Our first contribution is to identify issues in existing models for DAA and explain how these errors allow for proving security of insecure protocols. These issues are exhibited in all deployed and proposed DAA protocols (although they can often be easily fixed).
Our second contribution is a new security model for a class of “pre-DAA scheme”, i.e., DAA schemes where the computation on the user side takes place entirely on the trusted platform. Our model captures more accurately than any previous model the security properties demanded from DAA by the Trusted Computing Group (TCG), the group that maintains the DAA standard. Extending the model from pre-DAA to full DAA is only a matter of refining the trust models on the parties involved.
Finally, we present a generic construction of a DAA protocol from new building blocks tailored for anonymous attestation. Some of them are new variations on established ideas, and may be of independent interest. We give instantiations for these building blocks that yield a DAA scheme more efficient than the one currently deployed, and as efficient as the one about to be standardised by the TCG which has no valid security proof.Category / Keywords: Cryptographic protocols / DAA, group signatures, security models. Date: received 5 Dec 2011, last revised 24 Jan 2013 Contact author: nigel at cs bris ac uk Available formats: PDF | BibTeX Citation Note: Fixed some formatting Version: 20130124:081027 (All versions of this report) Discussion forum: Show discussion | Start new discussion