Abstract
The elliptic curve-based Enhanced Privacy ID (EPID) signature scheme is broadly used for hardware enclave attestation by many platforms that implement Intel Software Guard Extensions (SGX) and other devices. This scheme has also been included in the Trusted Platform Module (TPM) specifications and ISO/IEC standards. However, it is insecure against quantum attackers. While research into quantum-resistant EPID has resulted in several lattice-based schemes, Boneh et al. have initiated the study of EPID signature schemes built only from symmetric primitives. We observe that for this line of research, there is still room for improvement. In this paper, we propose a new hash-based EPID scheme, which includes a novel and efficient signature revocation scheme. In addition, our scheme can handle a large group size (up to \(2^{60}\) group members), which meets the requirements of rapidly developing hardware enclave attestation applications. The security of our scheme is proved under the Universal Composability (UC) model. Finally, we have implemented our EPID scheme, which, to our best knowledge, is the first implementation of EPID from symmetric primitives.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
The revocation code is available at: https://github.com/UoS-SCCS/HB_EPID_Revocation.
References
Baum, C., et al.: Publicly verifiable zero-knowledge and post-quantum signatures from VOLE-in-the-Head. In: Handschuh, H., Lysyanskaya, A. (eds.) CRYPTO. LNCS, vol. 14085, pp. 581–615. Springer, Heidelberg (2023). https://doi.org/10.1007/978-3-031-38554-4_19
Baum, C., de Saint Guilhem, C.D., Kales, D., Orsini, E., Scholl, P., Zaverucha, G.: Banquet: short and fast signatures from AES. In: Garay, J.A. (ed.) PKC 2021. LNCS, vol. 12710, pp. 266–297. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-75245-3_11
Ben-Sasson, E., Chiesa, A., Riabzev, M., Spooner, N., Virza, M., Ward, N.P.: Aurora: transparent succinct arguments for R1CS. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11476, pp. 103–128. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17653-2_4
Bernstein, D.J., HĂ¼lsing, A., Kölbl, S., Niederhagen, R., Rijneveld, J., Schwabe, P.: The SPHINCS\({}^{\text{+}}\) signature framework. In: ACM CCS, pp. 2129–2146 (2019)
Bhadauria, R., Fang, Z., Hazay, C., Venkitasubramaniam, M., Xie, T., Zhang, Y.: Ligero++: a new optimized sublinear IOP. In: ACM CCS, pp. 2025–2038 (2020)
Biswas, C., Dutta, R., Sarkar, S.: An efficient post-quantum secure dynamic EPID signature scheme using lattices. Multimedia Tools Appl. 85, 13791–13820 (2023)
Blanchet, B., et al.: Modeling and verifying security protocols with the applied Pi calculus and ProVerif. Found. Trends® Priv. Secur. 1(1-2), 1–135 (2016)
Boneh, D., Eskandarian, S., Fisch, B.: Post-quantum EPID signatures from symmetric primitives. In: CT-RSA, pp. 251–271 (2019)
Boneh, D., Shacham, H.: Group signatures with verifier-local revocation. In: ACM CCS, pp. 168–177 (2004)
Bootle, J., Lyubashevsky, V., Nguyen, N.K., Sorniotti, A.: A framework for practical anonymous credentials from lattices. Cryptology ePrint Archive, Paper 2023/560 (2023). https://eprint.iacr.org/2023/560
Brickell, E.F., Camenisch, J., Chen, L.: Direct anonymous attestation. In: ACM CCS, pp. 132–145 (2004)
Brickell, E., Li, J.: Enhanced privacy ID: a direct anonymous attestation scheme with enhanced revocation capabilities. In: Proceedings of the 2007 ACM Workshop on Privacy in Electronic Society, pp. 21–30 (2007)
Brickell, E., Li, J.: Enhanced Privacy ID from bilinear pairing. Cryptology ePrint Archive, Paper 2009/095 (2009). https://eprint.iacr.org/2009/095
Brickell, E., Li, J.: Enhanced privacy ID from bilinear pairing for hardware authentication and attestation. Int. J. Inf. Priv. Secur. Integr. 2 1(1), 3–33 (2011)
Brickell, E., Li, J.: Enhanced privacy ID: a direct anonymous attestation scheme with enhanced revocation capabilities. IEEE Trans. Depend. Secur. Comput. 9(3), 345–360 (2012)
Camenisch, J., Chen, L., Drijvers, M., Lehmann, A., Novick, D., Urian, R.: One TPM to bind them all: fixing TPM 2.0 for provably secure anonymous attestation. In: IEEE Symposium on Security and Privacy, pp. 901–920. IEEE (2017)
Camenisch, J., Drijvers, M., Lehmann, A.: Universally composable direct anonymous attestation. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016. LNCS, vol. 9615, pp. 234–264. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49387-8_10
Chase, M., et al.: Post-quantum zero-knowledge and signatures from symmetric-key primitives. In: ACM CCS, pp. 1825–1842 (2017)
Chaum, D., van Heyst, E.: Group signatures. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 257–265. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-46416-6_22
Chen, L., Xu, Z., Tu, T., Wang, Z.: Lattice-based privacy enhanced identity protocol for SDO services. In: International Conference on Signal and Image Processing (ICSIP), pp. 609–613 (2023)
Chen, L., Dong, C., El Kassem, N., Newton, C.J., Wang, Y.: Hash-based direct anonymous attestation. In: Johansson, T., Smith-Tone, D. (eds.) PQCrypto. LNCS, vol. 14154, pp. 565–600. Springer, Heidelberg (2023). https://doi.org/10.1007/978-3-031-40003-2_21
Chen, L., Dong, C., Newton, C.J., Wang, Y.: Sphinx-in-the-head: group signatures from symmetric primitives. ACM Trans. Priv. Secur. 27, 1–35 (2023)
Chen, L., El Kassem, N., Lehmann, A., Lyubashevsky, V.: A framework for efficient lattice-based DAA. In: Proceedings of the 1st ACM Workshop on Workshop on Cyber-Security Arms Race, pp. 23–34 (2019)
Chen, M.S., et al: Preon: zk-SNARK based signature scheme. NIST PQ Signatures submissions (2023). https://csrc.nist.gov/csrc/media/Projects/pqc-dig-sig/documents/round-1/spec-files/Preon-spec-web.pdf
Dall, F., et al.: Cachequote: efficiently recovering long-term secrets of SGX EPID via cache attacks. ICAR Trans. Cryptogr. Hardw. Embed. Syst. 171–191 (2018)
Dobraunig, C., Kales, D., Rechberger, C., Schofnegger, M., Zaverucha, G.: Shorter signatures based on tailor-made minimalist symmetric-key crypto. In: ACM CCS, pp. 843–857 (2022)
El Kassem, N.: Lattice-based direct anonymous attestation. Ph.D. thesis, University of Surrey (2020)
EL Kassem, N., Fiolhais, L., Martins, P., Chen, L., Sousa, L.: A lattice-based enhanced privacy ID. In: Laurent, M., Giannetsos, T. (eds.) WISTP 2019. LNCS, vol. 12024, pp. 15–31. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-41702-4_2
Faonio, A., Fiore, D., Nizzardo, L., Soriente, C.: Subversion-resilient enhanced privacy ID. In: Galbraith, S.D. (ed.) CT-RSA 2022. LNCS, vol. 13161, pp. 562–588. Springer, Cham (2022). https://doi.org/10.1007/978-3-030-95312-6_23
Free Software Foundation, Inc.: GCC, the GNU Compiler Collection (2022). https://ggcc.gnu.org
Fu, S., Gang, G.: Polaris: transparent succinct zero-knowledge arguments for R1CS with efficient verifier. In: Proceedings on Privacy Enhancing Technologies, pp. 544–564 (2022)
Giacomelli, I., Madsen, J., Orlandi, C.: Zkboo: faster zero-knowledge for boolean circuits. In: USENIX Security, pp. 1069–1083 (2016)
Ishai, Y., Kushilevitz, E., Ostrovsky, R., Sahai, A.: Zero-knowledge from secure multiparty computation. In: STOC, pp. 21–30 (2007)
ISO/IEC 10118-2:2010: Information technology - Security techniques - Hash-functions - Part 2: Hash-functions using an n-bit block cipher. Standard, International Organization for Standardization, Geneva, CH (2010). https://www.iso.org/standard/44737.html
ISO/IEC 20008-2:2013: Information technology - Security techniques - Anonymous digital signatures - Part 2: Mechanisms using a group public key. Standard, International Organization for Standardization, Geneva, CH (2013). https://www.iso.org/standard/56916.html
Kales, D., Zaverucha, G.: Efficient lifting for shorter zero-knowledge proofs and post-quantum signatures. Cryptology ePrint Archive, Paper 2022/588 (2022). https://eprint.iacr.org/2022/588
Katz, J., Kolesnikov, V., Wang, X.: Improved non-interactive zero knowledge with applications to post-quantum signatures. In: ACM CCS, pp. 525–537 (2018)
Kim, S., et al.: AIM: symmetric primitive for shorter signatures with stronger security. In: ACM CCS, pp. 401–415 (2023)
Lamport, L.: Constructing digital signatures from a one-way function. SRI International Computer Science Laboratory, Technical Report (1979)
Lyubashevsky, V., Nguyen, N.K., Plançon, M.: Lattice-based zero-knowledge proofs and applications: shorter, simpler, and more general. In: Dodis, Y., Shrimpton, T. (eds.) CRYPTO. LNCS, vol. 13508, pp. 71–101. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-15979-4_3
Merkle, R.C.: A certified digital signature. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 218–238. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_21
NIST: Post-quantum cryptography standardization (2017–2022). https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization
NIST: Nist announces first four quantum-resistant cryptographic algorithms (2022). https://nist.gov/news-events/news/2022/07/nist-announces-first-four-quantum-resistant-cryptographic-algorithms
de Saint Guilhem, C.D., De Meyer, L., Orsini, E., Smart, N.P.: BBQ: using AES in picnic signatures. In: Paterson, K.G., Stebila, D. (eds.) SAC 2019. LNCS, vol. 11959, pp. 669–692. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-38471-5_27
de Saint Guilhem, C.D., Orsini, E., Tanguy, T.: Limbo: efficient zero-knowledge MPCitH-based arguments. In: ACM CCS, pp. 3022–3036 (2021)
Sardar, M.U., Fetzer, C., et al.: Towards formalization of enhanced privacy ID (EPID)-based remote attestation in Intel SGX. In: Euromicro Conference on Digital System Design (DSD), pp. 604–607 (2020)
TCG: TPM 2.0 library specification. https://trustedcomputinggroup.org/resource/tpm-library-specification/
Zaverucha, R., Kales, G.: Reference implementation of the Picnic post-quantum signature scheme (2020). https://github.com/Microsoft/Picnic
Zaverucha, G.: The Picnic signature algorithm specification (2020). Supporting Documentation in https://github.com/Microsoft/Picnic
Acknowledgments
We thank the European Union’s Horizon research and innovation program for support under grant agreement numbers: 779391 (FutureTPM), 952697 (ASSURED), 101019645 (SECANT), 101069688 (CONNECT), 101070627 (REWIRE) and 101095634 (ENTRUST). These projects are funded by the UK government’s Horizon Europe guarantee and administered by UKRI. We also thank the National Natural Science Foundation of China for support under grant agreement numbers: 62072132 and 62261160651. Finally, we appreciate the valuable comments from the anonymous reviewers; particularly, the suggestion that removing \(B_j\) values from a signature would improve the performance of our scheme.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
Appendix
A Security Analysis: F-SPHINCS+
The standard security definition for digital signature schemes is existential unforgeability under adaptive chosen-message attacks (EU-CMA). It can be extended to a few-time signature by limiting the adversary’s call to the sign oracle to q times where q is the maximum number of signatures that the few-time signature scheme is allowed to generate for each signing key. Let \(SIG=(kg,sign,vf)\) be a q-time signature scheme, Fig. 4 shows the q-EU-CMA game.
Definition 1
(q-EU-CMA). Let SIG be a digital signature scheme. It is said to be q-EU-CMA secure, if for any adversary A, the following holds:
Theorem 1
For suitable parameters, n, d, k, h, q, the F-SPHINCS+ signature is \(q^h\)-EU-CMA secure if:
-
\(H_1\) is SM-TCR and SM-DSPR secure;
-
\(H_2\) is TSR secure with at most q queries;
-
\(H_3\) is ITSR secure with at most \(q^h\) queries;
-
\(\textsf {prf}\) is a secure pseudorandom function.
Proof
To successfully forge a group issuer’s signature on a message M chosen by the adversary, there are the following mutually exclusive cases:
-
1
Let \(MD||idx=H_3(M||gr)\) for some gr. In the forged signature, All secret strings corresponding to \(MD=p_0||\cdots ||p_{k-1}\), i.e. \(\{{\textbf {x}}^{(i)}_{p_i}\}_{i=0}^{k-1}\), are the same as generated from \(\texttt {leaf}_{idx}\)’s secret key. This case consists of the following sub-cases:
-
1.1
The adversary learns all secret strings from signatures obtained in the query phase.
-
1.2
Some secret strings are not leaked from previous signatures, and for each of them, the adversary either:
-
1.2.1
learns it by breaking the pseudorandom function that is used to expand the secret key into x\(_i\);
-
1.2.2
or learns it by looking at their \(H_1\) hash values and find the pre-images.
-
1.2.1
-
1.1
-
2
Let \(MD||idx=H_3(M||gr)\) for some gr. In the forged signature, some secret strings corresponding to \(MD=p_0||\cdots ||p_{k-1}\), i.e. \(\{{\textbf {x}}^{(i)}_{p_i}\}_{i=0}^{k-1}\), are NOT the same as generated from \(\texttt {leaf}_{idx}\)’s secret key. Then let S be the list of \(h+1\) M-FORS signatures in the forged signature, we can find i such that when verifying the i-th signature \((0\le i\le h)\), we obtain the same public key as would be generated by the signer, but for all \(0\le j<i\), we obtain a different public key as would be generated by the signer. This means:
-
2.1
The adversary has found at least one second-preimages of \(H_1\) so that some Merkle trees in the ith signature are computed with the second-preimages. They end up having the same roots as the trees computed by the group issuer.
-
2.2
The adversary knows all secret strings corresponding to the public key produced from verifying the \((i-1)\)th signature. This public key is different from the public key at the same location generated by the group issuer. This can be done by either:
-
2.2.1
learning all from previous signature queries;
-
2.2.2
or breaking the pseudorandom function;
-
2.2.3
or finding some pre-images of \(H_1\).
-
2.2.1
-
2.1
Given the above, we analyze the F-SPHINCS+ signature scheme through a series of games:
Game 0: The original EU-CMA game in which the adversary needs to forge a valid group issuer’s signature after \(q_s\) queries.
Game 1: Exactly as Game 0 except all output of prf are replaced by truly random n-bit strings. We eliminate from the above list Case 1.2.1 and 2.2.2 by this modification. Since each call to prf uses a secret key and a distinct value as input, assuming prf is a pseudorandom function, we have:
Game 2: Game 2 differs from Game 1 in that we consider the adversary lost if the adversary outputs a forgery by breaking the ITSR security of \(H_3\). This modification eliminates from the above list Case 1.1. The winning condition in Fig. 4 is changed to:
-
Return 1 iff \(ITSR(H_3,M^*)=0\wedge vf(pk,M^*,\sigma ^*)=1 \wedge M^*\not \in \{M_i\}_{i=1}^{q^h}\).
The predicate ITSR is defined as the following:
-
Let \(M^*\) be the message that the adversary chooses to generate the forgery on, and \(gr^*\) the random string used by the adversary to compute \(MD^*||idx^*=H_3(M^*||gr^*)\).
-
Parse \(MD^*=p_0^*||\cdots ||p_{k-1}^*\) where each \(p_j^*\in [0,2^d-1]\). From the above we obtain a set \(C^*=((idx^*,0,p_0^*),\cdots ,(idx^*,k-1,p_{k-1}^*))\).
-
For each message queried in the query phase \(M_i\) (\(1\le i\le q^h\)), and \(gr_i\) the random string, compute \(MD_i||idx_i=H_3(M_i||gr_i)\) and obtain \(C_i=((idx_i,0,p_{i,0}),\cdots ,(idx_i,k-1,p_{i,k-1}))\).
-
Return 1 iff \(C^*\subseteq \bigcup _{i=1}^{q^h}C_i\).
We can see that \(ITSR(H_3,M^*)=0\) iff the adversary can break the ITSR security of \(H_3\). Hence, we have:
Game 3: Game 3 differs from Game 2 in that we consider the adversary lost if the forgery contains a second preimage for an input to \(H_1\) that was part of a signature returned as a signing-query response. Here the second preimage can be included explicitly in the signature, or implicitly observed when verifying the signature. This eliminates from the above list Case 2.1. Then we have:
Game 4: Game 4 differs from Game 3 in that we consider the adversary lost if the adversary outputs a forgery by breaking the TSR security of \(H_2\), which allows the adversary to forge an intermediate signature in \({\textbf {S}}\), and then any signature earlier in the chain. This eliminates from the above list Case 2.2.1. The winning condition in Fig. 4 is changed to:
-
Return 1 iff \(TSR(H_2,M^*)=0\wedge ITSR(H_3,M^*)=0\wedge vf(pk,M^*,\sigma ^*)=1 \wedge M^*\not \in \{M_i\}_{i=1}^{q^h}\).
The predicate TSR is defined as the following:
-
The adversary chooses an intermediate node in the hyper-tree at address (a, b), and two n-bit string \(L^*,R^*\).
-
For each signature obtained in the query phase, if \({\textbf {S}}_i\) includes a signature generated using the secret key in node (a, b) over the public key in one of its child node, parse this public key into k blocks, each of d-bit \(pk_i=p_{i,0}||\cdots ||p_{i,k-1}\), and generate a set \(C_i=\{( j,p_{i,j})\}_{j=0}^{k-1}\).
-
Compute \(pk^*=H_2(\texttt {aux}||k||0||0||L^*||R^*)\), parse \(pk^*\) into \(p_{0}^*||\cdots ||p_{k-1}^*\), and generate a set \(C^*=\{( j,p_{j}^*)\}_{j=0}^{k-1}\).
-
Return 1 iff \(C^*\subseteq \bigcup _{i=1}^{q}C_i\).
Note that each M-FORS public key is the root of a Merkle tree generated from pseudorandom strings. Also for each intermediate node in a hyper-tree, it has at most q children, hence no more than q signatures signed by the secret key in this intermediate node can be obtained by the adversary. So \(TSR(H_2,M^*)=0\) iff the adversary can break the TSR security of \(H_2\). Hence, we have:
Now the cases in which the adversary can forge a signature are all eliminated except Case 1.2.2 and 2.2.3, which requires the adversary to find a pre-image of at least one hash values produced by \(H_1\). The success probability of finding a pre-image is as analyzed in [4]:
So overall, the advantage of the adversary is negligible. Â Â Â \(\square \)
TSR security of \(\boldsymbol{H_2}\). In any case, q signatures can be generated under the secret key of a non-leaf node in the hyper-tree. Assuming the adversary knows all of them, then for each block of the chosen \(pk^*\), the probability of the secret string has been leaked is \(1-(1-\frac{1}{2^d})^q\), so all secret string have been leaked is \((1-(1-\frac{1}{2^d})^q)^k\). For \(d={16},q=1024,k=68\), this probability is \(2^{-468.87}\), if \(k=35\), this probability is \(2^{-210.39}\).
ITSR security of \(\boldsymbol{H_3}\). For a leaf node of the hyper-tree, it may have been used to sign \(\gamma \) signatures out of the total \(q_s\) signature queries. So the probability that all secret string of a chosen message M being leaked through query is:
For \(d={16},q=1024,k=68, h=6, q_s=2^{60}\), this probability is \(2^{-407.32}\), if \(k=35\), this probability is \(2^{-208.95}\).
Rights and permissions
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Chen, L., Dong, C., El Kassem, N., Newton, C.J.P., Wang, Y. (2024). A New Hash-Based Enhanced Privacy ID Signature Scheme. In: Saarinen, MJ., Smith-Tone, D. (eds) Post-Quantum Cryptography. PQCrypto 2024. Lecture Notes in Computer Science, vol 14771. Springer, Cham. https://doi.org/10.1007/978-3-031-62743-9_2
Download citation
DOI: https://doi.org/10.1007/978-3-031-62743-9_2
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-62742-2
Online ISBN: 978-3-031-62743-9
eBook Packages: Computer ScienceComputer Science (R0)