Article

Direct anonymous attestation

Authors:

Ernie Brickell,

Liqun ChenAuthors Info & Claims

CCS '04: Proceedings of the 11th ACM conference on Computer and communications security

Pages 132 - 145

https://doi.org/10.1145/1030083.1030103

Published: 25 October 2004 Publication History

Abstract

This paper describes the direct anonymous attestation scheme (DAA). This scheme was adopted by the Trusted Computing Group (TCG) as the method for remote authentication of a hardware module, called Trusted Platform Module (TPM), while preserving the privacy of the user of the platform that contains the module. DAA can be seen as a group signature without the feature that a signature can be opened, i.e., the anonymity is not revocable. Moreover, DAA allows for pseudonyms, i.e., for each signature a user (in agreement with the recipient of the signature) can decide whether or not the signature should be linkable to another signature. DAA furthermore allows for detection of "known" keys: if the DAA secret keys are extracted from a TPM and published, a verifier can detect that a signature was produced using these secret keys. The scheme is provably secure in the random oracle model under the strong RSA and the decisional Diffie-Hellman assumption.

References

[1]

G. Ateniese, J. Camenisch, M. Joye, and G. Tsudik. A practical and provably secure coalition-resistant group signature scheme. In M. Bellare, editor, Advances in Cryptology --- CRYPTO2000, volume 1880 of LNCS, pages 255--270. Springer Verlag, 2000.]]

Digital Library

[2]

M. Bellare, J. A. Garay, and T. Rabin. Fast batch verification for modular exponentiation and digital signatures. In K. Nyberg, editor, Advances in Cryptology --- EUROCRYPT '98, volume 1403 of LNCS, pages 236--250. Springer Verlag, 1998.]]

[3]

D. Boneh, E. Brickell, L. Chen, and H. Shacham. Set signatures. Manuscript, 2003.]]

[4]

F. Boudot. Efficient proofs that a committed number lies in an interval. In B. Preneel, editor, Advances in Cryptology --- EUROCRYPT 2000, volume 1807 of LNCS, pages 431--444. Springer Verlag, 2000.]]

Digital Library

[5]

E. Brickell. An efficient protocol for anonymously providing assurance of the container of a private key. Submitted to the Trusted Computing Group, Apr. 2003.]]

[6]

E. F. Brickell, D. Chaum, I. B. Damgård, and J. van de Graaf. Gradual and verifiable release of a secret. In C. Pomerance, editor, Advances in Cryptology --- CRYPTO '87, volume 293 of LNCS, pages 156--166. Springer-Verlag, 1988.]]

Digital Library

[7]

J. Camenisch and A. Lysyanskaya. Efficient non-transferable anonymous multi-show credential system with optional anonymity revocation. In B. Pfitzmann, editor, Advances in Cryptology --- EUROCRYPT 2001, volume 2045 of LNCS, pages 93--118. Springer Verlag, 2001.]]

Digital Library

[8]

J. Camenisch and A. Lysyanskaya. Dynamic accumulators and application to efficient revocation of anonymous credentials. In M. Yung, editor, Advances in Cryptology --- CRYPTO 2002, volume 2442 of LNCS, pages 61--76. Springer Verlag, 2002.]]

Digital Library

[9]

J. Camenisch and A. Lysyanskaya. A signature scheme with efficient protocols. In S. Cimato, C. Galdi, and G. Persiano, editors, Security in Communication Networks, Third International Conference, SCN 2002, volume 2576 of LNCS, pages 268--289. Springer Verlag, 2003.]]

Digital Library

[10]

J. Camenisch and M. Michels. A group signature scheme with improved efficiency. In K. Ohta and D. Pei, editors, Advances in Cryptology --- ASIACRYPT '98, volume 1514 of LNCS, pages 160--174. Springer Verlag, 1998.]]

Digital Library

[11]

J. Camenisch and M. Michels. Proving in zero-knowledge that a number $n$ is the product of two safe primes. In J. Stern, editor, Advances in Cryptology --- EUROCRYPT '99, volume 1592 of LNCS, pages 107--122. Springer Verlag, 1999.]]

Digital Library

[12]

J. Camenisch and M. Michels. Separability and efficiency for generic group signature schemes. In M. Wiener, editor, Advances in Cryptology --- CRYPTO '99, volume 1666 of LNCS, pages 413--430. Springer Verlag, 1999.]]

Digital Library

[13]

J. Camenisch and V. Shoup. Practical verifiable encryption and decryption of discrete logarithms. In D. Boneh, editor, Advances in Cryptology --- CRYPTO 2003, volume 2729 of LNCS, pages 126--144, 2003.]]

[14]

J. Camenisch and M. Stadler. Efficient group signature schemes for large groups. In B. Kaliski, editor, Advances in Cryptology --- CRYPTO '97, volume 1296 of LNCS, pages 410--424. Springer Verlag, 1997.]]

Digital Library

[15]

R. Canetti. Studies in Secure Multiparty Computation and Applications. PhD thesis, Weizmann Institute of Science, Rehovot 76100, Israel, June 1995.]]

[16]

R. Canetti. Security and composition of multi-party cryptographic protocols. Journal of Cryptology, 13(1):143--202, 2000.]]

Digital Library

[17]

D. Chaum. Blind signatures for untraceable payments. In D. Chaum, R. L. Rivest, and A. T. Sherman, editors, Advances in Cryptology --- Proceedings of CRYPTO '82, pages 199--203. Plenum Press, 1983.]]

[18]

D. Chaum. Security without identification: Transaction systems to make big brother obsolete. Communications of the ACM, 28(10):1030--1044, Oct. 1985.]]

Digital Library

[19]

D. Chaum. Zero-knowledge undeniable signatures. In I. B. Damgard, editor, Advances in Cryptology --- EUROCRYPT '90, volume 473 of LNCS, pages 458--464. Springer-Verlag, 1991.]]

Digital Library

[20]

D. Chaum, J.-H. Evertse, and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In D. Chaum and W. L. Price, editors, Advances in Cryptology ---EUROCRYPT '87, volume 304 of LNCS, pages 127--141. Springer-Verlag, 1988.]]

[21]

D. Chaum and T. P. Pedersen. Wallet databases with observers. In E. F. Brickell, editor, Advances in Cryptology --- CRYPTO'92, volume 740 of LNCS, pages 89--105. Springer-Verlag, 1993.]]

Digital Library

[22]

D. Chaum and E. van Heyst. Group signatures. In D. W. Davies, editor, Advances in Cryptology --- EUROCRYPT '91, volume 547 of LNCS, pages 257--265. Springer-Verlag, 1991.]]

[23]

R. Cramer and V. Shoup. Signature schemes based on the strong RSA assumption. ACM Transactions on Information and System Security, 3(3):161--185, 2000.]]

Digital Library

[24]

I. Damgård and M. Koprowski. Practical threshold RSA signatures without a trusted dealer. In B. Pfitzmann, editor, Advances in Cryptology --- EUROCRYPT 2001, volume 2045 of LNCS, pages 152--165. Springer Verlag, 2001.]]

Digital Library

[25]

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology --- CRYPTO '86, volume 263 of LNCS, pages 186--194. Springer Verlag, 1987.]]

Digital Library

[26]

E. Fujisaki and T. Okamoto. Statistical zero knowledge protocols to prove modular polynomial relations. In B. Kaliski, editor, Advances in Cryptology --- CRYPTO '97, volume 1294 of LNCS, pages 16--30. Springer Verlag, 1997.]]

Digital Library

[27]

R. Gennaro, S. Halevi, and T. Rabin. Secure hash-and-sign signatures without the random oracle. In J. Stern, editor, Advances in Cryptology --- EUROCRYPT '99, volume 1592 of LNCS, pages 123--139. Springer Verlag, 1999.]]

Digital Library

[28]

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2):281--308, Apr. 1988.]]

Digital Library

[29]

J. Kilian and E. Petrank. Identity escrow. In H. Krawczyk, editor, Advances in Cryptology --- CRYPTO '98, volume 1642 of LNCS, pages 169--185, Berlin, 1998. Springer Verlag.]]

Digital Library

[30]

A. K. Lenstra and E. K. Verheul. Selecting cryptographic key sizes. Journal of Cryptology, 14(4):255--293, 2001.]]

Digital Library

[31]

A. Lysyanskaya. Signature schemes and applications to cryptographic protocol design. PhD thesis, Massachusetts Institute of Technology, Cambridge, Massachusetts, Sept. 2002.]]

Digital Library

[32]

B. Pfitzmann and M. Waidner. Composition and integrity preservation of secure reactive systems. In Proc. 7th ACM Conference on Computer and Communications Security, pages 245--254. ACM press, Nov. 2000.]]

Digital Library

[33]

B. Pfitzmann and M. Waidner. A model for asynchronous reactive systems and its application to secure message transmission. In Proceedings of the IEEE Symposium on Research in Security and Privacy, pages 184--200. IEEE Computer Society, IEEE Computer Society Press, 2001.]]

Digital Library

[34]

D. Pointcheval and J. Stern. Security proofs for signature schemes. In U. Maurer, editor, Advances in Cryptology --- EUROCRYPT '96, volume 1070 of LNCS, pages 387--398. Springer Verlag, 1996.]]

Digital Library

[35]

Trusted Computing Group. Trusted computing platform alliance (TCPA) main specification, version 1.1a. Republished as Trusted Computing Group (TCG) main specifcation, Version 1.1b, Available at www.trustedcomputinggroup.org, 2001.]]

[36]

Trusted Computing Group. TCG TPM specification 1.2. Available at www.trustedcomputinggroup.org, 2003.]]

[37]

Trusted Computing Group website. www.trustedcomputinggroup.org.]]

Cited By

Wu AYang YWen JZhang YZhao Q(2025)Non-interactive set intersection for privacy-preserving contact tracingJournal of Systems Architecture10.1016/j.sysarc.2024.103307158(103307)Online publication date: Jan-2025
https://doi.org/10.1016/j.sysarc.2024.103307
Gumarac M(2024)Extent of spending behavior, problems encountered, and financial knowledge across generational cohorts among state universities and colleges employeesInternational Journal of ADVANCED AND APPLIED SCIENCES10.21833/ijaas.2024.02.02411:2(230-237)Online publication date: Feb-2024
https://doi.org/10.21833/ijaas.2024.02.024
MORIYAMA KOTSUKA A(2024)Permissionless Blockchain-Based Sybil-Resistant Self-Sovereign Identity Utilizing Attested Execution Secure ProcessorsIEICE Transactions on Information and Systems10.1587/transinf.2023BCI0001E107.D:9(1112-1122)Online publication date: 1-Sep-2024
https://doi.org/10.1587/transinf.2023BCI0001
Show More Cited By

Index Terms

Direct anonymous attestation
1. General and reference
  1. Document types
    1. Computing standards, RFCs and guidelines
2. Security and privacy
  1. Cryptography
    1. Public key (asymmetric) techniques

Recommendations

Enhanced privacy id: a direct anonymous attestation scheme with enhanced revocation capabilities
WPES '07: Proceedings of the 2007 ACM workshop on Privacy in electronic society

Direct Anonymous Attestation (DAA) is a scheme that enables the remote authentication of a Trusted Platform Module (TPM) while preserving the user's privacy. A TPM can prove to a remote party that it is a valid TPM without revealing its identity and ...
Privacy-Enhancing Proxy Signatures from Non-interactive Anonymous Credentials
DBSec 2014: Proceedings of the 28th Annual IFIP WG 11.3 Working Conference on Data and Applications Security and Privacy XXVIII - Volume 8566

Proxy signatures enable an originator to delegate the signing rights for a restricted set of messages to a proxy. The proxy is then able to produce valid signatures only for messages from this delegated set on behalf of the originator. Recently, two ...
Simplified security notions of direct anonymous attestation and a concrete scheme from pairings

Direct Anonymous Attestation (DAA) is a cryptographic mechanism that enables remote authentication of a user while preserving privacy under the user’s control. The DAA scheme developed by Brickell, Camenisch, and Chen has been adopted by the Trust ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

CCS '04: Proceedings of the 11th ACM conference on Computer and communications security

October 2004

376 pages

ISBN:1581139616

DOI:10.1145/1030083

General Chair:
Vijay Atluri
Rutgers University
,
Program Chairs:
Birgit Pfitzmann
IBM Research, Switzerland
,
Patrick McDaniel
AT&T Labs

Copyright © 2004 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 25 October 2004

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Article

Conference

CCS04

Sponsor:

CCS04: 11th ACM Conference on Computer and Communications Security 2004

October 25 - 29, 2004

Washington DC, USA

Acceptance Rates

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

609
Total Citations
View Citations
3,382
Total Downloads

Downloads (Last 12 months)130
Downloads (Last 6 weeks)19

Reflects downloads up to 28 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Wu AYang YWen JZhang YZhao Q(2025)Non-interactive set intersection for privacy-preserving contact tracingJournal of Systems Architecture10.1016/j.sysarc.2024.103307158(103307)Online publication date: Jan-2025
https://doi.org/10.1016/j.sysarc.2024.103307
Gumarac M(2024)Extent of spending behavior, problems encountered, and financial knowledge across generational cohorts among state universities and colleges employeesInternational Journal of ADVANCED AND APPLIED SCIENCES10.21833/ijaas.2024.02.02411:2(230-237)Online publication date: Feb-2024
https://doi.org/10.21833/ijaas.2024.02.024
MORIYAMA KOTSUKA A(2024)Permissionless Blockchain-Based Sybil-Resistant Self-Sovereign Identity Utilizing Attested Execution Secure ProcessorsIEICE Transactions on Information and Systems10.1587/transinf.2023BCI0001E107.D:9(1112-1122)Online publication date: 1-Sep-2024
https://doi.org/10.1587/transinf.2023BCI0001
Xia ZZeng LGu KSu CHu HLong K(2024)Secure and Lightweight Vehicular Privacy Preservation Scheme Under Fog Computing-Based IoVsIEEE Transactions on Intelligent Vehicles10.1109/TIV.2023.33033129:2(4115-4129)Online publication date: Feb-2024
https://doi.org/10.1109/TIV.2023.3303312
Li CNing JXu SLin CLi JShen J(2024)DTACB: Dynamic Threshold Anonymous Credentials With Batch-ShowingIEEE Transactions on Information Forensics and Security10.1109/TIFS.2024.344362219(7744-7758)Online publication date: 2024
https://doi.org/10.1109/TIFS.2024.3443622
Zhang ZLi JLi YCao CCao Z(2024)Hardware Secure Module Based Lightweight Conditional Privacy-Preserving Authentication for VANETsIEEE Transactions on Information Forensics and Security10.1109/TIFS.2024.341241819(6337-6350)Online publication date: 2024
https://doi.org/10.1109/TIFS.2024.3412418
Jesus VBains BChang V(2024)Sharing Is Caring: Hurdles and Prospects of Open, Crowd-Sourced Cyber Threat IntelligenceIEEE Transactions on Engineering Management10.1109/TEM.2023.3279274(1-20)Online publication date: 2024
https://doi.org/10.1109/TEM.2023.3279274
Duan JZheng SWang WWang LHu XGu L(2024)Concise RingCT Protocol Based on Linkable Threshold Ring SignatureIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2024.3367888(1-15)Online publication date: 2024
https://doi.org/10.1109/TDSC.2024.3367888
Sardar MFossati TFrost SXiong S(2024)Formal Specification and Verification of Architecturally-Defined Attestation Mechanisms in Arm CCA and Intel TDXIEEE Access10.1109/ACCESS.2023.334650112(361-381)Online publication date: 2024
https://doi.org/10.1109/ACCESS.2023.3346501
De Benedictis MJacquin LPedone IAtzeni ALioy A(2024)A novel architecture to virtualise a hardware-bound trusted platform moduleFuture Generation Computer Systems10.1016/j.future.2023.08.012150:C(21-36)Online publication date: 1-Jan-2024
https://dl.acm.org/doi/10.1016/j.future.2023.08.012
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents