An anonymous attestation scheme with optional traceability

Abstract

Direct Anonymous Attestation (DAA) is a cryptographic scheme designed for anonymous attestation of a hardware device while preserving the privacy of the device owner. Signatures created by a DAA signer are anonymous and untraceable, i.e., cannot be opened to find out the identity of the signer. To prevent abuse of privacy, DAA has a feature called user-controlled-traceability in which the signer and verifier can negotiate whether or not the signatures from the signer can linked. This feature is a preventive mechanism against corrupted DAA signers because they can be prevented from making multiple anonymous authentications. However, it is not a proactive deterrent against such activity as nobody is able to identify the corrupted signer. In this paper, we introduce a new cryptographic scheme called Optionally Traceable Anonymous Attestation (OTAA), in which the signer and verifier can negotiate whether signatures from the signer are traceable to the issuer instead of just being linkable. In the OTAA scheme, if a corrupted signer has produced a traceable signature or published his private key widely, the issuer can identify the signer and effectively revoke him using the verifier-local revocation. We give a construction of an OTAA scheme from bilinear pairing. Our OTAA scheme is efficient and provably secure in the random oracle model under the strong Diffie-Hellman assumption and the external Diffie-Hellman assumption. © 2010 Springer-Verlag.