ABSTRACT
Direct Anonymous Attestation (DAA) is a privacy-preserving authentication protocol initially designed for Trusted Platform Modules (TPMs). This cryptographic protocol, and some of its extensions such as Intel's Enhanced Privacy ID (EPID), have been widely deployed in millions of chips. Usually, part of the attestation computation is delegated to the host (in most cases either a PC or a smartphone) that embeds the TPM and is generally much more powerful. However, in Machine-to-Machine (M2M) and Internet of Things (IoT) use cases, the host may be as resource constrained as the TPM. Furthermore, any malware residing in the host may enable the tracking of the TPM owner.
In this paper, we propose an efficient DAA scheme, defined on elliptic curves, that involves bilinear pairing computations only on the verifier's side. Consequently, all computations on the platform side required to verify the validity of a group signing key or to generate a DAA signature can, contrary to previous solutions, be entirely carried out by a resource constrained TPM. Our DAA scheme, which is more efficient than all existing DAA schemes, is formally proven secure under a variant of the LRSW assumption and can be extended to support private key and signature based revocations as well as group signing keys with attributes. As it is suitable for resource constrained environments such as SIM cards, our DAA scheme can be of particular interest for M2M applications involving a SIM card. More precisely, we show how to design a privacy-preserving authentication protocol for embedded SIMs (eSIM) so as to cope with a real issue that has arisen at the GSM Association (GSMA). By implementing our DAA scheme on a Global Platform compliant SIM card, we show its efficiency and suitability for real-world use cases. In particular, a TPM can be anonymously authenticated in only 169 ms.
Anonymous attestations made practical