in the TPM. However, the Privacy CA architecture has met with some real-world
limitations as described in [4].
To address the limitations of Privacy CA, an alternative called Direct Anonymous
Attestation (DAA) [4] was developed and incorporated into the latest TPM
specification 1.2 [2] and the Mobile Trusted Module specification [5]. DAA is a
remote authentication mechanism for trusted computing platforms, and mainly
consists of the Join/Issue protocol and the Sign protocol. A DAA scheme has three
types of participants: the issuer, the signer and the verifier. The issuer is in
charge of verifying the legitimacy of signers and of issuing a signing key to each
signer. The signer, which consists of a TPM and the host to which the TPM is
attached, can convince a verifier that the DAA signatures generated by the signer
are valid. The verifier can verify the membership of the signer from the DAA
signatures but it cannot learn the identity of the signer. The DAA scheme is
completely decentralized and achieves anonymity by combining research on group
signatures and credential systems. Unlike in group signatures, the issuer in DAA is
not a privileged group manager, so anonymity can never be revoked, i.e., a DAA
signature cannot be opened by anyone, including the issuer, to reveal the identity
of the signer. Instead of the full anonymity and traceability held in group
signatures [6], DAA has user-controlled anonymity and traceability: the DAA signer
(user) and the verifier are able to decide whether the verifier is able to
determine if any two signatures have been produced by the same signer.
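
The user-controlled linkability described above can be sketched with the pseudonym idea used in DAA schemes such as [4]: the signature carries a tag computed from the signer's secret and a base that is either derived from a name the verifier supplies or chosen at random by the signer. This is an added example, not code from the original text; the function names, the basenames and the toy modulus are assumptions, and the proof that ties the tag to an issued credential is left out.

```python
import hashlib
import secrets

# Toy group (constructed, NOT secure): arithmetic modulo the Mersenne prime 2**127 - 1.
P = 2**127 - 1

def _to_subgroup(x: int) -> int:
    """Map x into [2, P-2] and square it, giving a quadratic residue other than 0 or 1."""
    return pow(2 + x % (P - 3), 2, P)

def base_from_basename(bsn: bytes) -> int:
    """Deterministic base zeta for a verifier that asks for linkable signatures."""
    return _to_subgroup(int.from_bytes(hashlib.sha256(b"toy-daa|" + bsn).digest(), "big"))

def random_base() -> int:
    """Fresh base chosen by the signer when signatures must stay unlinkable."""
    return _to_subgroup(secrets.randbelow(P))

def link_tag(f: int, zeta: int) -> tuple:
    """Pseudonym (zeta, zeta^f mod P); f stands in for the secret held by the TPM."""
    return zeta, pow(zeta, f, P)

def linked(tag_a: tuple, tag_b: tuple) -> bool:
    """Verifier check: same signer is recognised only when base and pseudonym both match."""
    return tag_a == tag_b

def demo() -> dict:
    f_a = 1 + secrets.randbelow(P - 2)  # constructed signer secrets
    f_b = 1 + secrets.randbelow(P - 2)
    shop = base_from_basename(b"shop.example")  # constructed basenames
    bank = base_from_basename(b"bank.example")
    return {
        "same signer, same basename": linked(link_tag(f_a, shop), link_tag(f_a, shop)),
        "same signer, other basename": linked(link_tag(f_a, shop), link_tag(f_a, bank)),
        "other signer, same basename": linked(link_tag(f_a, shop), link_tag(f_b, shop)),
        "same signer, random bases": linked(link_tag(f_a, random_base()),
                                            link_tag(f_a, random_base())),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'linked' if result else 'unlinkable'}")
```

Only the first case links: signatures from one signer towards two different verifiers, or under random bases, give the verifier nothing to correlate.
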
Related works. DAA has drawn a lot of attention from both industry and
cryptographic researchers after the concept and a concrete scheme of DAA were first
introduced by Brickell, Camenisch, and Chen [4]. Durahim et al. [7] constructed a
privacy-preserving mutual authentication and key agreement protocol using a DAA
scheme for ensuring privacy. Bichsel et al. [8] made use of a variant DAA scheme to
build an anonymous credential system on a standard Java card. Bella et al. [9]
utilized a DAA scheme to enforce privacy in e-commerce and proposed a
self-enforcing privacy protocol. Gummadi et al. [10] developed a NAB ("Not-A-Bot")
system which can preserve the current privacy semantics of web and email by
extending the DAA service. Many other DAA-based works have been presented in the
literature [11, 12, 13].
However, the original DAA scheme is inefficient, so many other DAA schemes were
proposed with performance in mind. Recently, researchers have been working on how
to create DAA schemes with elliptic curves and pairings, since ECC-based DAA is
more efficient in both computation and communication than RSA-based DAA. The first
ECC-based DAA scheme was proposed by Brickell et al. [14]. This scheme is based on
symmetric pairings. Chen et al. [15, 16] improved the above scheme [14] and
proposed two extended DAA schemes by using asymmetric pairings for the purpose of
increasing implementation flexibility and efficiency. To further improve the
performance of the scheme [16], Chen et al. [17] modified the scheme and compared
it with the original DAA scheme via a concrete implementation. Recently, Chen [18]
introduced a more efficient DAA scheme by making use of a batch proof and
verification technique. However, the efficient scheme [18] has some security
drawbacks; Brickell et al. [31] then fixed these drawbacks by proposing a new batch
proof and verification protocol. These DAA schemes are based on the LRSW assumption
and the DDH assumption. Other DAA schemes were proposed by Chen and