Bill Martin
2016-12-20 21:18:14 UTC
Are the DAA Anonymity Revocation algorithms valid in "TCG Software Stack (TSS) Specification Version 1.2 Level 1 Errata A"?
Background:
I have just made implementation changes to my copy of 0.3.13 Trousers to where the Direct Anonymous Attestation commitment calculations and anonymity revocation works according to the specification (TCG Software Stack (TSS) Specification Version 1.2 Level 1 Errata A). I found that Jan Camenisch has patents (e.g. US20050268103 A1) on some of these algorithms and they correspond well with the specification. This was a difficult search for references, since the reference section in the specification was very sparse on DAA and dated in 2004. I also am aware there have been many discussions of shortcomings of the anonymity revocation - which I wonder about in this post.
Brickell and Li wrote "Enhanced Privacy ID: A Direct Anonymous Attestation Scheme with Enhanced Revocation Capabilities" in 2007. This offered an approach to solve some shortcomings in anonymity revocation.
I also know the late Hal Finney implemented the DAA Sign and Join operations up to commitments and anonymity revocation in August of 2008, roughly a year later, but I'm not aware if Hal knew about the weakness in anonymity revocation - since he did not get to the point of implementing it.
Now Trousers 0.3.10 was released in 2010. It's a mystery that a lot of discussion of security flaws in DAA has happened in those three years or so since the Errata spec, yet the TrouSerS group went ahead and added the basic functionality and a #ifdef'ed section on anonymity revocation. Why do that if there are flaws and why not mention the flaws in the release notes? So I don't know if the anonymity revocation security issues are relevant or not, however the spec follows the guide in Camenisch's patent. I wonder if anyone out there can tell me?
I would release my copy into the open source however, like Hal Finney wrote back in 2008 I might not have the rights to it based on my employment commitments. It's basically a personal exercise for the time being that got me familiarization with the Camenisch-Lysyanskaya signature and Cramer-Shoup encryption scheme.
The white papers were implying the basic DAA of the Errata specification are fine. I would hope? I fear that the DAA_Sign and DAA_Join operations would possibly require modification if not, and that would be a change in platform.c
I would like to tell my employer about having the basic anonymity revocation with commitments and the basic commands for anonymity revocation all implemented. I don't think it is worthwhile unless someone can say the AR algorithms in Tspi_DAA_ARA_GenerateKey, Tspi_DAA_ARA_RevokeAnonymity and Tspi_Tpm_DAA_Sign are valid.
thanks
?
Bill
Background:
I have just made implementation changes to my copy of 0.3.13 Trousers to where the Direct Anonymous Attestation commitment calculations and anonymity revocation works according to the specification (TCG Software Stack (TSS) Specification Version 1.2 Level 1 Errata A). I found that Jan Camenisch has patents (e.g. US20050268103 A1) on some of these algorithms and they correspond well with the specification. This was a difficult search for references, since the reference section in the specification was very sparse on DAA and dated in 2004. I also am aware there have been many discussions of shortcomings of the anonymity revocation - which I wonder about in this post.
Brickell and Li wrote "Enhanced Privacy ID: A Direct Anonymous Attestation Scheme with Enhanced Revocation Capabilities" in 2007. This offered an approach to solve some shortcomings in anonymity revocation.
I also know the late Hal Finney implemented the DAA Sign and Join operations up to commitments and anonymity revocation in August of 2008, roughly a year later, but I'm not aware if Hal knew about the weakness in anonymity revocation - since he did not get to the point of implementing it.
Now Trousers 0.3.10 was released in 2010. It's a mystery that a lot of discussion of security flaws in DAA has happened in those three years or so since the Errata spec, yet the TrouSerS group went ahead and added the basic functionality and a #ifdef'ed section on anonymity revocation. Why do that if there are flaws and why not mention the flaws in the release notes? So I don't know if the anonymity revocation security issues are relevant or not, however the spec follows the guide in Camenisch's patent. I wonder if anyone out there can tell me?
I would release my copy into the open source however, like Hal Finney wrote back in 2008 I might not have the rights to it based on my employment commitments. It's basically a personal exercise for the time being that got me familiarization with the Camenisch-Lysyanskaya signature and Cramer-Shoup encryption scheme.
The white papers were implying the basic DAA of the Errata specification are fine. I would hope? I fear that the DAA_Sign and DAA_Join operations would possibly require modification if not, and that would be a change in platform.c
I would like to tell my employer about having the basic anonymity revocation with commitments and the basic commands for anonymity revocation all implemented. I don't think it is worthwhile unless someone can say the AR algorithms in Tspi_DAA_ARA_GenerateKey, Tspi_DAA_ARA_RevokeAnonymity and Tspi_Tpm_DAA_Sign are valid.
thanks
?
Bill