Feng [19], Brickell and Li [20], Chen [21], respectively. Security of these schemes is
based on the q-SDH assumption and DDH assumption. To the best of our knowledge,
Brickell's DAA scheme [31] is the most efficient DAA scheme and it requires the least
amount of TPM resources.
Our contributions . In this paper, our contribution is a novel DAA scheme. In the
construction of our DAA scheme, we focus on the efficiency of the Sign protocol and
Verify algorithm rather than that of the Join/Issue protocol, since in practice the
Join/Issue protocol is executed far fewer times than the Sign protocol and Verify
algorithm. With this motivation, our work is as follows:
We design a secure two-party computation (2PC) protocol for the Join/Issue protocol
to generate the signing key by making use of additive homomorphic encryption [23]
and verifiable encryption technique [24].
Under the q-SDH assumption [25] and XDH assumption [25], we propose a new
DAA scheme. In terms of performance, in the signing phase our DAA scheme requires
the TPM to perform only one exponentiation when unlinkability is necessary or two
exponentiations when linkability is necessary, and the host to perform three
exponentiations (unlinkability) or four exponentiations (linkability).
Finally, we give a comparison between our scheme and all the existing ECC-based
DAA schemes. The result shows that our DAA scheme has better performance than all
the existing schemes.
Roadmap . The rest of this paper is organized as follows. We first present the formal
definition and the enhanced security model of the DAA scheme in Section 2. We then
review the cryptographic assumptions and tools that we make use of in Section 3.
We focus on the design of the secure two-party computation protocol in Section 4. We
construct our new DAA scheme in Section 5 and give the corresponding security proofs
and performance comparison with the existing DAA schemes in Section 6. We then
conclude the paper in Section 7.
2 Formal Definition and Security Model of DAA
2.1 Formal Definition of DAA
We first present the formal definition of DAA. There are four types of players in the
DAA scheme: the issuer , the TPM , the host and the verifier . and form
a platform in the trusted computing environment and share the role of the DAA signer
. A DAA scheme  = (Setup, Join/Issue, Sign, Verify, Link) consists of the
following five polynomial-time algorithms and protocols:
Setup : On input of a security parameter 1^κ, this randomized algorithm can produce
two pairs (ipk, isk) where isk is the issuer's secret key, and ipk is the public key
including the global public parameters. Formally, the algorithm can be written as:
Setup(1^κ) → (ipk, isk).
Join/Issue : This protocol runs between a signer ( , ) and an issuer . Each of
the algorithms (Join, Issue) takes a secret value as input and outputs the signer's DAA
signing key sigk associated with the signer's secret key sk. Note that the sigk is given to