Paper 2022/1691

TokenWeaver: Privacy Preserving and Post-Compromise Secure Attestation

Cas Cremers, CISPA Helmholtz Center for Information Security
Charlie Jacomme, Inria Paris
Eyal Ronen, Computer Science Department, Tel Aviv University

Modern attestation based on Trusted Execution Environments (TEEs) can significantly reduce the risk of secret compromise by attackers, while allowing users to authenticate across various services. However, this has also made TEEs a high-value attack target, driving an arms race between novel compromise attacks and continuous TEE updates. Ideally, we would like to ensure that we achieve Post-Compromise Security (PCS): even after a compromise, we can update the TEE into a secure state. However, at the same time, we would like the privacy of users to be respected, preventing providers (such as Intel, Google, or Samsung) or services from tracking users. In this work, we develop TokenWeaver, the first privacy-preserving post-compromise secure attestation method with automated formal proofs for its core properties. We base our construction on weaving together two types of token chains, one of which is linkable and the other is unlinkable. We provide the full formal models, including protocol, security properties, and proofs for reproducibility, as well as a proof-of-concept implementation in Python that shows the simplicity and applicability of our solution.

Category
Cryptographic protocols
Keywords
TEE, Trusted Execution Environments, PCS, Post-Compromise Security, Privacy, Unlinkability, Tamarin, DeepSec
Contact author(s)
cremers @ cispa de
charlie jacomme @ inria fr
er @ eyalro net
2022-12-06: approved
2022-12-06: received
Creative Commons Attribution


      author = {Cas Cremers and Charlie Jacomme and Eyal Ronen},
      title = {TokenWeaver: Privacy Preserving and Post-Compromise Secure Attestation},
      howpublished = {Cryptology ePrint Archive, Paper 2022/1691},
      year = {2022},
      note = {\url{}},
      url = {}