As DAA scheme involves three types of entities: a DAA issuer, DAA signer, and DAA verifiers (herein respectively, Issuer, Signer, and Verifier). The Issuer is in charge of verifying the legitimacy of Signers to become members of a particular group (typically, all group members will possess a particular characteristic) and of issuing a membership credential, in the form of a signature of a Signer DAA secret, to each legitimate Signer to serve as an Issuer attestation of the Signer's group membership. A Signer can then prove its group membership to a Verifier by signing its membership credential to form a ‘DAA signature’. The Verifier can verify the Signer's membership credential from this DAA signature but he cannot learn the identity of the Signer.
The original DAA scheme, (described in the paper: “Direct anonymous attestation” E. Brickell, J. Camenisch, and L. Chen; Proceedings of the 11th ACM Conference on Computer and Communications Security, pages 132-145. ACM Press, 2004 and herein incorporated by reference in its entirety) employs the Camenisch-Lysyanskaya signature scheme under the strong RSA assumption. The original DAA scheme also uses the Fiat-Shamir heuristic to turn knowledge proofs into signatures; this heuristic is described in the paper “How to prove yourself: Practical solutions to identification and signature problems” by A. Fiat and A. Shamir.—Advances in Cryptology; CRYPTO '86, volume 263 of LNCS, pages 186-194. Springer, 1987.
Although the original DAA scheme was devised for implementation by a Trusted Platform Module (‘TPM’—an on-board hardware security component with limited storage space and communication capability that is intended to provide roots of trust for a host computing platform) with Signer computation shared between the TPM and host, this scheme and other DAA schemes can be applied in many situations and are not limited to situations where the Signer's role is divided between two entities.
A form of DAA scheme based on bilinear maps has recently been proposed and is described in the paper “A New Direct Anonymous Attestation Scheme from Bilinear Maps” Ernie Brickell, Liqun Chen and Jiangtao Li; Proceedings of Trust 2008, Villach/Austria, March 2008. This bilinear-map DAA scheme uses the Camenisch-Lysyanskaya signature scheme under the Lysyanskaya, Rivest, Sahai, and Wolf assumption.
As already indicated, the present invention is concerned with effecting revocation in the context of DAA. Of course, if a system, such as one implementing a DAA scheme, possesses the property of user privacy whereby it allows all users to access the system anonymously, efficiently revoking a user is inherently going to be problematic as revocation and anonymity are in conflict with each other.
Currently, there are three types of revocation solution are known for DAA. In the original DAA paper, two solutions were proposed:                In the first solution, revocation is consequent upon a Signer's DAA secret becoming known; anybody believing they have come into possession of a Signer's DAA secret (which, of course, should not happen) can check if this is truly the case by carrying out a check to verify whether a DAA signature from the Signer was signed using the secret or not—if yes, the signature is rejected as the Signer's DAA secret has clearly been compromised. The problem with this solution is that it only works after a Signer's DAA secret is revealed, but it might never happen.        In the second solution, a Verifier builds his own black list of unwelcome Signers.        
In order to find whether a DAA signature was signed by a black-listed Signer, the Verifier must require the Signer to use a specific basename in his DAA signature, which destroys the interesting property of unlinkability.
A third solution has recently proposed by Brickell and Li (see ‘Enhanced Privacy ID: A Direct Anonymous Attestation Scheme with Enhanced Revocation Capabilities’ 6th Workshop on Privacy in the Electronic Society (WPES), Alexandria, Va., October 2007), In this solution, in each DAA signature, a Signer is required to prove, in a zero-knowledge proof manner, that his private signing key is not listed in a black list maintained by a revocation manager. However, if the black list is quite large, which may well be the case, each DAA signature will be unduly large and complicated.