For many modern communication systems, the reliability and security of exchanged information is a significant concern. To address this concern, the Trusted Computing Platform Alliance (TCPA) developed security solutions for platforms. In accordance with a TCPA specification entitled “Main Specification Version 1.1b,” published on or around Feb. 22, 2002, each personal computer (PC) is implemented with a trusted hardware device referred to as a Trusted Platform Module (TPM). Each TPM contains a unique endorsement key pair (EK), which features a public EK key (PUBEK) and a private EK key (PRIVEK). The TPM typically has a certificate for the PUBEK signed by the manufacturer.
During operation, the TPM records information about the software and hardware environment of its PC. In order for an outside party (referred to as a “challenger”) to learn about the software and/or hardware environment of the PC, a challenger can request the TPM to generate and provide a report. This creates two opposing security concerns.
First, the challenger needs to be sure that the report is really coming from a valid TPM. Second, the owner of the PC wants to maintain as much privacy as possible. In particular, the owner of the PC wants to be able to give reports to different challengers without those challengers being able to determine that the reports are coming from the same TPM.
One proposed solution to these security issues is to establish a Trusted Third Party (TTP). For instance, the TPM would create an Attestation Identity Key pair (AIK), namely a public AIK key and a private AIK key. The public AIK key would be placed in a certificate request signed with the PRIVEK, and subsequently sent to the TTP. The certificate for the PUBEK would also be sent to the TTP. The TTP would check that the signed certificate request is valid, and if valid, the TTP would issue a certificate to the TPM. The TPM would then use the public AIK and the TTP-issued certificate when the TPM received a request from a challenger. Since the AIK and certificate would be unrelated to the EK, the challenger would get no information about the identity of the TPM or PC implemented with the TPM.
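The TTP flow described above, modelled end to end as an added example (this is not code from the patent, from the TCPA specification, or from any TPM implementation). The parties Manufacturer, TPM, TTP and the challenger function, the message field names, and the sample PCR value are assumptions of this example; signatures are unpadded textbook RSA over SHA-256 with small toy keys, which is insecure and serves only to make the message exchange concrete. The example also shows the two properties the text cares about: the TTP refuses a request whose PRIVEK signature does not chain to a manufacturer-certified PUBEK, and the AIK certificates handed to two different challengers carry nothing that links them to the EK.

```python
import hashlib
import json
import random

_rng = random.Random(2024)  # deterministic toy keys; a real TPM uses a hardware RNG
_canon = lambda obj: json.dumps(obj, sort_keys=True).encode()


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin test, used only to generate toy RSA keys."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        p = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(p):
            return p


def keygen(bits=512):
    """Toy textbook-RSA pair ((n, e), (n, d)); n > 2**510 so a SHA-256 digest is always < n."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so phi % e != 0 means gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def sign(priv, obj):
    """Unpadded RSA signature over SHA-256 of canonical JSON (insecure toy, illustration only)."""
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(_canon(obj)).digest(), "big"), d, n)


def verify(pub, obj, sig):
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(_canon(obj)).digest(), "big")


class Manufacturer:
    """Certifies each TPM's public endorsement key (PUBEK)."""
    def __init__(self):
        self.pub, self._priv = keygen()

    def certify_ek(self, pubek):
        body = {"pubek": list(pubek)}
        return {**body, "sig": sign(self._priv, body)}


class TPM:
    def __init__(self, manufacturer):
        self.pubek, self._privek = keygen()       # endorsement key pair, fixed for the TPM's life
        self.ek_cert = manufacturer.certify_ek(self.pubek)
        self._aiks = {}                           # public AIK -> private AIK

    def make_aik_request(self):
        """Fresh Attestation Identity Key plus a certificate request signed with PRIVEK."""
        pub_aik, priv_aik = keygen()
        self._aiks[pub_aik] = priv_aik
        body = {"pub_aik": list(pub_aik)}
        return {**body, "sig_privek": sign(self._privek, body)}, self.ek_cert

    def quote(self, pub_aik, nonce, pcrs):
        """Report the recorded platform state, signed with the AIK chosen for this challenger."""
        report = {"nonce": nonce, "pcrs": pcrs}
        return report, sign(self._aiks[pub_aik], report)


class TTP:
    """Checks the PRIVEK-signed request against the manufacturer's EK certificate, then certifies the AIK."""
    def __init__(self, manufacturer_pub):
        self.pub, self._priv = keygen()
        self._mfr_pub = manufacturer_pub

    def issue_aik_cert(self, request, ek_cert):
        if not verify(self._mfr_pub, {"pubek": ek_cert["pubek"]}, ek_cert["sig"]):
            return None  # PUBEK is not vouched for by the trusted manufacturer
        if not verify(tuple(ek_cert["pubek"]), {"pub_aik": request["pub_aik"]}, request["sig_privek"]):
            return None  # request was not signed by that TPM's PRIVEK
        body = {"pub_aik": request["pub_aik"], "issuer": "TTP"}  # deliberately says nothing about the EK
        return {**body, "sig": sign(self._priv, body)}


def challenger_verify(ttp_pub, aik_cert, nonce, report, sig):
    """Challenger side: trust chain TTP -> AIK -> report, plus freshness via the nonce."""
    cert_body = {"pub_aik": aik_cert["pub_aik"], "issuer": aik_cert["issuer"]}
    return (verify(ttp_pub, cert_body, aik_cert["sig"])
            and report["nonce"] == nonce
            and verify(tuple(aik_cert["pub_aik"]), report, sig))


def run_flow():
    """Two challengers each get a report under a distinct AIK; a rogue TPM is refused a certificate."""
    mfr, results, certs = Manufacturer(), {}, []
    ttp, tpm = TTP(mfr.pub), TPM(mfr)
    for challenger in ("challenger_A", "challenger_B"):
        request, ek_cert = tpm.make_aik_request()
        aik_cert = ttp.issue_aik_cert(request, ek_cert)
        nonce = _rng.getrandbits(128)
        report, sig = tpm.quote(tuple(aik_cert["pub_aik"]), nonce, {"PCR0": "constructed-sample"})
        results[challenger] = challenger_verify(ttp.pub, aik_cert, nonce, report, sig)
        certs.append(aik_cert)
    results["certs_differ"] = certs[0]["pub_aik"] != certs[1]["pub_aik"]
    results["ek_absent"] = all("pubek" not in c and c["pub_aik"] != list(tpm.pubek) for c in certs)
    rogue = TPM(Manufacturer())  # EK certified by some other, untrusted manufacturer
    rogue_request, rogue_cert = rogue.make_aik_request()
    results["rogue_rejected"] = ttp.issue_aik_cert(rogue_request, rogue_cert) is None
    return results
```

Running `run_flow()` returns a dictionary in which both challengers accept their reports, the two AIK certificates differ and contain no EK material, and the rogue TPM's request is refused. The point the text makes about TTPs is visible in the structure: every AIK certificate depends on the TTP's key, so some party has to operate that key and hold the manufacturer public keys it trusts.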
In practice, the above-identified approach is problematic because it requires TTPs to be established. Identifying and establishing various parties that can serve as TTPs has proven to be a substantial obstacle.
Another proposed solution is set forth in a co-pending U.S. application Ser. No. 10/306,336, which is also owned by the assignee of the present application. This technique utilizes two interactive proofs (IP1, IP2). Thus, in order to achieve a probability of cheating of less than 1 in 2^20, the TPM would need to complete twenty (20) modular exponentiations with a 2048-bit modulus and a 2000-bit exponent for IP1, and twenty (20) modular exponentiations with a 2048-bit modulus and a 160-bit exponent for IP2. Since a TPM may require forty-five (45) seconds to compute a single modular exponentiation with a 2048-bit modulus and a 2000-bit exponent, the efficiency of the TPM computations has proven to be a substantial obstacle as well.