Paper 2004/205

Direct Anonymous Attestation

Ernie Brickell, Jan Camenisch, and Liqun Chen


This paper describes the direct anonymous attestation scheme (DAA). This scheme was adopted by the Trusted Computing Group as the method for remote authentication of a hardware module, called trusted platform module (TPM), while preserving the privacy of the user of the platform that contains the module. Direct anonymous attestation can be seen as a group signature without the feature that a signature can be opened, i.e., the anonymity is not revocable. Moreover, DAA allows for pseudonyms, i.e., for each signature a user (in agreement with the recipient of the signature) can decide whether or not the signature should be linkable to another signature. DAA furthermore allows for detection of "known" keys: if the DAA secret keys are extracted from a TPM and published, a verifier can detect that a signature was produced using these secret keys. The scheme is provably secure in the random oracle model under the strong RSA and the decisional Diffie-Hellman assumption.

Category
Cryptographic protocols
Publication info
Published elsewhere. Full version of ACM CCS 04 paper.
Keywords
digital signatures, privacy, group signatures
Contact author(s)
jca @ zurich ibm com
History
2004-08-21: received
License
Creative Commons Attribution


BibTeX
@misc{cryptoeprint:2004/205,
      author = {Ernie Brickell and Jan Camenisch and Liqun Chen},
      title = {Direct Anonymous Attestation},
      howpublished = {Cryptology ePrint Archive, Paper 2004/205},
      year = {2004},
      note = {\url{}},
      url = {}
}