Manu Drijvers, Joint work with Jan Camenisch, Anja Lehmann. March 9 th, 2016 Universally Composable Direct Anonymous Attestation.

Presentation transcript:


Trusted Platform Module (TPM)
• Trusted Computing Group (2004)
• Secure cryptoprocessor
• Creates, stores, uses cryptographic keys
• Measures host system
• More than 500M sold

Direct Anonymous Attestation (DAA)
• TPM makes remote attestations
  – the computer booted the following software
  – the private part of this key is securely stored
• Unlinkable: verifier only learns that some TPM created the attestation
• Introduced by Brickell, Camenisch, Chen (2004)
• Standardized in TPM spec 1.2 (2004) and 2.0 (2014)

How DAA works: Join (protocol diagram)

How DAA works: Signing (protocol diagram)

Informal Security of DAA
• Anonymity: signatures by an honest platform without basename or with different basenames are unlinkable
• Unforgeability: no adversary can create signatures on messages that were never signed by a TPM
• Non-frameability: one cannot create a signature on a message that links to an honest platform's signature when the platform never signed this message
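As an added illustration (not from the paper or these slides), the pseudonym mechanism behind the basename rule in the anonymity property: a DAA signature carries nym = zeta^f, where zeta is derived from the basename when one is given and chosen at random otherwise, so only signatures under the same basename and the same TPM secret link. The toy group, the function names and the `link` check are assumptions of this example, and the zero-knowledge proof of the credential that a real DAA signature also contains is left out.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

# Toy group (constructed for this example, not the paper's parameters):
# P is a safe prime, so the quadratic residues mod P form a subgroup of
# prime order Q. Real DAA runs in a pairing-friendly elliptic-curve group.
P = 10007
Q = (P - 1) // 2


def hash_to_group(data: bytes) -> int:
    """Map bytes to the order-Q subgroup: reduce a SHA-256 digest mod P, square it."""
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % P
    return pow(h or 2, 2, P)  # h == 0 would give the degenerate element 0


def keygen() -> int:
    """The TPM's secret f, i.e. the value the DAA credential is issued on."""
    return secrets.randbelow(Q - 1) + 1


@dataclass
class Pseudonym:
    """Basename-bound part of a DAA signature: zeta and nym = zeta^f."""
    base: int
    nym: int


def sign_pseudonym(f: int, bsn: Optional[bytes]) -> Pseudonym:
    """With a basename, zeta is a deterministic hash of it, so two signatures
    under the same bsn share nym. Without one, zeta is a fresh random element
    and nym reveals nothing that ties the signature to any other."""
    if bsn is None:
        base = hash_to_group(secrets.token_bytes(16))
    else:
        base = hash_to_group(bsn)
    return Pseudonym(base, pow(base, f, P))


def link(bsn: bytes, a: Pseudonym, b: Pseudonym) -> bool:
    """Verifier-side link check for basename bsn: true iff both pseudonyms
    were formed on H(bsn) and with the same secret (equal nym). The real
    verifier also checks the zero-knowledge proof of the credential."""
    zeta = hash_to_group(bsn)
    return a.base == zeta and b.base == zeta and a.nym == b.nym
```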

Existing Simulation-Based Models for DAA
• Brickell, Camenisch, Chen (2004)
  – Does not output any signature values
  – Prohibits working with signature values in practice
• Chen, Morrissey, Smart (2009)
  – Outputs signatures
  – Signature generation too simplistically modeled to be realizable

Existing Property-Based Models for DAA
• Brickell, Chen, Li (2009)
  – Unforgeability not captured: a trivially forgeable scheme can be proven secure
  – No property for non-frameability
• Chen (2010)
  – Extends BCL'09 with non-frameability
  – Same flaws as BCL'09
• Bernhard et al. (2013)
  – Discusses flaws in all previous models
  – TPM + Host modeled as one party
  – Does not cover an honest TPM in a corrupt Host
  – Security proof of "Pre-DAA" does not work for full DAA

Main Contribution
• Security model for the full-DAA setting
  – Comprehensive security model in the UC framework
  – Allows composition by the composition theorem
  – Signatures modeled as concrete values that are sent as output
  – TPM and Host are separate parties
  – Extensive explanation of why this definition properly captures the security requirements
• Scheme to realize the functionality
  – Provably secure instantiation
  – As efficient as existing DAA schemes


Do we need all these definitions?
• (1, 1, 1, 1) is a valid credential on any key in Chen, Page, Smart 2010
  – ISO standardized!
• TPM2 spec contains a static DH oracle
  – Larger groups and keys required (Xi et al., 2014)
• TPM2 should make a zero-knowledge proof
  – Problem in the hash computation
  – Proof not zero-knowledge

Summary
• DAA allows unlinkable signatures with secure devices
• Prior security models are not sufficient
• Comprehensive security model in the UC framework
• Scheme to realize the security model

Thanks! ia.cr/2015/1246

References (1/2)
• Bernhard, D., Fuchsbauer, G., Ghadafi, E., Smart, N., Warinschi, B.: Anonymous attestation with user-controlled linkability. International Journal of Information Security 12(3) (2013)
• Brickell, E., Camenisch, J., Chen, L.: Direct anonymous attestation. ACM CCS (2004)
• Brickell, E., Chen, L., Li, J.: Simplified security notions of direct anonymous attestation and a concrete scheme from pairings. International Journal of Information Security 8(5) (2009)
• Camenisch, J., Lysyanskaya, A.: Signature schemes and anonymous credentials from bilinear maps. CRYPTO (2004)
• Chen, L., Morrissey, P., Smart, N.: DAA: Fixing the pairing based protocols. ePrint Archive, Report 2009/

References (2/2)
• Chen, L.: A DAA scheme requiring less TPM resources. Information Security and Cryptology (2010)
• Chen, L., Morrissey, P., Smart, N.: On proofs of security for DAA schemes. Provable Security
• Chen, L., Page, D., Smart, N.: On the design and implementation of an efficient DAA scheme. Smart Card Research and Advanced Application (2010)
• Lysyanskaya, A., Rivest, R.L., Sahai, A., Wolf, S.: Pseudonym systems. SAC
• Xi, L., Yang, K., Zhang, Z., Feng, D.: DAA-related APIs in TPM 2.0 revisited. Trust and Trustworthy Computing (2014)

(Un)linkability of Signatures (backup slide, diagram only)

Universal Composability (backup slide, diagram only)

Camenisch-Lysyanskaya Signature (CL04) (backup slide, diagram only)

Prove knowledge of CL04 signature (protocol diagram between Prover and Verifier)

Existing Simulation-based Models for DAA
• Brickell, Camenisch, Chen (2004)
  – Interactive Sign/Verify
  – Limits applications of DAA

Existing Simulation-based Models for DAA
• Chen, Morrissey, Smart (2009)
  – Non-interactive Sign and Verify
  – Unrealizable

Signature Generation in Functionality (backup slide, diagram only)