JOURNAL OF COMPUTERS, VOL. 3, NO. 12, DECEMBER 2008
Direct Anonymous Attestation for Next Generation TPM

CHEN Xiaofeng, State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, Beijing, China. Email: [email protected]
FENG Dengguo, State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, Beijing, China. Email: [email protected]
Abstract—Trusted computing platforms have been proposed as a promising approach to enhancing the security of general-purpose computing systems. Direct Anonymous Attestation (DAA) is a scheme that allows a Trusted Platform Module (TPM), the core component of the trusted computing platform, to remotely convince a communication partner that it is indeed a Trusted Platform Module while preserving the user's privacy. The first DAA scheme, developed by Brickell, is relatively complex and time-consuming and was adopted by the current TPM specification. As the ECC cryptosystem is more efficient than the RSA cryptosystem, more and more cryptographic devices are based on ECC, so it is anticipated that the TPM will be based on ECC in the near future. In this paper, we propose a new direct anonymous attestation scheme that is suitable for an ECC-based TPM. This paper presents an efficient construction that implements all anonymous authentication features specified in DAA. The proposed scheme has the best computational performance of all DAA schemes up to now. The new DAA scheme is provably secure in the random oracle model under the q-SDH and the decisional Diffie-Hellman assumptions.
Index Terms—Direct Anonymous Attestation; Trusted Computing Platform; Trusted Platform Module; ECC
I. INTRODUCTION

Direct Anonymous Attestation (DAA) is a scheme developed by Brickell, Camenisch and Chen [2], which we refer to as the BCC scheme in this paper, for remote authentication of a security hardware module, called the Trusted Platform Module (TPM), while preserving the privacy of the user of the platform that contains the module. The scheme was adopted by the Trusted Computing Group (TCG) [7], a non-profit standardization body that aims to develop and promote an open industry standard for trusted computing hardware and software building blocks, and was included in TPM specification version 1.2. According to the TPM specification, the current BCC implementation is based on the RSA cryptosystem, whose computation consists of modular exponentiations, modular squarings and multiplications. One limitation of the original BCC scheme is that the lengths of private keys and DAA signatures are quite large for a small TPM, i.e., around 670 bytes and 2800 bytes, respectively. It is inappropriate for a mobile platform to adopt the BCC scheme. Unlike desktop computers, mobile devices have very stringent limitations with respect to available power, physical circuit area, and cost. So, at the PKC 2007 conference, He Ge and Stephen R. Tate proposed a new DAA scheme [3], which we refer to as the HS scheme, for devices with low computing capabilities, such as cell phones. Both DAA schemes are suited to an RSA-based TPM that implements the modular squaring and multiplication operations; the security of both schemes is based on the strong RSA assumption and the decisional Diffie-Hellman assumption. According to [5], elliptic curve cryptography is more efficient than integer factorization systems and discrete logarithm systems in terms of key sizes and bandwidth for schemes of comparable security. This feature makes it especially attractive for the next generation TPM. There are two reasons why it will be necessary in the near future to design a new ECC-based TPM architecture:

1. The current encryption and decryption scheme is based on RSA systems. Compared to the ECC cryptosystem, the efficiency of the RSA-based system is relatively poor, more and more cryptosystems are based on elliptic curves, and at the same security level the ECC cryptosystem has a shorter key length.

2. In the current TPM implementation, the BCC scheme is adopted as the privacy solution, but the BCC scheme is so complex and time-consuming that it is very difficult to deploy. Also because of its complexity, it is not practical to implement the BCC scheme on a mobile computing platform, so it is necessary to design a new efficient direct anonymous attestation scheme that can also be implemented on a mobile platform.

In this paper, we give a new direct anonymous attestation scheme based on bilinear maps. The new practical DAA scheme has the best performance and the shortest signature length up to now. Our construction is built up from the short signature schemes of [1] and [4]. As our DAA scheme is based on ECC, it is more efficient than the traditional DAA schemes based on the RSA cryptosystem, such as the BCC scheme and the HS scheme; we will demonstrate this point in Section IV when we present the performance analysis. The rest of this paper is organized as follows. Section II describes related work on DAA schemes; we then define our notation and briefly review some previously known cryptographic techniques in Section III. After that we describe our scheme in Section IV, and finally we conclude this paper in Section V.
II. RELATED WORK

After the BCC scheme was adopted as the privacy solution for trusted computing platforms, several papers have discussed deficiencies and extensions of the BCC scheme. In order to provide the same privacy level as the Privacy CA scheme, Jan Camenisch proposed a scheme based on the BCC scheme which uses a two-stage authorization [10]. In the original BCC scheme, a TPM can be revoked only if the TPM's private key has been extracted from the hardware and published widely. In [14], the authors present a new scheme which provides a method to revoke a TPM even if the TPM private key is unknown, as in the BCC scheme. Meanwhile, research on applications of the DAA scheme is ongoing. The paper [16] provides a mechanism to ensure that credentials can only be used with the TPM they were issued to. In P2P systems, the functionality provided by trusted computing technology can be employed to establish a pseudonymous authentication scheme for peers and to extend this scheme to build secure channels between peers for future communications [17]. The paper [18] demonstrates how Single Sign-On among disparate service providers can be achieved using TCG-conformant computing platforms. Ernie Brickell proposed a direct anonymous attestation based on bilinear maps [22]. This scheme, which we refer to as the BCL scheme, is the first DAA scheme based on bilinear maps.

III. PRELIMINARIES

Bilinear Maps: We review a few concepts related to bilinear maps:
1. $G_1$ and $G_2$ are two (multiplicative) cyclic groups of prime order $p$;
2. $g_1$ is a generator of $G_1$ and $g_2$ is a generator of $G_2$;
3. $\psi$ is a computable isomorphism from $G_2$ to $G_1$, with $\psi(g_2) = g_1$; and
4. $e$ is a computable map $e: G_1 \times G_2 \to G_T$ with the following properties:
Bilinearity: for all $u \in G_1$, $v \in G_2$ and integers $a, b$, $e(u^a, v^b) = e(u, v)^{ab}$;
Non-degeneracy: $e(g_1, g_2) \neq 1$.

The Strong Diffie-Hellman Assumption: Let $G_1, G_2$ be cyclic groups of prime order $p$, where possibly $G_1 = G_2$. Let $g_1$ be a generator of $G_1$ and $g_2$ a generator of $G_2$. Consider the following problem:

q-Strong Diffie-Hellman Problem. The q-SDH problem in $(G_1, G_2)$ is defined as follows: given a $(q+2)$-tuple $(g_1, g_2, g_2^{\gamma}, g_2^{\gamma^2}, \ldots, g_2^{\gamma^q})$ as input, output a pair $(g_1^{1/(\gamma + x)}, x)$ where $x \in \mathbb{Z}_p^*$. An algorithm $\mathcal{A}$ has advantage $\varepsilon$ in solving q-SDH in $(G_1, G_2)$ if
$$\Pr\big[\mathcal{A}(g_1, g_2, g_2^{\gamma}, \ldots, g_2^{\gamma^q}) = (g_1^{1/(\gamma + x)}, x)\big] \geq \varepsilon,$$
where the probability is over the random choice of generator $g_2$ in $G_2$ (with $g_1 \leftarrow \psi(g_2)$), of $\gamma$ in $\mathbb{Z}_p^*$, and of the random bits of $\mathcal{A}$. We say that the q-SDH assumption holds in $(G_1, G_2)$ if there is no polynomial time algorithm solving the q-SDH problem in $(G_1, G_2)$.

Proofs of Knowledge of Discrete Logarithms: We will use various protocols to prove knowledge of and relations among discrete logarithms. To describe these protocols, we use the notation introduced by Camenisch and Stadler [21] for various proofs of knowledge of discrete logarithms and proofs of the validity of statements about discrete logarithms. For instance,
$$PK\{(\alpha, \beta, \gamma) : y = g^{\alpha} h^{\beta} \wedge y' = g'^{\alpha} h'^{\gamma}\}$$
denotes a "zero-knowledge proof of knowledge of integers $\alpha$, $\beta$ and $\gamma$ such that $y = g^{\alpha} h^{\beta}$ and $y' = g'^{\alpha} h'^{\gamma}$ hold", where $y, g, h, y', g', h'$ are elements of some groups $G = \langle g \rangle = \langle h \rangle$ and $G' = \langle g' \rangle = \langle h' \rangle$. In the random oracle model, such protocols can be turned into signature schemes using the Fiat-Shamir heuristic [8]. We use the notation $SPK\{(\alpha) : y = g^{\alpha}\}(m)$ to denote a signature obtained in this way.

IV. THE NEW DIRECT ANONYMOUS ATTESTATION

A. The Security Model

This section introduces the model for direct anonymous attestation, which is a variant of the group signature model. Both models support the procedures KeyGen, Join, Sign and Verify, while DAA further supports mechanisms such as variable linkability and rogue TPM tagging.

Definition 1. Direct anonymous attestation is a digital signature scheme with a 5-tuple of polynomial-time algorithms (KeyGen, DAA-Join, DAA-Sign, DAA-Verify, Rogue tagging):
KeyGen: A probabilistic algorithm that takes as input the security parameter $1^k$ and outputs a pair of group master keys (SK, VK). SK is the user's signing key, which is kept secret, and VK the user's verification key, which is made public.
DAA-Join: An interactive protocol between a TPM and the issuer. The TPM obtains a group membership certificate $C$ to become a group member.
DAA-Sign: Using its group membership certificate $C$ and private key $sk$, the TPM creates an anonymous group signature $\sigma$ for a message $M$: $\sigma \leftarrow \mathrm{Sign}_{sk, C}(M)$.
DAA-Verify: A signature $\sigma$ is verified to make sure it originates from a legitimate TPM, without knowledge of which particular one.
Rogue tagging: A rogue TPM can be identified and excluded from the group.

We adopt the security notions and security model of [22]; DAA should satisfy the following properties:
- Unforgeability: Only members of the trusted computing group are able to sign messages on behalf of the group. An adversary which has corrupted a set of signers' secret keys and their credentials finds it hard to forge a valid signature under a secret key and credential that are not in the set.
- Anonymity: It is infeasible to identify the real TPM behind a signature unless this TPM is on the revocation list.
- Unlinkability: It is infeasible to link two different signatures of the same TPM if the two basenames are not the same and are chosen randomly.

B. Key Generation for Issuer

Given the security parameter $1^k$, the Issuer chooses $G_1 = \langle g_1 \rangle$, $G_2 = \langle g_2 \rangle$, $G_T = \langle g_T \rangle$, $G_3 = \langle g_3 \rangle$ such that their order $p$ is of length $k$ and there exists a pairing map $e: G_1 \times G_2 \to G_T$ with $\psi(g_2) = g_1$; chooses $(g, h) \in_R (G_1)^2$ and $r \in_R \mathbb{Z}/p\mathbb{Z}$; and computes $Y = g_2^r$. Then the key pair for the DAA Issuer is:
$$(pk, sk) = \big((p, g_1, g_2, g_3, g_T, Y, g, h),\ r\big)$$

C. DAA-Join

1. The TPM chooses $f \in_R \mathbb{Z}/p\mathbb{Z}$ and $t' \in_R \mathbb{Z}/p\mathbb{Z}$, computes $C = g^f h^{t'}$, sends $C$ to the issuer and proves knowledge of $f, t'$ as follows:
   i. The TPM selects $(r_f, r_{t'}) \in_R (\mathbb{Z}/p\mathbb{Z})^2$, computes $C' = g^{r_f} h^{r_{t'}}$ and sends $C'$ to the issuer;
   ii. The issuer selects $c \in_R \mathbb{Z}/p\mathbb{Z}$ and sends it to the TPM;
   iii. The TPM computes $s_f = r_f + cf$, $s_{t'} = r_{t'} + ct'$ and sends $s_f, s_{t'}$ to the issuer;
   iv. The issuer verifies $C' \stackrel{?}{=} C^{-c} g^{s_f} h^{s_{t'}}$.
2. The issuer selects $x \in_R \mathbb{Z}/p\mathbb{Z}$, $t'' \in_R \mathbb{Z}/p\mathbb{Z}$, computes $A = (g_1 C h^{t''})^{1/(\gamma + x)}$, where $\gamma = r$ is the issuer's secret key, and sends $A, x, t''$ to the host.
3. The host stores $A, x$ and sends $t''$ to the TPM. The TPM computes $t = t' + t''$ and stores $f, t$.
4. The TPM verifies
$$e(A, Y g_2^x) = e(g_1, g_2) \cdot e(g^f, g_2) \cdot e(h^t, g_2) \qquad (1)$$
So the anonymous credential is $(A, x, t)$ and the secret key kept by the TPM is $f$.

D. DAA-Sign

1. The host selects $w \in_R \mathbb{Z}/p\mathbb{Z}$ and computes $T_1 = A h^w$, $T_2 = g^w h^{-x}$; $T_1, T_2$ are commitments to $A$ and $x$. The platform proves that
$$e(T_1, Y) / e(g_1, g_2) = e(h, Y)^{w}\, e(h, g_2)^{wx + t}\, e(g, g_2)^{f} / e(T_1, g_2)^{x} \qquad (2)$$
$$T_2 = g^w h^{-x}, \qquad T_2^{-x} g^{wx} h^{-x^2} = 1 \qquad (3)$$
2. The trusted computing platform has knowledge of $f, x, w, t$; it computes $\delta_1 = wx$ and $\delta_2 = -x^2$. Let $H: \{0,1\}^* \to \mathbb{Z}_p$.
   a) The TPM selects $r_f, r_t \in \mathbb{Z}/p\mathbb{Z}$, computes $R_1 = e(g, g_2)^{r_f} e(h, g_2)^{r_t}$ and sends $R_1$ to the host.
   b) The host selects $r_x, r_w, r_{\delta_1}, r_{\delta_2} \in \mathbb{Z}/p\mathbb{Z}$ and computes
$$R_1 = R_1\, e(h, Y)^{r_w}\, e(T_1, g_2)^{r_x}\, e(h, g_2)^{r_{\delta_1}}, \qquad R_2 = g^{r_w} h^{r_x}, \qquad R_3 = T_2^{r_x} g^{r_{\delta_1}} h^{r_{\delta_2}}$$
   c) The host computes $c_h = H(g \| h \| g_1 \| g_2 \| g_T \| Y \| T_1 \| T_2 \| R_1 \| R_2 \| R_3)$ and sends $c_h$ to the TPM.
   d) The TPM selects $n_t \in_R \mathbb{Z}/p\mathbb{Z}$ and computes $c = H(H(c_h \| n_t) \| m)$.
   e) The TPM computes $s_f = r_f + cf$, $s_t = r_t + ct$ and sends $c, n_t, s_f, s_t$ to the host. The host computes $s_w = r_w + cw$, $s_x = r_x + c(-x)$, $s_{\delta_1} = r_{\delta_1} + c\delta_1$, $s_{\delta_2} = r_{\delta_2} + c\delta_2$.
3. The host outputs the signature $\sigma = (T_1, T_2, c, n_t, s_f, s_x, s_t, s_w, s_{\delta_1}, s_{\delta_2})$.
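The proof of knowledge of $(f, t')$ in step 1 of DAA-Join, worked through as an added example (this is example code, not the paper's implementation). The pairing group $G_1$ is replaced by a toy prime-order subgroup of $\mathbb{Z}_P^*$, and the generators G and H, the parameter sizes and the sample secrets are all assumptions chosen for illustration.

```python
"""DAA-Join step 1: the TPM proves knowledge of (f, t') behind C = g^f h^t'.
Example code modelling G1 as the order-Q subgroup of Z_P*; toy-size parameters."""
import secrets

# Toy stand-in for G1: the order-Q subgroup of Z_P*, with P = 2Q + 1 and both prime.
P = 2039
Q = 1019
G = 4   # 2^2 mod P: a quadratic residue, hence of prime order Q (plays g; assumption)
H = 9   # 3^2 mod P: second generator (plays h); in practice log_G(H) must be unknown
assert pow(G, Q, P) == 1 and pow(H, Q, P) == 1


def rand_exp():
    """Uniform element of Z/QZ (the paper's r \\in_R Z/pZ)."""
    return secrets.randbelow(Q)


def tpm_commit(f, t1):
    """The TPM chooses f, t' and commits to them as C = g^f h^t'."""
    return pow(G, f, P) * pow(H, t1, P) % P


def tpm_round1():
    """Step i: pick (r_f, r_t') and compute C' = g^r_f h^r_t'. Returns the
    randomness (kept by the TPM) and C' (sent to the issuer)."""
    r_f, r_t1 = rand_exp(), rand_exp()
    c_prime = pow(G, r_f, P) * pow(H, r_t1, P) % P
    return (r_f, r_t1), c_prime


def issuer_challenge():
    """Step ii: the issuer picks the challenge c. It is kept nonzero here so that
    a wrong witness is always rejected in this toy group (c = 0 makes the check
    vacuous, which a real issuer would also want to avoid)."""
    return 1 + secrets.randbelow(Q - 1)


def tpm_round2(f, t1, r_f, r_t1, c):
    """Step iii: responses s_f = r_f + c*f and s_t' = r_t' + c*t' (mod Q)."""
    return (r_f + c * f) % Q, (r_t1 + c * t1) % Q


def issuer_verify(C, c_prime, c, s_f, s_t1):
    """Step iv: accept iff C' == C^-c g^s_f h^s_t'."""
    rhs = pow(C, (-c) % Q, P) * pow(G, s_f, P) % P * pow(H, s_t1, P) % P
    return c_prime == rhs


def run_join_proof(f, t1, tamper=False):
    """Whole interactive exchange. With tamper=True the TPM answers for f+1, i.e.
    for a secret other than the one inside C, and the issuer must reject."""
    C = tpm_commit(f, t1)
    (r_f, r_t1), c_prime = tpm_round1()                  # TPM -> issuer: C, C'
    c = issuer_challenge()                               # issuer -> TPM: c
    f_used = (f + 1) % Q if tamper else f
    s_f, s_t1 = tpm_round2(f_used, t1, r_f, r_t1, c)     # TPM -> issuer: s_f, s_t'
    return issuer_verify(C, c_prime, c, s_f, s_t1)


if __name__ == "__main__":
    f, t1 = rand_exp(), rand_exp()                       # constructed TPM secrets
    print("honest TPM accepted:", run_join_proof(f, t1))
    print("tampered TPM accepted:", run_join_proof(f, t1, tamper=True))
```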
E. DAA-Verify

Given the signature $\sigma = (T_1, T_2, c, n_t, s_f, s_t, s_x, s_w, s_{\delta_1}, s_{\delta_2})$ and the public key $(p, g_1, g_2, g_T, Y, g, h)$:
1. Compute
$$R_1' = e(g, g_2)^{s_f}\, e(h, Y)^{s_w}\, e(h, g_2)^{s_{\delta_1} + s_t}\, e(T_1, g_2)^{s_x}\, \big(e(T_1, Y) / e(g_1, g_2)\big)^{-c}$$
$$R_2' = T_2^{-c} g^{s_w} h^{s_x}, \qquad R_3' = T_2^{s_x} g^{s_{\delta_1}} h^{s_{\delta_2}}$$
2. Verify
$$c \stackrel{?}{=} H\big(H(H(g \| h \| g_1 \| g_2 \| g_T \| Y \| T_1 \| T_2 \| R_1' \| R_2' \| R_3') \| n_t) \| m\big)$$

F. Authentication with Variable Anonymity

In order to achieve variable anonymity, when generating the signature the TPM computes a commitment value $T_3$ using the TPM's secret $f$, and at the same time selects a Solely Signature Identifier, or SSID, as the identifier of the signature. If two signatures are generated with the same SSID, the two signatures are linkable; if the SSID is selected randomly, the signature is anonymous. To provide variable anonymity, the TPM computes, with $H_1: \{0,1\}^* \to G_3$,
$$\eta = H_1(SSID), \qquad T_3 = \eta^f, \qquad R_4 = \eta^{r_f}$$
$$c = H\big(H(H(\eta \| g \| h \| g_1 \| g_2 \| g_3 \| g_T \| Y \| T_1 \| T_2 \| T_3 \| R_1 \| R_2 \| R_3 \| R_4) \| n_t) \| m\big)$$
and outputs the signature $\sigma = (\eta, T_1, T_2, T_3, c, n_t, s_f, s_t, s_x, s_w, s_{\delta_1}, s_{\delta_2})$. The signature is verified as follows: compute $R_4' = T_3^{-c} \eta^{s_f}$ and check
$$c \stackrel{?}{=} H\big(H(H(\eta \| g \| h \| g_1 \| g_2 \| g_3 \| g_T \| Y \| T_1 \| T_2 \| T_3 \| R_1' \| R_2' \| R_3' \| R_4') \| n_t) \| m\big)$$

G. Evaluation

Signature Length: We assume that $G_1 \neq G_2$ such that the representation of $G_1$ can be a 171-bit string when $|p| = 170$, using the elliptic curve defined in [9]. We also assume that the representations of $G_T$ and $G_3$ are 1020 bits and 171 bits. The signature includes 8 elements from $\mathbb{Z}_p^*$ and 4 elements from the group $G_1$; the total signature length is 2044 bits.

Computational performance: We also estimate the computational cost of our scheme by the number of scalar multiplications/modular exponentiations in $G_1, G_2, G_3$ and $G_T$ and the number of pairing operations $e$ required for DAA-Sign and DAA-Verify, since these are the most costly computations. Here we assume that the signer has precomputed the values $e(g, g_2)$ and $e(h, Y)$. Generating the signature needs 9 modular exponentiations and 0 pairing computations; verifying the signature needs 4 modular exponentiations and 1 pairing computation.

Comparison with previous schemes: We compare the signature length and computational complexity of the proposed scheme to those of the previous schemes [2], [3] and [22]. We select the security parameters of the BCC scheme [2] as follows:
$$l_n = 2048,\ l_f = 104,\ l_e = 368,\ l_{e'} = 120,\ l_v = 2536,\ l_\phi = 80,\ l_H = 160,\ l_r = 80,\ l_\Gamma = 1632,\ l_\rho = 208$$
those of the HS scheme [3] as follows:
$$l_n = 2048,\ \alpha = 9/8,\ X = 2792,\ Y = 2520,\ l_s = 540,\ l_b = 300,\ l_c = 160$$
and those of the BCL scheme [22] as follows:
$$l_p = 512,\ l_q = 160,\ l_\phi = 80,\ l_H = 256$$
We list the assumptions required in our scheme and the previous schemes [2, 3, 22]. The results of this estimation and the required assumptions are given in Table I, where "ME" and "NP" are abbreviations of "the number of Modular Exponentiations" and "the Number of Pairings". Currently, the most efficient construction based on bilinear maps is the one proposed in [22]. From the table we can see that, compared to the BCL scheme, which is also based on the ECC cryptosystem, our scheme requires fewer pairing computations, and the signature length of our scheme is 49% of that of the scheme in [22]. The computational cost of our scheme is also smaller than that of the scheme in [22]. Finally, our scheme has the shortest signature length of all the schemes.

TABLE I. Signature length, computational cost and assumptions of the DAA schemes

| Scheme | Signature length | Total computational cost of Sign process | Computational cost of Join process | Computational cost of Verify process | Assumptions |
|---|---|---|---|---|---|
| BCC [2] | 20555 bits | 8ME + 0NP | 4ME + 0NP | 4ME + 0NP | Strong RSA, DDH |
| HS [3] | 7614 bits | 3ME + 0NP | 5ME + 0NP | 3ME + 0NP | Strong RSA, DDH |
| BCL [22] | 4163 bits | 10ME + 3NP | 3ME + 0NP | 7ME + 5NP | LRSW, DBDH |
| Our scheme | 2044 bits | 9ME + 0NP | 4ME + 0NP | 4ME + 1NP | q-SDH, DDH |
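The variable-anonymity tag of Section IV.F, worked through as an added example that is not the paper's own code: $\eta = H_1(SSID)$, $T_3 = \eta^f$, the proof term $R_4$ and the verifier's $R_4' = T_3^{-c}\eta^{s_f}$, with the nested challenge reduced to the terms that involve the tag. $G_3$ is modelled as a toy prime-order subgroup of $\mathbb{Z}_P^*$, $H_1$ as a SHA-256 value squared into that subgroup, and the TPM secrets, SSIDs and messages are constructed sample values; all of these are assumptions.

```python
"""Section IV.F: linking tag T3 = H1(SSID)^f and its proof term R4 / R4'.
Example code; G3 modelled as the order-Q subgroup of Z_P* with toy parameters."""
import hashlib
import secrets

P = 2039                       # P = 2Q + 1, both prime (toy size, assumption)
Q = 1019
NB = (P.bit_length() + 7) // 8  # bytes needed to encode a group element


def _h(data: bytes) -> bytes:
    """The random oracle H of the scheme, instantiated with SHA-256 for the example."""
    return hashlib.sha256(data).digest()


def hash_to_g3(ssid: bytes) -> int:
    """H1: {0,1}* -> G3. A hash value is squared mod P so the result lies in the
    order-Q subgroup without anyone knowing its discrete log (assumption)."""
    ctr = 0
    while True:
        x = int.from_bytes(_h(ssid + ctr.to_bytes(4, "big")), "big") % P
        eta = x * x % P
        if eta not in (0, 1):      # reject the trivial elements
            return eta
        ctr += 1


def challenge(eta: int, t3: int, r4: int, n_t: bytes, m: bytes) -> int:
    """Nested Fiat-Shamir challenge c = H(H(H(eta || T3 || R4) || n_t) || m).
    Only the variable-anonymity terms are hashed here; the full scheme also
    hashes g, h, g1, g2, g3, gT, Y, T1, T2, R1, R2 and R3."""
    inner = _h(b"".join(v.to_bytes(NB, "big") for v in (eta, t3, r4)))
    return int.from_bytes(_h(_h(inner + n_t) + m), "big") % Q


def sign_tag(f: int, ssid: bytes, m: bytes):
    """TPM side: eta = H1(SSID), T3 = eta^f, R4 = eta^r_f, then s_f = r_f + c f.
    Returns the tag part of the signature: (eta, T3, c, n_t, s_f)."""
    r_f = secrets.randbelow(Q)
    n_t = secrets.token_bytes(16)
    eta = hash_to_g3(ssid)
    t3 = pow(eta, f, P)
    r4 = pow(eta, r_f, P)
    c = challenge(eta, t3, r4, n_t, m)
    s_f = (r_f + c * f) % Q
    return eta, t3, c, n_t, s_f


def verify_tag(sig, m: bytes) -> bool:
    """Verifier: recompute R4' = T3^-c eta^s_f and check that the challenge matches."""
    eta, t3, c, n_t, s_f = sig
    r4_prime = pow(t3, (-c) % Q, P) * pow(eta, s_f, P) % P
    return c == challenge(eta, t3, r4_prime, n_t, m)


def linkable(sig_a, sig_b) -> bool:
    """Two valid signatures are linkable iff they carry the same (eta, T3) pair,
    which happens exactly when the same TPM signed under the same SSID."""
    return sig_a[0] == sig_b[0] and sig_a[1] == sig_b[1]


if __name__ == "__main__":
    f = secrets.randbelow(Q)                          # constructed TPM secret
    s1 = sign_tag(f, b"service-A", b"msg1")
    s2 = sign_tag(f, b"service-A", b"msg2")           # same SSID: linkable
    s3 = sign_tag(f, secrets.token_bytes(16), b"msg3")  # random SSID: anonymous
    print(verify_tag(s1, b"msg1"), linkable(s1, s2), linkable(s1, s3))
```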
H. Security Analysis

Theorem 1. The direct anonymous attestation scheme is secure under the q-SDH and the decisional Diffie-Hellman assumptions.

We have to show that our scheme satisfies all the security properties listed in Definition 1. The proposed scheme meets the requirements of unforgeability, anonymity and unlinkability. We give an informal discussion here; a more detailed security proof is given in Appendix A.

Lemma 1 (Unforgeability): Only a trusted computing platform which has successfully executed the join process is able to sign messages on behalf of the group composed of trusted computing platforms. This is an immediate consequence of the interactive protocol underlying the signature scheme being zero-knowledge in the random oracle model.

Lemma 2 (Anonymity): Given a valid signature $\sigma = (T_1, T_2, c, n_t, s_f, s_x, s_t, s_w, s_{\delta_1}, s_{\delta_2})$, identifying the actual signer is computationally hard for everyone. Because the underlying interactive protocol is statistically zero-knowledge, no information is statistically revealed by $(c, s_f, s_x, s_t, s_w, s_{\delta_1}, s_{\delta_2})$ in the random oracle model.

Lemma 3 (Unlinkability): If two different SSIDs are used when generating the signatures, deciding whether two signatures $\sigma_1 = (T_1, T_2, c, n_t, s_f, s_x, s_t, s_w, s_{\delta_1}, s_{\delta_2})$ and $\sigma_2 = (T_1, T_2, c, n_t, s_f, s_x, s_t, s_w, s_{\delta_1}, s_{\delta_2})$ were computed by the same trusted computing platform is computationally hard.

I. Implementation

In this section we prototype the concrete DAA scheme. We investigated our proposed scheme on an Intel dual-core 3.2 GHz desktop computer with 1 GB RAM running Windows. We used the NTL library [23], the OpenSSL library [13] and the PBC library as the underlying cryptographic libraries. We designed experiments to evaluate how efficient the proposed scheme is. We prototyped three modules: tpm-module, host-module and server-module. The tpm-module emulates the function of the hardware TPM, the host-module plays the part of the Host and the server-module plays the part of the Issuer.
Choice of the ECC curve

Supersingular elliptic curves are rather special curves with additional algebraic structure and have, until recently, been regarded as dangerous for use in cryptography, because the extra structure makes them vulnerable to certain specialised attacks. However, whereas standard elliptic curve cryptosystems such as ElGamal encryption or ECDSA can be implemented using randomly generated elliptic curves, the elliptic curves required to implement pairing-based systems must have certain properties that randomly generated elliptic curves are unlikely to have. Supersingular elliptic curves can implement bilinear pairings. For the groups $G_1, G_2, G_T$ and their associated bilinear map, we can use, for example, the elliptic curve proposed by [9] and the Tate pairing. We used the supersingular elliptic curve
$$E: y^2 = x^3 + x \text{ over } F_{p^2}, \qquad p \equiv 3 \bmod 4$$
The security level of our implementation of the pairing assumes that solving a discrete logarithm problem over $F_{p^2}$, where $p$ is 512 bits, is as hard as the discrete logarithm problem over $F_p$ where $p$ is 1024 bits, and contemporary usage dictates a discrete logarithm problem on an elliptic curve using points of order $A$ where $A$ is 160 bits. These problems are as difficult as solving a 1024-bit RSA integer factorization problem. Table II gives the timing results of the different steps of the DAA scheme, including DAA-Join, DAA-Sign and DAA-Verify.

TABLE II. Timing results of our scheme

| Roles | DAA-Join time | DAA-Sign time | DAA-Verify time |
|---|---|---|---|
| Host | 26 ms | 53 ms | 90 ms |
| TPM (emulated) | 31 ms | 27 ms | 0 |

TABLE III. Timing results of the BCC scheme

| Roles | DAA-Join time | DAA-Sign time | DAA-Verify time |
|---|---|---|---|
| Host | 718 ms | 1237 ms | 1823 ms |
| TPM | 910 ms | 826 ms | 0 |

From Table II and Table III, we can see that our new scheme is much more efficient than the original BCC scheme in all steps of the DAA scheme.

V. CONCLUSION

In this paper, we propose a new direct anonymous attestation scheme from bilinear maps, based on the decisional Diffie-Hellman assumption and the q-SDH assumption. Compared to other schemes, our scheme cuts down the signature length and brings down the TPM-side computational cost in the sign process. Our scheme meets the security requirements of unforgeability, variable anonymity and unlinkability.
APPENDIX A. SECURITY PROOF

Lemma 4. Under the DDH assumption, the DAA scheme specified in Section IV is user-controlled anonymous. More specifically, if there is an adversary $\mathcal{A}$ that succeeds with non-negligible probability in breaking the user-controlled anonymity of the scheme, then there is a simulator $\mathcal{S}$ that solves the DDH problem with non-negligible probability.

Proof: The security proof is very similar to the proof in [22]. We show how an adversary $\mathcal{A}$ that succeeds with non-negligible probability in breaking the user-controlled anonymity of the DAA scheme may be used to construct a simulator $\mathcal{S}$ that solves the DDH problem. Let $(g, g^a, g^b)$ together with $A = g^{ab}$ and $B = g^c$, for exponents $a, b, c$, be the instance of the DDH problem that we wish to answer, namely which of $A$ and $B$ is equal to $g^{ab}$. We now describe the construction of the simulator $\mathcal{S}$. $\mathcal{S}$ performs the following game with $\mathcal{A}$.

Initial: At the start of the game, $\mathcal{S}$ runs Setup to get the issuer $I$'s public key $(p, g_1, g_2, g_3, g_T, Y, g, h)$ and secret key $(r)$, and makes all the values known to $\mathcal{A}$. $\mathcal{S}$ creates algorithms to respond to queries made by $\mathcal{A}$ during its attack, including two random oracles denoted by $H$ and $H_1$, which refer to the hash function $H$ used in the zero-knowledge proof and the hash function $H_1: \{0,1\}^* \to G_3$ respectively.

Phase 1: $\mathcal{S}$ keeps the following lists. $L_i$ for $i = 0, 1$ stores data for query/response pairs to the random oracle $H_i$. $L_{jc}$ stores data for query/response records for Join queries and Corrupt queries; each item of $L_{jc}$ is $(ID, f, C, cre, c)$, where $c = 1$ means that the corresponding signer is corrupted and $c = 0$ that it is not, and $cre$ is the credential the trusted computing platform gets from the issuer. $L_s$ stores data for query/response records for Sign queries; each item of $L_s$ is $(ID, m, SSID, \sigma, s)$, where $s = 1$ means that $SSID = \bot$ and $s = 0$ means that $SSID \neq \bot$ in the Sign query. At the beginning of the simulation, $\mathcal{S}$ sets all the above lists empty. An empty item is denoted by the symbol $*$.

Simulator: Join(ID). At the beginning of the simulation choose $\alpha, \beta$ uniformly at random. We show how to respond to the $i$-th query made by $\mathcal{A}$ below. Note that we assume $\mathcal{A}$ does not make repeated queries.
- If $i = \alpha$, choose $u_\alpha$ from $\mathbb{Z}_q^*$ uniformly at random, set $F_\alpha = (g^a)^{u_\alpha}$; run Join with $\mathcal{A}$ to get $cre_\alpha$, and add $(ID_\alpha, u_\alpha, F_\alpha, cre_\alpha, 0)$ to $L_{jc}$. Note that since $\mathcal{S}$ does not know the value $f_\alpha = a u_\alpha$, it is not able to act as the prover in $SPK\{f : F_\alpha = g^f\}$. However, $\mathcal{S}$ can forge the proof by controlling the random oracle of $H_1$ as follows: randomly choose $s_f$ and $c$ and compute $T = g^{s_f} F_\alpha^{-c}$. The only thing $\mathcal{S}$ has to take care of is checking the consistency of the $L_1$ entries.
- If $i = \beta$, choose $u_\beta$ from $\mathbb{Z}_q^*$ uniformly at random; set $F_\beta = (g^b)^{u_\beta}$; do the same thing as in the previous item to get $cre_\beta$.
- Else choose $f$ uniformly at random from $\mathbb{Z}_q^*$; compute $F = g^f$; if $F = g^a$ or $F = g^b$, abort outputting "abortion 0"; run Join with $\mathcal{A}$ to get $cre$; verify it before accepting it and then add $(ID, f, F, cre, 0)$ to $L_{jc}$.

Simulator: Corrupt(ID). We assume that $\mathcal{A}$ makes the query Join(ID) before it makes the Corrupt query using the identity; otherwise, $\mathcal{S}$ answers the Join query first. Find the entry $(ID, f, F, cre, 0)$ in $L_{jc}$, return $f$ and update the item to $(ID, f, F, cre, 1)$.

Simulator: Sign(ID, m, SSID). Let $m'$ be the input message $\mathcal{A}$ wants signed. We assume that $\mathcal{A}$ makes the query Join(ID) before it makes the Sign query using the identity; otherwise, $\mathcal{S}$ answers the Join query first. We have the following cases to consider.
Case 1: $ID \neq ID_\alpha$ and $ID \neq ID_\beta$. Find the entry $(ID, f, F, cre, 0/1)$ in $L_{jc}$, compute $\sigma$ = Sign, add $(ID, f, F, cre, 1/2)$ to $L_s$ and respond with $\sigma$.
Case 2: $ID = ID_\alpha$. $\mathcal{S}$ is not able to create such a signature since it does not know the corresponding secret key, but it is able to forge the signature by controlling the random oracle of $H_1$. $\mathcal{S}$ finds the entry $(ID_\alpha, f_\alpha, F_\alpha, cre_\alpha, 0)$ in $L_{jc}$ and forges $\sigma$.
Case 3: $ID = ID_\beta$. Again, $\mathcal{S}$ cannot create this signature properly without knowledge of $f_\beta$; it forges the signature in the same way as in Case 2 above.

At the end of Phase 1, $\mathcal{A}$ outputs a message $m$, a basename $SSID$ and two identities $\{ID_0, ID_1\}$. If $\{ID_0, ID_1\} \neq \{ID_\alpha, ID_\beta\}$, $\mathcal{S}$ aborts outputting "abortion 1". We assume that Join has already been queried at $ID_0$ and $ID_1$ by $\mathcal{A}$; if this is not the case we can define Join at these points as we wish. Neither $ID_0$ nor $ID_1$ should have been asked in a Corrupt query or in a Sign query with the same $SSID \neq \bot$, following the definition of the game in Section 2.2 of [22]. $\mathcal{S}$ chooses a bit $b$ at random and generates the challenge for $ID_0$ if $b = 0$ and for $ID_1$ otherwise, in the same way as Case 2 of the Sign query simulation. $\mathcal{S}$ returns the result $\sigma$ to $\mathcal{A}$.

Phase 2: $\mathcal{S}$ and $\mathcal{A}$ carry on the query and response process as in Phase 1. Again, $\mathcal{A}$ is not allowed to make any Corrupt query to either $ID_0$ or $ID_1$, or any Sign query to either $ID_0$ or $ID_1$ with the same $SSID$. At the end of Phase 2, $\mathcal{A}$ outputs a bit $b'$, and $\mathcal{S}$ considers the following 4 cases:
Case 1. If $b = b' = 0$, $\mathcal{S}$ marks "true-A".
Case 2. If $b = b' = 1$, $\mathcal{S}$ marks "true-B".
Case 3. If $b = 0$, $b' = 1$, $\mathcal{S}$ marks "failure-A".
Case 4. If $b = 1$, $b' = 0$, $\mathcal{S}$ marks "failure-B".
$\mathcal{S}$ runs the above game with $\mathcal{A}$ $k$ times. At the end of the $k$ games, the number of $b = 0$ and the number of $b = 1$ should be identical, based on the random selection of $b$. $\mathcal{S}$ sets the numbers of "true-A" and "true-B" as $k_A$ and $k_B$ respectively. If $k_A = k_B$, $\mathcal{S}$ aborts outputting "abortion 2". If $k_A > k_B$, $\mathcal{S}$ answers that $A = g^{ab}$ holds; if $k_A < k_B$, $\mathcal{S}$ answers that $B = g^{ab}$ holds.

It is clear that the simulations for $H_0$, $H_1$ are indistinguishable from real random oracles. If the event abortion 0 happens, $\mathcal{S}$ gets the value $a$ or $b$, and can compute $g^{ab}$ and thus solve the DDH problem; since $\mathcal{S}$ chooses its value uniformly at random from $\mathbb{Z}_q^*$, the chance of this event happening is negligible. The event abortion 1 happens if $\{ID_0, ID_1\} \neq \{ID_\alpha, ID_\beta\}$; since $ID_\alpha$ and $ID_\beta$ are chosen at random, the chance of this event happening is negligible.

Lemma 5. Under the SDH assumption, the DAA scheme specified in Section IV is user-controlled-traceable. More specifically, if there is an adversary $\mathcal{A}$ that succeeds with non-negligible probability in breaking the user-controlled-traceability of the scheme, then there is a simulator $\mathcal{S}$ running in polynomial time that solves the SDH problem with non-negligible probability.

Proof: This lemma follows from Theorem 1 of [1].
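The forging step of the Join simulation above, worked through as an added example that is not part of the paper: the simulator picks $s_f$ and $c$ first, sets $T = g^{s_f} F^{-c}$ and programs the random oracle so that it answers $c$ on that transcript, so an honest prover and the witness-less simulator produce transcripts that pass the same verification; the simulator aborts when the oracle entry it needs has already been fixed, which is the consistency check on the $L_1$ entries that the proof mentions. The group is a toy prime-order subgroup of $\mathbb{Z}_P^*$ and the generator, sizes and sample secret are assumptions.

```python
"""Appendix A: simulating SPK{f : F = g^f} without f by programming the random oracle.
Example code; the group is the order-Q subgroup of Z_P* with toy parameters."""
import secrets

P = 2039     # P = 2Q + 1, both prime (toy size, assumption)
Q = 1019
G = 4        # 2^2 mod P: quadratic residue, hence a generator of the order-Q subgroup


class RandomOracle:
    """Lazily sampled random oracle with a programmable table (the proof's L1 list)."""

    def __init__(self):
        self.table = {}

    def query(self, F, T, m):
        key = (F, T, m)
        if key not in self.table:
            # Fresh point: answer with a uniform value, as a real oracle would.
            self.table[key] = secrets.randbelow(Q)
        return self.table[key]

    def program(self, F, T, m, c):
        """Fix the answer on (F, T, m) to c. Fails if the point was already answered
        differently: changing an earlier answer would be visible to the adversary."""
        key = (F, T, m)
        if key in self.table and self.table[key] != c:
            return False
        self.table[key] = c
        return True


def honest_spk(oracle, f, m):
    """Prover that knows f: T = g^r, c = H(F, T, m), s = r + c f."""
    F = pow(G, f, P)
    r = secrets.randbelow(Q)
    T = pow(G, r, P)
    c = oracle.query(F, T, m)
    return F, T, c, (r + c * f) % Q


def simulated_spk(oracle, F, m):
    """Simulator S that knows only F = g^f: pick s and c first, derive
    T = g^s F^-c, then program H(F, T, m) := c. Returns None on a consistency
    failure, i.e. the simulator aborts."""
    s = secrets.randbelow(Q)
    c = secrets.randbelow(Q)
    T = pow(G, s, P) * pow(F, (-c) % Q, P) % P
    if not oracle.program(F, T, m, c):
        return None
    return F, T, c, s


def verify_spk(oracle, proof, m):
    """Verifier: g^s F^-c == T and c == H(F, T, m). Honest and simulated
    transcripts are accepted alike."""
    F, T, c, s = proof
    if pow(G, s, P) * pow(F, (-c) % Q, P) % P != T:
        return False
    return c == oracle.query(F, T, m)


def demo():
    """Run both provers against one oracle; returns (honest accepted, simulated accepted)."""
    oracle = RandomOracle()
    f = secrets.randbelow(Q)               # constructed TPM secret, known only to the prover
    F = pow(G, f, P)
    honest_ok = verify_spk(oracle, honest_spk(oracle, f, b"join-1"), b"join-1")
    sim = simulated_spk(oracle, F, b"join-2")
    sim_ok = sim is not None and verify_spk(oracle, sim, b"join-2")
    return honest_ok, sim_ok


if __name__ == "__main__":
    print(demo())
```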
ACKNOWLEDGMENT

This paper is supported by the National Natural Science Foundation of China under grants No. 60673083 and No. 60603017, and by the National High-Tech Research and Development Plan of China under grants No. 2006AA01Z454 and 2007AA01Z412.
REFERENCES

[1] Jun Furukawa, Hideki Imai: An Efficient Group Signature Scheme from Bilinear Maps. IEICE Transactions 89-A(5): 1328-1338 (2006).
[2] Ernest F. Brickell, Jan Camenisch, Liqun Chen: Direct anonymous attestation. ACM Conference on Computer and Communications Security 2004: 132-145.
[3] He Ge, Stephen R. Tate: A Direct Anonymous Attestation Scheme for Embedded Devices. Public Key Cryptography 2007: 16-30.
[4] Dan Boneh, Xavier Boyen, Hovav Shacham: Short Group Signatures. CRYPTO 2004: 41-55.
[5] National Security Agency: The Case for Elliptic Curve Cryptography. http://www.nsa.gov/ia/industry/crypto_elliptic_curve.cfm, accessed April 11, 2006.
[6] Torben Pryds Pedersen: Non-interactive and information-theoretic secure verifiable secret sharing. In Joan Feigenbaum, editor, Advances in Cryptology – CRYPTO '91, volume 576 of Lecture Notes in Computer Science, pages 129–140. Springer Verlag, 1992.
[7] TCG. http://www.trustedcomputinggroup.org
[8] A. Fiat and A. Shamir: How to prove yourself: Practical solutions to identification and signature problems. In CRYPTO '86, vol. 263 of LNCS, pp. 186–194.
[9] Atsuko Miyaji, Masaki Nakabayashi, Shunzou Takano: New explicit conditions of elliptic curve traces for FR-reduction. IEICE Trans. E85-A(2), pp. 481-484, 2002.
[10] Jan Camenisch: Better Privacy for Trusted Computing Platforms (Extended Abstract). ESORICS 2004: 73-88.
[11] R. Canetti: Studies in Secure Multiparty Computation and Applications. PhD thesis, Weizmann Institute of Science, Rehovot 76100, Israel, June 1995.
[12] B. Pfitzmann and M. Waidner: Composition and integrity preservation of secure reactive systems. In Proc. 7th ACM Conference on Computer and Communications Security, pages 245–254. ACM Press, Nov. 2000.
[13] PBC library benchmarks. http://crypto.stanford.edu/pbc/times.html
[14] Ernie Brickell, Jiangtao Li: Enhanced Privacy ID: A Direct Anonymous Attestation Scheme with Enhanced Revocation Capabilities. Cryptology ePrint Archive, Report 2007/194.
[15] D. Pointcheval and J. Stern: Security arguments for digital signatures and blind signatures. J. Cryptol., vol. 13, no. 3, pp. 361-396, 2000.
[16] Jan Camenisch: Protecting (Anonymous) Credentials with the Trusted Computing Group's TPM V1.2. SEC 2006: 135-147.
[17] Shane Balfe, Amit D. Lakhani, Kenneth G. Paterson: Trusted Computing: Providing Security for Peer-to-Peer Networks. Peer-to-Peer Computing 2005: 117-124.
[18] Andreas Pashalidis, Chris J. Mitchell: Single Sign-On Using Trusted Platforms. ISC 2003: 54-68.
[19] J. Camenisch and A. Lysyanskaya: A signature scheme with efficient protocols. In SCN 2002, vol. 2576 of LNCS, pp. 268–289. Springer Verlag, 2003.
[20] Dan Boneh, Hovav Shacham: Group signatures with verifier-local revocation. ACM Conference on Computer and Communications Security 2004: 168-177.
[21] J. Camenisch and M. Stadler: Efficient group signature schemes for large groups. In B. Kaliski, editor, Advances in Cryptology – CRYPTO '97, volume 1296 of LNCS, pages 410–424. Springer Verlag, 1997.
[22] Ernie Brickell, Liqun Chen and Jiangtao Li: Simplified Security Notions of Direct Anonymous Attestation and a Concrete Scheme from Pairings. In Conference on Trusted Computing (TRUST 2008), Villach, Austria, March 2008.
[23] V. Shoup: NTL: a library for doing number theory. http://www.shoup.net/ntl/
Chen Xiaofeng was born in Zhejiang Province, China, in 1980. He holds a BSc degree in computer science from XIDIAN University, China, and is a Ph.D. candidate at the Institute of Software, Chinese Academy of Sciences, Beijing. His research interests include information system security and trusted computing.

Feng Dengguo was born in Shanxi Province, China, in 1965. He holds a Ph.D. degree from XIDIAN University, China (1995). Since 1997, he has served as a Professor at the Chinese Academy of Sciences, Beijing. In addition to teaching, his main research interests are in the field of information system security.