On proofs of security for DAA schemes

Abstract

Direct anonymous attestation (DAA) is a mechanism for a remote user to provide a verifier with some assurance it is using software and/or hardware from trusted sets of software and/or hardware respectively. In addition, the user is able to control if and when a verifier is able to link two signatures: to determine whether or not they were produced by the same platform. The verifier is never able to tell which which particular platform produced a given signature or pair of signatures. We first address a problem with the proof of security for the original DAA scheme of Brickell, Camenisch and Chen. In particular, we construct an adversary that can tell if its in a simulation or not. We then provide the necessary changes to the simulator such that the adversary can no longer do this and prove this fact, hence repairing the proof. Our main contribution is a security analysis of the Chen, Morrissey and Smart (CMS) DAA scheme. This scheme uses asymmetric bilinear pairings and was proposed without a proof of security. We use the well established simulation based security model of Brickell, Camenisch and Chen and also use a similar proof technique to theirs. We prove the CMS scheme is secure in the random oracle model relative to the bilinear Lysyanskaya, Rivest, Sahai and Wolf (LRSW) assumption, the hardness of discrete logarithms in the groups used and collision resistance of the hash functions used in the scheme. © 2008 Springer Berlin Heidelberg.