Paper 2020/1450

Subversion-Resilient Enhanced Privacy ID

Antonio Faonio, EURECOM
Dario Fiore, IMDEA Software Institute
Luca Nizzardo, Protocol Labs
Claudio Soriente, NEC Labs Europe

Anonymous attestation for secure hardware platforms leverages tailored group signature schemes and assumes the hardware to be trusted. Yet, there is an ever increasing concern on the trustworthiness of hardware components and embedded systems. A subverted hardware may, for example, use its signatures to exfiltrate identifying information or even the signing key. In this paper we focus on Enhanced Privacy ID (EPID)---a popular anonymous attestation scheme used in commodity secure hardware platforms like Intel SGX. We define and instantiate a \emph{subversion resilient} EPID scheme (or SR-EPID). In a nutshell, SR-EPID provides the same functionality and security guarantees of the original EPID, despite potentially subverted hardware. In our design, a ``sanitizer'' ensures no covert channel between the hardware and the outside world both during enrollment and during attestation (i.e., when signatures are produced). We design a practical SR-EPID scheme secure against adaptive corruptions and based on a novel combination of malleable NIZKs and hash functions modeled as random oracles. Our approach has a number of advantages over alternative designs. Namely, the sanitizer bears no secret information---hence, a memory leak does not erode security. Further, the role of sanitizer may be distributed in a cascade fashion among several parties so that sanitization becomes effective as long as one of the parties has access to a good source of randomness. Also, we keep the signing protocol non-interactive, thereby minimizing latency during signature generation.

Available format(s)
Public-key cryptography
Publication info
Published elsewhere. CT-RSA 2022
Groth-Sahai subversion EPID group signatures pairing-based cryptography
Contact author(s)
faonio @ eurecom fr
dario fiore @ imdea org
luca @ protocol ai
claudio soriente @ neclab eu
2022-05-27: revised
2020-11-19: received
See all versions
Short URL
Creative Commons Attribution


      author = {Antonio Faonio and Dario Fiore and Luca Nizzardo and Claudio Soriente},
      title = {Subversion-Resilient Enhanced Privacy ID},
      howpublished = {Cryptology ePrint Archive, Paper 2020/1450},
      year = {2020},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.