CN101359986A - Apparatus and method for direct anonymous attestation from bilinear maps - Google Patents

Apparatus and method for direct anonymous attestation from bilinear maps

Publication number: CN101359986A
Application number: CNA2008101336283A
Authority: CN (China)
Other versions: CN101359986B (granted publication)
Language: Chinese (zh)
Inventors: E. F. Brickell, J. Li
Original and current assignee: Intel Corp
Priority claimed from: US 11/778,804 (US 8078876 B2)
Legal status: granted; expired (fee related)
Prior art keywords: key, group, anonymous, trusted, hardware device

Classifications

    • H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication) > H04L 9/00 (Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols)
    • H04L 9/30: Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L 9/3066: Public key schemes involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H04L 9/3073: Public key schemes involving algebraic varieties and pairings, e.g. identity based encryption [IBE], bilinear mappings or bilinear pairings, e.g. Weil or Tate pairing
    • H04L 9/32: Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3247: Cryptographic mechanisms including such means and involving digital signatures
    • H04L 2209/00: Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication (H04L 9/00)
    • H04L 2209/42: Anonymization, e.g. involving pseudonyms

Abstract

Provided is a method and an apparatus for direct anonymous attestation from bilinear maps. In one embodiment, the method includes the creation of a public/private key pair for a trusted membership group defined by an issuer, and the assignment of a unique secret signature key to at least one member device of the trusted membership group defined by the issuer. In one embodiment, using the assigned signature key, a member may sign a message received as an authentication request to prove membership within the trusted membership group. In one embodiment, the group digital signature of the member is verified using the public key of the trusted membership group. Accordingly, a verifier of the digital signature is able to authenticate that the member is an actual member of the trusted membership group without requiring disclosure of any unique identification information of the member or of the private member key, which maintains the anonymity of trusted member devices. Other embodiments are described and claimed.

Description

Apparatus and method for direct anonymous attestation from bilinear maps
Technical field
One or more embodiments of the invention relate generally to the field of cryptography. More particularly, one or more embodiments of the invention relate to a method and apparatus for direct anonymous attestation from bilinear maps.
Background
For many modern communication systems, the reliability and security of exchanged information is a significant concern. To address this concern, the Trusted Computing Platform Alliance (TCPA) developed security solutions for such platforms. According to the TCPA specification entitled "Main Specification Version 1.1b", published on or around February 22, 2002, each personal computer (PC) is implemented with a trusted hardware device called a Trusted Platform Module (TPM).
During operation, an outside party (called a "verifier") may require authentication of the TPM. This creates two opposing security concerns. First, the verifier needs assurance that the requested authentication information really comes from a valid TPM. Second, the owner of the PC containing the TPM wants to keep as much privacy as possible. In particular, the owner of the PC wants to be able to provide authentication information to different verifiers without those verifiers being able to determine that the authentication information came from the same TPM.
The REAL ID Act of 2005 is Division B of the act of the United States Congress entitled "Emergency Supplemental Appropriations Act for Defense, the Global War on Terror, and Tsunami Relief, 2005" (Public Law 109-13, 119 Stat. 231, May 11, 2005). The REAL ID Act of 2005 created standards for the issuance of state driver's licenses. It is a law that imposes federal technical standards and verification procedures on state driver's licenses and identification cards, many of which exceed current federal capacity, and mandates nationwide compliance by May 2008. Implementations of the REAL ID Act for state driver's licenses generally attempt to expose sensitive private information about the credential holder. Unfortunately, such security information is often sold without the owner's consent and is often used to carry out fraudulent transactions in the owner's name without the owner's consent. Such conduct is commonly referred to as identity theft, an increasingly pervasive phenomenon that destroys the credit of innocent victims.
Description of the drawings
Various embodiments of the invention are illustrated by way of example, and not by way of limitation, in the accompanying drawings, in which:
Fig. 1 is a block diagram of a system featuring a platform implemented with a trusted platform module (TPM), according to one embodiment.
Fig. 2 is a block diagram further illustrating the platform of Fig. 1, according to one embodiment.
Fig. 3 is a block diagram further illustrating the TPM of Figs. 1 and 2, according to one embodiment.
Fig. 4 is a block diagram further illustrating the authentication logic of Fig. 3, according to one embodiment.
Fig. 5 is a flowchart of a method for establishing a trusted membership group of trusted member devices, according to one embodiment.
Fig. 6 is a flowchart of a method for generating a group public/private key pair and one or more public parameters, according to one embodiment.
Fig. 7 is a flowchart of a method for the join protocol that authenticates a member device of a trusted membership group, according to one embodiment.
Fig. 8 is a flowchart of a method by which a member device uses its private signature key to answer a received authentication request, according to one embodiment.
Fig. 9 is a flowchart of a method for verifying the group digital signature of a device in order to authenticate the device as a trusted member device of a trusted membership group, according to one embodiment.
Fig. 10 is a flowchart of a method for verifying that the private signature key used to generate a received signature does not contain a revoked private member key, according to one embodiment.
Description of embodiments
A method and apparatus for direct anonymous attestation from bilinear maps are described. In one embodiment, the method includes creating a public/private key pair for a trusted membership group defined by an issuer, and assigning a unique secret signature key to at least one anonymous member device of the trusted membership group defined by the issuer. In one embodiment, using the assigned signature key, a member may sign a message received as an authentication request to form a group digital signature. In one embodiment, the member's group digital signature may be verified using the public key of the trusted membership group. As a result, a verifier of the group digital signature can authenticate that the member is a genuine (trusted) member of the trusted membership group without requiring disclosure of any unique identification information of the member or of the unique private or public member key, so that trusted member devices can remain anonymous to the verifier.
In one embodiment, an anonymous hardware device participates in an authentication (join) procedure with the issuer to form a secret (private) signature key and thereby become a member of the trusted membership group. In one embodiment, the member device includes a trusted platform module (TPM) that digitally signs messages with the private signature key. In one embodiment, the TPM functionality for forming the private signature key and digitally signing messages is configured as firmware. It is understood, however, that this functionality may instead be configured as dedicated hardware or as software. Instructions or code forming the firmware or software are stored on a machine-readable medium.
Herein, a "machine-readable medium" may include, but is not limited to, a floppy disk, hard disk, optical disk (e.g., CD-ROM, DVD, mini-DVD), magneto-optical disk, semiconductor memory such as read-only memory (ROM), random access memory (RAM), any type of programmable read-only memory (e.g., programmable read-only memory "PROM", erasable programmable read-only memory "EPROM", electrically erasable programmable read-only memory "EEPROM" or flash memory), a magnetic or optical card, and the like. It is understood that, because software may be stored temporarily as part of a signal downloaded over a communication link, or stored temporarily during transmission, the signal itself and/or the communication link may also be regarded as a machine-readable medium.
In the following description, certain terminology is used to describe features of one or more embodiments of the invention. For example, a "platform" is defined as any type of communication device adapted to transmit and receive information. Examples of platforms include, but are not limited to, computers, personal digital assistants, cellular telephones, set-top boxes, facsimile machines, printers, modems, routers, smart cards, USB tokens, identification cards, driver's licenses, credit cards, other devices of similar form factor that contain an integrated circuit, and the like. A "communication link" is broadly defined as one or more information-carrying media adapted to a platform. Examples of communication links include, but are not limited to, electrical wire, optical fiber, cable, bus traces, or wireless signaling technology.
A "verifier" refers to any entity (e.g., a person, platform, system, software and/or device) that requests some verification of authenticity or authority from another entity. Normally this verification is performed before the requested information is disclosed or provided. A "prover" refers to any entity that is requested to provide some proof of its authority, validity and/or identity. A "prover" is also referred to as a "signer" when it signs a message with a private signature key in response to an authentication request. An "issuer" defines a trusted membership group and engages with hardware devices so that they can join the trusted membership group. A "device manufacturer" refers to any entity that manufactures or configures a platform or device (e.g., a trusted platform module) and may be used interchangeably with "certifying manufacturer". The issuer may be the device or certifying manufacturer.
As used herein, to "prove" to a verifier, or to "convince" a verifier, that a prover has or knows some cryptographic information (e.g., a signature key, a private key) means that, based on the information disclosed to the verifier and the proof, there is a high probability that the prover has the cryptographic information. To prove this to a verifier without "revealing" or "disclosing" the cryptographic information to the verifier means that, based on the information disclosed to the verifier, it would be computationally infeasible for the verifier to determine the cryptographic information. Such proofs are hereinafter referred to as direct proofs.
Throughout the following description and the discussion of the various embodiments, coefficients, variables and other symbols (e.g., "h") are referred to by the same label or name. Hence the same symbol denotes the same quantity wherever it appears, whether in different parts of an equation or in different equations or functional descriptions.
Fig. 1 shows a system 100, according to one embodiment, featuring a platform implemented with a trusted hardware device (referred to as a "trusted platform module" or "TPM"). A first platform 102 (the verifier) sends an authentication request 106 to a second platform 200 (the prover) via a network 120. In response to the request 106, the second platform 200 provides authentication information 108. In one embodiment, the network 120 forms part of a local or wide area network and/or a conventional network infrastructure such as a company intranet, the Internet or another similar network.
Additionally, for heightened security, the first platform 102 may need to verify that the prover platform 200 was manufactured by a selected device manufacturer or a selected group of device manufacturers (hereinafter "device manufacturer(s) (issuer) 110"). In one embodiment, the first platform 102 challenges the second platform 200 to show that it possesses cryptographic information (e.g., a private signature key) generated by the issuer 110. The second platform 200 replies to the challenge by providing authentication information in the form of a reply that convinces the first platform 102 that the second platform 200 possesses cryptographic information generated by the issuer 110, without revealing that cryptographic information or any device/platform identification information, referred to herein as "unique device identification information", so that trusted member devices remain anonymous to the verifier.
Fig. 2 is a block diagram further illustrating an example of an anonymous platform 200 that includes a TPM 220 and a private membership key, where the TPM 220 holds a group membership certificate, the private membership key is used to produce digital signatures, the group to which the TPM 220 belongs is common to all TPMs in that group, and the digital signature can be verified against that group's public key.
In one embodiment, the TPM 220, together with the platform 200, uses a private unique signature key 230 to generate authentication information that proves to a verifier that the platform 200 is a member of the trusted membership group defined by the issuer 110 (e.g., the device manufacturer), without disclosing any unique device identification information, including the private unique signature key, so that the trusted platform 200 remains anonymous to the verifier 102 (Fig. 1). Typically, the computer system 200 includes a processor system bus (front side bus, FSB) 204 for communicating information between a processor (CPU) 202 and a chipset 210. As described herein, the term "chipset" is used in a general sense to describe collectively the various devices coupled to the CPU 202 to perform the desired system functions.
Typically, a graphics block 218, a hard disk drive (HDD) 214 and a main memory 212 are coupled to the chipset 210. In one embodiment, the graphics block 218 includes a graphics chipset; alternatively, the chipset 210 may incorporate the graphics block 218 and operate as a graphics memory controller hub (GMCH). In one embodiment, the chipset 210 is configured to include a memory controller and/or an input/output (I/O) controller to communicate with I/O devices 216 (216-1, ..., 216-N). In one embodiment, the main memory 212 may include, but is not limited to, random access memory (RAM), dynamic RAM (DRAM), static RAM (SRAM), synchronous DRAM (SDRAM), double data rate (DDR) SDRAM (DDR-SDRAM), Rambus DRAM (RDRAM) or any device capable of supporting high-speed buffering of data.
Fig. 3 further illustrates the trusted platform module (TPM) 220 of the second platform 200, according to one embodiment. The TPM 220 is a cryptographic device manufactured by a device manufacturer. In one embodiment, the TPM 220 includes a processor unit 222 with a small amount of on-chip memory encapsulated within the package. In one embodiment, this encapsulated memory may be used to store the private unique membership key 230 generated during the join procedure with the issuer 110. The TPM 220 provides authentication information to the first platform 102 that enables it to determine that the authentication information was sent by a valid TPM. The authentication information used is randomized data, which makes it highly unlikely that the identity of the TPM or of the second platform can be determined.
In one embodiment, the TPM 220 further includes non-volatile memory 224 (e.g., flash memory) for storing cryptographic information such as one or more of the following: keys, hash values, signatures, certificates, and the like. In one embodiment, the cryptographic information is a private signature key received from the issuer 110, for example the certifying manufacturer. As shown below, the hash of a value "X" may be written "Hash(X)". Of course, it is understood that this information may instead be stored in an external memory 280 of the platform 200 rather than in the flash memory 224. The cryptographic information may be encrypted, especially if it is stored outside the TPM 220.
In one embodiment, the TPM 220 includes authentication logic 240 for responding to authentication requests from a verifier platform. In one embodiment, the authentication logic 240 uses the private signature key 230 to compute a digital signature over a received message, in order to convince or prove to the verifier platform that the TPM 220 has stored cryptographic information generated by the issuer of the trusted membership group, without revealing any unique device/platform identification information. As a result, the authentication logic 240 performs the requested authentication while protecting the identity of the prover platform, preserving the anonymity of the platform 200. The authentication logic 240 is further illustrated with reference to Fig. 4.
In one embodiment, logic 250 forms the private signature key 230 during a join procedure with the issuer of the private signature key 230. In one embodiment, signature logic 260 signs a message received from the verifier as part of an authentication request. Typically, revoked key logic 270 convinces or proves to the verifier platform that the private member key component of the private signature key 230 held by the platform 200 is not a revoked (compromised) private member key. In an alternative embodiment, the verifier performs the check that the private signature key is not a revoked signature key. It is recognized that a particular implementation may require fewer or more computing devices than those mentioned above.
In one embodiment, the issuer assigns a unique private signature key to each hardware device that is a member of the trusted membership group. Typically, a trusted member device with an assigned private signature key can sign a message received from a verifier as part of an authentication request. However, in contrast to conventional digital signature systems, the group digital signature created with a member device's unique private signature key is verified with the group public key of the trusted membership group defined by the issuer. By using its private signature key, a member device of the trusted membership group discloses no more unique device identification information than the indication that the device is a trusted hardware device that is a member of the trusted membership group, which may be defined by the certifying manufacturer.
In one embodiment, the authentication logic 240 enables a person to prove that he or she is a member of a group without revealing any information about his or her identity. Members of the group hold a certificate (a "group membership certificate") that can be used to prove membership in the group. In one embodiment, the private signature key is formed from a private member key and the group membership certificate. The private signature key is unique to each member of the group: each member chooses a secret random value as its private member key, and this key is unknown to the issuer. The group public key of the trusted membership group, however, is the same for all members of the group.
As described herein, an issuer such as the issuer 110 is the entity that determines whether a person (or entity) is a member of the group and then issues to the member a certificate that is used to form the member's private signature key. As further described herein, a prover is a person or entity attempting to prove membership in the group. If the prover really is a member of the group and holds a valid certificate, the proof should succeed. As further described herein, a verifier is an entity attempting to determine whether the prover is a member of the group. The prover therefore attempts to prove membership to the verifier.
As shown in Fig. 4, to prove membership, the verifier requests that the prover digitally sign some message, for example in the digital signature logic 260. If the verifier needs to know that the signed message is current, the verifier creates a random value (a nonce) and gives it to the prover to be included in the signed message. The prover signs the message with the private signature key and sends the signature to the verifier. As described herein, this signature is called a group digital signature, because it is verified with the published group public key of the trusted membership group.
In one embodiment, the verifier can verify the signature using the group public key, and if the verification succeeds, the verifier knows that the prover is a member of the trusted group. If a nonce was used, the verifier also knows that the group signature was produced between the moment it sent the nonce and the moment it received the signature. The verifier does not, however, learn which member produced the group digital signature, which preserves the anonymity of the group's trusted members.
In one embodiment, the TPM 220 may be incorporated into a smart card, including a form factor such as a PCMCIA card for insertion into a PCMCIA slot, or into an identification device, for example a driver's license, identification card, credit card or similar configuration having the form factor of a standard driver's license or credit card and containing an integrated circuit for performing one or more of the cryptographic procedures described. It is recognized, however, that some of the cryptographic functions may be computed by an attached host such as the platform 200. In this configuration, a TPM 220 used, for example, on a driver's license can comply with the REAL ID Act of 2005 described above without disclosing sensitive private information.
In this configuration, the Department of Motor Vehicles (DMV) is the issuer; it takes part in a setup procedure to create a group public key and a group issuing private key. The issuer publishes the public key and keeps the issuing private key private. Following this procedure, for each driver's license issued, the general join procedure is followed to provide the user with a private signature key from the issuer (including a private member key component unknown to the issuer). The user's private signature key and the group public key therefore constitute the user's credential for this group.
According to this embodiment, as shown in Fig. 4, when the TPM 220 and the authentication logic are incorporated into a card with the form factor of a standard driver's license, credit card or other similar smart card device, then, for example when accessing a bank machine or the like, the card holder can run the proof procedure to show that the card's owner is a member whose key has not been revoked, without requiring, for example, that the issuer (DMV) hold a copy of a compromised private key.
Fig. 5 is a flowchart of a method 400 for forming a trusted membership group public key, according to one embodiment. The issuer may define a "trusted membership group" to include one or more types of platforms or devices. For example, a trusted membership group may be the set of all platforms (members) that share a common set of security-relevant information, such as a group public key. This security-relevant information may include the manufacturer and model number of the particular platform or device. For each trusted membership group, the issuer creates the cryptographic parameters used for that trusted membership group. The issuer creates the private signature key during the join procedure; the member device (e.g., the platform 200 or the TPM 220) uses it to sign received messages so as to convince a verifier that the device is a member of the trusted membership group.
In one embodiment, the issuer creates a trusted membership group that includes at least one trusted hardware device as a member device (block 310). In one embodiment, the issuer uses a public key cryptographic function (e.g., elliptic curve cryptography) to create the group public/private key pair. This may be created using well-known methods, for example those described in Applied Cryptography, 2nd edition, Bruce Schneier, John Wiley & Sons (1996), ISBN 0471117099.
The issuer generates a group membership certificate that includes the public parameters and the security-relevant information of the trusted membership group. Once the platform group public/private key pair has been generated, the authentication procedure is performed for each member device of the trusted group (block 350). As part of the authentication process, the issuer provides the group membership certificate to each member or device of the trusted group. The distribution of the cryptographic parameters associated with the group membership certificate from the prover (e.g., the second platform 200 of Fig. 1) to the verifier can be accomplished in many ways. However, the verifier should be convinced that the group membership certificate was generated by the issuer in order for these cryptographic parameters to be distributed to the verifier.
For example, one acceptable method is to distribute the parameters directly to the verifier. Another acceptable method is to distribute a group membership certificate signed by a certifying authority (for example the issuer). In the latter method, the public key of the certifying authority should be distributed to the verifier, and the signed group membership certificate may be given to each member of the trusted group (prover platform). The prover platform can then provide the signed group membership certificate to the verifier.
Fig. 6 is a flowchart of a method 322, according to one embodiment, for generating the platform group's public/private key pair, including one or more public parameters, of processing block 320 of Fig. 5. Generating the public/private key pair together with the platform group's public parameters enables member devices to identify themselves as trusted members without revealing any unique device identification information. In one embodiment, the creation of the group public parameters described with reference to Fig. 6 is referred to herein as the setup protocol.
In one embodiment, the hardware manufacturer (issuer) uses this setup protocol to create the public/private key pair and any other cryptographic parameters the manufacturer needs in order to authenticate member devices, so that a unique private signature key is generated for each member device of the trusted group defined by the issuer.
Referring again to Fig. 6, at processing block 324 the issuer generates (q, G, g, G_T, g_T, e), where q is a prime, G and G_T are groups of order q, e: G × G → G_T is an efficiently computable bilinear map, g is a generator of G, and g_T is a generator of G_T. In one embodiment, the private signature key is used to generate a group digital signature whose verification is based on the bilinear map. For example, suppose there are two groups G = <g> and G_T = <g_T> of prime order q. A non-degenerate, efficiently computable bilinear map e: G × G → G_T is a function with the following properties:
1. For all P, Q ∈ G and all a, b ∈ Z, e(P^a, Q^b) = e(P, Q)^(ab).
2. There exist P, Q ∈ G such that e(P, Q) ≠ 1, where 1 is the identity element of G_T.
3. There is an efficient algorithm for computing e.
Referring again to Fig. 6, at processing block 326 the issuer chooses random values x and y. Once x and y have been chosen, at processing block 328 the issuer computes X = g^x and Y = g^y. At processing block 330, the group public key is (q, G, g, G_T, g_T, e, X, Y), and the issuer's private key is (x, y). In one embodiment, the random choice of the platform parameters x and y is performed by selecting a random seed value and generating x and y with a pseudo-random number generator. In one embodiment, the issuer's secret key is (x, y).
Once the platform group public/private key pair has been formed, the issuer can authenticate each member of the platform group according to the join protocol illustrated further with reference to Fig. 7. Fig. 7 is a flow chart of method 352 according to one embodiment, for authenticating a member device of the trusted membership group defined at processing block 350 of Fig. 5.
Typically, a platform and the issuer interact to join the group. At processing block 354, the TPM device derives a private member key $f$ from its DAA seed, which it does not reveal to the issuer, and sets $F = g^f$. At processing block 356 the TPM sends $F$ to the issuer and proves to the issuer its knowledge of $\log_g F$. At processing block 358 the issuer verifies the proof of knowledge performed by the TPM. At processing block 360 the issuer selects a random value $r$ and computes $a = g^r$, $b = a^y$ and $c = a^x F^{rxy}$. At processing block 362 the issuer sends $(a, b, c)$ back to the host as the platform's membership certificate. At processing block 364 the host forwards $(a, b, c)$ to the TPM. In one embodiment, the member device's private signature key comprises the private member key $f$ and the membership certificate $(a, b, c)$, and is denoted $(f, a, b, c)$.
In one embodiment, the TPM also performs the following signature proof of knowledge (SPK) towards the issuer (corresponding to processing blocks 356 and 358):
$SPK\{(f): F = g^f\}$.
1. The TPM selects a random $r \in \mathbb{Z}_q$ and computes $T = g^r$.
2. The TPM computes $c = H(q \| g \| g_T \| G \| G_T \| e \| X \| Y \| T)$.
3. The TPM computes $s = r + c \cdot f \bmod q$.
4. The TPM sends $(F, c, s)$ to the issuer.
5. The issuer computes $T' = g^s F^{-c}$.
6. The issuer verifies:
$c = H(q \| g \| g_T \| G \| G_T \| e \| X \| Y \| T')$.
Fig. 8 is a flow chart of method 400 according to one embodiment, in which a member device of the platform group computes a signature with its private signature key. At processing block 410 the TPM selects a base $B$. To sign a message $m$, the TPM holds $(f, a, b, c)$ as its secret signature key and the host holds $(a, b, c)$. In the random-base option, the TPM selects $B$ at random from $G_T$. In the named-base option, the TPM derives $B$ from the verifier's base name. The TPM then computes the pseudonym $K = B^f$. At processing block 420 the TPM selects two random numbers $r$ and $r'$ and sends them to the host. At processing block 430 the host computes $a' = a^{r'}$, $b' = b^{r'}$ and $c' = c^{r'r}$, and then computes $v_x = e(X, a')$, $v_{xy} = e(X, b')$ and $v_s = e(g, c')$. At processing block 440 the host sends $(a', b', c', v_x, v_{xy}, v_s)$ back to the TPM. At processing block 450 the TPM computes a zero-knowledge proof of knowledge of $(ri, f)$ such that $v_s^{ri} = v_x \cdot v_{xy}^f$ and $K = B^f$, without revealing $ri$ and $f$, where $ri$ is the inverse of $r$ modulo $q$. We use $\Sigma$ to denote the signature of knowledge of the above proof. At processing block 460 the resulting signature is $(a', b', c', B, K, \Sigma)$.
In one embodiment, the TPM may select $B$ from any group $G$ in which the decisional Diffie-Hellman problem is hard. The revocation check can then be performed over $G$ rather than over $G_T$.
In one embodiment, the TPM precomputes $e(X, a)$, $e(X, b)$ and $e(g, c)$. The TPM selects two random numbers $r$ and $r'$ and sends them to the host. The host computes only $a' = a^{r'}$, $b' = b^{r'}$ and $c' = c^{r'r}$. The TPM then computes $v_x = e(X, a)^{r'}$, $v_{xy} = e(X, b)^{r'}$ and $v_s = e(g, c)^{r'r}$. The host sends $(a', b', c')$ back to the TPM.
In one embodiment, the TPM computes the "signature of knowledge" as follows:
$SPK\{(r, f): v_s^{ri} = v_x \cdot v_{xy}^f \wedge K = B^f\}(m)$
(a) The TPM selects two random integers $rr, rf \in \mathbb{Z}_q$ and computes
$T_1 = v_s^{rr} \cdot v_{xy}^{-rf}$, $T_2 = B^{rf}$
(b) The TPM computes
$c = H(q \| g \| g_T \| G \| G_T \| e \| X \| Y \| a' \| b' \| c' \| v_x \| v_{xy} \| v_s \| B \| K \| T_1 \| T_2 \| m)$
(c) The TPM computes
$ri = r^{-1} \bmod q$, $sr = rr + c \cdot ri \bmod q$, $sf = rf + c \cdot f \bmod q$
(d) The TPM sends $(c, sr, sf)$ to the host.
The host sends the signature $\sigma = (B, K, a', b', c', sr, sf)$ to the verifier, where $\Sigma = (sr, sf)$.
Thus, using the private signature key $(f, a, b, c)$, a trusted hardware device can identify itself as a trusted hardware device by showing that it is a member of the group defined by, for example, the certifying manufacturer of anonymous hardware devices, referred to herein as the issuer. In one embodiment, each hardware device is a member of the platform group and is assigned a unique private signature key. Typically, a trusted hardware device holding an assigned private signature key can sign a message received from a verifier as part of an authentication request. In contrast to conventional digital signature systems, however, the group public key of the issuer-defined platform group is what verifies a digital signature created with a member device's unique private signature key.
Fig. 9 is a flow chart of method 500 according to one embodiment, for verifying the validity of a signature against the group public key. The group signature comprises $(a', b', c', B, K, \Sigma)$. At processing block 510 the verifier first computes $v_x = e(X, a')$, $v_{xy} = e(X, b')$ and $v_s = e(g, c')$. At processing block 520 the verifier checks the correctness of the signature of knowledge $\Sigma$; otherwise verification fails at processing block 522. Once the signature has been verified, at processing block 530 the verifier checks that $e(a', Y) = e(g, b')$ holds; otherwise verification fails at processing block 532. At processing block 540 the verifier checks whether the signature has been revoked, that is, for each invalid member key $f_i$ in the blacklist the verifier checks $K \neq B^{f_i}$.
For example, to verify the group signature $\sigma = (B, K, a', b', c', sr, sf)$ on $m$, the verifier performs the following steps:
1. The verifier checks $e(a', Y) = e(g, b')$ and $B \in G_T$.
2. The verifier computes
$v_x = e(X, a')$, $v_{xy} = e(X, b')$, $v_s = e(g, c')$
3. The verifier computes
$T'_1 = v_s^{sr} \cdot v_{xy}^{-sf} \cdot v_x^{-c}$, $T'_2 = B^{sf} \cdot K^{-c}$
4. The verifier checks
$c = H(q \| g \| g_T \| G \| G_T \| e \| X \| Y \| a' \| b' \| c' \| v_x \| v_{xy} \| v_s \| B \| K \| T'_1 \| T'_2 \| m)$.
For each $f_i$ in the blacklist, the verifier checks $K \neq B^{f_i}$ as shown in Fig. 10. If a matching revoked member key is detected, verification fails at processing block 560; otherwise verification succeeds at processing block 570.
Fig. 10 is a flow chart of method 542 according to one embodiment, for ensuring that a member device's private signature key is not a revoked private signature key. At processing block 544 it is determined whether a list of compromised keys has been received. At processing block 546, once the list has been received, an invalid member key is selected from it. At processing block 548 it is determined whether the pseudonym value $K$ received as part of the digital signature is different from $B^{f_i}$. If $K$ equals $B^{f_i}$, the signature is rejected at processing block 552. Otherwise, at processing block 550, processing blocks 546-548 are repeated for each invalid member key in the revocation list until every key in the list has been processed. Thus, if the group signature's value $K$ matches none of the values $B^{f_i}$, the digital signature received from the member device is accepted.
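The join proof SPK{(f): F = g^f}, the signature of knowledge over (ri, f), its verification and the blacklist check from Figs. 7-10, as an added example that is not the patent's own code. It assumes a toy setting: G_T is modelled as a prime-order subgroup of Z_p^*, so no pairing is computed, the check e(a', Y) = e(g, b') is omitted and v_x, v_xy, v_s are constructed stand-ins for the pairing outputs; H is SHA-256 over the listed values reduced mod q, with the hash input shortened to the group description, X, Y and the proof values.

```python
import hashlib
import secrets

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # deterministic for n < 2**64

def _is_prime(n):
    """Miller-Rabin with bases that make the test deterministic for n < 2**64."""
    if n < 2 or any(n % a == 0 for a in _MR_BASES):
        return n in _MR_BASES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def _safe_prime_from(start):
    """Smallest q >= start with q and p = 2q+1 both prime; returns (p, q)."""
    q = start | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

# Toy stand-in for G_T: the order-Q subgroup of Z_P^*. With P = 2Q+1, the
# quadratic residue 4 = 2^2 generates that subgroup (constructed parameters).
P, Q = _safe_prime_from(1 << 62)
G = 4

def _rand():
    return 1 + secrets.randbelow(Q - 1)

def _hash(*items):
    """H(x1 || x2 || ...): SHA-256 over length-prefixed items, reduced mod q."""
    h = hashlib.sha256()
    for v in items:
        b = v if isinstance(v, bytes) else v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
        h.update(len(b).to_bytes(2, "big") + b)
    return int.from_bytes(h.digest(), "big") % Q

def setup():
    """Issuer setup (Fig. 6): secret (x, y), public X = g^x, Y = g^y."""
    x, y = _rand(), _rand()
    return {"X": pow(G, x, P), "Y": pow(G, y, P)}, (x, y)

def join_prove(pub, f):
    """TPM side of SPK{(f): F = g^f} (Fig. 7, blocks 354-356)."""
    F = pow(G, f, P)
    r = _rand()
    T = pow(G, r, P)
    c = _hash(Q, G, P, pub["X"], pub["Y"], T)   # group description || X || Y || T
    s = (r + c * f) % Q
    return F, c, s

def join_verify(pub, F, c, s):
    """Issuer side (block 358): T' = g^s F^-c must reproduce the challenge."""
    T = pow(G, s, P) * pow(F, -c, P) % P
    return c == _hash(Q, G, P, pub["X"], pub["Y"], T)

def sign_prove(pub, vals, B, K, ri, f, m):
    """TPM side of SPK{(ri, f): v_s^ri = v_x v_xy^f  and  K = B^f}(m)."""
    vx, vxy, vs = vals
    rr, rf = _rand(), _rand()
    T1 = pow(vs, rr, P) * pow(vxy, -rf, P) % P
    T2 = pow(B, rf, P)
    c = _hash(Q, G, P, pub["X"], pub["Y"], vx, vxy, vs, B, K, T1, T2, m)
    return c, (rr + c * ri) % Q, (rf + c * f) % Q      # (c, sr, sf)

def sign_verify(pub, vals, B, K, sig, m):
    """Verifier (Fig. 9, block 520): T1' = v_s^sr v_xy^-sf v_x^-c, T2' = B^sf K^-c."""
    vx, vxy, vs = vals
    c, sr, sf = sig
    T1 = pow(vs, sr, P) * pow(vxy, -sf, P) * pow(vx, -c, P) % P
    T2 = pow(B, sf, P) * pow(K, -c, P) % P
    return c == _hash(Q, G, P, pub["X"], pub["Y"], vx, vxy, vs, B, K, T1, T2, m)

def not_revoked(B, K, blacklist):
    """Fig. 10: the pseudonym must differ from B^fi for every revoked key fi."""
    return all(K != pow(B, fi, P) for fi in blacklist)

def demo_sign(pub, f, m, blacklist):
    """Member with key f signs m; returns (proof valid, not revoked).
    v_x and v_xy are random stand-ins for e(X, a') and e(X, b'); v_s is
    constructed so that v_s^ri = v_x v_xy^f holds with ri = r^-1 mod q."""
    r = _rand()
    ri = pow(r, -1, Q)
    vx, vxy = pow(G, _rand(), P), pow(G, _rand(), P)
    vs = pow(vx * pow(vxy, f, P) % P, r, P)
    B = pow(G, _rand(), P)      # random-base option: B drawn from the group
    K = pow(B, f, P)            # pseudonym
    sig = sign_prove(pub, (vx, vxy, vs), B, K, ri, f, m)
    ok = sign_verify(pub, (vx, vxy, vs), B, K, sig, m)
    return ok, not_revoked(B, K, blacklist)
```

The challenge c travels with (sr, sf) here because the verifier's T'_1 and T'_2 are computed from it.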
In one embodiment, member or trusted hardware equipment for example can use the conventional cipher agreement of ECC generate standard public/private cipher key is right.Therefore, in one embodiment, can use the private signature key of the member device common ECC key of signing, be that trusted hardware equipment generates with the explanation public keys.Therefore, can use tradition public/private cipher key ECC is right, and immediately following initial discriminating of platform group's trusted hardware equipment is member device, thereby carries out follow-up processing.
It should be appreciated that, although the foregoing description sets forth numerous features and advantages of various embodiments of the invention, together with details of the structure and function of those embodiments, the disclosure is illustrative only. In some cases, certain components are described in detail only with respect to one such embodiment. It will nevertheless be recognized and contemplated that such components may be used in other embodiments of the invention. Changes may be made in detail, especially in matters of structure and arrangement of components, within the principles of the embodiments of the invention to the full extent indicated by the broad general meaning of the terms in which the appended claims are expressed.
Using the disclosed exemplary embodiments and best mode, modifications and variations may be made to the disclosed embodiments within the scope of the invention as defined by the claims.

Claims (25)

1. A method of performing anonymous attestation using elliptic curve computation, comprising:
requesting verification that an anonymous hardware device is a trusted member device of a trusted membership group;
authenticating the verification received from the anonymous hardware device according to cryptographic information published by the trusted membership group; and
verifying, according to a private member key component of the private signature key of the hardware device and a blacklist of compromised member keys, that the anonymous hardware device remains a trusted member device of the trusted platform group, without determining the private member key or any unique device identification information of the hardware device, so that the trusted member device remains anonymous to the verifier.
2. The method of performing anonymous attestation using elliptic curve computation of claim 1, wherein requesting verification further comprises:
issuing a message to the anonymous hardware device to request the verification that the anonymous hardware device is a trusted member device of the trusted membership group; and
receiving a group digital signature from the anonymous hardware device, the group digital signature generated by the anonymous hardware device signing the issued message with the private signature key of the anonymous hardware device, the private signature key comprising the private member key and a group membership certificate of the anonymous hardware device.
3. The method of performing anonymous attestation using elliptic curve computation of claim 1, wherein authenticating the received verification further comprises:
identifying a group public key of the trusted membership group; and
authenticating the received group digital signature according to the group public key of the trusted membership group, the group digital signature generated by the anonymous hardware device signing the message issued to the anonymous hardware device with the private signature key of the anonymous hardware device, the private signature key comprising the private member key and the group membership certificate of the anonymous hardware device.
4. The method of performing anonymous attestation using elliptic curve computation of claim 1, further comprising:
denying authentication of the anonymous hardware device if the private member key component of the private signature key of the hardware device matches an invalid private member key from the blacklist of compromised member keys.
5. The method of performing anonymous attestation using elliptic curve computation of claim 4, wherein denying authentication further comprises:
determining whether the group digital signature of the hardware device was generated with a private signature key having an invalid member key component; and
identifying the hardware device as an untrusted hardware device if the group digital signature was created with an invalid member key.
6. The method of performing anonymous attestation using elliptic curve computation of claim 4, wherein denying authentication further comprises:
(a) selecting an invalid member key from the blacklist;
(b) verifying that the pseudonym cryptographic parameter $K$ of the group digital signature of the hardware device was not generated with the selected invalid member key if $K \neq B^{f_i}$, where $f_i$ is the selected invalid member key, $B$ is a cryptographic parameter of the group digital signature of the hardware device, $i$ is an integer from 1 to $n$, $n$ is an integer greater than 1, and $K$ is of the form $K = B^f$, where $f$ is the private member key of the hardware device;
(c) repeating (a)-(b) for each invalid member key $f_i$ listed in the blacklist; and
(d) identifying the hardware device as an untrusted hardware device if the group digital signature was created using an invalid member key from the blacklist.
7. A method of performing anonymous attestation using elliptic curve computation, comprising:
creating a group public/private key pair for a trusted membership group defined by an issuer;
verifying that an anonymous hardware device has generated a private member key component of a secret signature key, without the hardware device disclosing the private member key to the issuer;
distributing a unique group membership certificate to the hardware device to provide the hardware device as a trusted member device of the trusted membership group, the signature key comprising the private member key and the group membership certificate of the anonymous hardware device; and
publishing the group public key so that a verifier verifies that the anonymous hardware device is a trusted member device of the trusted membership group, the group public key verifying a group digital signature generated with the secret signature key, so that the trusted member device remains anonymous to the verifier.
8. The method of performing anonymous attestation using elliptic curve computation of claim 7, wherein the issuer is a certifying manufacturer of the trusted hardware device.
9. The method of performing anonymous attestation using elliptic curve computation of claim 7, wherein verifying further comprises:
receiving a pseudonym $F$ of the form $F = g^f$, where $f$ is the private member key and $g$ is a cryptographic parameter of the group public key;
receiving a proof from the hardware device to verify that the private signature key is stored within the hardware device, the proof comprising a proof of knowledge of the form $\log_g F$.
10. The method of performing anonymous attestation using elliptic curve computation of claim 9, further comprising:
the issuer selecting a random value $r$;
the issuer computing $a = g^r$, $b = a^y$ and $c = a^x F^{rxy}$, where $(x, y)$ is the issuer's private key and $(a, b, c)$ is the group membership certificate.
11. The method of performing anonymous attestation using elliptic curve computation of claim 7, wherein distributing the group membership certificate comprises:
the issuer sending $(a, b, c)$ to a host of the trusted member device as the group membership certificate, where $a = g^r$, $b = a^y$ and $c = a^x F^{rxy}$, $(x, y)$ is the issuer's private key, $F$ is the pseudonym of the form $F = g^f$, $f$ is the private member key and $g$ is a cryptographic parameter of the group public key; and
the host forwarding the group membership certificate $(a, b, c)$ to the trusted member device, where $(f, a, b, c)$ is the cryptographic signature key of the trusted member device.
12. A method of performing anonymous attestation using elliptic curve computation, comprising:
an anonymous hardware device signing a message received from a verifier, the message being signed with the private signature key of the anonymous hardware device;
sending the digitally signed message, comprising a group digital signature of the anonymous hardware device, to the verifier, the verifier authenticating the group digital signature to verify, using the group public key of the trusted platform group, that the anonymous hardware device is a trusted member device of the trusted membership group; and
receiving a denial of invalidity if the private member key component of the private signature key of the anonymous hardware device does not match any invalid member key from the blacklist of compromised member keys, without disclosing the private member key or any unique device identification information of the anonymous hardware device, so that the trusted member device remains anonymous to the verifier.
13. The method of performing anonymous attestation using elliptic curve computation of claim 12, wherein prior to signing the method comprises:
receiving a verification denial if the private member key of the anonymous hardware device matches an invalid member key from the blacklist of compromised member keys.
14. The method of performing anonymous attestation using elliptic curve computation of claim 12, wherein prior to signing the method comprises:
deriving a random, secret value $f$ from an attestation seed;
computing a value $F$ of the form $F = g^f$, where $g$ is a cryptographic parameter of the group public key of the trusted membership group;
sending the value $F$ to an issuer of the trusted platform group as a request to join the trusted platform group;
sending a proof to the issuer to verify that the private member key is stored within the hardware device, the proof comprising a proof of knowledge of the form $F = g^f$; and
receiving a group membership certificate $(a, b, c)$ if the issuer has verified the correctness of the proof of knowledge, where the random, secret value $f$ is the private member key component of the trusted member device's private signature key $(f, a, b, c)$, which is verified according to the group public key so that the trusted member device remains anonymous to any verifier.
15. The method of performing anonymous attestation using elliptic curve computation of claim 12, wherein signing further comprises:
a trusted platform module (TPM) of the anonymous hardware device selecting a base value $B$;
the TPM computing a pseudonym value $K$ of the form $K = B^f$, where $f$ is the private member key of the anonymous hardware device;
the TPM sending two random numbers $r$ and $r'$ to a host of the anonymous hardware device;
the host computing $a' = a^{r'}$, $b' = b^{r'}$ and $c' = c^{r'r}$, where $a$, $b$ and $c$ are cryptographic parameters of the group membership certificate of the trusted membership group; and
the host computing $v_x = e(X, a')$, $v_{xy} = e(X, b')$ and $v_s = e(g, c')$, where $X$ and $Y$ are cryptographic parameters of the group public key of the trusted membership group, $q$ is a prime, $G$ and $G_T$ are groups of order $q$, $e: G \times G \to G_T$ is an efficiently computable bilinear map, $g$ is a generator of $G$ and $g_T$ is a generator of $G_T$.
16. The method of performing anonymous attestation using elliptic curve computation of claim 15, further comprising:
receiving $(a', b', c', v_x, v_{xy}, v_s)$ from the host;
the TPM computing a zero-knowledge proof of knowledge of $(ri, f)$ such that $v_s^{ri} = v_x \cdot v_{xy}^f$ and $K = B^f$, without revealing $ri$ and $f$, where $ri$ is the inverse of $r$ modulo $q$; and
sending $(a', b', c', B, K, \Sigma)$ to the verifier as the digital signature of the anonymous hardware device, where $\Sigma$ denotes the zero-knowledge proof of knowledge.
17. An apparatus comprising:
a flash memory to store a private signature key distributed to the apparatus by an issuer; and
a trusted platform module to sign a message received from a verifier using the private signature key and to send the digitally signed message to the verifier, wherein the digitally signed message comprises a group digital signature of the apparatus, the verifier authenticating the group digital signature to verify that the anonymous hardware device is a trusted member device of a trusted membership group and performing a denial of invalidity according to a private member key component of the private signature key of the anonymous hardware device and a blacklist of compromised member keys, without disclosing the private member key or any unique device identity information of the anonymous hardware device, so that the trusted member device remains anonymous to the verifier using elliptic curve computation.
18. The apparatus of claim 17, wherein the apparatus comprises an identification card having an integrated circuit that includes the TPM.
19. The apparatus of claim 18, wherein the identification card is a national driver's license and the issuer is a national department of motor vehicles.
20. A system comprising:
a verifier platform coupled to a network; and
an anonymous prover platform coupled to the network, comprising:
a bus,
a processor coupled to the bus,
a chipset coupled to the bus and including a trusted platform module, the trusted platform module signing a message received from the verifier platform using the private signature key of the prover platform and sending the digitally signed message to the verifier platform, wherein the digitally signed message comprises a group digital signature of the prover platform, the verifier authenticating the group digital signature to verify that the anonymous prover platform is a trusted member device of a trusted membership group,
wherein the verifier platform verifies, according to a private member key component of the private signature key of the prover platform and a blacklist of compromised member keys, that the anonymous prover platform remains a trusted member device of the trusted membership group, without determining the private member key or any unique device identity information of the prover platform, so that the trusted member device remains anonymous to the verifier platform using elliptic curve computation.
21. The system of claim 20, wherein the verifier platform comprises:
authentication logic to determine whether the group digital signature of the prover platform was generated with an invalid member key and, if the group digital signature was created with the invalid member key, to identify the hardware device as an untrusted hardware device.
22. The system of claim 20, wherein, if the private member key of the anonymous hardware device does not match any invalid private member key from the blacklist of compromised member keys, the prover platform receives a denial of invalidity from the verifier, without disclosing the private member key or any unique device identity information of the anonymous prover platform, so that the trusted member device remains anonymous to the verifier.
23. The system of claim 20, wherein the prover platform comprises:
key logic to generate a secret member key $f$ from a predetermined seed; and
join logic to compute the cryptographic parameters used to receive the group membership certificate $(a, b, c)$ of the prover platform, the private signature key $(f, a, b, c)$ of the prover platform comprising the private member key $f$ and the cryptographic parameters $(a, b, c)$ of the group membership certificate of the prover platform.
24. The system of claim 20, wherein the chipset comprises a graphics controller.
25. The system of claim 20, wherein the network comprises a wide area network.
CN 200810133628 2007-04-30 2008-07-16 Apparatus and method for direct anonymous attestation from bilinear maps Expired - Fee Related CN101359986B (en)

Applications Claiming Priority (3)

Application Number | Priority Date | Filing Date | Title
US91503507P | 2007-04-30 | 2007-04-30 |
US11/778,804 (US8078876B2) | 2007-04-30 | 2007-07-17 | Apparatus and method for direct anonymous attestation from bilinear maps
US11/778,804 | | 2007-07-17 |

Publications (2)

Publication Number | Publication Date
CN101359986A | 2009-02-04
CN101359986B | 2013-05-29
Legal Events

Code | Title
C06 | Publication
PB01 | Publication
C10 | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
C14 | Grant of patent or utility model
GR01 | Patent grant
CF01 | Termination of patent right due to non-payment of annual fee

Granted publication date: 2013-05-29
Termination date: 2021-07-16