A DAA scheme involves three types of entities: a DAA issuer, DAA signer, and DAA verifiers (herein respectively, Issuer, Signer, and Verifier). The Issuer is in charge of verifying the legitimacy of Signers to become members of a particular group (generally, all group members will possess a particular characteristic), and of issuing a membership credential, in the form of a signature on a Signer's DAA secret, to each legitimate Signer to serve as an Issuer attestation of the Signer's group membership (possession of the particular characteristic). A Signer can prove its group membership to a Verifier by producing a DAA signature. The Verifier can verify the membership credential from the signature but cannot learn the identity of the Signer.
Although DAA schemes can be applied in many situations, the original DAA scheme (described in the paper “Direct anonymous attestation”, E. Brickell, J. Camenisch, and L. Chen, Proceedings of the 11th ACM Conference on Computer and Communications Security, pages 132-145, ACM Press, 2004) was devised for implementation by a Trusted Platform Module (TPM), an on-board hardware security component with limited storage space and communication capability that is intended to provide roots of trust for a computing platform (herein referred to as a “host”). For this application, the role of the Signer is split between a TPM and the host, with the TPM being the real signer and holding the secret signing key; the host, which has more computing resources, simply helps the TPM with the computation required of the Signer but is not allowed to learn the secret signing key.
A version of the original DAA scheme as applied to TPMs has been adopted by the Trusted Computing Group (TCG), an industry standardization body that aims to develop and promote an open industry standard for trusted computing hardware and software building blocks; the DAA scheme was standardized in the TCG TPM Specification 1.2, available at http://www.trustedcomputinggroup.org.
As is described in the above-referenced paper by Brickell, Camenisch, and Chen, the original DAA scheme employs the Camenisch-Lysyanskaya signature scheme under the strong RSA assumption (see J. Camenisch and A. Lysyanskaya, “Efficient non-transferable anonymous multi-show credential system with optional anonymity revocation”, in B. Pfitzmann, editor, Advances in Cryptology, EUROCRYPT 2001, volume 2045 of LNCS, pages 93-118, Springer Verlag, 2001). The original DAA scheme also uses the Fiat-Shamir heuristic to turn knowledge proofs into signatures; this heuristic is described in the paper “How to prove yourself: Practical solutions to identification and signature problems” by A. Fiat and A. Shamir, Advances in Cryptology, CRYPTO '86, volume 263 of LNCS, pages 186-194, Springer, 1987.
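The Fiat-Shamir step mentioned above, shown in its simplest form as an added illustration that is not part of the patent text or of any DAA implementation: a Schnorr proof of knowledge of a discrete logarithm is first run as a three-move interactive protocol, then turned into a signature by deriving the challenge from a hash of the prover's commitment and the message. All function names are the example's own, and the group parameters are constructed at 64 bits so the code runs quickly; a real DAA deployment uses far larger groups.

```python
import hashlib
import secrets

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # Miller-Rabin bases: deterministic for odd n, 37 < n < 2^64

def is_prime(n):
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(bits=63):  # constructed toy parameters: safe prime p = 2q + 1, g generating the order-q subgroup
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            return 2 * q + 1, q, 4  # 4 = 2^2 is a quadratic residue mod p, so its order is exactly q

def interactive_proof(p, q, g, x, y):
    """Schnorr proof of knowledge of x = log_g(y); the verifier must be online to choose c."""
    r = secrets.randbelow(q)                     # prover: random nonce
    t = pow(g, r, p)                             # prover -> verifier: commitment
    c = secrets.randbelow(q)                     # verifier -> prover: fresh random challenge
    s = (r + c * x) % q                          # prover -> verifier: response
    return pow(g, s, p) == t * pow(y, c, p) % p  # verifier: accept iff g^s == t * y^c

def fs_challenge(q, t, y, msg):  # Fiat-Shamir: the live challenge is replaced by a hash of the transcript
    return int.from_bytes(hashlib.sha256(f"{t}|{y}|".encode() + msg).digest(), "big") % q

def fs_sign(p, q, g, x, msg):
    """Signature of knowledge of x over msg; no verifier needs to be present while signing."""
    y, r = pow(g, x, p), secrets.randbelow(q)
    t = pow(g, r, p)
    return t, (r + fs_challenge(q, t, y, msg) * x) % q

def fs_verify(p, q, g, y, msg, sig):
    """Anyone can recompute c from (t, y, msg) and check the same Schnorr equation."""
    t, s = sig
    if not (0 < t < p and 0 <= s < q):           # reject malformed signatures before any arithmetic
        return False
    return pow(g, s, p) == t * pow(y, fs_challenge(q, t, y, msg), p) % p
```

In DAA the same transformation is applied to a more elaborate proof (knowledge of a secret carrying a valid Issuer credential), which is why a DAA signature can be checked offline by any Verifier without interacting with the Signer.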
One limitation of the original DAA scheme is that the lengths of private keys and DAA signatures are quite large (typically around 670 bytes and 2800 bytes, respectively), which can be a significant drawback when implemented for devices with limited resources such as a small TPM.
A form of DAA scheme based on bilinear maps has recently been proposed by Ernie Brickell and Jiangtao Li (Intel Corporation). This bilinear-map DAA scheme is described in US published Patent Application US 2008/020786 and permits the use of shorter private keys and DAA signatures. The bilinear-map DAA scheme uses the Camenisch-Lysyanskaya signature scheme under the Lysyanskaya, Rivest, Sahai, and Wolf (LRSW) assumption; this signature scheme is referred to hereinafter simply as the “CL-LRSW” signature scheme. The CL-LRSW signature scheme is described in the paper “Signature schemes and anonymous credentials from bilinear maps”, J. Camenisch and A. Lysyanskaya, Advances in Cryptology, CRYPTO '04, volume 3152 of LNCS, pages 56-72, Springer, 2004.
The present invention concerns an improved form of DAA scheme based on bilinear maps.