Issue No. 03, May/June 2012 (vol. 9)

pp: 345-360

Ernie Brickell, Intel Corporation, Hillsboro

Jiangtao Li, Intel Corporation, Hillsboro

DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/TDSC.2011.63

ABSTRACT

Direct Anonymous Attestation (DAA) is a scheme that enables the remote authentication of a Trusted Platform Module (TPM) while preserving the user's privacy. A TPM can prove to a remote party that it is a valid TPM without revealing its identity and without its proofs being linkable to one another. In the DAA scheme, a TPM can be revoked only if the DAA private key in the hardware has been extracted and published widely, so that verifiers obtain the compromised private key. If the unlinkability requirement is relaxed, a TPM suspected of being compromised can be revoked even if its private key is not known. However, with the full unlinkability requirement intact, a TPM that has been compromised but whose private key has not been distributed to verifiers cannot be revoked. Furthermore, the issuer cannot revoke a TPM that is found to be compromised after DAA issuing has already taken place. In this paper, we present a new DAA scheme called the Enhanced Privacy ID (EPID) scheme that addresses the above limitations. While still providing unlinkability, our scheme provides a method to revoke a TPM even if the TPM private key is unknown. This expanded revocation property makes the scheme useful for other applications, such as driver's licenses. Our EPID scheme is efficient and provably secure in the same security model as DAA, i.e., in the random oracle model under the strong RSA assumption and the decisional Diffie-Hellman assumption.

INDEX TERMS

Security and protection, anonymity, privacy, cryptographic protocols, trusted computing.

CITATION

Ernie Brickell, Jiangtao Li, "Enhanced Privacy ID: A Direct Anonymous Attestation Scheme with Enhanced Revocation Capabilities",

*IEEE Transactions on Dependable and Secure Computing*, vol. 9, no. 3, pp. 345-360, May/June 2012, doi:10.1109/TDSC.2011.63