Cryptology ePrint Archive: Report 2016/663

Anonymous Attestation Using the Strong Diffie Hellman Assumption Revisited

Jan Camenisch and Manu Drijvers and Anja Lehmann

Abstract: Direct Anonymous Attestation (DAA) is a cryptographic protocol for privacy-protecting authentication. It is standardized in the TPM standard and implemented in millions of chips. A variant of DAA is also used in Intel's SGX. Recently, Camenisch et al. (PKC 2016) demonstrated that existing security models for DAA do not correctly capture all security requirements, and showed a number of flaws in existing schemes based on the LRSW assumption. In this work, we identify flaws in security proofs of a number of qSDH-based DAA schemes and point out that none of the proposed schemes can be proven secure in the recent model by Camenisch et al. (PKC 2016). We therefore present a new, provably secure DAA scheme that is based on the qSDH assumption. The new scheme is one of the most efficient DAA schemes, with support for DAA extensions to signature-based revocation and attributes. We rigorously prove the scheme secure in the model of Camenisch et al., which we modify to support the extensions. As a side-result of independent interest, we prove that the BBS+ signature scheme is secure in the type-3 pairing setting, allowing for our scheme to be used with the most efficient pairing-friendly curves.

Category / Keywords: cryptographic protocols / Direct Anonymous Attestation, Universal Composability, Trusted Platform Module

Original Publication (with major differences): Trust and Trustworthy Computing 2016

Date: received 28 Jun 2016, last revised 6 Jan 2017

Contact author: mdr at zurich ibm com

Note: This revision slightly modifies the construction, achieving a more efficient scheme than the original publication.

Version: 20170106:132727
