Paper 2014/052

DAA-related APIs in TPM2.0 Revisited

Li Xi


In TPM2.0, a single signature primitive is proposed to support various signature schemes including Direct Anonymous Attestation (DAA), U-Prove and Schnorr signature. This signature primitive is implemented by several APIs which can be utilized as a static Diffie-Hellman oracle. In this paper, we measure the practical impact of the SDH oracle in TPM2.0 and show the security strength of these signature schemes can be weakened by 14-bit. We propose a novel property of DAA called forward anonymity and show how to utilize these DAA-related APIs to break forward anonymity. Then we propose new APIs which not only remove the Static Diffie-Hellman oracle but also support the foward anonymity, thus significantly improve the security of DAA and the other signature schemes supported by TPM2.0. We prove the security of our new APIs under the discrete logarithm assumption in the random oracle model. We prove that DAA satisfy forward anonymity using the new APIs under the Decision Diffie-Hellman assumption. Our new APIs are almost as efficient as the original APIs in TPM2.0 specification and can support LRSW-DAA and SDH-DAA together with U-Prove as the original APIs.

Available format(s)
Publication info
Preprint. MINOR revision.
cryptographic protocols
Contact author(s)
xili @ tca iscas ac cn
2014-02-18: revised
2014-01-22: received
See all versions
Short URL
Creative Commons Attribution


      author = {Li Xi},
      title = {DAA-related APIs in TPM2.0 Revisited},
      howpublished = {Cryptology ePrint Archive, Paper 2014/052},
      year = {2014},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.