Paper 2017/200

Anonymous Attestation with Subverted TPMs

Jan Camenisch, Manu Drijvers, and Anja Lehmann


Various sources have revealed that cryptographic standards and components have been subverted to undermine the security of users, reigniting research on means to achieve security in presence of such subverted components. In this paper we consider direct anonymous attestation (DAA) in this respect. This standardized protocol allows a computer with the help of an embedded TPM chip to remotely attest that it is in a healthy state. Guaranteeing that different attestations by the same computer cannot be linked was an explicit and important design goal of the standard in order to protect the privacy of the user of the computer. Surprisingly, none of the standardized or otherwise proposed DAA protocols achieves privacy when the TPM is subverted, but they all rely on the honesty of the TPM. As the TPM is a piece of hardware, it is hardly possible to tell whether or not a given TPM follows the specified protocol. In this paper we study this setting and provide a new protocol that achieves privacy also in presence of subverted TPMs.

Available format(s)
Cryptographic protocols
Publication info
A major revision of an IACR publication in CRYPTO 2017
Direct Anonymous AttestationSubliminal channelAnonymityPrivacyUniversal ComposabilityTrusted Platform Module
Contact author(s)
mdr @ zurich ibm com
2017-06-28: revised
2017-02-28: received
See all versions
Short URL
Creative Commons Attribution


      author = {Jan Camenisch and Manu Drijvers and Anja Lehmann},
      title = {Anonymous Attestation with Subverted TPMs},
      howpublished = {Cryptology ePrint Archive, Paper 2017/200},
      year = {2017},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.