = T g s
h eg =
' r
(mod
2e + nc) ( e2
− 2
− re367
) rew ree rer
1 2 0 1
if b = 0, N t||n= ζ v||nt||msg}
ee = r ee + ce
s(mod Γ)
v
2 rf0 + rf1 2104

TPM t +S c
~ s w = r w w
0 1
are
and N
re , ree , rw , rr , rewHost nonce
, rcomputes v
if b = 1 er s = r + cew
chosen byewothers ew
m = other string are chosenverifier by Host r = r r + cr
& sTPM
s er = rer + cer
respectively
msg, r, t, c, s, σ
sign

s f = rf + cf 0
b ∈ {0,1}
0 0
r = { rv , rv , rf t,=rf{T,,T ,T ' s,Nf }= rf + cf1

1
~ ~ ~ ~
2 0 1
1 2 2 v
~
m ∈ {AIK, other
1 1
T = R R S S Tsignature h (mod n ) : rf0 rf1 rv1 rv 2 re − rew
s}v = nrv), + cv
1 0 1 1
{PK , rg||ζ||
g h Ier
σ = (ζ , commitment
rw re rr
' (mod
string}
2
, c, nt , s )
rv , rv , rf , rf ~ T
~ commitment||
' = T g s
h e g=' r
(mod
e 2
+ c
n )( e −
2
2 367
− re ) rew ree rer
(mod=Γ )r= (ζ ,T1,2T2 , Nv , c, nt ,

1 2 0 1
if b = 0, N t||n= ζ v||nts ||msg} ee + ce
rf0 + rf1 2104
v
ee

TPM t +Sscvw, sf , sf , se , see ,
~ s w = r w
0 1
0 1
if b = 1 re , ree , rw , rr , rare
ew
and N
, nonce
r er s = r s+ cew
v
,s ,s ,s )
Host computes
chosen byewothers ew w ew r er
m = other string are chosenverifier by Host &sTPMr = rr + cr
s er = rer + cer
respectively
msg, r, t, c, s, σ
verify
input - message, signature and public key of Issuer

b || m, σ = (ζ ,T1,T2 , N v , c, n t , sv , s f0 , s f1 , s e , s ee , sw , s ew , s r , s er )
PK I = ( hk , n, g , g ' , h, R 0 , R1, S, Z , γ , Γ, ρ )
compute -
Tˆ1 = Z −cT1se + c 2 R 0sf0 R1sf1 S sv h −sew (mod n )
367
Tˆ2 = T2−c g sw h se + c 2 ( g ' )s r (mod n )

367
Tˆ '2 = T2−( se + c 2 )g sew h see ( g ' )ser (mod n )

367
Nˆ v = N v−c ζ sf0 + sf1 2 (mod Γ )

104
verify -
c ≡ H hk (PK I || ζ || T1 || T2 || N v || Tˆ1 || Tˆ2 || Tˆ ' 2 || Nˆ v || nt || nv || b || m )
N v ,ζ ∈R γ ζ = (H Γ (1 || bsn ))( Γ −1) / ρ (mod Γ )
s f0 , s f1 ∈ {0,1} 345 s e ∈ {0,1} 361

restricted link for a verifier
– named/random base in a DAA signature
high security low security

& &
low privacy high privacy
sensitivity
sensitivity
security
privacy
high security low security

& &
low privacy high privacy
named base random base

sensitivity
sensitivity
security
privacy
combined base

a base: ζ∈R 〈γ〉 or ζ = (H(1||bsn))(Γ-1)/ρ (mod Γ)

Nv = ζ f0 +f1 2 (mod Γ )
104
high security named base – verifier can link low security

& two signatures from the same &
low privacy TPM signed for the verifier high privacy
random base – no link
named base random base

sensitivity
sensitivity
security
privacy
combined base

revoking a certificate
• if f0 and f1 are known

– put f0 and f1 on a certificate revocation list and check
the list in each verification process
• if f0 and f1 are not known
– the name base solution can help a verifier to create
his own certificate revocation list with
N v = ζ f0 +f1 2 (mod Γ )
104
ζ = (H(1||bsn))(Γ-1)/ρ (mod Γ)

security proof
• we prove the above DAA scheme is secure in the random oracle

model under
– the strong RSA assumption
– the DDH assumption in QRn and
– the DDH assumption in 〈γ〉
• By “the scheme is secure”, we mean

– there exists no adversary that can adaptively run the join
protocol, ask for signature by other (i.e., honest) members, and
then output a signature containing a value Nv such that for all f0
and f1 extracted from the adversary in the join protocol Nv does
not match
Nv = ζ f0 +f1 2 (mod Γ )
104

summary
DAA -
§ is a signature scheme
§ offers a zero knowledge proof of a key certificate
§ provides a variety of balances between security and
privacy by choosing
• random base – for privacy sensitive cases
• named base – for non privacy-sensitive cases
• combinations
§ has a security proof in the random oracle model based on:
• the strong RSA assumption
• the DDH assumption

future work
• more flexible privacy solutions

• more flexible revocation solutions

further information
• TCG initiatives:
http://www.trustedcomputing.org
• E. Brickell, J. Camenisch and L. Chen. Direct

anonymous attestation. In Proc. 11th ACM Conference
on Computer and Communications Security, pages
132-145, ACM press, 2004
• B. Balacheff, L. Chen, S. Pearson, D. Plaquin and G.

Proudler, Trusted Computing Platforms: TCPA
technology in context, Prentice Hall PTR, 2003

HP logo

DAA Slides

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

DAA Slides

Uploaded by

Copyright:

Available Formats

Direct Anonymous Attestation

The slides presented here were made for a DAA

12/10/2005 Direct anonymous attestation – a signature scheme for TCG page 2

12/10/2005 Direct anonymous attestation – a signature scheme for TCG page 3

• DAA is a signature scheme designed for TCG

• the name of DAA is from

• DAA was adopted by TCG and specified in TCG TPM

• designers: Ernie Brickell of Intel, Jan Camenisch of IBM and

• 1–out–1 signatures: ordinary signatures

12/10/2005 Direct anonymous attestation – a signature scheme for TCG page 5

• a group signature has fixed-traceability and unlinkability

12/10/2005 Direct anonymous attestation – a signature scheme for TCG page 6

12/10/2005 Direct anonymous attestation – a signature scheme for TCG page 7

protect user’s protect

12/10/2005 Direct anonymous attestation – a signature scheme for TCG page 8

security might be fundamentally incompatible with privacy

12/10/2005 Direct anonymous attestation – a signature scheme for TCG page 9

security might be fundamentally incompatible with privacy

12/10/2005 Direct anonymous attestation – a signature scheme for TCG page 10

security might be fundamentally incompatible with privacy

high security high privacy

12/10/2005 Direct anonymous attestation – a signature scheme for TCG page 11

security might be fundamentally incompatible with privacy

high security high privacy

12/10/2005 Direct anonymous attestation – a signature scheme for TCG page 12

the TPM is the root of trust for reporting -

12/10/2005 Direct anonymous attestation – a signature scheme for TCG page 13

the TPM is the root of trust for reporting -

random number Non-volatile

I/O hash asymmetric

clock/timer power detection

12/10/2005 Direct anonymous attestation – a signature scheme for TCG page 14

• TCG requires a TPM to have an embedded “endorsement

• EK is not a platform identity

• TCG lets a TPM control “multiple pseudonymous attestation

• AIK is a platform identity, to attest to platform properties

we need a link between EK and AIK

12/10/2005 Direct anonymous attestation – a signature scheme for TCG page 15

I want to know I don’t want to

TPM – trusted platform module

12/10/2005 Direct anonymous attestation – a signature scheme for TCG page 16

I want to know I don’t want to

we seek a solution to convince an TPM – trusted platform module

12/10/2005 Direct anonymous attestation – a signature scheme for TCG page 17

12/10/2005 Direct anonymous attestation – a signature scheme for TCG page 18

the previous solution (before TCG TPM spec. v1.2) -

• involves a TTP to issue certificates

• allows choice of any (different) certification authorities

• can help prevent correlation, however

12/10/2005 Direct anonymous attestation – a signature scheme for TCG page 19

• our goal: a solution provides

12/10/2005 Direct anonymous attestation – a signature scheme for TCG page 20

12/10/2005 Direct anonymous attestation – a signature scheme for TCG page 21

stock broker medical clinic

12/10/2005 Direct anonymous attestation – a signature scheme for TCG page 22

stock broker medical clinic

12/10/2005 Direct anonymous attestation – a signature scheme for TCG page 23

I know that AIK #1 I know that AIK #2

stock broker medical clinic

12/10/2005 Direct anonymous attestation – a signature scheme for TCG page 24

stock broker medical clinic

12/10/2005 Direct anonymous attestation – a signature scheme for TCG page 25

12/10/2005 Direct anonymous attestation – a signature scheme for TCG page 26