Publication


Featured research published by Ernie Brickell.


Workshop on Privacy in the Electronic Society | 2007

Enhanced Privacy ID: A Direct Anonymous Attestation Scheme with Enhanced Revocation Capabilities

Ernie Brickell; Jiangtao Li

Direct Anonymous Attestation (DAA) is a scheme that enables the remote authentication of a Trusted Platform Module (TPM) while preserving the user's privacy. A TPM can prove to a remote party that it is a valid TPM without revealing its identity and without linkability. In the DAA scheme, a TPM can be revoked only if the DAA private key in the hardware has been extracted and published widely so that verifiers obtain the corrupted private key. If the unlinkability requirement is relaxed, a TPM suspected of being compromised can be revoked even if the private key is not known. However, with the full unlinkability requirement intact, if a TPM has been compromised but its private key has not been distributed to verifiers, the TPM cannot be revoked. Furthermore, a TPM cannot be revoked from the issuer if the TPM is found to be compromised after the DAA issuing has occurred. In this paper, we present a new DAA scheme called Enhanced Privacy ID (EPID) scheme that addresses the above limitations. While still providing unlinkability, our scheme provides a method to revoke a TPM even if the TPM private key is unknown. This expanded revocation property makes the scheme useful for other applications such as driver's licenses. Our EPID scheme is efficient and provably secure in the same security model as DAA, i.e., in the random oracle model under the strong RSA assumption and the decisional Diffie-Hellman assumption.


Trust and Trustworthy Computing | 2008

A New Direct Anonymous Attestation Scheme from Bilinear Maps

Ernie Brickell; Liqun Chen; Jiangtao Li

Direct Anonymous Attestation (DAA) is a cryptographic mechanism that enables remote authentication of a user while preserving privacy under the user's control. The DAA scheme developed by Brickell, Camenisch, and Chen has been adopted by the Trusted Computing Group (TCG) for remote anonymous attestation of a Trusted Platform Module (TPM), a small hardware device with limited storage space and communication capability. In this paper, we propose a new DAA scheme from elliptic curve cryptography and bilinear maps. The lengths of private keys and signatures in our scheme are much shorter than the lengths in the original DAA scheme, with a similar level of security and computational complexity. Our scheme builds upon the Camenisch-Lysyanskaya signature scheme and is efficient and provably secure in the random oracle model under the LRSW (stands for Lysyanskaya, Rivest, Sahai and Wolf) assumption and the decisional Bilinear Diffie-Hellman assumption.


International Journal of Information Security | 2009

Simplified security notions of direct anonymous attestation and a concrete scheme from pairings

Ernie Brickell; Liqun Chen; Jiangtao Li

Direct Anonymous Attestation (DAA) is a cryptographic mechanism that enables remote authentication of a user while preserving privacy under the user’s control. The DAA scheme developed by Brickell, Camenisch, and Chen has been adopted by the Trusted Computing Group for remote anonymous attestation of a Trusted Platform Module, which is a small hardware device with limited storage space and communication capability. In this paper, we provide two contributions to DAA. We first introduce simplified security notions of DAA including the formal definitions of user-controlled anonymity and traceability. We then propose a new DAA scheme from elliptic curve cryptography and bilinear maps. The lengths of private keys and signatures in our scheme are much shorter than the lengths in the original DAA scheme, with a similar level of security and computational complexity. Our scheme builds upon the Camenisch–Lysyanskaya signature scheme and is efficient and provably secure in the random oracle model under the LRSW (stands for Lysyanskaya, Rivest, Sahai and Wolf) assumption and the decisional Bilinear Diffie–Hellman assumption.


Trust and Trustworthy Computing | 2010

A pairing-based DAA scheme further reducing TPM resources

Ernie Brickell; Jiangtao Li

Direct Anonymous Attestation (DAA) is an anonymous signature scheme designed for anonymous attestation of a Trusted Platform Module (TPM) while preserving the privacy of the device owner. Since a TPM has limited bandwidth and computational capability, one interesting feature of DAA is to split the signer role between two entities: a TPM and a host platform where the TPM is attached. Recently, Chen proposed a new DAA scheme that is more efficient than previous DAA schemes. In this paper, we construct a new DAA scheme requiring even fewer TPM resources. Our DAA scheme is about 5 times more efficient than Chen's scheme for the TPM implementation using the Barreto-Naehrig curves. In addition, our scheme requires a much smaller size of software code that needs to be implemented in the TPM. This makes our DAA scheme ideal for the TPM implementation. Our DAA scheme is efficient and provably secure in the random oracle model under the strong Diffie-Hellman assumption and the decisional Diffie-Hellman assumption.


IEEE Transactions on Dependable and Secure Computing | 2012

Enhanced Privacy ID: A Direct Anonymous Attestation Scheme with Enhanced Revocation Capabilities

Ernie Brickell; Jiangtao Li

Direct Anonymous Attestation (DAA) is a scheme that enables the remote authentication of a Trusted Platform Module (TPM) while preserving the user's privacy. A TPM can prove to a remote party that it is a valid TPM without revealing its identity and without linkability. In the DAA scheme, a TPM can be revoked only if the DAA private key in the hardware has been extracted and published widely so that verifiers obtain the corrupted private key. If the unlinkability requirement is relaxed, a TPM suspected of being compromised can be revoked even if the private key is not known. However, with the full unlinkability requirement intact, if a TPM has been compromised but its private key has not been distributed to verifiers, the TPM cannot be revoked. Furthermore, a TPM cannot be revoked from the issuer if the TPM is found to be compromised after the DAA issuing has occurred. In this paper, we present a new DAA scheme called Enhanced Privacy ID (EPID) scheme that addresses the above limitations. While still providing unlinkability, our scheme provides a method to revoke a TPM even if the TPM private key is unknown. This expanded revocation property makes the scheme useful for other applications such as driver's licenses. Our EPID scheme is efficient and provably secure in the same security model as DAA, i.e., in the random oracle model under the strong RSA assumption and the decisional Diffie-Hellman assumption.


International Conference on Social Computing | 2010

Enhanced Privacy ID from Bilinear Pairing for Hardware Authentication and Attestation

Ernie Brickell; Jiangtao Li

Enhanced Privacy ID (EPID) is a cryptographic scheme that enables the remote authentication and attestation of a hardware device while preserving the privacy of the device. EPID can be seen as a direct anonymous attestation scheme with enhanced revocation capabilities. In EPID, a device can be revoked if the private key embedded in the hardware device has been extracted and published widely so that the revocation manager finds the corrupted private key. In addition, the revocation manager can revoke a device based on the signatures the device has created, if the private key of the device is not known. In this paper, we introduce a new security notion of EPID including the formal definitions of anonymity and unforgeability. We also give a construction of an EPID scheme from bilinear pairing. Our EPID scheme is efficient and provably secure in the random oracle model under the strong Diffie-Hellman assumption and the decisional Diffie-Hellman assumption.


International Conference on Trusted Systems | 2011

A (corrected) DAA scheme using batch proof and verification

Ernie Brickell; Liqun Chen; Jiangtao Li

Direct anonymous attestation (DAA) is a cryptographic primitive for providing anonymous signatures, and is a part of trusted computing technology from the Trusted Computing Group (TCG). DAA offers a nice balance between user authentication and privacy. One active research topic in the trusted computing community is to develop DAA schemes that require minimum TPM resources. In 2010, Chen introduced a new DAA scheme using batch proof and verification. In this scheme, the TPM only needs to perform one or two exponentiations to create a DAA signature, depending on whether linkability is required. In this paper, we demonstrate an attack on this DAA scheme. The attack allows any malicious host to forge linkable DAA signatures without knowing the private key. We also present a patch to this DAA scheme to mitigate the attack. Our new DAA scheme has the same computational requirement for a TPM. We formally prove the new DAA scheme is secure in the random oracle model under the blind-4 bilinear LRSW assumption, the DDH assumption, and the gap-DL assumption.


International Conference on Trusted Systems | 2012

A Static Diffie-Hellman Attack on Several Direct Anonymous Attestation Schemes

Ernie Brickell; Liqun Chen; Jiangtao Li

Direct Anonymous Attestation (DAA) is an anonymous signature scheme designed for anonymous attestation of a Trusted Platform Module (TPM) while preserving the privacy of the device owner. In 2004, Brickell, Camenisch, and Chen provided the first DAA scheme based on the strong RSA assumption and decisional Diffie-Hellman assumption. This scheme was adopted by the Trusted Computing Group in the TPM 1.2 Specification and has been implemented in hundreds of millions of computer platforms. Since then, multiple DAA schemes have been developed, many of which are based on bilinear maps. In this paper, we discover that in a large number of DAA schemes, including the original one adopted in TPM 1.2, a malicious user can treat a TPM as a static Diffie-Hellman (DH) oracle; therefore the security of these schemes is based on the hardness of the static DH problem. However, this security feature has not been analyzed in the security proofs of most of these schemes. Brown and Gallant showed that one can break the Static DH problem in a group of order ρ with only $O(\rho^{1/3})$ oracle queries and $O(\rho^{1/3})$ group operations. Our discovery means that the security level of these DAA schemes can be significantly weakened, to only roughly 2/3 of the claimed security level. We discuss the impact of our discovery and present how to patch the affected DAA schemes to avoid this attack.


International Cryptology Conference | 2012

Recent Advances and Existing Research Questions in Platform Security

Ernie Brickell

In this talk I will provide a description of recent uses Intel has made of cryptography in our platforms, including providing a hardware random number generator, using anonymous signatures, and improving performance of cryptographic algorithms. I will discuss how processor capabilities could be used more effectively by cryptographic algorithms. I will then discuss research questions in cryptographic protocols and platform security that are motivated by our goals.


Cryptographic Hardware and Embedded Systems | 2008

A Vision for Platform Security

Ernie Brickell

Intel has recently produced several new capabilities to enhance security on the platform that have been released or will be released in the near future. In this presentation I will give a review of these capabilities and discuss their benefit to the security of the platform.
