A note on the Chen–Morrissey–Smart DAA scheme


Information Processing Letters 110 (2010) 485–488


Liqun Chen (HP Laboratories, United Kingdom), Jiangtao Li* (Intel Corporation, United States)

Article history: Received 30 May 2009. Received in revised form 6 April 2010. Accepted 22 April 2010. Available online 28 April 2010. Communicated by Y. Desmedt.

Keywords: Cryptography; Trusted computing; User privacy; Direct Anonymous Attestation; User-controlled linkability

Abstract

Direct Anonymous Attestation (DAA) is a cryptographic scheme that enables remote authentication of a platform while preserving the privacy of the user of the platform. The DAA scheme developed by Brickell, Camenisch, and Chen has been adopted by the Trusted Computing Group (TCG) for remote anonymous attestation of the Trusted Platform Module (TPM). Recently, Chen, Morrissey, and Smart proposed an efficient DAA scheme from bilinear pairings. In this paper, we show that there is a design flaw in the name base option of the proposed CMS-DAA scheme such that a corrupted signer or corrupted host may break the linkability property of the DAA scheme. We also suggest a solution that fixes the flaw. © 2010 Elsevier B.V. All rights reserved.

1. Introduction

Direct Anonymous Attestation (DAA) is a cryptographic scheme that enables remote authentication of a computer platform while preserving user privacy. The concept and the first concrete scheme of DAA were introduced by Brickell, Camenisch, and Chen [3] for anonymous authentication of a hardware module called the Trusted Platform Module (TPM). The scheme was adopted by an industry standardization body, namely the Trusted Computing Group (TCG) [10]. The DAA scheme was specified in the TCG TPM specification version 1.2 [9], which has recently been accepted as an ISO/IEC standard [1]. DAA has drawn a lot of attention from both industrial and academic researchers (e.g., [2,4,7], to list a few). A DAA scheme involves three types of entities: issuers, signers, and verifiers. An issuer is in charge of verifying the legitimacy of signers and of issuing a DAA credential to each signer. A signer can prove that it holds a valid DAA credential to a verifier by providing a DAA signature.

* Corresponding author. E-mail addresses: [email protected] (L. Chen), [email protected] (J. Li). 0020-0190/$ – see front matter. doi:10.1016/j.ipl.2010.04.017. © 2010 Elsevier B.V. All rights reserved.

A verifier can verify the existence of the credential from the signature but cannot learn the identity of the signer. DAA is targeted for implementation in the TPM, which has limited storage space and computation capability. For this reason, the role of the signer is split between a TPM and a host, that is, the computer platform having the TPM “built in”. The TPM is the real signer and holds a secret signing key, whereas the host helps the TPM to compute the signature under the credential, but is not allowed to learn the signing key or to forge such a signature without the TPM's involvement.

The most interesting feature of DAA is that it provides differing degrees of user privacy. Interactions in DAA signing and verification are anonymous, meaning that the verifier, the issuer, or both of them colluding cannot discover a legitimate signer's identity from its DAA signature. However, the signer and verifier can negotiate whether or not the verifier is able to link different signatures signed by the signer. This unique property of DAA is called user-controlled linkability.

Recently, Chen, Morrissey, and Smart [7] proposed a new DAA scheme from bilinear pairings, which we call the CMS-DAA scheme in this paper. This scheme optimized the performance of the first pairing-based DAA scheme in [4], and is one of the most efficient DAA schemes, requiring minimum computation by the TPM. In this paper, we show that there is a design flaw in the CMS-DAA scheme such that it does not hold the property of user-controlled linkability. More specifically, a corrupted signer or even a corrupted host alone can break this property. We then suggest a solution that fixes the flaw without introducing too much computational overhead. Note that Chen, Morrissey, and Smart later proposed a fix to their CMS-DAA scheme in [8].

2. Review of DAA specification

A formal DAA specification was given in [3], via an ideal-system/real-system model to prove the security of DAA, which is based on security models for multi-party computation [6]. For the purpose of this paper, we overview the ideal-system only; details of the specification can be found in [3]. There are five types of players: an issuer I, a TPM Mi, a host Hi, a verifier Vj, and a revocation oracle O. Mi and Hi form a platform in the trusted computing environment and share the role of a DAA signer. T denotes a trusted third party dealing with any cryptographic protocols in the ideal-system. The following operations are supported:

Setup. Each player indicates to T whether or not it is corrupted. Each TPM Mi sends its unique identity idi to T, who forwards it to the respective host Hi.

Join. The host Hi contacts T and requests to become a member. T asks the corresponding TPM Mi whether it wants to become a member. Then T asks the issuer I whether the platform with identity idi can become a member. If Mi was tagged rogue, T also tells I this. If the issuer agrees, T notifies Hi that it has become a member.

Sign/Verify. A host Hi wants to sign a message m with respect to some basename bsn ∈ {0, 1}* ∪ {⊥} for some verifier Vj. So Hi sends m, bsn to T. If Hi/Mi are not a member, T denies the request. Otherwise, T forwards m to the corresponding Mi and asks it whether it wants to sign. If it does, T tells Hi that Mi agrees and asks it with respect to which basename bsn it wants to sign (or whether it wants to abort). If Hi does not abort, T proceeds as follows:
• If Mi has been tagged rogue, T lets Vj know that a rogue TPM has signed m.
• If bsn = ⊥, then T informs Vj that m has been signed w.r.t. bsn.
• If bsn ≠ ⊥, then T checks whether Hi/Mi have already signed a message w.r.t. bsn. If this is the case, T looks up the corresponding pseudonym P in its database; otherwise T chooses a new random pseudonym P. Finally, T informs Vj that the platform with pseudonym P has signed m.

Revoke. O tells T to tag the platform with identity id as rogue. If the TPM with identity id is not corrupted, T denies the request. Otherwise, T marks the TPM with identity id as rogue.

Observe that the above ideal-system model captures the following properties.

• Unforgeability: a valid DAA signature can only be produced with the involvement of a TPM that is not tagged rogue.
• Anonymity/pseudonymity: in the Sign/Verify operation, the identity of a signer that is not tagged rogue is hidden from I and Vj.
• User-controlled linkability: signatures involving the same TPM using the same basename are linkable to each other via a pseudonym P, but if they are signed with regard to different basenames or no basename (i.e. bsn = ⊥), then they cannot be linked.

3. User-controlled linkability and name base option

As mentioned earlier, user-controlled linkability is a unique property of DAA, and it is achieved using the basename. There are two options in DAA with respect to using basenames: (1) the random base option, where bsn = ⊥, and (2) the name base option, where bsn ≠ ⊥. If the random base option is used, DAA signatures are unlinkable to the verifiers. If the name base option is used, given the same basename bsn, which could be the name or a particular piece of information of the verifier, all the signatures created by the same DAA signer contain the same pseudonym P; so they are linkable. Observe that even if a DAA signer is corrupted, the signatures it creates must still contain the same P. Therefore this property should hold in any robust DAA scheme, no matter whether the signer is corrupted or not. When using the DAA scheme in applications, which one of the two options is chosen, and which particular bsn value is used in the name base option, should be the result of a negotiation between the signer and verifier. As a result, this property allows the verifier to build his own black list of unwelcome signers.

We now give a usage example for the name base option of DAA. Consider a key provisioning server for providing keys to platforms. The policy of the server is that one platform can only obtain one unique key. To enforce its policy, the server uses the name base option of the DAA scheme as follows: the server chooses a basename; each platform uses the basename to create a DAA signature as the key material request. If the signature can be correctly verified and the platform has not requested any key before, the server issues a new key to the platform. If the platform has been revoked or has already requested a key before, then the server will not issue any key to it. The DAA scheme with the name base option provides this application with a good balance between protecting user privacy and preventing a potentially malicious platform from obtaining multiple keys.

4. Chen–Morrissey–Smart DAA scheme

We now briefly review the Chen–Morrissey–Smart (CMS) DAA scheme [7]. We omit some details on the setup and join operations and keep our focus on the sign and verify operations. The CMS-DAA scheme has the following four operations:

Setup. The issuer I chooses groups G1 = ⟨P1⟩, G2 = ⟨P2⟩, and GT, all of prime order q, and an admissible bilinear map e : G1 × G2 → GT. I chooses four hash functions H1, H2, H3, H4 : {0, 1}* → Zq. I chooses x, y ← Zq and computes X := P2^x and Y := P2^y. The issuer's private key is (x, y) and the corresponding public key is ipk = (q, P1, P2, X, Y, G1, G2, GT, e, H1, H2, H3, H4).

Join. The join operation is an interactive protocol between the issuer I, a TPM M, and a host H. It has the following steps:
1. I chooses a nonce nI and sends nI to M.
2. M derives its DAA secret f from its internal seed value and computes F := P1^f.
3. M performs the proof of knowledge PK{(f) : P1^f = F} to I. The details of this proof of knowledge protocol can be found in [7].
4. I chooses r ← Zq and computes A := P1^r, B := A^y, and C := A^x · F^{rxy}.
5. I sends M the triple (A, B, C) as the DAA credential, which is a Camenisch–Lysyanskaya signature [5] on f.
6. M computes E := B^f and forwards (A, B, C, E) to H.
7. H computes ρa := e(A, X), ρb := e(B, X), and ρc := e(C, P2). H verifies that e(A, Y) = e(B, P2) and e(A · E, X) = ρc, and stores the values (A, B, C, E, ρa, ρb, ρc).

Sign. Given a basename bsn, the signed message m and a verifier's nonce nV, the sign operation is jointly performed by a TPM M and a host H in the following steps.
1. If bsn = ⊥, M chooses r ← Zq; otherwise, M computes r := H2(f || bsn).
2. M sends r to H, who computes A' := A^r, B' := B^r, C' := C^r, and E' := E^r.
3. M and H jointly perform the following zero-knowledge proof

SPK{(f) : e(A', X) · e(B', X)^f = e(C', P2) ∧ E' = B'^f}(m || nV || nT),

where nT is M's nonce.
(a) M chooses v ← Zq and computes D := B^{vr}, and sends D to H.
(b) H computes ρa' := ρa^r, ρb' := ρb^r, ρc' := ρc^r, and τ := e(D, X).
(c) H computes c := H3(ipk || bsn || A' || B' || C' || D || E' || ρa' || ρb' || ρc' || τ || nV).
(d) H sends c to M. M chooses a nonce nT and computes c' := H4(c || nT || m).
(e) M computes s := v + c' · f and sends (c', s, nT) to H.
4. The signature on m is σ := (A', B', C', E', c', s, nV, nT).

Verify. The verify operation has the following steps:
1. For each f_i in the revocation list, V checks that E' ≠ B'^{f_i}.
2. V checks that e(A', Y) = e(B', P2).
3. V computes ρa' := e(A', X), ρb' := e(B', X), and ρc' := e(C', P2).
4. V computes τ := (ρb')^s · (ρc'/ρa')^{-c'} and D := B'^s · E'^{-c'}.
5. V computes c := H3(ipk || bsn || A' || B' || C' || D || E' || ρa' || ρb' || ρc' || τ || nV).
6. V verifies that c' = H4(c || nT || m).
7. If any of the above steps fails, V returns reject; otherwise, V returns accept.

5. Problem of the CMS-DAA scheme

Recall that, in the name base option of DAA, the signatures created with the same basename by the same DAA signer should be linkable. This is independent of whether the signer is corrupted or not. Clearly, if a DAA signer follows the CMS-DAA scheme properly, her signatures with the same bsn can be linked, as she will compute the same r := H2(f || bsn) each time. The problem with the CMS-DAA scheme is that, in the name base option, the computation of r is not done in a verifiable manner, i.e., the verifier cannot check how the value r was generated, since H2 is a one-way hash function and f is a secret. This problem leads to the following attacks on the user-controlled linkability property of the scheme. We now show how an adversary controlling either the TPM M or the host H can break this property.

• If the adversary controls M, the malicious M can always choose a random r instead of computing r := H2(f || bsn), even if the signer and verifier “have agreed” to use the name base option. So the DAA signatures are always unlinkable.
• If the adversary controls H but not M, the malicious H can always tell the honest M that bsn = ⊥, even if H has agreed with V to use the name base option and to put a certain bsn value agreed with V into the computation of c. In that case, M will always choose a random r, since M never checks the input of c, and then the signatures will always be unlinkable. In the DAA scheme, the communication between M and H is invisible to V.
• Even if the adversary only controls H but not M, and even if V and M do have an authentic communication channel, e.g., the value bsn is included in the signature by M as part of the signed message when computing c' instead of c, the adversary can still carry out the attack by modifying the r value as follows: H receives r from M, then uses a different r̂ in all its computations. Since the D value is computed by M, H can do an extra exponentiation with (r̂/r) on D such that D = (B^{vr})^{r̂/r} = B^{v r̂}. As a result, the DAA signature is still valid but uses a different r̂ instead of r = H2(f || bsn). The resulting signatures finished by the adversary are unlinkable due to this attack.

Note that although the CMS-DAA scheme specifies that the value r is generated by M, H actually has full control over this value. Consider the example in Section 3: the adversary can use the above attacks to obtain multiple keys from the key provisioning server.


6. Proposed changes to the CMS-DAA scheme

To fix the problem of the CMS-DAA scheme, we introduce the (b, k) pair back, as was used in several DAA schemes [3,4]. The (b, k) pair serves the purpose of the revocation check. In the name base option, k also becomes a pseudonym. We sketch our modified CMS-DAA scheme as follows:

Setup. Same as the setup algorithm in Section 4, except that the issuer defines H2 : {0, 1}* → G1.

Join. Same as the join protocol in Section 4.

Sign. The sign operation takes the following steps:
1. If bsn = ⊥, M chooses b ← G1; otherwise, M computes b := H2(1 || bsn).
2. M computes k := b^f, then chooses r ← Zq and sends (b, k, r) to H.
3. H computes A' := A^r, B' := B^r, and C' := C^r.
4. M and H jointly perform the following zero-knowledge proof

SPK{(f) : e(A', X) · e(B', X)^f = e(C', P2) ∧ k = b^f}(m || nV || nT).

(a) M chooses v ← Zq and computes D := B^{vr}, and sends D to H.
(b) M computes F := b^v and sends F to H.
(c) H computes ρa' := ρa^r, ρb' := ρb^r, ρc' := ρc^r, and τ := e(D, X).
(d) H computes c := H3(ipk || bsn || A' || B' || C' || b || k || ρa' || ρb' || ρc' || F || τ || nV).
(e) H sends c to M. M chooses a nonce nT and computes c' := H4(c || nT || m).
(f) M computes s := v + c' · f and sends (c', s, nT) to H.
5. The signature on m is σ := (b, k, A', B', C', c', s, nV, nT).

Verify. The verify operation takes the following steps:
1. For each f_i in the revocation list, V checks that k ≠ b^{f_i}.
2. If bsn = ⊥, V verifies that b ∈ G1; otherwise, V verifies that b = H2(1 || bsn).
3. V checks that e(A', Y) = e(B', P2).
4. V computes ρa' := e(A', X), ρb' := e(B', X), and ρc' := e(C', P2).
5. V computes τ := (ρb')^s · (ρc'/ρa')^{-c'} and F := b^s · k^{-c'}.
6. V computes c := H3(ipk || bsn || A' || B' || C' || b || k || ρa' || ρb' || ρc' || F || τ || nV).
7. V verifies that c' = H4(c || nT || m).
8. If any of the above steps fails, V returns reject; otherwise, V returns accept.

Note that the user-controlled linkability property of this modified DAA scheme holds, as the verifier can verify the correctness of the b value. Also note that the extra cost of this countermeasure is that M needs to compute three exponentiations (all in G1) instead of one in the original CMS-DAA scheme. The computation loads for H and V are close to those of the original scheme.

There are two differences in the other fix of the CMS-DAA scheme proposed in [8]: the values b and r are created by the host H instead of the TPM M, and the TPM M performs two exponentiations in G1 and one exponentiation in GT. The first is an advantage and the second is a disadvantage. In the overall comparison, the performance of these two fixes is similar.
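As an added illustration (not code from this paper or from the CMS-DAA authors), the following Python models the (b, k) pseudonym part of the modified scheme above and uses it to enforce the one-key-per-platform policy of the key provisioning server in Section 3. It replaces G1 by a prime-order subgroup of Z_p^* and has no pairing, so it covers only the k = b^f clause of the SPK and the verifier's check that b = H2(1 || bsn); the safe-prime parameters, the hash-to-group construction g^{H(1||bsn)}, the placeholder ipk string, the nonce bookkeeping and the server class are all constructed assumptions of this example.

```python
"""Added example (not the paper's code): the (b, k) pseudonym part of the
modified CMS-DAA scheme of Section 6 enforcing the Section 3 key policy.
G1 is a prime-order subgroup of Z_p^* with no pairing, so only the k = b^f
clause of the SPK and the verifier's check of b are modelled."""
import hashlib
import secrets


def _is_prime(n: int) -> bool:
    """Miller-Rabin; deterministic for every n < 3.3e24 with these bases."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1) or any((x := x * x % n) == n - 1 for _ in range(r - 1)):
            continue
        return False
    return True


def _safe_prime_group(start: int):
    """Return (p, q, g) with q prime, p = 2q + 1 prime and ord(g) = q (toy G1)."""
    q = start | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4            # 4 = 2^2 is a square mod p, hence of order q


P, Q, G = _safe_prime_group(1 << 61)   # constructed toy parameters, not from the paper


def _enc(*parts) -> bytes:
    """Length-prefixed encoding of ints and byte strings, standing in for '||'."""
    out = b""
    for x in parts:
        x = x.to_bytes(8, "big") if isinstance(x, int) else x
        out += len(x).to_bytes(2, "big") + x
    return out


def _hash_zq(*parts) -> int:
    """H3 and H4 (both modelled as SHA-256 reduced mod q)."""
    return int.from_bytes(hashlib.sha256(_enc(*parts)).digest(), "big") % Q


def h2_base(bsn: bytes) -> int:
    """b := H2(1 || bsn). Toy hash-to-group g^{H(1||bsn)}; a real scheme needs a
    hash-to-curve whose discrete log nobody knows."""
    return pow(G, _hash_zq(b"1", bsn), P)


def sign(f: int, bsn, m: bytes, n_v: int) -> dict:
    """TPM side of Sign restricted to (b, k); bsn=None is the random base option."""
    b = pow(G, secrets.randbelow(Q - 1) + 1, P) if bsn is None else h2_base(bsn)
    k = pow(b, f, P)                                # pseudonym k := b^f
    v = secrets.randbelow(Q)
    big_f = pow(b, v, P)                            # commitment F := b^v
    c = _hash_zq(b"ipk", b"" if bsn is None else bsn, b, k, big_f, n_v)   # H3
    n_t = secrets.randbelow(Q)
    c_prime = _hash_zq(c, n_t, m)                   # c' := H4(c || nT || m)
    return {"b": b, "k": k, "c": c_prime, "s": (v + c_prime * f) % Q,
            "n_v": n_v, "n_t": n_t}


def verify(sig: dict, bsn, m: bytes, revoked=()) -> bool:
    """Verify steps 1, 2, 5 and 7 of Section 6 restricted to (b, k)."""
    b, k, c_prime, s = sig["b"], sig["k"], sig["c"], sig["s"]
    if not (1 < b < P and pow(b, Q, P) == 1):       # b ∈ G1
        return False
    if any(pow(b, f_i, P) == k for f_i in revoked):  # step 1: k ≠ b^{f_i}
        return False
    if bsn is not None and b != h2_base(bsn):       # step 2: b is verifiable
        return False
    big_f = pow(b, s, P) * pow(k, Q - c_prime % Q, P) % P   # F := b^s · k^{-c'}
    c = _hash_zq(b"ipk", b"" if bsn is None else bsn, b, k, big_f, sig["n_v"])
    return c_prime == _hash_zq(c, sig["n_t"], m)    # step 7: c' = H4(c || nT || m)


class KeyProvisioningServer:
    """Section 3 policy: one key per platform, tracked by the pseudonym k."""

    def __init__(self, bsn: bytes, revoked=()):
        self.bsn, self.revoked = bsn, list(revoked)
        self.issued, self.pending = {}, set()       # k -> key, outstanding nonces

    def nonce(self) -> int:
        n_v = secrets.randbelow(Q)
        self.pending.add(n_v)
        return n_v

    def request_key(self, sig: dict, m: bytes):
        if sig["n_v"] not in self.pending or not verify(sig, self.bsn, m, self.revoked):
            return None                             # replayed, invalid, wrong base or revoked
        self.pending.discard(sig["n_v"])
        if sig["k"] in self.issued:
            return None                             # same platform asking again
        self.issued[sig["k"]] = secrets.token_hex(16)
        return self.issued[sig["k"]]


def demo() -> dict:
    f = secrets.randbelow(Q - 1) + 1                # the TPM's DAA secret (constructed)
    srv, m = KeyProvisioningServer(b"key-server"), b"key material request"
    first = srv.request_key(sign(f, srv.bsn, m, srv.nonce()), m)
    second = srv.request_key(sign(f, srv.bsn, m, srv.nonce()), m)
    # a random-base signature has b ≠ H2(1 || bsn), so verifier step 2 rejects it
    random_base = srv.request_key(sign(f, None, m, srv.nonce()), m)
    return {"first": first, "second": second, "random_base": random_base}
```

Running demo() shows the two behaviours the fix is meant to guarantee: the same secret f under the same basename always yields the same k, so the server's second request is refused, and a signature produced under the random base option fails step 2 of Verify because b is no longer H2(1 || bsn). That is exactly the verifiable derivation that Section 5 identifies as missing for r in the original scheme.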

References

[1] ISO/IEC PAS DIS 11889: Information technology – Security techniques – Trusted platform module.
[2] M. Backes, M. Maffei, D. Unruh, Zero-knowledge in the applied pi-calculus and automated verification of the Direct Anonymous Attestation protocol, in: Proceedings of IEEE Symposium on Security and Privacy, IEEE Computer Society, 2008, pp. 202–215.
[3] E. Brickell, J. Camenisch, L. Chen, Direct Anonymous Attestation, in: Proceedings of the 11th ACM Conference on Computer and Communications Security, ACM Press, 2004, pp. 132–145.
[4] E. Brickell, L. Chen, J. Li, A new Direct Anonymous Attestation scheme from bilinear maps, in: Proceedings of the 1st International Conference on Trusted Computing, LNCS, vol. 4968, Springer, 2008, pp. 166–178.
[5] J. Camenisch, A. Lysyanskaya, Signature schemes and anonymous credentials from bilinear maps, in: Advances in Cryptology — CRYPTO '04, LNCS, vol. 3152, Springer, 2004, pp. 56–72.
[6] R. Canetti, Security and composition of multiparty cryptographic protocols, Journal of Cryptology 13 (1) (2000) 143–202.
[7] L. Chen, P. Morrissey, N.P. Smart, Pairings in trusted computing, in: Proceedings of the 2nd International Conference on Pairing-Based Cryptography, LNCS, vol. 5209, Springer, 2008, pp. 1–17.
[8] L. Chen, P. Morrissey, N.P. Smart, DAA: Fixing the pairing based protocols, Cryptology ePrint Archive, Report 2009/198, http://eprint.iacr.org/, 2009.
[9] Trusted Computing Group, TCG TPM specification 1.2, 2003. Available at http://www.trustedcomputinggroup.org.
[10] Trusted Computing Group website, http://www.trustedcomputinggroup.org.