w hat is daa
play

W HAT IS DAA? 1 S ECURITY M ODEL OF DAA 2 A B LUEPRINT FOR DAA 3 - PowerPoint PPT Presentation

Mar 05, 2023 •340 likes •1.06k views

D IRECT A NONYMOUS A TTESTATION Essam Ghadafi ghadafi@cs.bris.ac.uk Department of Computer Science, University of Bristol Brown Univeristy 14 th March - 2013 D IRECT A NONYMOUS A TTESTATION O UTLINE W HAT IS DAA? 1 S ECURITY M ODEL OF DAA

  1. D IRECT A NONYMOUS A TTESTATION Essam Ghadafi ghadafi@cs.bris.ac.uk Department of Computer Science, University of Bristol Brown Univeristy – 14 th March - 2013 D IRECT A NONYMOUS A TTESTATION

  2. O UTLINE W HAT IS DAA? 1 S ECURITY M ODEL OF DAA 2 A B LUEPRINT FOR DAA 3 ROM I NSTANTIATIONS 4 S TANDARD -M ODEL C ONSTRUCTIONS 5 E FFICIENCY C OMPARISON 6 S UMMARY 7 O PEN P ROBLEMS 8 D IRECT A NONYMOUS A TTESTATION

  3. O UTLINE W HAT IS DAA? 1 S ECURITY M ODEL OF DAA 2 A B LUEPRINT FOR DAA 3 ROM I NSTANTIATIONS 4 S TANDARD -M ODEL C ONSTRUCTIONS 5 E FFICIENCY C OMPARISON 6 S UMMARY 7 O PEN P ROBLEMS 8 D IRECT A NONYMOUS A TTESTATION

  4. O UTLINE W HAT IS DAA? 1 S ECURITY M ODEL OF DAA 2 A B LUEPRINT FOR DAA 3 ROM I NSTANTIATIONS 4 S TANDARD -M ODEL C ONSTRUCTIONS 5 E FFICIENCY C OMPARISON 6 S UMMARY 7 O PEN P ROBLEMS 8 D IRECT A NONYMOUS A TTESTATION

  5. O UTLINE W HAT IS DAA? 1 S ECURITY M ODEL OF DAA 2 A B LUEPRINT FOR DAA 3 ROM I NSTANTIATIONS 4 S TANDARD -M ODEL C ONSTRUCTIONS 5 E FFICIENCY C OMPARISON 6 S UMMARY 7 O PEN P ROBLEMS 8 D IRECT A NONYMOUS A TTESTATION

  6. O UTLINE W HAT IS DAA? 1 S ECURITY M ODEL OF DAA 2 A B LUEPRINT FOR DAA 3 ROM I NSTANTIATIONS 4 S TANDARD -M ODEL C ONSTRUCTIONS 5 E FFICIENCY C OMPARISON 6 S UMMARY 7 O PEN P ROBLEMS 8 D IRECT A NONYMOUS A TTESTATION

  7. O UTLINE W HAT IS DAA? 1 S ECURITY M ODEL OF DAA 2 A B LUEPRINT FOR DAA 3 ROM I NSTANTIATIONS 4 S TANDARD -M ODEL C ONSTRUCTIONS 5 E FFICIENCY C OMPARISON 6 S UMMARY 7 O PEN P ROBLEMS 8 D IRECT A NONYMOUS A TTESTATION

  8. O UTLINE W HAT IS DAA? 1 S ECURITY M ODEL OF DAA 2 A B LUEPRINT FOR DAA 3 ROM I NSTANTIATIONS 4 S TANDARD -M ODEL C ONSTRUCTIONS 5 E FFICIENCY C OMPARISON 6 S UMMARY 7 O PEN P ROBLEMS 8 D IRECT A NONYMOUS A TTESTATION

  9. O UTLINE W HAT IS DAA? 1 S ECURITY M ODEL OF DAA 2 A B LUEPRINT FOR DAA 3 ROM I NSTANTIATIONS 4 S TANDARD -M ODEL C ONSTRUCTIONS 5 E FFICIENCY C OMPARISON 6 S UMMARY 7 O PEN P ROBLEMS 8 D IRECT A NONYMOUS A TTESTATION

  10. W HAT IS DAA? A protocol standardized by TCG (Trusted Computing Group) that allows a user possessing a TPM (Trusted Platform Module) to attest to this fact to a verifier, i.e. the TPM anonymously authenticates itself to the verifier. ◮ Direct: Without a third party. ◮ Anonymous: The identity of the user is not revealed. ◮ Attestation: A proof, i.e. convinces the verifier. TPM delegates the non-critical operations to its more powerful host. D IRECT A NONYMOUS A TTESTATION 1 / 46

  11. DAA User 1 User 2 Join DAA Signature User x User 3 User 4 Verifier Manager Group D IRECT A NONYMOUS A TTESTATION 2 / 46

  12. T HE TPM Cryptographic Persistent Memory Processor Endorsement Key (EK) Random Number Generator Secured Input - Output Storage Root Key (SRK) RSA Key Generator Versatile Memory Platform Configuration Registers (PCR) SHA-1 Hash Generator Attestation Identity Key (AIK) Enc-Dec-Sign Storage Keys Engine D IRECT A NONYMOUS A TTESTATION 3 / 46

  13. F EATURES OF DAA ◮ The user remains anonymous, i.e. verifiers do not know which TPM produced the signature. ◮ Rogue (i.e. compromised) TPMs can be traced. ◮ The user can opt to have some of his transactions (targeted at the same verifier, i.e. on the same basename bsn ) to be linkable. However, anonymity is still preserved. D IRECT A NONYMOUS A TTESTATION 4 / 46

  14. A BIT OF H ISTORY The first DAA protocol (RSA-based) was proposed by Brickell, Camenisch and Chen [BCC04] in 2004 and was standardized by TCG as TPM 1.2. Other (Pairing-based) constructions followed: ◮ Brickell, Chen and Li [BCL08] 2008. ◮ Chen [C09] 2009. ◮ Chen, Morrissey and Smart [CMS09] 2009. ◮ Chen, Page and Smart [CPS10] 2010. ◮ Bernhard, Fuchsbauer, Ghadafi, Smart and Warinschi [BFG+11] 2011. D IRECT A NONYMOUS A TTESTATION 5 / 46

  15. PRE -DAA To simplify the security model and the constructions, we proceed in two steps: 1 Consider a pre-DAA scheme: a fully functional DAA but the user is regarded as one entity (i.e. not split into a powerful untrusted Host and a computationally-constrained trusted TPM). 2 Convert the pre-DAA into a DAA by delegating non-critical operations to the Host without compromising the security. D IRECT A NONYMOUS A TTESTATION 6 / 46

  16. H OW TO TRACE ? Unlike in group signatures, users do not have public keys bound to their identities! Q: So how to trace users? D IRECT A NONYMOUS A TTESTATION 7 / 46

  17. H OW TO TRACE ? Unlike in group signatures, users do not have public keys bound to their identities! Q: So how to trace users? A: We use the join transcript as a public key for the user “ Uniquely Identifying Transcripts ”. ◮ ⇒ Each completed transcript T traces to at most one secret key sk . D IRECT A NONYMOUS A TTESTATION 7 / 46

  18. S YNTAX OF A PRE -DAA S CHEME ◮ Setup ( 1 λ ) : Creates common public parameters param . ◮ GKg ( param ) : Creates a key pair ( gmpk , gmsk ) for the issuer. ◮ UKg ( param ) : Creates a secret key sk for a user. ◮ � Join ( gmpk , sk ) , Issue ( gmsk ) � : If completed successfully, the user obtains a group signing key gsk . ◮ GSig ( sk , gsk , bsn , m ) : Creates a signature σ on message m and basename bsn . bsn could be empty, i.e. bsn = ⊥ . ◮ Verify ( gmpk , σ, m , bsn ) : Verifies a signature. ◮ Link ( gmpk , m 0 , σ 0 , m 1 , σ 1 , bsn ) : Checks if σ 0 on ( m 0 and bsn ) and σ 1 on ( m 1 and bsn ) where bsn � = ⊥ are by the same user. D IRECT A NONYMOUS A TTESTATION 8 / 46

  19. S YNTAX OF A PRE -DAA S CHEME ◮ * Identify T ( gmpk , T , sk ) : Checks if transcript T matchs the secret key sk . ◮ * Identify S ( gmpk , σ, m , bsn , sk ) : Checks if σ was produced by the owner of sk . D IRECT A NONYMOUS A TTESTATION 9 / 46

  20. S ECURITY OF PRE -DAA The security requirements are: ◮ Correctness. ◮ Anonymity. ◮ Traceability. ◮ Non-frameability. D IRECT A NONYMOUS A TTESTATION 10 / 46

  21. S ECURITY OF PRE -DAA ◮ Correctness: If all parties are honest, we have that: Signatures are accepted by the Verify algorithm. Signatures can be traced. Signatures that are linkable link. D IRECT A NONYMOUS A TTESTATION 11 / 46

  22. S ECURITY OF PRE -DAA ◮ Anonymity: Signatures do not reveal who signed them and unlinkable signatures do not link even if the Issuer is corrupt. D IRECT A NONYMOUS A TTESTATION 12 / 46

  23. S ECURITY OF PRE -DAA ◮ Anonymity: Signatures do not reveal who signed them and unlinkable signatures do not link even if the Issuer is corrupt. gmpk,gmsk AddU AddU ... USK USK i 0 , i 1, bsn, m i 0 , i 1, bsn, m GSK GSK b←{0,1} Sign Sign σ←GSig(gsk b ,sk b ,m,bsn) CrptU CrptU ... SndToU SndToU b * Adversary wins if: b = b ∗ , both i 0 and i 1 are honest and he never asked for a signature on bsn by i 0 or i 1 . D IRECT A NONYMOUS A TTESTATION 12 / 46

  24. S ECURITY OF PRE -DAA ◮ Traceability-1: The adversary cannot output an untraceable signature. D IRECT A NONYMOUS A TTESTATION 13 / 46

  25. S ECURITY OF PRE -DAA ◮ Traceability-1: The adversary cannot output an untraceable signature. gmpk SndToI SndToI ... CrptU CrptU σ, m, bsn, sk' 1 , ..., sk' n Adversary wins if all the following holds: σ verifies on m and bsn . ∀T ∈ T ∃ i ∈ { 1 , n } s.t. T traces to sk i . T is the set of all Join transcripts. σ does not trace to any sk i . D IRECT A NONYMOUS A TTESTATION 13 / 46

  26. S ECURITY OF PRE -DAA ◮ Traceability-2: The adversary cannot output two signatures which should link but they do not. D IRECT A NONYMOUS A TTESTATION 14 / 46

  27. S ECURITY OF PRE -DAA ◮ Traceability-2: The adversary cannot output two signatures which should link but they do not. gmpk, gmsk ... σ 0 , m 0 , σ 1 , m 1 , bsn, sk' Adversary wins if all the following holds: σ 0 verifies on m 0 and bsn , and σ 1 verifies on m 1 and bsn . Both σ 0 and σ 1 trace to sk ′ . σ 0 and σ 1 do not link. D IRECT A NONYMOUS A TTESTATION 14 / 46

  28. S ECURITY OF PRE -DAA ◮ Non-Frameability-1: The adversary cannot output a signature that traces to an honest user who did not produce it. D IRECT A NONYMOUS A TTESTATION 15 / 46

  29. S ECURITY OF PRE -DAA ◮ Non-Frameability-1: The adversary cannot output a signature that traces to an honest user who did not produce it. gmpk,gmsk AddU AddU USK USK ... GSK GSK Sign Sign σ, m, i, bsn CrptU CrptU SndToU SndToU Adversary wins if all the following holds: σ verifies on m and bsn . User i is honest and has not signed ( m , bsn ) . σ traces to sk i . D IRECT A NONYMOUS A TTESTATION 15 / 46

  30. S ECURITY OF PRE -DAA ◮ Non-Frameability-2: The adversary cannot output signatures that link but they should not. D IRECT A NONYMOUS A TTESTATION 16 / 46

  31. S ECURITY OF PRE -DAA ◮ Non-Frameability-2: The adversary cannot output signatures that link but they should not. gmpk,gmsk AddU AddU USK USK ... GSK GSK Sign Sign σ 0 , m 0 , bsn 0 ,σ 1 , m 1 , bsn 1 , sk CrptU CrptU SndToU SndToU Adversary wins if all the following holds: σ 0 verifies on m 0 and bsn 0 , and σ 1 verifies on m 1 and bsn 1 . σ 0 and σ 1 link on either bsn 0 or bsn 1 . bsn 0 � = bsn 1 , bsn 0 = ⊥ , bsn 1 = ⊥ , or only one signature traces to sk . D IRECT A NONYMOUS A TTESTATION 16 / 46

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

An Analytical Framework for Particle and Volume Data of Large-Scale Combustion Simulations Franz

An Analytical Framework for Particle and Volume Data of Large-Scale Combustion Simulations Franz

An Analytical Framework for Particle and Volume Data of Large-Scale Combustion Simulations Franz Sauer 1 , Hongfeng Yu 2 , Kwan-Liu Ma 1 1 University of California, Davis 2 University of Nebraska, Lincoln Introduction Detailed combustion

484 views • 27 slides
DRM obfuscation vs auxiliary attacks Show me your trace and Ill tell you who you are REcon

DRM obfuscation vs auxiliary attacks Show me your trace and Ill tell you who you are REcon

DRM obfuscation vs auxiliary attacks Show me your trace and Ill tell you who you are REcon 2014 Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function whiteboxed : AES-CBC

1.43k views • 103 slides
CS137: Today Electronic Design Automation Multilevel Synthesis/Optimization Why

CS137: Today Electronic Design Automation Multilevel Synthesis/Optimization Why

CS137: Today Electronic Design Automation Multilevel Synthesis/Optimization Why Transforms -- defined Day 5: October 7, 2005 Division/extraction Multi-level Synthesis How we support transforms Boolean Division

358 views • 9 slides
Convolutional Neural Networks with Data Augmentation against Jitter-Based Countermeasures Eleonora

Convolutional Neural Networks with Data Augmentation against Jitter-Based Countermeasures Eleonora

Convolutional Neural Networks with Data Augmentation against Jitter-Based Countermeasures Convolutional Neural Networks with Data Augmentation against Jitter-Based Countermeasures Eleonora Cagli 1 , 3 ecile Dumas 1 C Emmanuel Prouff 2 , 3 1

1.28k views • 100 slides
Goals for Today Learning Objective: Understand primitives for interpretation versus

Goals for Today Learning Objective: Understand primitives for interpretation versus

Goals for Today Learning Objective: Understand primitives for interpretation versus translation Announcements, etc: Midterm debrief will have to happen after spring break; sorry! MP2 extension: now due on March 25th MP3

669 views • 19 slides
Update on Proposed Privatization 27 October 2017 Overview of Proposed Privatization Proposed

Update on Proposed Privatization 27 October 2017 Overview of Proposed Privatization Proposed

Update on Proposed Privatization 27 October 2017 Overview of Proposed Privatization Proposed Scheme is the result of the rigorous and independent Strategic Review process Scheme of Arrangement (Scheme) for all the issued and paid-up

697 views • 14 slides
Biophysical Chemistry: NMR Spectroscopy Relaxation & Multidimensional Spectrocopy Lieven Buts

Biophysical Chemistry: NMR Spectroscopy Relaxation & Multidimensional Spectrocopy Lieven Buts

Relaxation Multidimensional Spectroscopy Summary Biophysical Chemistry: NMR Spectroscopy Relaxation & Multidimensional Spectrocopy Lieven Buts Vrije Universiteit Brussel 9th December 2011 Lieven Buts Biophysical Chemistry: NMR

612 views • 38 slides
4Q18 Earnings Call Presentation January 23, 2019 Sands Macao Sands Bethlehem Four Seasons Macao The

4Q18 Earnings Call Presentation January 23, 2019 Sands Macao Sands Bethlehem Four Seasons Macao The

The Venetian Macao Marina Bay Sands, Singapore Sands Cotai Central, Macao The Parisian Macao 4Q18 Earnings Call Presentation January 23, 2019 Sands Macao Sands Bethlehem Four Seasons Macao The Venetian Las Vegas The Palazzo, Las Vegas Forward

1.03k views • 64 slides
Forward-Looking Statements From time to time, the Bank makes written and oral forward-looking

Forward-Looking Statements From time to time, the Bank makes written and oral forward-looking

Scotia Capital Ed Clark Financials Sum m it 2 0 0 6 President & CEO TD Bank Financial Group September 12, 2006 Forward-Looking Statements From time to time, the Bank makes written and oral forward-looking statem ents, including in this

428 views • 18 slides
Food waste prevention Westminster Forum, 29 June 2010 Professor David C Wilson Independent Waste

Food waste prevention Westminster Forum, 29 June 2010 Professor David C Wilson Independent Waste

Food waste prevention Westminster Forum, 29 June 2010 Professor David C Wilson Independent Waste and Resources Management Consultant & Visiting Professor, Imperial College www.davidcwilson.com The food we waste today WRAP: one

629 views • 16 slides
CIBC WORLD MARKETS Institutional Investor Conference BILL DOWNE Chief Operating Officer October

CIBC WORLD MARKETS Institutional Investor Conference BILL DOWNE Chief Operating Officer October

CIBC WORLD MARKETS Institutional Investor Conference BILL DOWNE Chief Operating Officer October 4 06 FORWARD-LOOKING STATEMENTS CAUTION REGARDING FORWARD-LOOKING STATEMENTS Bank of Montreals public communications often include written

92 views • 8 slides
2008 Financial Services Conference Ellen Costello Chief Executive Officer Harris Bankcorp New

2008 Financial Services Conference Ellen Costello Chief Executive Officer Harris Bankcorp New

CITIGROUP 2008 Financial Services Conference Ellen Costello Chief Executive Officer Harris Bankcorp New York City January 30 2008 FORWARD LOOKING STATEMENTS Caution Regarding Forward-Looking Statements Bank of Montreals public

498 views • 11 slides
Health equity as equality, or health equity as an asset? Martin Laverty Far North Queensland

Health equity as equality, or health equity as an asset? Martin Laverty Far North Queensland

Health equity as equality, or health equity as an asset? Martin Laverty Far North Queensland remote school participation Social Skills Improvement System Rating Scale (SSIS) results derived from teacher assessment of student participants at

335 views • 20 slides
Health Inequalities: A postcode lottery Postcode Lottery Health Inequalities Health

Health Inequalities: A postcode lottery Postcode Lottery Health Inequalities Health

Health Inequalities: A postcode lottery Postcode Lottery Health Inequalities Health inequalities are differences in health status or in the distribution of health determinants between different population groups due to the conditions in

662 views • 15 slides
A SHORT INTRODUCTION TO TWO-PHASE FLOWS Void fraction: Experimental techniques and simple models

A SHORT INTRODUCTION TO TWO-PHASE FLOWS Void fraction: Experimental techniques and simple models

A SHORT INTRODUCTION TO TWO-PHASE FLOWS Void fraction: Experimental techniques and simple models Herv e Lemonnier DTN/SE2T, CEA/Grenoble, 38054 Grenoble Cedex 9 T el. 04 38 78 45 40 herve.lemonnier@cea.fr ,

522 views • 40 slides
Physics 2D Lecture Slides Lecture 17: Feb 10 th Vivek Sharma UCSD Physics Just What is Waving

Physics 2D Lecture Slides Lecture 17: Feb 10 th Vivek Sharma UCSD Physics Just What is Waving

Physics 2D Lecture Slides Lecture 17: Feb 10 th Vivek Sharma UCSD Physics Just What is Waving in Matter Waves ? For waves in an ocean, its the water that waves For sound waves, its the molecules in medium For light its the E

432 views • 15 slides
CHARACTERIZATION OF NANOCOMPOSITES USING MICROWAVES FOR CURING PROCESS Francisco Fraga-Lpez *,

CHARACTERIZATION OF NANOCOMPOSITES USING MICROWAVES FOR CURING PROCESS Francisco Fraga-Lpez *,

CHARACTERIZATION OF NANOCOMPOSITES USING MICROWAVES FOR CURING PROCESS Francisco Fraga-Lpez *, Hugo Rebolo, Julio A. Seijas, Eugenio Rodrguez-Nez, Jos Manuel Martnez-Ageitos, Javier Miragaya, Eva Vzquez-Barreiro Facultade de

604 views • 5 slides
Geographically Dispersed Percona XtraDB Cluster Deployment Marco (the Grinch) Tusa September

Geographically Dispersed Percona XtraDB Cluster Deployment Marco (the Grinch) Tusa September

Geographically Dispersed Percona XtraDB Cluster Deployment Marco (the Grinch) Tusa September 2017 Dublin About me Marco The Grinch Open source enthusiast Percona consulting Team Leader 2 Agenda What is PXC When nodes

1.29k views • 59 slides
Background High Time Resolution Universe (HTRU) survey Running since 2008, now entering

Background High Time Resolution Universe (HTRU) survey Running since 2008, now entering

Ben Barsdell Matthew Bailes Christopher Fluke David Barnes S POTTING R ADIO T RANSIENTS W ITH THE HELP OF GPU S Background High Time Resolution Universe (HTRU) survey Running since 2008, now entering deep phase Uses the Parkes 64m radio

292 views • 16 slides
Method Taking into Account Process Dispersion to Detect Hardware Trojan Horse by Side-Channel

Method Taking into Account Process Dispersion to Detect Hardware Trojan Horse by Side-Channel

Method Taking into Account Process Dispersion to Detect Hardware Trojan Horse by Side-Channel X. Ngo, Z. Najm, S. Guilley, S. Bhasin, J.-L.Danger PROOFS14, Busan, South Korea Introduction to HTH and its detection Proposed HTH Detection

429 views • 27 slides
Joint Physics Analysis Center (JPAC) The Joint Physics Analysis Center (JPAC) formed in

Joint Physics Analysis Center (JPAC) The Joint Physics Analysis Center (JPAC) formed in

Amplitude analysis of / 0 0 Alessandro Pilloni Joint Physics Analysis Center Krakow, June 6 th , 2016 Joint Physics Analysis Center (JPAC) The Joint Physics Analysis Center (JPAC) formed in October 2013 We

873 views • 17 slides
Boiling Curve Wall Temp. Controlled. Pool boiling curve for temperature controlled case with

Boiling Curve Wall Temp. Controlled. Pool boiling curve for temperature controlled case with

Boiling Curve Wall Temp. Controlled. Pool boiling curve for temperature controlled case with increasing temperature and decreasing temperature. Note that there is a hysteresis especially in the transition region. 4 Pool Boiling Curve

295 views • 7 slides
2020 Phishing Attack Landscape and Industry Benchmarking The data you need to know Perry

2020 Phishing Attack Landscape and Industry Benchmarking The data you need to know Perry

2020 Phishing Attack Landscape and Industry Benchmarking The data you need to know Perry Carpenter Joanna Huisman Chief Evangelist & Strategy Officer SVP Strategic Insights & Research KnowBe4, Inc. KnowBe4, Inc. Perry Carpenter

581 views • 37 slides
FTP/4-5Ra Optimisation of production method of a nanostructured ODS ferritic steels P.

FTP/4-5Ra Optimisation of production method of a nanostructured ODS ferritic steels P.

FTP/4-5Ra Optimisation of production method of a nanostructured ODS ferritic steels P. Unifantowicz 1 , J. Fikar 1 , P. Sptig 1 , C. Testani 2 , F. Maday 2 , N. Baluc 1 , M.Q. Tran 1 1 Fusion Technology-Materials, CRPP EPFL, Association

458 views • 19 slides

More recommend