IEEE International Conference on Social Computing / IEEE International Conference on Privacy, Security, Risk and Trust

Enhanced Privacy ID from Bilinear Pairing for Hardware Authentication and Attestation

Ernie Brickell Jiangtao Li Intel Corporation Intel Labs Hillsboro, USA Hillsboro, USA Email: [email protected] Email: [email protected]

Abstract—Enhanced Privacy ID (EPID) is a cryptographic in DAA. If the named base option in DAA is used, it can scheme that enables the remote authentication and attestation allow revocation based on signatures for all uses of the same of a hardware device while preserving the privacy of the device. named base, but it has the unfortunate property of removing EPID can be seen as a direct anonymous attestation scheme with enhanced revocation capabilities. In EPID, a device can be the anonymity for all uses with the same named base. To get revoked if the private embedded in the hardware device has around the problem of the limited revocation properties of been extracted and published widely so that the revocation man- DAA, Brickell and Li [12] introduced the notion of Enhanced ager finds the corrupted private key. In addition, the revocation Privacy ID (EPID). In EPID, the revocation manager can manager can revoke a device based on the signatures the device revoke a hardware device based on the signatures that were has created, if the private key of the device is not known. In this paper, we introduce a new security notion of EPID including the signed by the private key of the device, without reducing the formal definitions of anonymity and unforgeability. We also give anonymity properties. The EPID scheme will have broader a construction of an EPID scheme from bilinear pairing. Our applicability beyond attestation and the TCG application. More EPID scheme is efficient and provably secure in the random motivations about EPID can be found in [13]. oracle model under the strong Diffie-Hellman assumption and the decisional Diffie-Hellman assumption. In an EPID scheme, there are four types of entities: an Index Terms—hardware authentication; trusted computing; issuer, a revocation manager, platforms, and verifiers. The privacy; anonymity; direct anonymous attestation; cryptographic issuer could be the same entity as the revocation manager. protocol The issuer is in charge of issuing membership to platforms, i.e., each platform obtains a unique private key from the issuer I. INTRODUCTION through a join process. A platform can prove membership to Consider the following authentication problem: a hardware a verifier by creating a signature using its private key. The device (e.g., a graphics chip, a , a verifier can verify membership of the platform by verifying the mobile device, a smart phone, or a processor) wants to authen- signature, but he cannot learn the identity of the platform. One ticate to a service provider that it is a genuine hardware device important feature of EPID is that nobody besides the platform instead of a software simulator, so that the service provider can knows the platform’s private key and nobody can trace the send a protected resource (e.g., one-time password or high signatures created by the platform if the platform has not definition media) to the device. One possible solution is that been tampered. Yet an EPID scheme has to be able to revoke the hardware manufacturer assigns each device a unique device a platform if the platform’s private key has been corrupted. certificate. The device can authenticate to the service provider There are two types of revocations in EPID: (1) private-key by showing the device certificate. However, such solution based revocation in which the revocation manager revokes a raises a serious privacy concern as the device certificate can platform based on the platform’s private key, and (2) signature uniquely identify the device. based revocation in which the revocation manager revokes a Brickell, Camenisch, and Chen [10] introduced a crypto- platform based on the signatures created by the platform. A graphic scheme called Direct Anonymous Attestation (DAA) formal specification of EPID is given in Section II. In this that can solve the above problem. The original usage of DAA paper, we provide two contributions: is for anonymous authentication of a special hardware device called the Trusted Platform Module (TPM). The DAA scheme 1) We give a new security notion of EPID. This new was adopted by the Trusted Computing Group (TCG) [38] and security model is intended to address the same concept standardized in the TCG TPM Specification 1.2 [37]. of EPID introduced in [12]. We formally model the two In a DAA scheme, a hardware device can be revoked only revocation methods into the security model, and we give if the private key embedded in the hardware device has been a formal definition of anonymity and unforgeability with extracted and published widely so that the revocation manager notions of revocation embedded. finds the corrupted private key. However, if an attacker corrupts 2) We develop a concrete EPID scheme from bilinear maps. a hardware device and obtains the device’s private key, but he Our EPID scheme builds on top of Boneh, Boyen, and never publishes it, then there is no way to revoke the key Shacham’s group signature scheme [6] and Furukawa

978-0-7695-4211-9/10 $26.00 © 2010 IEEE 768 DOI 10.1109/SocialCom.2010.118 and Imai group signature scheme [28]. Our construction revocation of hardware devices to be a rare event for the of EPID is efficient and provably secure in the random following reasons: oracle model under the strong Diffie-Hellman assump- 1) To use the EPID scheme for hardware authentication, tion and the decisional Diffie-Hellman assumption. Our we revoke an EPID key only if it has been extracted out new EPID scheme requires a much shorter key length of the hardware device. EPID enables platform authen- and signature size than the original RSA based EPID tication, but not for user authentication. If a platform scheme [12] and yet achieves a higher level of security. changes ownership or is stolen, there is no need to revoke the EPID key inside as it is a valid platform. A. Motivation for Signature Based Revocation 2) In general, hardware has a good protection on its key We now present a concrete example for motivating signa- materials than software based solutions. If the secure ture based revocation. Suppose each platform has a unique storage and trusted execution environment of the plat- EPID private key. Consider there is a provisioning server form are implemented in hardware, then the only way for provisioning content protection keys to each platform. to extract the EPID key is to launch a physical attack. Only platform with valid EPID private key can obtain a Although our revocation method in the EPID scheme seems unique content protection key from the provisioning server. expensive, it is more capable, privacy friendly, and practical If an attacker breaks one EPID private key, he could use the given our estimation that revocation is a rare event. corrupted EPID private key to obtain content protection keys. If the attacker publishes the EPID private key over the Internet, C. Related Work we can revoke the key. However, in practice, the attacker may The EPID scheme can be seen as a special group signature embed the obtained content protection key in a media ripper scheme [1], [6], [21], [24] without the feature of opening software without publishing the EPID private key. Once we a group signature and identifying the signer of the signa- find the ripper software on the Internet and extract the content ture. There have been several revocation methods proposed protection key in it, we can back trace to the EPID signature for group signatures, such as [9], [36], [18], [2], [7]. The that was used to obtain the content protection key. We then unique property that EPID has that none of the above have, revoke the platform based on the signature without knowing is the capability to revoke a private key that generated a the corrupted EPID private key. signature, without being able to open the signature. The A possible alternative to handle revocation is to add trace- EPID scheme in this paper also shares some properties with ability to the EPID scheme, as most group signature schemes identity escrow [30], anonymous credential systems [17], [22], do. That is, we give the revocation manager the ability to open pseudonym system of Brands [8], and blacklistable anonymous a signature and identify the actual signer. To revoke a platform credentials scheme [39]. based on its signature, the revocation manager first finds out As mentioned earlier, EPID can be seen as a DAA scheme the platforms private key or its identity, then put the private with additional revocation capabilities. We remove some fea- key into the revocation list. As in DAA schemes [10], [11], tures of DAA from the design of EPID, such as the name based EPID scheme chooses not to have traceability from the revo- option and the outsourcing capability, since those features cation manager in order to provide maximum privacy for the are more TPM specific. We could easily add those features unrevoked platforms. Traceability provides the capability that back to EPID if needed. After DAA was first introduced by a revocation manager can determine which platform generates Brickell, Camenisch, and Chen [10], it has drawn a lot of which signatures, for any signatures at any time, without any attention from both industry and cryptographic community acknowledgement from the user that is being traced. This is not (e.g., [16], [32], [3], to list a few). Brickell, Chen, and Li desirable from a privacy perspective. In EPID, if a platforms recently constructed the first pairing based DAA scheme [11]. private key has been revoked, i.e., placed in a revocation list, Later Chen, Morrissey, and Smart [26] showed that the DAA the user of the platform will know that he is revoked or scheme can be further optimized by transferring the underlying being traced. If the user finds that his platform is not in the pairing groups from the symmetric to the asymmetric settings. revocation list, then he is assured that nobody can trace him, Recently, Chen [25] and Brickell and Li [15] proposed DAA including the issuer and the revocation manager. Observe that, schemes built on top of this paper. Both DAA schemes [25], if the revocation manager does not have traceability and the [15] focus on the TPM implementation and outsourcing capa- signature cannot be opened, revocation based on signature is bility, but they do not have the additional revocation capability a much more challenging problem. as in the EPID schemes. B. Revocation of Hardware Devices D. Organization of This Paper The EPID scheme is mainly designed for hardware authen- Rest of this paper is organized as follows. We give a formal tication and attestation. Consider that a hardware manufacturer specification of EPID and present the corresponding security issues a unique EPID private key for each hardware device. model in Section II. We then define our notations and present Assume the hardware device has a secure storage to store security assumptions in Section III. We present our EPID the private key and a trusted execution environment to use scheme in Section IV. In Section V, we recommend two the private key for creating the signatures. We expect the choices of elliptic curves and security parameters, analyze the

769 efficiency of our scheme, and in the end compare our scheme verify it against a newer version of sRL,however, with the previous EPID scheme and the related schemes. he can verify it against any versions of pRL. Finally, we conclude the paper in Section VI. Revoke There are two types of revocations. Private-key based revocation: Given the group public II. SPECIFICATION AND SECURITY MODEL OF EPID key gpk and a private key sk, R updates pRL by In the rest of this paper, we use the following notations. Let adding sk to pRL. S be a finite set, x ← S denotes that x is chosen uniformly at pRL ← Revoke(gpk, pRL, sk) random from S.Letb ← A(a) denote an algorithm A that is given input a and outputs b.Letc, d←PA,Ba, b denote Signature based revocation: Given the group public an interactive protocol between A and B,whereA inputs a key gpk, a message m, and a signature σ on m, R and B inputs b; in the end, A obtains c and B obtains d. updates sRL by placing σ to sRL after verifying σ. A. Specification of EPID sRL ← Revoke(gpk, pRL, sRL,m,σ) In an EPID scheme, there are four types of entities: an In the usage model, the private-key based revocation is used issuer I, a revocation manager R, platforms P, and verifiers when a platform has been corrupted by the adversary, i.e., V. There are two revocation lists managed by R: a private- a private key gets extracted from the secure storage of the key based revocation list, denoted as pRL, and a signature platform and published widely. The signature based revocation based revocation list, denoted as sRL. An EPID scheme has is used when R identifies that a platform P has been corrupted, the following four algorithms Setup, Sign, Verify,andRevoke, but has not obtained P’s private key. and one interactive protocol Join. For private-key based revocation, the revocation list is not Setup This setup algorithm for the issuer I takes a security sent to the platform. This revocation method is known in the parameter 1k as input and outputs a group public key literature as verifier-local revocation [7] and has also been gpk andanissuingprivatekeyisk. used in the DAA schemes [10], [11]. One implication of this revocation method is that, given a signature on a message ( ) ← (1k) σ m gpk, isk Setup and a private key sk, a verifier can easily determine whether Join This join protocol is an interactive protocol between σ was generated using sk by putting sk into pRL. Another the issuer I and a platform P. I is given the group implication is that, once a platform has been revoked in pRL, public key gpk and the issuing private key isk. P it loses its privacy and anonymity as all its previous signatures is given gpk. In the end, P outputs a private key can be traced. We intentionally design this feature to penalize sk, while I outputs nothing. the revoked platform. Recall that, the issuer or the revocation manager cannot revoke a platform in pRL unless the platform’s ⊥, sk←JoinI,P (gpk, isk), gpk private key has been extracted and revealed by the attacker. In other words, the issuer cannot arbitrarily invade a platform’s Sign On input of the group public key gpk,aprivatekey privacy by revoking the platform into pRL as he does not sk, a message m, and a signature based revocation know the platform’s private key. list sRL, this sign algorithm outputs ⊥ if sk has been revoked in sRL, or outputs a signature σ otherwise. B. Security Definition of EPID ⊥/σ ← Sign(gpk, sk,m,sRL) An EPID scheme is secure if it satisfies the following three requirements: correctness, anonymity for unrevoked platforms, The sRL is used by the platform to prove that it has and unforgeability. not been revoked in sRL, i.e., it has not created any 1) Correctness: Loosely speaking, the correctness require- of the signatures in sRL. ment states that, every signature generated by a platform can Verify On input of the group public key gpk, a message m, be verified as valid, except when the platform is revoked. a private-key based revocation list pRL, a signature Formally speaking, let Σi be the set of all signatures generated based revocation list sRL, and a signature σ,thisver- by the platform Pi,wehave ify algorithm outputs valid, invalid,orrevoked. σ ← Sign(gpk, ski,m,sRL), valid/invalid/revoked ← Verify(gpk,m,pRL, sRL,σ)=valid Verify(gpk,m,pRL, sRL,σ) ⇐⇒ (ski ∈ pRL) ∧ (Σi ∩ sRL = ∅) Note that the verifier needs to use the same sRL 2) Anonymity for Unrevoked Platforms: An EPID scheme that is used in the signature creation to verify the satisfies the anonymity property for unrevoked platforms if signature, otherwise the verification would fail. It no adversary can win the following anonymity game. In the is not an issue in practice as the verifier will send anonymity game, the goal of the adversary is to determine the latest sRL to the platform as a challenge. Given which one of two private keys was used in generating a a signature already created, the verifier cannot later signature. As mentioned earlier, given a signature and a private

770 key, the adversary could determine whether the signature was 1) Setup. The challenger runs (gpk, isk) ← Setup(1k) generated using the private key, thus the adversary should not and sends gpk to the adversary A. The challenger sets be given access to either key. The anonymity game between a U := ∅, the set of platforms controlled by the adversary. challenger and an adversary A is defined as follows. 2) Queries. The adversary A can make the following 1) Setup. The adversary A runs (gpk, isk) ← Setup(1k) queries to the challenger. and sends gpk to the challenger. a) Join. A requests for creating a new platform Pi. 2) Queries. The adversary A can make the following The challenger makes sure that i has not been queries to the challenger. join requested before. There are two cases as A ⊥ ← a) Join. A requests for creating a new platform Pi. follows: (1) the challenger and run , ski The challenger makes sure that i has not been JoinI,A(gpk, isk), gpk,whereA gets ski requested before and then runs the join protocol as from the join protocol. A sends ski to the chal- Pi with A as the issuer. In the end, the challenger lenger who appends i to U, or (2) the challenger obtains ski. runs locally the join protocol and generates ski. b) Sign. A chooses a subset of the signatures obtained Note that A does not learn ski. from the challenger as sRL1. A may add signatures b) Sign. A chooses a subset of the signatures obtained that he computes to sRL. A requests a signature from the challenger as sRL. A requests a signature P on a message m with sRL for platform Pi.The on a message m with sRL for platform i.The P challenger makes sure Pi has been created, com- challenger makes sure i has been created, com- ← ( ) putes σ ← Sign(gpk, ski,m, sRL), and returns σ putes σ Sign gpk, ski,m,sRL , and returns σ to A. to A. A P c) Corrupt. A requests the private key of Pi.The c) Corrupt. requests the private key of i.The P challenger makes sure Pi has been created and then challenger makes sure i has been created before, responds with ski. responds with ski, and appends i to U. ∗ 3) Challenge. A outputs a message , a subset of the 3) Response. Finally, A outputs a message m ,aprivate m ∗ signatures obtained from the challenger as ,andtwo key based revocation list pRL , a signature based revo- sRL ∗ ∗ indices i0 and i1. A must have not made a corruption cation list sRL , and a signature σ . query on either index and sRL cannot include signa- The adversary wins the game if: (1) Verify(gpk, pRL∗, ∗ ∗ ∗)=valid ∈ ∈ tures from either Pi0 or Pi1 . The challenger chooses sRL ,σ ,m ; (2) for every i U, either ski ∗ ∗ ∗ a random bit b ←{0, 1}, computes a signature σ ← pRL or one of the signatures created by Pi is placed in sRL ; ( ) ∗ A A ∗ ∗ Sign gpk, skib ,m,sRL , and sends σ to . and (3) did not obtain σ by making a sign query on m .In 4) Restricted Queries. After the challenge phase, A can other words, the adversary wins if he can forge a valid group make additional queries to the challenger, restricted as signature that he has not queried the signature before, and all follows. the private keys he knows have been revoked. a) Join. A can make join queries as before. Definition 2: An EPID scheme is unforgeable, if for every ∗ A b) Sign. As before, except that A cannot include σ probabilistic polynomial-time adversary , the probability in in sRL. winning the unforgeability game is negligible. c) Corrupt. As before, but A cannot make corrupt Note that a signature scheme that satisfies the EPID security queries at i0 and i1. model above is unforgeable under chosen message attacks.  This follows immediately from the unforgeability game. 5) Output. Finally, A outputs a bit b . The adversary wins  = if b b. III. BACKGROUND AND BUILDING BLOCKS A We define ’s advantage in winning the anonymity game as A. Background on Bilinear Maps |Pr [b = b]−1/2|. The probability is taken over the coin tosses We follow the notation of Boneh, Boyen, and Shacham [6] of A, of the randomized setup, join, and sign algorithms, and to review some background on bilinear maps. Let G1 and G2 over the choice of b. to two multiplicative cyclic groups of prime order p.Letg1 Definition 1: An EPID scheme is anonymous for unrevoked be a generator of G1 and g2 be a generator of G2.Wesay platforms, if for every probabilistic polynomial-time adversary e : G1 ×G2 → GT is an admissible bilinear map, if it satisfies A, the advantage in winning the anonymity game is negligible. the following properties: 3) Unforgeability: We say that an EPID scheme is un- ∈ ∈ ∈ Z forgeable if no adversary can win the following unforgeability 1) Bilinear. For all u G1,v G2,andforalla, b , ( a b)= ( )ab game. In the unforgeability game, the adversary’s goal is to e u ,v e u, v . ( ) =1 forge a valid signature, given that all private keys known to the 2) Non-degenerate. e g1,g2 and is a generator of GT . adversary have been revoked. The traceability game between 3) Computable. There exists an efficient algorithm for ( ) ∈ ∈ a challenger and an adversary A is defined as follows. computing e u, v for any u G1,v G2. We sometimes call the two groups (G1,G2) in the above 1A may choose a different sRL for each sign query. a bilinear group pair. In the rest of this paper, we consider

771 k bilinear maps e : G1 × G2 → GT where G1, G2,andGT are Setup: Given 1 , this algorithm chooses a bilinear group multiplicative groups of prime order p. We could set G1 = G2. pair (G1,G2) of prime order p and a bilinear map function However, we allow for the more general case where G1 = e : G1 × G2 → GT . It also chooses a cyclic group G3 of G2 so that we are not limited to choose supersingular elliptic order p in which the DDH problem is hard. Let g1,g2,g3 curves, this allows us to take advantage of certain families of be the generators of G1, G2,andG3 respectively. It chooses ∗ γ elliptic curves in order to obtain the shortest possible private h1,h2 ← G1, γ ← Zp, and computes w := g2 . This algorithm keys and group signatures. outputs

(gpk, isk):=((e, p, G1,G2,G3,g1,g2,g3,h1,h2,w),γ) B. Cryptographic Assumptions : {0 1}∗ → Z 1) Strong Diffie-Hellman Assumption: Let G1 and G2 be Let H , p be a collision resistant hash function. two cyclic groups of prime order p, respectively, generated We treat H as a random oracle in the proof of security. In the ( ) by g1 and g2.Theq-Strong Diffie-Hellman (q-SDH) problem rest of this paper, we use T1,T2,T3,T4 to denote e g1,g2 , ( ) ( ) ( ) in (G1,G2) is defined as follows: Given a (q +3)-tuple e h1,g2 , e h2,g2 ,ande h2,w , respectively. T1,T2,T3,T4 γ (γq) γ can be pre-computed by the platforms and verifiers. of elements (g1,g1 ,...,g1 ,g2,g2 ) as input, output a pair 1/(γ+x) ∗ Join: The join protocol is performed by a platform P and (g1 ,x) where x ∈ Zp. An algorithm A has advantage  the issuer I. P takes gpk as input and I has gpk and isk. in solving q-SDH problem in (G1,G2) if   The protocol has the following steps: γ (γq) γ 1/(γ+x) P  ← Z := Pr A(g1,g1 ,...,g1 ,g2,g2 )=(g1 ,x) ≥  1) chooses at random f,y p and computes C f y h1 · h2 . where the probability is over the random choice of γ and the 2) P sends C to I, and performs the following proof of random bits of A. knowledge to I

( )  Definition 3: We say that the q, t,  -SDH assumption  f y PK {(f,y ):h · h = C} holds in (G1,G2) if no t-time algorithm has advantage at least 1 2  in solving the q-SDH problem. We can use the standard zero-knowledge proof protocols The q-SDH assumption was used by Boneh and Boyen [5] such as [23], [34]. Because the security proof requires to construct a short signature scheme without random oracles rewinding to extract f from an adversarial platform, this and was shown in the same paper that q-SDH assumption step can only be run sequentially. To support concurrent holds in the generic group in the sense of Shoup [35]. The q- join, we could use verifiable [20] of the f SDH assumption was later used in [6] for constructing a short value or use the concurrent join technique described group signature scheme. The security of the SDH problem was in [29] with some loss of efficiency. studied by Cheon [27].  3) I chooses at random x ← Zp and y ← Zp,and 2) Decisional Diffie-Hellman Assumption: Let G, gener- computes ated by g, be a cyclic group of prime order p. The Decisional y 1/(x+γ) Diffie-Hellman (DDH) problem in G is defined as follows: A := (g1 · C · h2 ) . Given a tuple of elements ( a b c) as input, output 1 if g,g ,g ,g  = and 0 otherwise. An algorithm A has advantage in 4) I sends (A, x, y ) to the platform. c ab    solving DDH problem in G if 5) P computes y := y + y (mod p) and verifies that x f y e(A, wg )=e(g1h h ,g2).   2 1 2 a b ab 6) P outputs sk := (A, x, y, f) where (A, x, y) is a |Pr g ← G, a, b ← Zp : A(g,g ,g ,g )=1 −   a b c membership certificate on f. Pr g ← G, a, b, c ← Zp : A(g,g ,g ,g )=1 |≥ Sign: On input of gpk, sk =(A, x, y, f), a message m ∈ {0 1}∗ where the probability is over the uniform random choice of , , and a signature based revocation list sRL,thissign the parameters to A and over the random bits of A. algorithm has the following steps: f Definition 4: We say that the (t, )-DDH assumption holds 1) It chooses B ← G3 and computes K := B . in G if no t-time algorithm has advantage at least  in solving 2) It chooses a ← Zp, computes that b := y + ax mod p := · a the DDH problem in G. and T A h2. 3) It runs the following signature of knowledge protocol

IV. OUR EPID SCHEME f SPK {(x, f, a, b):B = K ∧ −x f b a There are four types of entities in our construction of EPID: e(T,g2) · T2 · T3 · T4 = e(T,w)/T1}(m). an issuer I, a revocation manager R, platforms P, and verifiers V. Our EPID scheme has the following algorithms Setup, Sign, a) It randomly picks Verify,andRevoke and one interactive protocol Join which are ← Z ← Z ← Z ← Z defined as follows. rx p,rf p,ra p,rb p.

772 b) It computes 7) Let sRL = {(B1,K1), ...,(Bn2 ,Kn2 )}.Fori =1,..., n2, it verifies that σi is indeed a valid zero-knowledge := rf R1 B , proof −rx rf rb ra R2 := e(T,g2) · T2 · T3 · T4 , f f SPK{( ): = ∧ i = }( ) −rx rf rb−arx ra f K B K Bi m . := e(A, g2) · T2 · T3 · T4 . 8) If any of the above two steps fails, it outputs revoked, c) It then computes otherwise, outputs valid. Revoke: Initially, both revocation lists are empty, i.e., c := H(gpk,B,K,T,R1,R2,m). pRL := ∅ and sRL := ∅. d) It computes in Zp 1) Private-key based revocation:Givengpk, pRL,and aprivatekeysk =(A, x, y, f) to be revoked, R sx := rx + cx, sf := rf + cf, updates pRL as follows: R verifies the correctness of a := a + b := b + x s r ca, s r cb. sk by checking whether the equation e(A, g2 w)= f y e(g1h h ,g2) holds, then appends f to pRL. 4) It sets σ0 := (B,K,T,c,sx,sf ,sa,sb). 1 2 2) Signature based revocation:Givengpk, pRL, sRL,a 5) Let sRL = {(B1,K1),...,(Bn2 ,Kn2 )}.Fori =1, ..., message m, and corresponding signature σ, R updates n2, it proves in zero-knowledge that sk has not been =( ) R revoked in sRL, i.e., computes sRL as follows: Let σ σ0,σ1,...,σn2 . first verifies that σ is a valid signature on m, i.e., checks f f σi := SPK{(f):K = B ∧ Ki = Bi }(m). Verify(gpk,m,pRL, ∅,σ0)=valid, then appends (B,K) in σ0 to sRL. We can use the zero-knowledge proof protocol from Observe that steps 2-4 of the join algorithm and steps 2-4 Camenisch and Shoup [20]. Note that we could batch of the verify algorithm indeed form a signature of knowledge all the n2 zero-knowledge proofs together as follows x f y f using the techniques in [12], [39] to achieve additional PK{(A, x, y, f):e(A, g2 w)=e(g1h1 h2,g2) ∧ K = B }. efficiency, i.e., computes We first show the correctness of the signature of knowledge f ( ) SPK{(f):K = B ∧ protocol. Let A, x, y, f be a private key that satisfies the ( x )= ( f y ) f = f f equations e A, g2 w e g1h1 h2,g2 and B K.Step3of 1 = ∧ ∧ n = }( ) K B1 ... K 2 Bn2 m . the sign algorithm is a standard way of proving the following For the simplicity, we assume the sign algorithm com- two equations hold: f −x f b a putes n2 individual zero-knowledge proofs. B = K, e(T,g2) · T2 · T3 · T4 = e(T,w)/T1. 6) If any of the zero-knowledge proofs in the previous step fails, it outputs σ := ⊥. The second equation holds because := ( ) x 7) It outputs the signature σ σ0,σ1,...,σn2 . e(T,w) · e(T,g2) x a x x a x Verify: On input of gpk, a message m, a private-key based = e(T,g2 w)=e(Ah2,g2 w)=e(A, g2 w) · e(h2,g2 w) revocation list pRL, a signature based revocation list sRL,and f y a a x = e(g1h h ,g2) · e(h2,w) · e(h2,g2 ) a signature σ, the verify algorithm has the following steps: 1 2 f y a ax = e(g1,g2) · e(h1,g2) · e(h2,g2) · e(h2,w) · e(h2,g2) 1) Let σ =(σ0,σ1,...,σn2 ),whereσ0 =(B,K,T,c,sx, f y+ax a sf ,sa,sb). = e(g1,g2) · e(h1,g2) · e(h2,g2) · e(h2,w) f b a 2) It first verifies that = e(g1,g2) · e(h1,g2) · e(h2,g2) · e(h2,w) ? ? ? = · f · b · a B,K ∈ G3,T∈ G1,sx,sf ,sa,sb ∈ Zp. T1 T2 T3 T4 . 3) It computes Theorem 1: The EPID scheme is correct. Theorem 2: The EPID scheme is anonymous in the random ˆ sf −c R1 := B · K , oracle model under the DDH assumption in G3. s ˆ −sx f sb sa c Theorem 3: The EPID scheme is unforgeable in the random R2 := e(T,g2) · T2 · T3 · T4 · (T1/e(T,w)) , s oracle model under the q-SDH assumption in (G1,G2). := ( −sx −c) · f · sb · sa · c e T,g2 w T2 T3 T4 T1 . Due to the space limit, the detailed proofs of the above 4) It verifies that theorems are given in the technical report version of this paper [14]. ? ˆ ˆ c = H(gpk,B,K,T,R1, R2,m). V. I MPLEMENTATION OF THE EPID SCHEME 5) If any of the above verification fails, it outputs invalid In this section, we first suggest two choices of elliptic curves and quits. and security parameters. We then analyze the efficiency of the

6) Let pRL = {f1,...,fn1 }.Fori =1,...,n1, it verifies EPID scheme and compare our scheme with the original EPID that K = Bfi . scheme in [12] and other related schemes.

773 A. Choices of Elliptic Curves and Security Parameters the EPID scheme in [12] due to much smaller private key We suggest the following two choices of security parameters. size, as hardware devices typically have limited size of secure 1) To achieve 80-bit security level, we choose k =6 storage to hide the private key. and use a family of non-supersingular elliptic curves private signature size defined by Miyaji et al. [33] for Tate pairing. As in [6], Our scheme 80-bit security 86 bytes 171 bytes we choose p and q to be 170-bit prime integers. Each Our scheme 128-bit security 129 bytes 257 bytes EPID scheme [12] 670 bytes 2800 bytes element in G1 can be represented by a 171-bit string. We  then choose a 170-bit prime q and construct G3 as an TABLE I A COMPARISON BETWEEN OUR PAIRING EPID SCHEME AND THE RSA order-p cyclic subgroup of group E(Fq ). The security BASED EPID SCHEME strength of this setting is approximately the same as a standard 1024-bit RSA algorithm. 2) To achieve 128-bit security level, as suggested by Koblitz and Menezes [31], the minimum size of G1 Brickell, Chen, and Li [11] developed the first pairing- ∗ base DAA scheme. Their scheme is based on Camenisch and is 256-bit and the minimum size of Fqk should be at least 3072-bit. We choose embedding degree k =12for Lysyanskaya’s pairing based group signature scheme [19]. Tate pairing and use a method developed by Barreto Chen, Morrissey, and Smart further optimized the DAA and Naehrig [4]. We choose p and q to be 256-bit scheme [26] by transferring the underlying pairing groups prime integers and choose G3 to be an elliptic curve from the symmetric to the asymmetric settings. We now show group of order p. The security strength of this setting that our EPID scheme is more efficient than the pairing based is approximately the same as a standard 3072-bit RSA DAA schemes [11], [26]. See Table II for details. algorithm. Note that Chen [25] and Brickell and Li [15] recently proposed DAA schemes built on top of this paper, respectively. B. Efficiency of the EPID Scheme Both DAA schemes [25], [15] have similar complexity as our We now summarize the efficiency of the EPID scheme. In EPID scheme. Again, both DAA schemes focus on the TPM what follows, we use EXP to denote an exponentiation or a implementation and reduce the TPM workload by outsourcing multi-exponentiation which has similar efficiency. majority of the computation to the host. • For parameters with 80-bit security, p is a 170-bit prime, Tsang et al. recently proposed a Blacklistable Anonymous each element in G1 or G3 is 171-bit in length. The size Credentials (BLAC) scheme in which a misbehaved user can of the private key is 681 bits or 86 bytes. The size of the be revoked based on his previous signatures [39]. The BLAC signature is 1363 bits or 171 bytes. scheme [39] shares a similarity of construction as our EPID • For parameters with 128-bit security, p is a 256-bit prime, scheme. However, our EPID scheme is about twice efficient each element in G1 or G3 is 257-bit in length. The size than [39] in both signature creation and verification and size of the private key is 1025 bits or 129 bytes. The size of of the signatures. Regarding to revocation, the BLAC scheme the signature is 2051 bits or 257 bytes. does not support private-key based revocation and has the same • To sign a signature, the platform can pre-compute T2, T3, efficiency for signature based revocation. If the size of sRL T4,ande(A, g2). The sign algorithm only takes 1 EXP is 10 (recall that hardware revocation is a rare event), our in G1,2EXPsinG3,1EXPinGT . EPID scheme is still around 25% more efficient than the BLAC • To verify a signature, the verifier can pre-compute T1, scheme in sign and verify algorithms. T2, T3,andT4. The verify algorithm takes 1 EXP in G2, VI. CONCLUSION 1EXPinG3,1EXPinGT , and 1 pairing operation. • For each item in pRL, the platform needs to do nothing We have presented a new EPID scheme from bilinear pairing. Our EPID scheme is efficient (if revocation list is while the verifier needs to perform 1 EXP in G3. • For each item in sRL, the platform needs to compute 3 small) and provably secure in the random oracle model under the -SDH assumption and the DDH assumption. It is a good EXPs in G3 and the verifier needs to perform 2 EXPs q candidate for hardware remote authentication and attestation. in G3 if we use the zero-knowledge proof in [20]. If we apply the batched zero-knowledge proof in [39], the We expect revocation to be a rare event due to the difficulty platform needs to compute 2 EXPs and the verifier needs of hardware attacks that are not scalable. The future work to compute 1 EXP. includes developing new EPID schemes with more efficient revocation while maintaining maximum user’s privacy such C. Comparison with EPID, DAA, and BLAC Schemes that EPID scheme can be used beyond hardware authentication Brickell and Li developed an EPID scheme from the strong and used as a generic anonymous authentication method. RSA assumption [12]. Their scheme is derived from the REFERENCES original DAA scheme in [10]. Using 2048-bit RSA modulus which has about 100-bit security, the length of private key is [1] G. Ateniese, J. Camenisch, M. Joye, and G. Tsudik. A practical and provably secure coalition-resistant group signature scheme. In Advances 670 bytes and the size of a signature is 2800 bytes in their in Cryptology — CRYPTO ’00, volume 1880 of LNCS, pages 255–270. scheme. Our EPID scheme offers significant advantage over Springer, 2000.

774 private key size signature size sign verify Our EPID scheme 86 bytes 171 bytes 4EXP 3EXP+1P BCL DAA scheme [11] 213 bytes 512 bytes 10 EXP 2EXP+5P CMS DAA scheme [26] 86 bytes 148 bytes 8EXP+1P 1EXP+5P DAA schemes based on this paper [25], [15] 64 bytes 171 bytes 5EXP 3EXP+1P BLAC scheme [39] 86 bytes 320 bytes 10 EXP 7EXP+2P TABLE II A COMPARISON BETWEEN OUR EPID SCHEME, THE PAIRING BASED DAA SCHEMES [11], [26], [25], [15], AND THE BLAC SCHEME [39] WITH 80-BIT SECURITY LEVEL, WHERE EXP DENOTES MULTI-EXPONENTIATION AND P DENOTES A PAIRING OPERATION.

[2] G. Ateniese, D. X. Song, and G. Tsudik. Quasi-efficient revocation in tion of discrete logarithms. In Advances in Cryptology — CRYPTO ’03, group signatures. In Proceedings of the 6th International Conference volume 2729 of LNCS, pages 126–144. Springer, 2003. on Financial , volume 2357 of LNCS, pages 183–197. [21] J. Camenisch and M. Stadler. Efficient group signature schemes for Springer, 2002. large groups. In Advances in Cryptology — CRYPTO ’97, volume 1296 [3] M. Backes, M. Maffei, and D. Unruh. Zero-knowledge in the applied pi- of LNCS, pages 410–424. Springer, 1997. calculus and automated verification of the direct anonymous attestation [22] D. Chaum. Security without identification: Transaction systems to make protocol. In Proceedings of IEEE Symposium on Security and Privacy, big brother obsolete. Communications of the ACM, 28(10):1030–1044, pages 202–215. IEEE Computer Society, 2008. 1985. [4] P. S. L. M. Barreto and M. Naehrig. Pairing-friendly elliptic curves [23] D. Chaum, J.-H. Evertse, and J. van de Graaf. An improved protocol of prime order. In Proceedings of the 12th International Workshop on for demonstrating possession of discrete logarithms and some general- Selected Areas in Cryptography, volume 3897 of LNCS, pages 319–331. izations. In Advances in Cryptology — EUROCRYPT ’87, volume 304 Springer, 2005. of LNCS, pages 127–141. Springer, 1987. [5] D. Boneh and X. Boyen. Short signatures without random oracles. In [24] D. Chaum and E. van Heyst. Group signatures. In Advances in Advances in Cryptology — EUROCRYPT ’04, volume 3027 of LNCS, Cryptology — EUROCRYPT ’91, volume 547 of LNCS, pages 257–265. pages 56–73. Springer, 2004. Springer, 1991. [6] D. Boneh, X. Boyen, and H. Shacham. Short group signatures. In [25] L. Chen. A DAA scheme requiring less TPM resources. In Proceedings Advances in Cryptology — CRYPTO ’04, volume 3152 of LNCS, pages of the 5th China International Conference on Information Security and 41–55. Springer, 2004. Cryptology, LNCS. Springer, 2009. [7] D. Boneh and H. Shacham. Group signatures with verifier-local [26] L. Chen, P. Morrissey, and N. P. Smart. Pairings in trusted computing. revocation. In Proceedings of 11th ACM Conference on Computer and In Proceedings of the 2nd Internation Conference on Pairing-Based Communications Security, pages 168–177, Oct. 2004. Cryptography, volume 5209 of LNCS, pages 1–17. Springer, 2008. [8] S. A. Brands. Rethinking Public Key Infrastructures and Digital [27] J. H. Cheon. Security analysis of the strong diffie-hellman problem. In Certificates: Building in Privacy. MIT Press, Aug. 2000. Advances in Cryptology — EUROCRYPT ’06, volume 4004 of LNCS, [9] E. Bresson and J. Stern. Efficient revocation in group signatures. In pages 1–11. Springer, 2006. Proceedings of the 4th International Workshop on Practice and Theory [28] J. Furukawa and H. Imai. An efficient group signature scheme from in Public Key Cryptography, pages 190–206. Springer, 2001. bilinear maps. IEICE Transactions, 89-A(5):1328–1338, 2006. [10] E. Brickell, J. Camenisch, and L. Chen. Direct anonymous attestation. [29] A. Kiayias and M. Yung. Group signatures with efficient concurrent In Proceedings of the 11th ACM Conference on Computer and Commu- join. In Advances in Cryptology — EUROCRYPT ’05, volume 3494 of nications Security, pages 132–145. ACM Press, 2004. LNCS, pages 198–214. Springer, 2005. [11] E. Brickell, L. Chen, and J. Li. A new direct anonymous attestation [30] J. Kilian and E. Petrank. Identity escrow. In Advances in Cryptology — scheme from bilinear maps. In Proceedings of 1st International CRYPTO ’98, volume 1642 of LNCS, pages 169–185. Springer, 1998. Conference on Trusted Computing, volume 4968 of LNCS, pages 166– [31] N. Koblitz and A. Menezes. Pairing-based cryptography at high security 178. Springer, 2008. levels. In Proceedings of the 10th IMA International Conference [12] E. Brickell and J. Li. Enhanced Privacy ID: A direct anonymous on Cryptography and Coding, volume 3796 of LNCS, pages 13–36. attestation scheme with enhanced revocation capabilities. In Proceedings Springer, 2005. of the 6th ACM Workshop on Privacy in the Electronic Society, pages [32] A. Leung and C. J. Mitchell. Ninja: Non identity based, privacy 21–30. ACM Press, Oct. 2007. preserving authentication for ubiquitous environments. In Proceedings [13] E. Brickell and J. Li. Enhanced Privacy ID: A remote anonymous of 9th International Conference on Ubiquitous Computing, volume 4717 attestation scheme for hardware devices. Intel Technology Journal: of LNCS, pages 73–90. Springer, 2007. Advances in Internet Security, 13(2), 2009. [33] A. Miyaji, M. Nakabayashi, and S. Takano. New explicit conditions of elliptic curve traces for FR-reduction. IEICE Transactions on [14] E. Brickell and J. Li. Enhanced Privacy ID from bilinear pairing. Cryp- Fundamentals, E84-A(5):1234–1243, 2001. tology ePrint Archive, Report 2009/095, 2009. http://eprint.iacr.org/. [34] T. P. Pedersen. Non-interactive and information-theoretic secure verifi- [15] E. Brickell and J. Li. A pairing-based DAA scheme further reducing able secret sharing. In Advances in Cryptology — CRYPTO ’91, volume TPM resources. In Proceedings of 3rd International Conference on Trust 576 of LNCS, pages 129–140. Springer, 1991. and Trustworthy Computing, pages 181–195. Springer, 2010. [35] V. Shoup. Lower bounds for discrete logarithms and related problems. [16] J. Camenisch and J. Groth. Group signatures: Better efficiency and In Advances in Cryptology — EUROCRYPT ’97, volume 1233 of LNCS, new theoretical aspects. In Proceedings of 4th International Conference pages 256–266. Springer, 1997. on Security in Communication Networks, volume 3352 of LNCS, pages [36] D. X. Song. Practical forward secure group signature schemes. In Pro- 122–135. Springer, 2005. ceedings of the 8th ACM Conference on Computer and Communications [17] J. Camenisch and A. Lysyanskaya. An efficient system for non- Security, pages 225–234. ACM Press, 2001. transferable anonymous credentials with optional anonymity revocation. [37] Trusted Computing Group. TCG TPM specification 1.2, 2003. Available In Advances in Cryptology — EUROCRYPT ’01, volume 2045 of LNCS, at http://www.trustedcomputinggroup.org. pages 93–118. Springer, 2001. [38] Trusted Computing Group website. http://www.trustedcomputinggroup. [18] J. Camenisch and A. Lysyanskaya. Dynamic accumulators and appli- org. cation to efficient revocation of anonymous credentials. In Advances [39] P. P. Tsang, M. H. Au, A. Kapadia, and S. W. Smith. Blacklistable in Cryptology — CRYPTO ’02, volume 2442 of LNCS, pages 61–76. anonymous credentials: Blocking misbehaving users without TTPs. In Springer, 2002. ACM Conference on Computer and Communications Security, pages [19] J. Camenisch and A. Lysyanskaya. Signature schemes and anonymous 72–81. ACM Press, 2007. credentials from bilinear maps. In Advances in Cryptology — CRYPTO ’04, volume 3152 of LNCS, pages 56–72. Springer, 2004. [20] J. Camenisch and V. Shoup. Practical verifiable encryption and decryp-

775