Manu Drijvers. Joint work with Jan Camenisch, Anja Lehmann. March 9th, 2016. Universally Composable Direct Anonymous Attestation.


1 Manu Drijvers, mdr@zurich.com. Joint work with Jan Camenisch, Anja Lehmann. March 9th, 2016. Universally Composable Direct Anonymous Attestation

2 Trusted Platform Module (TPM)
• Trusted Computing Group (2004)
• Secure cryptoprocessor
• Creates, stores, uses cryptographic keys
• Measures host system
• > 500M sold

3 Direct Anonymous Attestation (DAA)
• TPM makes remote attestations
  – the computer booted the following software
  – the private part of this key is securely stored
• Unlinkable: verifier only learns that some TPM created the attestation
• Introduced by Brickell, Camenisch, Chen (2004)
• Standardized in TPM spec 1.2 (2004) and 2.0 (2014)

4 How DAA works: Join

5 How DAA works: Signing

6 Informal Security of DAA
• Anonymity: signatures by an honest platform without a basename or with different basenames are unlinkable
• Unforgeability: no adversary can create signatures on messages that were never signed by a TPM
• Non-frameability: one cannot create a signature on a message that links to an honest platform's signature when the platform never signed this message

7 Existing Simulation-Based Models for DAA
• Brickell, Camenisch, Chen (2004)
  – Does not output any signature values
  – Prohibits working with signature values in practice
• Chen, Morrissey, Smart (2009)
  – Outputs signatures
  – Signature generation too simplistically modeled to be realizable

8 Existing Property-Based Models for DAA
• Brickell, Chen, Li (2009)
  – Unforgeability not captured: a trivially forgeable scheme can be proven secure
  – No property for non-frameability
• Chen (2010)
  – Extends BCL'09 with non-frameability
  – Same flaws as BCL'09
• Bernhard et al. (2013)
  – Discusses flaws in all previous models
  – TPM and Host modeled as one party
  – Does not cover an honest TPM in a corrupt Host
  – Security proof of "Pre-DAA" does not work for full DAA

9 Main Contribution
• Security model for full-DAA setting
  – Comprehensive security model in UC framework
  – Allows composition by composition theorem
  – Signatures modeled as concrete values that are sent as output
  – TPM and Host separate parties
  – Extensive explanation on why this definition properly captures the security requirements
• Scheme to realize the functionality
  – Provably secure instantiation
  – As efficient as existing DAA schemes

11 Do we need all these definitions?
• (1, 1, 1, 1) is a valid credential on any key in Chen, Page, Smart 2010
  – ISO 20008 standardized!
• TPM2 spec contains static DH oracle
  – Larger groups and keys required (Xi et al., 2014)
• TPM2 should make zero-knowledge proof
  – Problem in hash computation
  – Proof not zero-knowledge
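Added example (not from the slides or the authors' code): why the all-identity credential from slide 11 passes verification, and the check that stops it. It assumes CL04-style verification equations e(A,Y) = e(B,g2) and e(A·D,X) = e(C,g2) with D = B^gsk, and uses a constructed toy pairing in which elements are stored as exponents; all function names are hypothetical.

```python
import secrets

# Toy model (constructed for illustration): a group element g^a is stored as
# its exponent a mod Q, so the identity "1" is 0 and e(g1^a, g2^b) = gT^(a*b).
# Discrete logs are visible, so this is insecure; it only evaluates equations.
Q = 2**61 - 1  # prime group order chosen for the toy model
G2 = 1         # exponent of the G2 generator

def pair(u, v):
    return (u * v) % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    y = secrets.randbelow(Q - 1) + 1
    return (x, y), (x, y)   # issuer secret (x, y); public X = g2^x, Y = g2^y

def issue(sk, gsk):
    x, y = sk
    a = secrets.randbelow(Q - 1) + 1   # A = g1^a, never the identity
    b = a * y % Q                      # B = A^y
    d = b * gsk % Q                    # D = B^gsk
    c = (a + d) * x % Q                # C = (A*D)^x
    return (a, b, c, d)

def verify_equations(pk, cred):
    """Assumed checks: e(A,Y) = e(B,g2) and e(A*D,X) = e(C,g2)."""
    X, Y = pk
    a, b, c, d = cred
    return pair(a, Y) == pair(b, G2) and pair((a + d) % Q, X) == pair(c, G2)

def binds_key(cred, gsk):
    """D = B^gsk, the relation the signer proves in zero knowledge."""
    return cred[3] == cred[1] * gsk % Q

def verify_hardened(pk, cred):
    """Same equations plus the missing check: reject A = 1."""
    return cred[0] != 0 and verify_equations(pk, cred)

TRIVIAL = (0, 0, 0, 0)  # the credential (1, 1, 1, 1) in this representation
```

With every component equal to the identity, both pairing equations reduce to 1 = 1 and D = B^gsk holds for every gsk, so the equations alone never involve the issuer's secret key.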

12 Summary
• DAA allows unlinkable signatures with secure devices
• Prior security models not sufficient
• Comprehensive security model in UC framework
• Scheme to realize the security model

13 Thanks!
• ia.cr/2015/1246
• mdr@zurich.ibm.com

14 References (1/2)
• Bernhard, D., Fuchsbauer, G., Ghadafi, E., Smart, N., Warinschi, B.: Anonymous attestation with user-controlled linkability. International Journal of Information Security 12(3), (2013)
• Brickell, E., Camenisch, J., Chen, L.: Direct anonymous attestation. ACM CCS 2004.
• Brickell, E., Chen, L., Li, J.: Simplified security notions of direct anonymous attestation and a concrete scheme from pairings. International Journal of Information Security 8(5), (2009)
• Camenisch, J., Lysyanskaya, A.: Signature schemes and anonymous credentials from bilinear maps. CRYPTO 2004.
• Chen, L., Morrissey, P., Smart, N.: DAA: Fixing the pairing based protocols. ePrint Archive, Report 2009/198.

15 References (2/2)
• Chen, L.: A DAA scheme requiring less TPM resources. Information Security and Cryptology 2010.
• Chen, L., Morrissey, P., Smart, N.: On proofs of security for DAA schemes. Provable Security 2008.
• Chen, L., Page, D., Smart, N.: On the design and implementation of an efficient DAA scheme. Smart Card Research and Advanced Application 2010.
• Lysyanskaya, A., Rivest, R.L., Sahai, A., Wolf, S.: Pseudonym systems. SAC 1999.
• Xi, L., Yang, K., Zhang, Z., Feng, D.: DAA-related APIs in TPM 2.0 revisited. Trust and Trustworthy Computing 2014.

16 (Un)linkability of Signatures

17 Universal Composability

18 Camenisch-Lysyanskaya Signature (CL04)

19 Prove knowledge of CL04 signature [diagram: Prover, Verifier]

20 Existing Simulation-based Models for DAA
• Brickell, Camenisch, Chen (2004)
  – Interactive Sign/Verify
  – Limits applications of DAA

21 Existing Simulation-based Models for DAA
• Chen, Morrissey, Smart (2009)
  – Non-interactive Sign and Verify
  – Unrealizable

22 Signature Generation in Functionality

