Are the DAA Anonymity Revocation algorithms valid in "TCG Software Stack (TSS)
Specification Version 1.2 Level 1 Errata A"?
Background:
I have just made implementation changes to my copy of 0.3.13 Trousers to where
the Direct Anonymous Attestation commitment calculations and anonymity
revocation works according to the specification (TCG Software Stack (TSS)
Specification Version 1.2 Level 1 Errata A). I found that Jan Camenisch has
patents (e.g. US20050268103 A1) on some of these algorithms and they correspond
well with the specification. This was a difficult search for references, since
the reference section in the specification was very sparse on DAA and dated in
2004. I also am aware there have been many discussions of shortcomings of the
anonymity revocation - which I wonder about in this post.
Brickell and Li wrote "Enhanced Privacy ID: A Direct Anonymous Attestation
Scheme with Enhanced Revocation Capabilities" in 2007. This offered an approach
to solve some shortcomings in anonymity revocation.
I also know the late Hal Finney implemented the DAA Sign and Join operations up
to commitments and anonymity revocation in August of 2008, roughly a year
later, but I'm not aware if Hal knew about the weakness in anonymity revocation
- since he did not get to the point of implementing it.
Now Trousers 0.3.10 was released in 2010. It's a mystery that a lot of
discussion of security flaws in DAA has happened in those three years or so
since the Errata spec, yet the TrouSerS group went ahead and added the basic
functionality and a #ifdef'ed section on anonymity revocation. Why do that if
there are flaws and why not mention the flaws in the release notes? So I don't
know if the anonymity revocation security issues are relevant or not, however
the spec follows the guide in Camenisch's patent. I wonder if anyone out there
can tell me?
I would release my copy into the open source however, like Hal Finney wrote
back in 2008 I might not have the rights to it based on my employment
commitments. It's basically a personal exercise for the time being that got me
familiarization with the Camenisch-Lysyanskaya signature and Cramer-Shoup
encryption scheme.
The white papers were implying the basic DAA of the Errata specification are
fine. I would hope? I fear that the DAA_Sign and DAA_Join operations would
possibly require modification if not, and that would be a change in platform.c
I would like to tell my employer about having the basic anonymity revocation
with commitments and the basic commands for anonymity revocation all
implemented. I don't think it is worthwhile unless someone can say the AR
algorithms in Tspi_DAA_ARA_GenerateKey, Tspi_DAA_ARA_RevokeAnonymity and
Tspi_Tpm_DAA_Sign are valid.
thanks
?
Bill
------------------------------------------------------------------------------
Developer Access Program for Intel Xeon Phi Processors
Access to Intel Xeon Phi processor-based developer platforms.
With one year of Intel Parallel Studio XE.
Training and support from Colfax.
Order your platform today.http://sdm.link/intel
_______________________________________________
TrouSerS-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/trousers-users
