## Direct Anonymous Attestation for Next Generation TPM

CHEN Xiaofeng

State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, Beijing, China Email: chenxiaof@is.iscas.ac.cn

FENG Dengguo

State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, Beijing, China Email: feng@is.iscas.ac.cn

**Abstract**—Trusted computing platforms have been proposed as a promising approach to enhance the security of general-purpose computing systems. Direct Anonymous Attestation (DAA) is a scheme that allows a Trusted Platform Module (TPM), which is the core component of the trusted computing platform, to remotely convince a communication partner that it is indeed a Trusted Platform Module while preserving the user's privacy. The first DAA scheme, developed by Brickell et al., which is relatively complex and time-consuming, was adopted by the current TPM specification. As the ECC cryptosystem is more efficient than the RSA cryptosystem, more and more cryptographic devices are based on the ECC cryptosystem, so it is anticipated that the TPM will be based on ECC in the near future. In this paper, we propose a new direct anonymous attestation which is suitable for the ECC-based TPM. This paper presents an efficient construction that implements all anonymous authentication features specified in DAA. The proposed scheme has the best computational performance of all the DAA schemes up to now. The new DAA scheme is provably secure in the random oracle model under the q-SDH and the decisional Diffie-Hellman assumptions.

**Index Terms**—Direct Anonymous Attestation; Trusted Computing Platform; Trusted Platform Module; ECC

I. INTRODUCTION

Direct Anonymous Attestation (DAA) is a scheme developed by Brickell, Camenisch, and Chen [2], which we refer to as the BCC scheme in this paper, for remote authentication of a security hardware module, called Trusted Platform Module (TPM), while preserving the privacy of the user of the platform that contains the module. The scheme was adopted by the Trusted Computing Group (TCG) [7], a non-profit standardization body that aims to develop and promote an open industry standard for trusted computing hardware and software building blocks, and was included in TPM specification version 1.2. According to the TPM specification, the current BCC implementation is based on the RSA cryptosystem, whose computation is based on modular exponentiations, modular squarings and multiplications. One limitation of the original BCC scheme is that the lengths of private keys and DAA signatures are quite large for a small TPM, i.e., around 670 bytes and 2800 bytes, respectively. It is inappropriate for a mobile platform to adopt the BCC scheme. Unlike desktop computers, mobile devices have very stringent limitations with respect to available power, physical circuit area, and cost. So, at the PKC 2007 conference, He Ge and Stephen R. Tate proposed a new DAA scheme [3], which we refer to as the HS scheme, for devices with low computing capabilities, such as cell phones. Both DAA schemes are suitable for an RSA-based TPM which implements the modular squaring and multiplication operations; the security of both DAA schemes is based on the strong RSA assumption and the decisional Diffie-Hellman assumption.

According to [5], elliptic curve cryptography is more efficient than integer factorization systems and discrete logarithm systems in terms of key sizes and bandwidth for schemes of comparable security. This feature makes it especially attractive for the next generation TPM. There are two reasons why, in the near future, it is necessary to design a new ECC-based TPM architecture:

1. The current encryption and decryption scheme is based on RSA systems; compared to the ECC cryptosystem, the RSA-based system's efficiency is relatively poor, and more and more cryptosystems are based on elliptic curves. Meanwhile, at the same security level, the ECC cryptosystem has a shorter key length.

2. In the current TPM implementation, the BCC scheme is adopted as the privacy solution, but the BCC scheme is so complex and time-consuming that it is very difficult to deploy. Also because of the complexity of the BCC scheme, it is not proper to implement it on a mobile computing platform, so it is necessary to design a new efficient direct anonymous attestation scheme that can also be implemented on a mobile platform.

cryptography, it is more efficient than the traditional DAA schemes based on the RSA cryptosystem, such as the BCC scheme and the HS scheme; we demonstrate this point in Section IV when we present the performance analysis.

The rest of this paper is organized as follows. First, Section II describes the related work on DAA schemes; then we define our notation and briefly review some previously known cryptographic techniques in Section III. After that we describe our scheme in Section IV. Finally, we conclude this paper in Section V.


II. RELATED WORK

After the BCC scheme was adopted as the privacy solution for trusted computing platforms, there have been several papers discussing the deficiencies and extensions of the BCC scheme. In order to provide the same privacy level as the Privacy CA scheme, Jan Camenisch proposed a scheme based on the BCC scheme which uses a two-stage authorization [10]. In the original BCC scheme, a TPM can be revoked only if the TPM's private key in the hardware has been extracted and published widely. In [14], the authors present a new scheme which provides a method to revoke a TPM even if the TPM private key is unknown, as in the BCC scheme.

Meanwhile, research on applications of the DAA scheme is going on. [16] provides a mechanism to ensure that credentials can only be used with the TPM they were issued to. In P2P systems, we can employ the functionalities provided by trusted computing technology to establish a pseudonymous authentication scheme for peers and extend this scheme to build secure channels between peers for future communications [17]. [18] demonstrates how Single Sign-On among disparate service providers can be achieved using TCG-conformant computing platforms. Ernie Brickell et al. proposed a direct anonymous attestation based on bilinear maps [22]. This scheme, which we refer to as the BCL scheme, is the first DAA scheme based on bilinear maps.

III. PRELIMINARIES

**Bilinear Maps**: We review a few concepts related to bilinear maps:

1. $G_1$ and $G_2$ are two (multiplicative) cyclic groups of prime order $p$;
2. $g_1$ is a generator of $G_1$ and $g_2$ is a generator of $G_2$;
3. $\psi$ is a computable isomorphism from $G_2$ to $G_1$, with $\psi(g_2) = g_1$; and
4. $e$ is a computable map $e: G_1 \times G_2 \to G_T$ with the following properties. Bilinearity: for all $u \in G_1$, $v \in G_2$ and all $a, b$, $e(u^{a}, v^{b}) = e(u, v)^{ab}$. Non-degeneracy: $e(g_1, g_2) \neq 1$.

**The Strong Diffie-Hellman Assumption**: Let $G_1, G_2$ be cyclic groups of prime order $p$, where possibly $G_1 = G_2$. Let $g_1$ be a generator of $G_1$ and $g_2$ a generator of $G_2$. Consider the following problem:

**$q$-Strong Diffie-Hellman Problem.** The $q$-SDH problem in $(G_1, G_2)$ is defined as follows: given a $(q+2)$-tuple $(g_1, g_2, g_2^{\gamma}, g_2^{\gamma^{2}}, \ldots, g_2^{\gamma^{q}})$ as input, output a pair $(g_1^{1/(\gamma + x)}, x)$ where $x \in \mathbb{Z}_p^{*}$. An algorithm $A$ has advantage $\varepsilon$ in solving $q$-SDH in $(G_1, G_2)$ if

$$\Pr\left[A(g_1, g_2, g_2^{\gamma}, \ldots, g_2^{\gamma^{q}}) = (g_1^{1/(\gamma + x)}, x)\right] \geq \varepsilon,$$

where the probability is over the random choice of generator $g_2$ in $G_2$ (with $g_1 \leftarrow \psi(g_2)$), of $\gamma$ in $\mathbb{Z}_p^{*}$, and of the random bits of $A$. We say that the $q$-SDH assumption holds in $(G_1, G_2)$ if there is no polynomial time algorithm solving the $q$-SDH problem in $(G_1, G_2)$.

**Proofs of Knowledge of Discrete Logarithms**: We will use various protocols to prove knowledge of and relations among discrete logarithms. To describe these protocols, we use the notation introduced by Camenisch and Stadler [21] for various proofs of knowledge of discrete logarithms and proofs of the validity of statements about discrete logarithms. For instance,

$$PK\{(\alpha, \beta) : y = g^{\alpha} h^{\beta} \wedge \tilde{y} = \tilde{g}^{\alpha} \tilde{h}^{\beta}\}$$

denotes a "zero-knowledge proof of knowledge of integers $\alpha$, $\beta$ and $\gamma$ such that $y = g^{\alpha} h^{\beta}$ and $\tilde{y} = \tilde{g}^{\alpha} \tilde{h}^{\beta}$ hold", where $y, g, h, \tilde{y}, \tilde{g}, \tilde{h}$ are elements of some groups $G = \langle g \rangle = \langle h \rangle$ and $\tilde{G} = \langle \tilde{g} \rangle = \langle \tilde{h} \rangle$. In the random oracle model, such protocols can be turned into signature schemes using the Fiat-Shamir heuristic [8]. We use the notation $SPK\{(\alpha) : y = g^{\alpha}\}(m)$ to denote a signature obtained in this way.

IV. THE NEW DIRECT ANONYMOUS ATTESTATION

*A. The Security Model*

This section introduces the model for direct anonymous attestation, which is a variant of the group signature model. Both models support the procedures KeyGen, Join, Sign and Verify, while DAA further supports mechanisms such as variable linkability and rogue TPM tagging.

**Definition 1**. Direct anonymous attestation is a digital signature scheme with a 5-tuple of polynomial-time algorithms:

KeyGen: A probabilistic algorithm that takes as input the security parameter $1^{k}$ and outputs a pair of group master keys $(SK, VK)$. $SK$ is the user's signing key, which is kept secret, and $VK$ the user's verification key, which is made public.

DAA-Join: An interactive protocol between a TPM and the issuer. The TPM obtains a group membership certificate $C$ to become a group member.

DAA-Sign: Using its group membership certificate $C$ and private key $sk$, the TPM creates an anonymous group signature $\sigma \leftarrow Sign_{sk, C}(M)$ for a message $M$.

DAA-Verify: A signature $\sigma$ is verified to make sure it originates from a legitimate TPM, without knowledge of which particular one.

Rogue tagging: A rogue TPM can be identified and excluded from the group.

We adopt the security notions and security model of [22]; DAA should satisfy the following properties:

—**Unforgeability**: Only members of the trusted computing group are able to sign messages on behalf of the group. An adversary which has corrupted a set of signers' secret keys and their credentials finds it hard to forge a valid signature under a secret key and credential which are not in the set.

—**Anonymity**: It is infeasible to identify the real TPM of a signature unless this TPM is on the revocation list.

—**Unlinkability**: It is infeasible to link two different signatures of the same TPM if the two basenames are not the same and are chosen randomly.

*B. Key Generation for Issuer*

Given the security parameter $1^{k}$, the Issuer chooses $G_1 = \langle g_1 \rangle$, $G_2 = \langle g_2 \rangle$, $G_T = \langle g_T \rangle$, $G_3 = \langle g_3 \rangle$ such that their order $p$ is of length $k$ and there exists a pairing map $e: G_1 \times G_2 \to G_T$ with $\psi(g_2) = g_1$; chooses $r \in_R \mathbb{Z}/p\mathbb{Z}$ and $(g, h) \in_R (G_1)^{2}$, and computes $Y = g_2^{r}$. Then the key pair for the DAA Issuer is:

$$(pk, sk) = ((p, g_1, g_2, g_3, g_T, Y, g, h), r)$$

*C. DAA-Join*

1. The TPM chooses $f \in_R \mathbb{Z}/p\mathbb{Z}$ and $t' \in_R \mathbb{Z}/p\mathbb{Z}$ and computes $C' = g^{f} h^{t'}$.
   i. The TPM selects $r_f, r_{t'} \in_R \mathbb{Z}/p\mathbb{Z}$ and computes $C'' = g^{r_f} h^{r_{t'}}$.
   ii. The issuer selects $c \in_R \mathbb{Z}/p\mathbb{Z}$.
   iii. The TPM computes $s_f = r_f + c f$ and $s_{t'} = r_{t'} + c t'$, and sends $s_f, s_{t'}$ to the issuer.
   iv. The issuer verifies $C'' \stackrel{?}{=} C'^{-c} g^{s_f} h^{s_{t'}}$.
2. The issuer selects $x \in_R \mathbb{Z}/p\mathbb{Z}$ and $t'' \in_R \mathbb{Z}/p\mathbb{Z}$, computes $A = (g_1 C' h^{t''})^{1/(r + x)}$, and sends $(A, x, t'')$ to the host.
3. The host stores $(A, x)$ and sends $t''$ to the TPM.
4. The TPM computes $t = t' + t''$, stores $(f, t)$ and verifies

$$e(A, Y g_2^{x}) = e(g_1, g_2) \cdot e(g^{f}, g_2) \cdot e(h^{t}, g_2) \qquad (1)$$

So the anonymous credential is $(A, x, t)$ and the secret key kept by the TPM is $f$.

*D. DAA-Sign*

1. The host selects $w \in_R \mathbb{Z}/p\mathbb{Z}$ and computes $T_1 = A h^{w}$, $T_2 = g^{w} h^{-x}$; $(T_1, T_2)$ is the commitment of $(A, x)$. Prove that

$$e(T_1, Y) / e(g_1, g_2) = e(h, Y)^{w} \, e(h, g_2)^{wx + t} \, e(g, g_2)^{f} / e(T_1, g_2)^{x} \qquad (2)$$

$$T_2 = g^{w} h^{-x}, \qquad T_2^{-x} g^{wx} h^{-xx} = 1 \qquad (3)$$

2. The trusted computing platform has the knowledge $f, x, w, t$; compute $\delta_1 = wx$, $\delta_2 = -xx$. Let $H: \{0,1\}^{*} \to \mathbb{Z}_p$.

a) The TPM selects $r_f \in_R \mathbb{Z}/p\mathbb{Z}$ and $r_t \in_R \mathbb{Z}/p\mathbb{Z}$, computes $R_1 = e(g, g_2)^{r_f} e(h, g_2)^{r_t}$, and sends $R_1$ to the host.

b) The host selects $r_x, r_w, r_{\delta_1}, r_{\delta_2} \in_R \mathbb{Z}/p\mathbb{Z}$ and computes $R_1 = R_1 \cdot e(h, Y)^{r_w} e(T_1, g_2)^{r_x} e(h, g_2)^{r_{\delta_1}}$, $R_2 = g^{r_w} h^{r_x}$, $R_3 = T_2^{r_x} g^{r_{\delta_1}} h^{r_{\delta_2}}$.

c) The host computes $c_h = H(g \| h \| g_1 \| g_2 \| g_T \| Y \| T_1 \| T_2 \| R_1 \| R_2 \| R_3)$ and sends $c_h$ to the TPM.

d) The TPM selects $n_t \in_R \mathbb{Z}/p\mathbb{Z}$ and computes $c = H(H(c_h \| n_t) \| m)$.

e) The host computes $s_x = r_x + c(-x)$, $s_{\delta_1} = r_{\delta_1} + c\delta_1$, $s_w = r_w + cw$, $s_{\delta_2} = r_{\delta_2} + c\delta_2$; the TPM computes $s_f = r_f + cf$, $s_t = r_t + ct$.

3. The host computes the signature $\sigma = (T_1, T_2, c, n_t, s_f, s_t, s_x, s_w, s_{\delta_1}, s_{\delta_2})$.

*E. DAA-Verify*

1. Given the signature $\sigma = (T_1, T_2, c, n_t, s_f, s_t, s_x, s_w, s_{\delta_1}, s_{\delta_2})$ and the public key $(p, g_1, g_2, g_T, Y, g, h)$.
2. Compute

$$R_1' = e(g, g_2)^{s_f} \, e(h, Y)^{s_w} \, e(h, g_2)^{s_{\delta_1} + s_t} \, e(T_1, g_2)^{s_x} \left( e(T_1, Y) / e(g_1, g_2) \right)^{-c},$$

$$R_2' = T_2^{-c} g^{s_w} h^{s_x}, \qquad R_3' = T_2^{s_x} g^{s_{\delta_1}} h^{s_{\delta_2}}.$$

3. Verify

$$c \stackrel{?}{=} H(H(H(g \| h \| g_1 \| g_2 \| g_T \| Y \| T_1 \| T_2 \| R_1' \| R_2' \| R_3') \| n_t) \| m).$$
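To make the discrete-logarithm part of the protocol concrete, the following is an added example written for this page (not the paper's code or its prototype): it runs the Join step 1 commitment proof and the $T_2$ part of DAA-Sign/DAA-Verify in a Schnorr group over $\mathbb{Z}_p^{*}$ that stands in for $G_1$, with SHA-256 as $H$. The pairing-based parts (the credential $A$, $T_1$ and $R_1$) are not modelled; the group parameters, the hash and the sample message are assumptions of the demo.

```python
"""Added example (not from the paper or its prototype): the discrete-log parts
of the scheme's proofs of knowledge, run in a Schnorr group (order-q subgroup
of Z_p^*) standing in for the elliptic-curve group G_1.  No pairing is modelled,
so the credential A, T_1 and R_1 are left out; what runs is the Join commitment
proof (step 1, i-iv) and the T_2 part of Sign/Verify with c = H(H(c_h||n_t)||m)."""
import hashlib
import secrets

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41)

def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24."""
    for b in _BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x == 1:
            continue
        for _ in range(s):
            if x == n - 1:
                break
            x = pow(x, 2, n)
        else:
            return False
    return True

def group_params(bits: int = 64):
    """Toy stand-in for (G_1, g, h): safe prime p = 2q + 1, g and h of order q.
    log_g h is treated as unknown, as it is for the Issuer's (g, h)."""
    q = (1 << bits) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    p = 2 * q + 1
    return p, q, pow(2, 2, p), pow(3, 2, p)

def H(q: int, *items) -> int:
    """Stand-in for H: {0,1}^* -> Z_p (SHA-256 over the '||'-joined encodings)."""
    data = b"||".join(str(i).encode() if isinstance(i, int) else i for i in items)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q

# DAA-Join step 1: C' = g^f h^t' and the interactive proof (i)-(iv)
def join_commitment(p, q, g, h):
    """TPM: secret f, blinding t', commitment C' = g^f h^t'."""
    f, t1 = secrets.randbelow(q), secrets.randbelow(q)
    return f, t1, pow(g, f, p) * pow(h, t1, p) % p

def join_prove_and_check(p, q, g, h, f, t1, C1) -> bool:
    """(i) TPM commits C'', (ii) issuer challenges, (iii) TPM responds,
    (iv) issuer checks C'' == C'^{-c} g^{s_f} h^{s_t'}; returns that check."""
    rf, rt = secrets.randbelow(q), secrets.randbelow(q)                 # (i)
    C2 = pow(g, rf, p) * pow(h, rt, p) % p
    c =  secrets.randbelow(q)                                           # (ii)
    sf, st = (rf + c * f) % q, (rt + c * t1) % q                        # (iii)
    return C2 == pow(C1, q - c, p) * pow(g, sf, p) * pow(h, st, p) % p  # (iv)

# DAA-Sign / DAA-Verify restricted to T_2 = g^w h^{-x} (the R_2, R_3 part)
def sign_T2(p, q, g, h, x, m: bytes):
    """Host + TPM: prove knowledge of w, x with T_2 = g^w h^{-x} and
    T_2^{-x} g^{d1} h^{d2} = 1 for d1 = w x, d2 = -x x."""
    w = secrets.randbelow(q)
    T2 = pow(g, w, p) * pow(h, q - x, p) % p
    d1, d2 = w * x % q, -x * x % q
    rx, rw, rd1, rd2 = (secrets.randbelow(q) for _ in range(4))
    R2 = pow(g, rw, p) * pow(h, rx, p) % p
    R3 = pow(T2, rx, p) * pow(g, rd1, p) * pow(h, rd2, p) % p
    ch = H(q, g, h, T2, R2, R3)            # host's c_h (public-key terms omitted)
    nt = secrets.randbelow(q)              # TPM nonce n_t
    c = H(q, H(q, ch, nt), m)              # c = H(H(c_h || n_t) || m)
    sx = (rx + c * (-x)) % q               # s_x commits to the exponent -x of h
    sw, sd1, sd2 = (rw + c * w) % q, (rd1 + c * d1) % q, (rd2 + c * d2) % q
    return (T2, c, nt, sx, sw, sd1, sd2)

def verify_T2(p, q, g, h, sig, m: bytes) -> bool:
    """R_2' = T_2^{-c} g^{s_w} h^{s_x}, R_3' = T_2^{s_x} g^{s_d1} h^{s_d2},
    then recompute the nested hash and compare it with c."""
    T2, c, nt, sx, sw, sd1, sd2 = sig
    if pow(T2, q, p) != 1 or not all(0 <= v < q for v in (c, nt, sx, sw, sd1, sd2)):
        return False                       # T_2 outside the group or malformed scalars
    R2p = pow(T2, q - c, p) * pow(g, sw, p) * pow(h, sx, p) % p
    R3p = pow(T2, sx, p) * pow(g, sd1, p) * pow(h, sd2, p) % p
    return c == H(q, H(q, H(q, g, h, T2, R2p, R3p), nt), m)

def demo():
    """Run both proofs once and return the outcomes (honest and tampered)."""
    p, q, g, h = group_params()
    f, t1, C1 = join_commitment(p, q, g, h)
    x = secrets.randbelow(q)               # the issuer-chosen x of Join step 2
    msg = b"constructed sample: TPM quote of PCR values"
    sig = sign_T2(p, q, g, h, x, msg)
    T2, c, nt, sx, sw, sd1, sd2 = sig
    return {
        "join_ok": join_prove_and_check(p, q, g, h, f, t1, C1),
        "verify_ok": verify_T2(p, q, g, h, sig, msg),
        "wrong_msg": verify_T2(p, q, g, h, sig, b"a different message"),
        "bad_sx": verify_T2(p, q, g, h, (T2, c, nt, (sx + 1) % q, sw, sd1, sd2), msg),
    }

if __name__ == "__main__":
    print(demo())
```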

*F. Authentication with Variable Anonymity*

In order to achieve variable anonymity, when generating the signature the TPM computes a commitment value $T_3$ using the TPM's secret $f$, and meanwhile selects a Solely Signature Identifier, or $SSID$, as the identifier of the signature. If two signatures were generated with the same $SSID$, the two signatures are linkable; if the $SSID$ is selected randomly, then the signature is anonymous. In order to provide variable anonymity, the TPM computes as follows:

$$\eta = H_1(SSID), \qquad T_3 = \eta^{f}, \qquad R_4 = \eta^{r_f}, \qquad R_4' = T_3^{-c} \eta^{s_f},$$

$$c = H(H(H(g \| h \| g_1 \| g_2 \| g_3 \| g_T \| Y \| T_1 \| T_2 \| T_3 \| R_1 \| R_2 \| R_3 \| R_4) \| n_t) \| m),$$

where $H_1: \{0,1\}^{*} \to G_3$. Output the signature $\sigma = (T_1, T_2, T_3, c, n_t, s_f, s_t, s_x, s_w, s_{\delta_1}, s_{\delta_2}, \eta)$.

Verify the signature as follows:

$$c \stackrel{?}{=} H(H(H(g \| h \| g_1 \| g_2 \| g_3 \| g_T \| Y \| T_1 \| T_2 \| T_3 \| R_1' \| R_2' \| R_3' \| R_4') \| n_t) \| m).$$

*G. Evaluation*

**Signature Length**: We assume that $G_1 \neq G_2$, such that the representation of $G_1$ can be a 171-bit string when $|p| = 170$, by using the elliptic curve defined by [9]. We also assume that the representations of $G_T$ and $G_3$ are 1020 bits and 171 bits. The signature includes 8 elements from $\mathbb{Z}_p^{*}$ and 4 elements from group $G_1$; the total signature length is 2044 bits.

**Computational performance**: We also estimate the computational cost of our scheme by the number of scalar multiplications/modular exponentiations in $G_1, G_2, G_3$ and $G_T$ and the number of pairing operations $e$ required for **DAA-Sign** and **DAA-Verify**, since these are the most costly computations. Here we assume that the signer has precomputed the values $e(g, g_2)$ and $e(h, Y)$. When generating the signature, it needs 9 modular exponentiations and 0 pairing computations. When verifying the signature, it needs 4 modular exponentiations and 1 pairing computation.

**Comparison with previous schemes**: We compare the signature length and computational complexity of the proposed scheme to those of the previous schemes [2], [3] and [22].

We select the security parameters in the BCC scheme [2] as follows: $l_n = 2048$, $l_f = 104$, $l_e = 368$, $l_{e'} = 120$, $l_v = 2536$, $l_{\phi} = 80$, $l_H = 160$, $l_r = 80$, $l_{\rho} = 208$, $l_{\Gamma} = 1632$; in the HS scheme [3] as follows: $l_n = 2048$, $\alpha = 9/8$, $X = 2^{792}$, $Y = 2^{520}$, $l_s = 540$, $l_b = 300$, $l_c = 160$; and in the BCL scheme [22] as follows: $l_p = 512$, $l_q = 160$, $l_{\phi} = 80$, $l_H = 256$.

We list the assumptions required in our scheme and the previous schemes [2, 3, 22]. These estimation results and required assumptions are given in Table I, where "ME" and "NP" are abbreviations of "the number of Modular Exponentiations" and "the Number of Pairings".

| Scheme | Signature length | Total Computational Cost of Sign Process | The Computational Cost of Join Process | The Computational Cost of Sign Process | Assumptions |
|---|---|---|---|---|---|
| BCC [2] | 20555 bits | 8ME+0NP | 4ME+0NP | 4ME+0NP | Strong RSA, DDH |
| HS [3] | 7614 bits | 3ME+0NP | 5ME+0NP | 3ME+0NP | Strong RSA |

Currently, the most efficient construction based on bilinear maps is the one proposed in [22]. From the above table, we can see that compared to the BCL scheme, which is also based on the ECC cryptosystem, our scheme requires fewer pairing computations, and the signature length of our scheme is 49% of that of the scheme in [22]. The computational cost of our scheme is also smaller than that of the scheme in [22]. Finally, our scheme has the shortest signature length of all the schemes.

*H. Security Analysis*

**Theorem 1.** The direct anonymous attestation is secure under the $q$-SDH and the decisional Diffie-Hellman assumptions.

We have to show that our scheme satisfies all the security properties listed in Definition 1. The proposed scheme meets the requirements of **Unforgeability**, **Anonymity** and **Unlinkability**. We give an informal discussion here. A more detailed security proof is given in Appendix A.

**Lemma 1 (Unforgeability):** Only the trusted computing platforms which have successfully executed the join process are able to sign messages on behalf of the group, which is composed of trusted computing platforms. This is an immediate consequence of the fact that the interactive protocol underlying the signature scheme is zero-knowledge in the random oracle model.

**Lemma 2 (Anonymity):** Given a valid signature $\sigma = (T_1, T_2, c, n_t, s_f, s_t, s_x, s_w, s_{\delta_1}, s_{\delta_2})$, identifying the actual signer is computationally hard for everyone. Because the underlying interactive protocol is statistically zero-knowledge, no information is statistically revealed by $(c, s_f, s_x, s_t, s_w, s_{\delta_1}, s_{\delta_2})$ in the random oracle model.

**Lemma 3 (Unlinkability):** If two different $SSID$s are used when generating the signatures, deciding whether two signatures $\sigma_1 = (T_1, T_2, c, n_t, s_f, s_t, s_x, s_w, s_{\delta_1}, s_{\delta_2})$ and $\sigma_2 = (T_1, T_2, c, n_t, s_f, s_t, s_x, s_w, s_{\delta_1}, s_{\delta_2})$ were computed by the same trusted computing platform is computationally hard.

*I. Implementation*

In this section we prototype the concrete DAA scheme. We implemented our proposed scheme on an Intel dual-core 3.2 GHz desktop computer with 1 GB RAM running Windows. We used the NTL library [23], the OpenSSL library and the PBC library [13] as the underlying cryptographic libraries.

We designed an experiment to evaluate how efficient the proposed scheme is. We prototyped three modules: the tpm-module, the host-module and the server-module. The tpm-module emulates the function of the hardware TPM, the host-module plays the part of the Host and the server-module plays the part of the Issuer.

Choices of the ECC curve

Supersingular elliptic curves are rather special curves with additional algebraic structure and have, until recently, been regarded as dangerous for use in cryptography, because the extra structure makes them vulnerable to certain specialised attacks. However, whereas standard elliptic curve cryptosystems such as ElGamal encryption or ECDSA can be implemented using randomly generated elliptic curves, the elliptic curves required to implement pairing-based systems must have certain properties that randomly generated elliptic curves are unlikely to have. Supersingular elliptic curves can implement bilinear pairings.

We select the ECC curve as follows. For the groups $G_1, G_2, G_T$ and their associated bilinear map, we can use, for example, the elliptic curve proposed by [9] and the Tate pairing. We used the supersingular elliptic curve $E: y^{2} = x^{3} + x$ over $\mathbb{F}_p$ with $p \equiv 3 \bmod 4$.

The security level of our implementation of the pairing assumes that solving a discrete logarithm problem over $\mathbb{F}_{p^{2}}$, where $p$ is 512 bits, is as hard as the discrete logarithm problem over $\mathbb{F}_p$ where $p$ is 1024 bits, and contemporary usage dictates a discrete logarithm problem on an elliptic curve using points with order $A$ where $A$ is 160 bits. These problems are as difficult as solving a 1024-bit integer factorization RSA problem.

Table II gives the time results of the different steps of the DAA scheme, including DAA-Join, DAA-Sign and DAA-Verify.

**TABLE II Time Results of our scheme**

| Roles | DAA-Join Time results | DAA-Sign Time results | DAA-Verify Time results |
|---|---|---|---|
| Host | 26ms | 53ms | 90ms |
| TPM (Emulated) | 31ms | 27ms | 0 |

**TABLE III Time Results of BCC scheme**

| Roles | DAA-Join Time results | DAA-Sign Time results | DAA-Verify Time results |
|---|---|---|---|
| Host | 718ms | 1237ms | 1823ms |
| TPM | 910ms | 826ms | 0 |

From Table II and Table III, we can see that our new scheme is much more efficient than the original BCC scheme in all steps of the DAA scheme.

V. CONCLUSION

APPENDIX A SECURITY PROOF

**Lemma 4.** Under the DDH assumption, the DAA scheme specified in Section IV is user-controlled anonymous. More specifically, if there is an adversary $A$ that succeeds with a non-negligible probability to break user-controlled anonymity of the scheme, then there is a simulator that solves the DDH problem with a non-negligible probability.

Proof: The security proof is very similar to the proof in [22]. We will show how an adversary $A$ that succeeds with a non-negligible probability to break user-controlled anonymity of the DAA scheme may be used to construct a simulator $S$ that solves the DDH problem. Let $(g, g^{a}, g^{b})$ together with $A = g^{ab}$ and $B = g^{c}$, for some $a, b, c$, be the instance of the DDH problem; we wish to answer which of $A$ and $B$ is equal to $g^{ab}$. We now describe the construction of the simulator $S$. $S$ performs the following game with $A$.

**Initial**: At the beginning of the game, $S$ runs Setup to get issuer $I$'s public key $(p, g_1, g_2, g_3, g_T, Y, g, h)$ and secret key $(r)$, and makes all the values known to $A$. $S$ creates algorithms to respond to queries made by $A$ during its attack, including two random oracles denoted by $H, H_1$, which refer to the hash function $H$ used in the zero-knowledge proof and $H_1: \{0,1\}^{*} \to G_3$ respectively.

**Phase 1:** $S$ keeps the following lists: $L_i$ for $i = 0, 1$ stores data for query/response pairs to random oracle $H_i$. $L_{jc}$ stores data for query/response records for Join queries and Corrupt queries. Each item of $L_{jc}$ is $(ID, f, C, cre, c)$, where $c = 1$ means that the corresponding signer is corrupted and $c = 0$ otherwise; $cre$ is the credential the trusted computing platform gets from the issuer. $L_s$ stores data for query/response records for Sign queries. Each item of $L_s$ is $(ID, m, SSID, \sigma, s)$, where $s = 1$ means that $SSID = \bot$ and $s = 0$ means that $SSID \neq \bot$ under the Sign query. At the beginning of the simulation, $S$ sets all the above lists empty. An empty item is denoted by the symbol $*$.

Simulator: Join(ID). At the beginning of the simulation choose $\alpha, \beta$ uniformly at random. We show how to respond to the $i$-th query made by $A$ below. Note that we assume $A$ does not make repeated queries.

If $i = \alpha$, choose $u_{\alpha}$ from $\mathbb{Z}_q^{*}$ uniformly at random, set $F_{\alpha} = (g^{a})^{u_{\alpha}}$; run Join with $A$ to get $cre_{\alpha}$, and add $(ID_{\alpha}, u_{\alpha}, F_{\alpha}, cre_{\alpha}, 0)$ to $L_{jc}$. Note that since $S$ does not know the value $a u_{\alpha}$ with $F_{\alpha} = g^{a u_{\alpha}}$, it is not able to execute as the prover in $SPK\{f : F_{\alpha} = g^{f}\}$. However $S$ can forge the proof by controlling the random oracle $H_1$ as follows: randomly choose $s_f$ and $c$ and compute $T = g^{s_f} F^{-c}$. The only thing $S$ has to take care of is checking the consistency of the $L_1$ entries.

If $i = \beta$, choose $u_{\beta}$ from $\mathbb{Z}_q^{*}$ uniformly at random; set $F_{\beta} = (g^{a})^{u_{\beta}}$; do the same thing as in the previous item to get $cre_{\beta}$.

Else choose $f$ uniformly at random from $\mathbb{Z}_q^{*}$; compute $F = g^{f}$; if $F = g^{a}$ or $F = g^{b}$, abort outputting "**abortion 0**"; run Join with $A$ to get $cre$; verify it before accepting it and then add $(ID, f, F, cre, 0)$ to $L_{jc}$.

Simulator: Corrupt(ID). We assume that $A$ makes the query Join(ID) before it makes the Corrupt query using the identity. Otherwise, $S$ answers the Join query first. Find the entry $(ID, f, F, cre, 0)$ in $L_{jc}$, return $f$ and update the item to $(ID, f, F, cre, 1)$.

Simulator: Sign(ID, m, SSID). Let $m'$ be the input message $A$ wants to sign. We assume that $A$ makes the query Join(ID) before it makes the Sign query using the identity. Otherwise, $S$ answers the Join query first. We have the following multiple cases to consider.

Case 1: $ID \neq ID_{\alpha}$ and $ID \neq ID_{\beta}$. Find the entry $(ID, f, F, cre, 0/1)$ in $L_{jc}$, compute $\sigma$ by running Sign, add $(ID, f, F, cre, 1/2)$ to $L_s$ and respond with $\sigma$.

Case 2: $ID \neq ID_{\beta}$. $S$ is not able to create such a signature since $S$ does not know the corresponding secret key. But $S$ is able to forge the signature by controlling the random oracle $H_1$. $S$ finds the entry $(ID_{\alpha}, f_{\alpha}, F_{\alpha}, cre_{\alpha}, 0)$ in $L_{jc}$, and forges $\sigma$;

Case 3: $ID = ID_{\beta}$. Again, $S$ cannot create this signature properly without the knowledge of $f_{\beta}$. $S$ forges the signature in the same way as in Case 2 above.

At the end of Phase 1, $A$ outputs a message $m$, a basename $SSID$ and two identities $\{ID_0, ID_1\}$. If $\{ID_0, ID_1\} \neq \{ID_{\alpha}, ID_{\beta}\}$, $S$ aborts outputting "abortion 1". We assume that Join has already been queried at $ID_0$ and $ID_1$ by $A$. If this is not the case we can define Join at these points as we wish. Neither $ID_0$ nor $ID_1$ should have been asked for the Corrupt query and the Sign query with the same $SSID \neq \bot$, following the definition of the game defined in Section 2.2 of [22].

*S* chooses a bit b at random, and generates the
challenge by querying if b = 0 otherwise in the same
way as Case 2 of the Sign query simulation. S returns the
result σ to A.

process as in Phase 1. Again, $A$ is not allowed to make any Corrupt query to either $ID_0$ or $ID_1$ and to make any Sign query to either $ID_0$ or $ID_1$ with the same $SSID$. At the end of Phase 2, $A$ outputs $b'$; $S$ considers the following 4 cases:

Case 1. If $b = b' = 0$, $S$ marks "true-A". Case 2. If $b = b' = 1$, $S$ marks "true-B". Case 3. If $b = 0, b' = 1$, $S$ marks "failure-A". Case 4. If $b = 1, b' = 0$, $S$ marks "failure-B".

$S$ runs the above game with $A$ $k$ times. At the end of the $k$ games, the number of $b = 0$ and the number of $b = 1$ should be identical, based on the random selection of $b$. $S$ sets the numbers of "true-A" and "true-B" as $k_A$ and $k_B$ respectively. If $k_A = k_B$, $S$ aborts outputting "abortion 2". If $k_A > k_B$, $S$ answers that $A = g^{ab}$ holds; if $k_A < k_B$, $S$ answers that $B = g^{ab}$ holds.
It is clear that the simulations for *H _{0}, H_{1}* are
indistinguishable from real random oracles.

If the event abortion 0 happens, $S$ gets the value $a$ or $b$; $S$ can then compute $g^{ab}$ and thus solve the DDH problem. Since $S$ chooses its value uniformly at random from $\mathbb{Z}_q^{*}$, the chance of this event happening is negligible. The event abortion 1 happens if $\{ID_0, ID_1\} \neq \{ID_{\alpha}, ID_{\beta}\}$. Since $ID_{\alpha}$ and $ID_{\beta}$ are chosen at random, the chance of this event happening is negligible.


**Lemma 2.** Under the SDH assumption, the DAA scheme specified in Section IV is user-controlled-traceable. More specifically, if there is an adversary $A$ that succeeds with a non-negligible probability to break user-controlled-traceability of the scheme, then there is a simulator $S$ running in polynomial time that solves the SDH problem with a non-negligible probability.

Proof: This lemma can be concluded from Theorem 1 of [1].

ACKNOWLEDGMENT

This work is supported by the National Natural Science Foundation of China under grants No. 60673083 and No. 60603017, and by the National High-Tech Research and Development Plan of China under grants No. 2006AA01Z454 and No. 2007AA01Z412.

REFERENCES

[1] Jun Furukawa, Hideki Imai: An Efficient Group Signature Scheme from Bilinear Maps. IEICE Transactions 89-A(5), pp. 1328–1338, 2006.

[2] Ernest F. Brickell, Jan Camenisch, Liqun Chen: Direct Anonymous Attestation. ACM Conference on Computer and Communications Security 2004, pp. 132–145.

[3] He Ge, Stephen R. Tate: A Direct Anonymous Attestation Scheme for Embedded Devices. Public Key Cryptography 2007, pp. 16–30.

[4] Dan Boneh, Xavier Boyen, Hovav Shacham: Short Group Signatures. CRYPTO 2004, pp. 41–55.

[5] National Security Agency: The Case for Elliptic Curve Cryptography. http://www.nsa.gov/ia/industry/crypto_elliptic_curve.cfm, accessed April 11, 2006.

[6] Torben Pryds Pedersen: Non-interactive and Information-theoretic Secure Verifiable Secret Sharing. In Joan Feigenbaum (ed.), Advances in Cryptology – CRYPTO '91, LNCS 576, pp. 129–140, Springer-Verlag, 1992.

[7] Trusted Computing Group (TCG): http://www.trustedcomputinggroup.org

[8] A. Fiat, A. Shamir: How to Prove Yourself: Practical Solutions to Identification and Signature Problems. CRYPTO '86, LNCS 263, pp. 186–194.

[9] Atsuko Miyaji, Masaki Nakabayashi, Shunzou Takano: New Explicit Conditions of Elliptic Curve Traces for FR-Reduction. IEICE Trans. E85-A(2), pp. 481–484, 2002.

[10] Jan Camenisch: Better Privacy for Trusted Computing Platforms (Extended Abstract). ESORICS 2004, pp. 73–88.

[11] R. Canetti: Studies in Secure Multiparty Computation and Applications. PhD thesis, Weizmann Institute of Science, Rehovot 76100, Israel, June 1995.

[12] B. Pfitzmann, M. Waidner: Composition and Integrity Preservation of Secure Reactive Systems. Proc. 7th ACM Conference on Computer and Communications Security, pp. 245–254, ACM Press, Nov. 2000.

[13] PBC library benchmarks. http://crypto.stanford.edu/pbc/times.html

[14] Ernie Brickell, Jiangtao Li: Enhanced Privacy ID: A Direct Anonymous Attestation Scheme with Enhanced Revocation Capabilities. Cryptology ePrint Archive, Report 2007/194.

[15] D. Pointcheval, J. Stern: Security Arguments for Digital Signatures and Blind Signatures. J. Cryptology 13(3), pp. 361–396, 2000.

[16] Jan Camenisch: Protecting (Anonymous) Credentials with the Trusted Computing Group's TPM V1.2. SEC 2006, pp. 135–147.

[17] Shane Balfe, Amit D. Lakhani, Kenneth G. Paterson: Trusted Computing: Providing Security for Peer-to-Peer Networks. Peer-to-Peer Computing 2005, pp. 117–124.

[18] Andreas Pashalidis, Chris J. Mitchell: Single Sign-On Using Trusted Platforms. ISC 2003, pp. 54–68.

[19] J. Camenisch, A. Lysyanskaya: A Signature Scheme with Efficient Protocols. SCN 2002, LNCS 2576, pp. 268–289, Springer-Verlag, 2003.

[21] J. Camenisch, M. Stadler: Efficient Group Signature Schemes for Large Groups. In B. Kaliski (ed.), Advances in Cryptology – CRYPTO '97, LNCS 1296, pp. 410–424, Springer-Verlag, 1997.

[22] Ernie Brickell, Liqun Chen, Jiangtao Li: Simplified Security Notions of Direct Anonymous Attestation and a Concrete Scheme from Pairings. Conference on Trusted Computing (TRUST 2008), Villach, Austria, March 2008.

[23] V. Shoup: NTL: A Library for Doing Number Theory. http://www.shoup.net/ntl/

**Chen Xiaofeng**: born in Zhejiang Province, China, 1980. He holds a BSc degree in computer science from Xidian University, China, and is a Ph.D. candidate at the Institute of Software, Chinese Academy of Sciences, Beijing. His research interests include information systems and security, and trusted computing.

**Feng Dengguo**: born in ShanXi Province, China, 1965. He holds a Ph.D. degree from Xidian University, China (1995)