Primitives and building blocks

We first recall the details of Camenisch-Lysyanskaya (CL) signatures [CL03, Lys02], which form the foundations of RSA-based DAA, and introduce some notational conventions.

Signature scheme. A CL signature is denoted clsign(x_sk, x_prime, x_rand, x_msg), where x_skis the secret key, xprime is a random prime, xrandis a nonce, and xmsg is a message. The prime and nonce components can be derived from a signature. Verification is standard given a signature, message, and public key, that is, checkclsign(pk(x_sk), x_msg, clsign(x_sk, x_prime, x_rand, x_msg)) = accept.

Signature scheme for committed values. The scheme supports signatures on com-mitted values. Given the public part of a signing key pk(x_sk), a message x_csk, and com-mitment factor x_cf, the committed value is U = clcommit(pk(x_sk), x_cf, x_csk) and the asso-ciated signature is clsign(x_sk, y_prime, y_rand, U ) for some prime y_prime and random y_rand. This signature can be opened to recover σ = clopen(pk(xsk), xcf, clsign(xsk, yprime, yrand, U )) = clsign(x_sk, y_prime, y_rand◦ x_cf, x_csk), that is, the signature on x_csk. (A proof should also be provided to demonstrate that σ does not contain a covert channel – such details will be omitted from the model presented here – see Appendix B for further details.)

82 CHAPTER 4. ANONYMITY IN DIRECT ANONYMOUS ATTESTATION

Notation for primitives that prove knowledge. Various primitives which prove knowledge of, and relations among, discrete logarithms are used by CL signatures and RSA-based DAA. These primitives will be described using the notation introduced by Camenisch & Stadler [CS97a]. For instance,

PK {(α, β) : N = commit(α, Z) ∧ U = clcommit(pk(sk_I), α, β)}

denotes a “zero-knowledge Proof of Knowledge of α, β such that N = commit(α, Z) and U = clcommit(pk(sk_I), α, β) holds.” In the example, the Greek letters in parentheses are used for values about which knowledge is being proved and these values are kept secret by the prover. All other values, that is, those from the Latin alphabet, are known to the verifier. The Fiat-Shamir heuristic [FS87, PS96] allows an interactive zero-knowledge scheme to be converted into a signature scheme. A signature acquired in this way is termed a Signature Proof of Knowledge and is denoted, for example, as SPK {(α) : N = commit(α, Z)}(m), where m is a message.

Proving knowledge of a signature. The signature scheme for committed values can be used to build an anonymous credential system. Given a signature σ = clsign(x_sk, x_prime, x_rand, x_csk) and commitment factor x_cf, an anonymous credential ˆσ = clcommit(pk(x_sk), x_cf, σ). The zero-knowledge proof of knowledge

PK {(xcsk, xcf) : checkclsign(pk(xsk), xcsk, clopen(pk(xsk), xcf, ˆσ)) = accept}

can then be used to demonstrate that the anonymous credential ˆσ is indeed a commitment to a signature on the message xcsk using commitment factor xcf.

The application of these primitives to construct the RSA-based DAA protocol will be considered in the next section.

4.4. CASE STUDY: RSA-BASED DAA 83

4.4.2 Protocol description

For the purpose of studying user-controlled anonymity, it is sufficient to consider the join and sign algorithms. Given system parameters pk(sk_I), bsn_I (that is, the issuer’s public key and basename), the TPM’s secret DAASeed, a counter value cnt, and the TPM’s endorsement key; the join algorithm (Figure 4.5) proceeds as follows:

Figure 4.5 RSA-based DAA join algorithm

Trusted platform Issuer

Trusted platform publishes pk(sk_M) Issuer publishes pk(sk_I) and bsn_I tsk = hash(hash(DAASeed, hash(pk(skI))), cnt, 0)

Generate v⁰ computes secret tsk = hash(hash(DAASeed, hash(pk(sk_I))), cnt, 0) and derives the commitment N_I = commit(tsk, ζ_I). The TPM also generates a blinding factor v⁰,

84 CHAPTER 4. ANONYMITY IN DIRECT ANONYMOUS ATTESTATION

which is used to compute the commitment U = clcommit(pk(sk_I), v⁰, tsk). The trusted platform sends U, N_I to the issuer.

2. The issuer generates a nonce n_e and sends the encrypted nonce to the TPM. The TPM decrypts the ciphertext to recover n_e, computes a_U = hash(U, n_e) and sends a_U to the issuer, therefore authenticating as a trusted platform. (Note that the protocol does not rely on the authentication technique recommended by the Trusted Computing Group.)

3. The trusted platform generates a signature proof of knowledge that the messages U, N_I are correctly formed and sends it to the issuer.

4. The issuer verifies the proof and generates a signature clsign(sk_I, e, v⁰⁰, U ). The signature is sent to the trusted platform.

5. The trusted platform verifies the signature and opens it to reveal the credential cre = clsign(skI, e, v⁰◦ v⁰⁰, tsk), that is, the TPM’s secret tsk signed by the issuer.

The join algorithm outputs cre, tsk; which can be provided as input, along with the system parameters, a basename bsn, and message m, to the sign algorithm. The sign algorithm proceeds as follows.

5. If bsn = ⊥, the host generates a nonce ζ; otherwise, the host computes ζ = hash(0, bsn). The host provides the TPM with ζ. The TPM computes the com-mitment N_V = commit(tsk, ζ) and generates the anonymous credential cre =d clcommit(pk(sk_I), w, cre) using a nonce w. The trusted platform then produces a signature proof of knowledge thatcre is a commitment to a valid credential, andd that N_V is correctly formed.

The sign algorithm outputs the signature proof of knowledge which is sent to the verifier.

Intuitively, if a verifier is presented with such a proof, then the verifier is convinced that it is communicating with a trusted platform.

4.4. CASE STUDY: RSA-BASED DAA 85

4.4.3 Equational theory

The signature is defined below

Σ = {accept, ⊥, 0, 1, F_join, F_sign, clgetnonce, clgetprime, hash, pk, commit, ◦,

dec, open, checkclsign, checkspk, clcommit, clopen, penc, spk, clsign}

Functions accept, ⊥, 0, 1, F_join, F_sign are constant symbols; clgetnonce, clgetprime, hash, pk are unary functions; commit, ◦, dec, open are binary functions; checkclsign, checkspk, clcommit, clopen, penc, spk are ternary functions; and clsign is a function of arity four.

Since hash is defined as a unary function, we occasionally write hash(x_plain,1, . . . , x_plain,n) to denote hash((x_plain,1, . . . , x_plain,n)). The equations associated with these functions are defined below.

dec(x_sk, penc(pk(x_sk), x_rand, x_plain)) = x_plain

clgetprime(clsign(x_sk, x_prime, x_rand, x_msg)) = x_prime

clgetnonce(clsign(x_sk, x_prime, x_rand, x_msg)) = x_rand

checkclsign(pk(x_sk), x_msg, clsign(x_sk, x_prime, x_rand, x_msg)) = accept

open(x_rand, commit(x_rand, x_plain)) = x_plain

clopen(x, x_rand, clcommit(x, x_rand, x_plain)) = x_plain

clopen(pk(x_sk), x_rand, clsign(x_sk, y_prime, y_rand, clcommit(pk(x_sk), x_rand, x_msg)))

= clsign(x_sk, y_prime, y_rand◦ x_rand, x_msg)

A signature proof of knowledge is encoded in the form spk(F, U, V ), where F is a constant declaring the particular proof in use, U denotes the witness (or private component) of a signature of knowledge, and V defines the public parameters and message being signed.

The function checkspk is used to verify a signature and we define the following equations.

86 CHAPTER 4. ANONYMITY IN DIRECT ANONYMOUS ATTESTATION

checkspk(Fjoin, V, spk(Fjoin, (xtsk, xcf), V )) = accept

where V = (x_ζI, x_pk, commit(x_tsk, x_ζI), clcommit(x_pk, x_cf, x_tsk), x_msg)

checkspk(F_sign, V, spk(F_sign, (x_tsk, x_cf), V )) = accept where V = (x_ζ, pk(x_sk), commit(x_tsk, x_ζ),

clcommit(pk(x_sk), x_cf, clsign(x_sk, x_prime, x_rand, x_tsk)), x_msg)

The first equation is used to verify the signature proof of knowledge produced by the trusted platform during the join algorithm and the second is used by a trusted platform during the sign algorithm to assert group membership.

4.4.4 Model in applied pi

The RSA-based DAA process specification is presented in Definition 4.7. For convenience we abbreviate c(x).let x₁ = π₁(x) in . . . let x_n = π_n(x) in P as c(x₁, . . . , x_n).P . The join process Join_RSA is instantiated by inputting the join algorithm’s parameters: the RSA-based DAA system parameters wparams; the TPM’s internal secret wDAASeed; the counter value w_cnt chosen by the host; and the TPM’s endorsement key w_ek. The system parameters w_params are expected to be a pair containing the issuer’s public key w_pk and basename w_bsnI. The process constructs the terms N_I, U in accordance with the protocol’s description (Section 4.4.2) and outputs the values to the issuer. The process then receives a ciphertext x, which it decrypts, and outputs the hash of the plaintext paired with U . A nonce y is then input and a signature proof of knowledge is produced. Finally, the process inputs a signature z on the commitment U and concludes by outputting the attestation identity credential cre and TPM’s secret tsk on the private channel a⁰_j; that is, the Join_RSA process returns the values cre, tsk to the Signer⁺ process. The sign process Sign_RSA is instantiated by inputting the sign algorithm’s parameters: the RSA-based DAA system parameters w_params; the verifier’s basename w_bsn; the message w_msg to be signed; the attestation identity credential w_cre; and the TPM’s secret w_tsk. The process recovers the issuer’s public key w_pk from the system parameters, and inputs a

4.4. CASE STUDY: RSA-BASED DAA 87 Definition 4.7. The DAA process specification hJoinRSA, Sign_RSAi is defined where

Join_RSA = aˆ _j(w_params, w_DAASeed, w_cnt, w_ek) . ν v⁰ .

let w_pk= π₁(w_params) in let w_bsnI = π₂(w_params) in let ζ_I = hash(0, w_bsnI) in

let tsk = hash(hash(w_DAASeed, hash(w_pk)), w_cnt, 0) in let N_I = commit(tsk, ζ_I) in

let U = clcommit(w_pk, v⁰, tsk) in

ch(N_I, U )i . c(x) . chhash(U, dec(w_ek, x))i . c(y) . ν n_t. ch(n_t, spk(F_join, (tsk, v⁰), (ζ_I, w_pk, N_I, U, (n_t, y ))))i . c(z) let cre = clopen(w_pk, v⁰, z) in

if checkclsign(w_pk, tsk, cre) = accept then a⁰_jh(cre, tsk)i

Sign_RSA = aˆ s(wparams, wbsn, wmsg, wcre, wtsk) . let wpk = π1(wparams) in c(x) . ν n_t. ν w .

if w_bsn =⊥ then ν ζ .

let cre = clcommit(wd pk, w, w_cre) in let N_V = commit(w_tsk, ζ) in

let spk = spk(F_sign, (w_tsk, w), (ζ, w_pk, N_V,cre, (nd t, x, w_msg))) in a⁰_sh(ζ, w_pk, N_V,cre, nd _t, spk )i

else

let ζ = hash(0, w_bsn) in

let cre = clcommit(wd _pk, w, w_cre) in let NV = commit(wtsk, ζ) in

let spk = spk(Fsign, (wtsk, w), (ζ, wpk, NV,cre, (nd t, x, wmsg))) in a⁰_sh(ζ, w_pk, N_V,cre, nd t, spk )i

88 CHAPTER 4. ANONYMITY IN DIRECT ANONYMOUS ATTESTATION

nonce x from the verifier. The if-then-else branch models the signer’s ability to produce either linkable or unlinkable signatures, based upon the parameter w_bsn; in particular, the if-branch produces an unlinkable signature, whereas the else-branch produces a linkable signature. The process concludes by outputting a signature on the private channel a⁰_s; that is, the Sign_RSA process returns the signature to the Signer⁺ process.