A Framework for Efficient Lattice-Based DAA

Currently standardized Direct Anonymous Attestation (DAA) schemes have their security based on the factoring and the discrete logarithm problems, and are therefore insecure against quantum attackers. This paper presents a quantum-safe lattice-based Direct Anonymous Attestation protocol that can be suitable for inclusion in a future quantum-resistant TPM. The security of our proposed scheme is proved in the Universal Composability (UC) model under the assumed hardness of the Ring-SIS, Ring-LWE, and NTRU problems. The signature size of our proposed DAA scheme is around 2MB, which is (at least) two orders of magnitude smaller compared to existing post-quantum DAA schemes.


INTRODUCTION
Direct Anonymous Attestation (DAA) is a cryptographic protocol that allows a Trusted Platform Module (TPM) to serve as a trust anchor for a host platform it is embedded in. To do so, the TPM chip creates attestations about the state of the host system, e.g., certifying the boot sequence the host is running on. These attestations convince a remote verifier that the platform it is communicating with is running on top of trusted hardware and using the correct software. A main design goal of DAA is that attestations are made in a privacy-preserving manner. That is, the verifier can check that attestations originate from a certified hardware token, but it does not learn anything about the identity of the particular TPM. Another important feature of DAA is that it supports user-controlled linkability which is steered by a basename bsn. If a platform uses a fresh or empty basename, the resulting attestations cannot be linked whereas repeated use of the same basename makes the transactions linkable.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org. CYSARM ' Overall, DAA can be seen as a special variant of group signatures with a central issuer controlling membership to the group of certified TPMs, and TPMs being able to sign anonymously on behalf of the group. Instead of the opening capabilities provided in group signatures, DAA controls privacy through the use of basenames and user-controlled linkability.
DAA has been developed for the Trusted Computing Group (TCG), which is the industry group that designs the TPM. The first RSA-based DAA protocol got standardized in the TPM 1.2 specification [45] in 2004 [14], whereas the newer TPM 2.0 standard [46] published in 2014 supports a suite of elliptic-curve based DAA protocols [11,12,20] that are specified in the complementing ISO standard ISO/IEC 20008-2 [30,31]. As reported by TCG, more than a billion devices include TPM technology; in particular almost all enterprise PCs, many servers and embedded systems rely on such trusted hardware anchors. Since the first proposal of DAA, many extensions and works to improve security and efficiency have been proposed [7, 15, 17-19, 21, 48]. A variant of DAA called Enhanced Privacy ID (EPID) is used in Intel SGX [13], the most advanced development in the area of trusted computing.
Recently, the practical interest in DAA has revived, as providing authenticity of attestations while preserving the privacy of senders is enjoying increased attention and awareness. Anonymity of attestations is particularly important in automotive applications such vehicle-to-vehicle communication, wherein tracking of drivers should be prevented but authenticity of the communication must be guaranteed too [47]. A DAA protocol has also been integrated into the Fast IDentity Online (FIDO) authentication framework [16]. In this application, the TPM creates a new authentication key, and outputs a DAA signature in order to certify that the key is properly stored in the TPM. Another DAA-based application is a privacy-enhancing cloud service architecture to protect user's data, using DAA to let users control the extent of data sharing among their service accounts [29].
The existing DAA schemes that are currently supported by the TPMs are based on either the factorization problem in the RSA setting or the discrete logarithm problem in the Elliptic Curve (EC) setting. Since the factorization problem and discrete logarithm problem are known to be vulnerable to quantum computer attacks, all standardized DAA protocols are not post-quantum secure, i.e. an adversary with a powerful quantum computer could break the TPM's security.
Thus, there is a need to update the cryptographic primitives of current privacy-preserving schemes to be quantum resistant. Many proposed post-quantum cryptographic primitives are build on the top of code-, hash-, lattice-and multivariate-based problems, and could possibly be used as the basis for the development of post-quantum DAA protocols. Among these, lattice-based cryptography seems to be the most flexible one, supporting several variants of anonymous signature schemes, such as lattice-based group signatures [22,35,37], and ring signatures [8,27]. Recently, El Kassem et al. [32] and El Bansarkhani and El Kaafarani [3] proposed two post-quantum DAA scheme from lattice assumptions, however both schemes require massive storage and computation resources, which makes them not suitable for inclusion in the future quantum-resistant TPM.

Our Results
Our DAA is related to the recently-proposed group signature scheme [22], which at the time of this writing is the most efficient quantumsafe scheme for large group sizes. The high-level idea of the group signature scheme is for the issuer to create user secret keys by outputting signatures (where messages are the user's identity) of the ABB lattice-based signature scheme [1]. More precisely, the secret key of a group member with identity i ∈ Z * q is an ABB signature s of the message i. In other words, s was a small-norm polynomial satisfying where A, B, G, and u are public parameters over some polynomial ring. To construct a signature of a message µ, the group member encrypts (a part of) s and gives a non-interactive ZKPoK (using µ in the hash of the challenge) to prove knowledge of the i ∈ Z * q and s satisfying (1) 1 as well as the fact that (a part of) s was encrypted.
DAA schemes differ from basic group signatures in three ways: (1) extra privacy properties are required for users in case of a malicious issuer, (2) the user in a DAA scheme is split into two parts -the TPM and the host -and they do signing in a way that doesn't reveal the TPM's secret (even to the host), (3) there is no opener, but there is instead a linking procedure that should allow anyone to link two signatures for a common basename Notice that in the above group signature description, the issuer needs to know the i in order to produce the group member's secret key and so there is nothing preventing a malicious issuer from impersonating a group member. This would not satisfy the security definitions of an analogous DAA scheme. To remedy this, instead of directly using the selectively-secure ABB scheme, we use the idea in the Ducas-Micciancio scheme [25], which modifies the ABB signature to include a tag τ when signing a low-norm message m. We further modify their scheme to a selectively-secure one (with a small tag domain to still ensure security) which is more efficient. A signature s of a message m under a tag τ satisfies where a is now an additional public parameter and τ is chosen fresh for every signature that is created. 2 The way in which we utilize this 1 Actually, one proves a "relaxed" version of (1) involving a lot of extra small-norm polynomial multiplicands due to the fact that the most efficient zero-knowledge proofs for commitments (c.f. [4]) only prove knowledge of approximate solutions. 2 The scheme of [22] is only proved non-adaptive security of their signature schemes where the adversary needs to choose the messages he wants to see the signatures construction by observing that if the group member sends v = am, along with a proof of knowledge of m, then the authority can create a signature on m without its knowledge. In this way, the group signature scheme of [22] can be modified to satisfy the stronger definition of dynamic group signatures in which a malicious issuer cannot impersonate a group member. The above-described dynamic group signature issuance procedure can now be easily converted to an issuance procedure of a DAA scheme. In particular, m (or at least a part of it) will be the TPM secret key, while s is the secret membership credential of the host. This information, together with τ , is then used by the TPM and the host to create a ZKPoK, much in the same way as the ZKPoK of (1) was generated in [22], of (2) to sign messages.
The other difference between group signatures and DAA schemes is that DAA schemes have a "linking" procedure instead of an opening. So instead of encrypting the TPM's secret, we will instead create a Ring-LWE instance (b, nym = bm 1 + e) where b is the basename, m 1 is part of the TPM's secret, and e is an error term that's an output of a PRF evaluated at b and m 1 . 3 . To allow efficient linking (i.e. there should be a public procedure that allows to determine whether the same TPM signed under the same basename) we need to take care about how the TPM proves knowledge of m 1 , e satisfying nym = bm 1 + e. If we use the most efficient proof that also proves knowledge of a low-normc,m 1 ,ē such that c · nym = bm 1 +ē, then linking would require guessing thec (which could come from an exponentially-large space). Instead, we use the slightly less-efficient proof from [6] which proves the knowledge ofm 1 ,ē satisfying 2 · nym = bm 1 +ē. Putting this proof together with the proof of (2) (and using the message µ in the hash of the challenge), as well as making several small adjustments to allow the UC proof to go through, completes the signature.
1.1.1 Comparison to Existing Lattice-Based DAA Schemes. In our proposed scheme, the TPM's secret key consists of two short polynomials in the ring R q = Z q [X ]/(X d +1). In the LDAA scheme [32], the TPM's secret key consists of m = 24 polynomials, and there are 2m + 1 = 49 polynomials in [3]. The degree of our ring should be set to 4096 (as in [22]), whereas it's possible that the degree of the ring in the other schemes could be 2048 or 1024. Still, our scheme should be faster in terms of the TPM's computation costs in the join and sign interfaces, and have smaller TPM keys and signature sizes.
In our proposed scheme, the signature consists of around 45 polynomials in R q . Using the same values of q ≈ 2 70 and d = 4096 as in [22] and also account for the fact that most polynomials in R q have coefficients smaller than q, a rough estimate for the size of the signatures is 2MB.
The LDAA signature includes c responses to the Fiat-Shamir challenges, where each response is comprised of approximately km(2ℓ + 2) polynomials provided by the host and k(m ′ + 1) provided by the TPM. In [3], the size of the response for each round is bounded by km(2ℓ + 2) polynomials for both the host and the TPM (where ℓ = 32, m ′ = 24, k = 8, c = 8).
of before seeing the signatures. It is converted to a standard signature scheme using a chameleon hash. We show in our proof how to go around the requirement of the chameleon hash. 3 The reason for using a PRF to generate the error is that it would be insecure to output bm 1 + e and bm 1 + e ′ for e e ′ Even if the degree of the rings in [32] and [3] are 4× smaller (i.e. the ring dimension is 1024) than in our scheme and the bit-length of the polynomial coefficients are also 4× smaller (the modulus q is less than 2 18 ), the signature produced by our scheme is still more than two order of magnitudes shorter. We should point out that this is still around 5 -6 orders of magnitude longer than discrete logarithm based DAA schemes (e.g. [18,19]).

PRELIMINARIES 2.1 Notation
x ← S means that x is a uniformly random sample drawn from a set S. If D is a distribution, then x ← D means that x is drawn according to the distribution D. We define the ring of polynomials R q = Z q [X ]/⟨X d + 1⟩, where d is the dimension of R q which is a power of 2. We write c = c 0 + c 1 x + · · · + c d−1 x d−1 to represent a polynomial in R q with integer coefficients, ∥c ∥ ∞ denotes the infinity norm of polynomial c, with ∥c ∥ ∞ = max 0≤j ≤n |c j |. We will always assume that q ≡ 3 (mod 8), which implies [40, Lemma 2.2] that all (non-zero) elements in R q whose infinity norm is less than q/2 are invertible. Additionally, with probability almost 1, a random element in R q is also invertible. a = (a 1 , . . . , a k ) represents a vector of polynomials in R k q , for some positive integer k and polynomials a 1 , . . . , a k in R q . A ∈ R k ×ℓ q is a matrix whose entities are polynomials a i j ∈ R q for 1 ≤ i ≤ k and 1 ≤ j ≤ ℓ. ∥A∥ ∞ is the infinity norm of the matrix of polynomials A defined by ∥A∥ ∞ = max i ∥a i j ∥ ∞ .

Lattice Problems and Sampling
For x, c ∈ R d and ξ ∈ R + , we define the Gaussian function ρ c ,ξ (x) = exp − ∥x −c ∥ 2 2ξ 2 , and for a lattice L, we define the distribution D L,c ,ξ (x) to be 0 whenever x L and when x ∈ L. When we omit the L from the above equation, it is assumed that the lattice is Z d (where d is evident from context).
Omitting the c implies that c = 0.
As an additive group, the polynomial ring R = Z[X ]/(X d + 1) has an obvious mapping to Z d and so we can write v ← D ξ to signify sampling a random centered element from R.
For a polynomial vector a = (a 1 , . . . , a k ) ∈ R k q and t ∈ R q , we can define a k-dimensional shifted lattice 4 L ⊥ a,t = {s ∈ R k : a 1 s 1 + . . . + a k s k = t mod q} and we define the distribution D ⊥ a,t ,ξ (x) to be 0 whenever x L ⊥ The Ring-SIS problem [39] is defined as finding a short linear combination s 1 , . . . , s m ∈ R q satisfying a 1 s 1 + . . . + a m s m = 0 for a given set of randomly-chosen a i ∈ R q . The decisional Ring-LWE problem [41] is, for random a i , s ← R q and random smallcoefficient polynomials e i ∈ R q , to distinguish tuples (a i , a i s + e i ) from uniformly random tuples in R q . Note that because random elements in R q are invertible with probability close to 1, the triples (a i , b i , a i s + b i e i ) are also indistinguishable from uniform triples based on Ring-LWE.
In general, given a random a, t, it is hard (as hard as the Ring-SIS problem) to sample according to D ⊥ a,t ,ξ for small ξ . One can do such sampling, however, when given a special trapdoor basis for the lattice L ⊥ a,0 . The smaller the vectors in the trapdoor, the smaller the ξ can be in the distribution.

Lattice Trapdoor Sampling
The trap-door sampler that will be used in our scheme defines a as a 4-element vector (a ′ , a ′ R + (τ , τ ⌈ √ q⌋)), where a ′ = (a, 1) for a uniformly-random a ∈ R q , R ∈ R 2×2 q consists of polynomials with random coefficients in {−1, 0, 1} and τ is some non-zero element in Z q . It was shown in [42,Lemma 5.3] that one can sample, again using [26,28], elements from D ⊥ a,t ,ξ , for any t ∈ R q , for ξ ≈ 2(s 1 (R) For the R generated as above, s 1 (R) is concentrated around 3 √ d, and so one can sample from D ⊥ a,t ,ξ with ξ ≥ 6 dq. We will refer to this algorithm as the MP-Sampler.

Zero Knowledge Proofs
Given a matrix A ∈ R n×m q , and a vector t ∈ R n q satisfying for some vector r with a bounded norm, there are several protocols for proving knowledge of this short r satisfying a possibly "relaxed" version of (5). The most expensive, in terms of proof size, is a proof that proves exactly the knowledge of (5) for an ℓ ∞ bound on r. This is the adaptation of Stern's proof [44] working over larger rings [33,36], and the proof sizes are on the order of megabytes. There have been some recent improvements [5,9,10,49], but the proofs are still on the order of several hundred kilobytes for even relatively short vectors. In our protocol, we will use these proofs in places where a large proof size is not important because the procedure is only done once -i.e. when the issuer registers his public key to the CA and when TPMs perform the join. A more efficient (in terms of proof size) proof system can prove the knowledge of a slightly larger vectorr satisfying Ar = 2t. This scheme from [6] is presented in Figure 2. The most efficient proof system is based on the digital signature from [38] and proves knowledge of a vectorr and a small polynomial c satisfying Ar = ct. This scheme is presented in Figure 1.
All our protocols use a rejection sampling subroutine from [38] to produce outputs that are distributed as gaussians with distributions independent of the secret key (and the challenge). This is crucial for showing that the protocols are zero-knowledge.  38]). Let V be a subset of R n with elements of norm less than T, let h be a distribution of V. b ∈ R n . Consider a procedure that samples a y ← D n ξ and then returns the output of rej(z := y + b, b, ξ ) where ξ ≥ 11∥b∥. The probability that this procedure outputs 1 is ≈ 1/3. The distribution of z, conditioned on the output being 1, is within statistical distance 2 −100 of D n ξ .

Lattice-Based Commitments
In this paper we use the version of the commitment scheme from [4] that commits to k ring elements. Define the public parameter C as where A is the top row and B is the rest of the matrix. The commit- , consists of creating an r with small (e.g. −1, 0, 1)coefficients and outputting From the above definitions, observe that we have t A = Ar and t B = Br + m. Given a public C and a commitment t to messages m 1 , . . . , m k ∈ R q , there is a zero-knowledge proof of knowledge of anm ∈ R k q ,r with ∥r∥ ≤ 2β z (as defined in Figure 3) andc ∈C satisfying Obtaining the above proof is a slight generalization of the proof system from [4]. What we will need in our proof, however, is additionally to show that m i ∈ Z q . That is, m i are polynomials in R q that are only non-zero in their constant coefficient. Proving this additional restriction onm involves using the "automorphism stability" modification from [22]. The latter work uses the fact that an element m ∈ R q is in Z q if and only if it satisfies m = σ −1 (m) = σ 5 (m), where σ j (m(X )) = m(X j ) [22]. The proof modification therefore also needs to prove that for allm i composingm,m i = σ −1 (m i ) = σ 5 (m i ). We present this proof in Figure 3. Figure 3 is a proof of knowledge of (8).

Lemma 2.2. The protocol in
Sketch. To prove zero-knowledge in the case that z, z 1 , z 2 are sent, we observe that due to the rejection sampling procedure the distribution of z, z 1 , z 2 is exactly D ξ . Therefore one can simulate the view of the verifier by generating z, z 1 , z 2 ← D ξ , c ← C and setting w, To show that the protocol is a proof of knowledge, note that the usual rewinding of the prover after the first step allows us to extractz,z 1 ,z 2 ,c satisfying We would like to now prove that (9) and (11), along with the SIS assumption, imply that To show the above, multiply (9) by σ 5 (c), multiply σ 5 ((11)) byc and subtract to obtain Since we assumed that the SIS problem is hard, then the above can only be true if (15) holds. Becausec is invertible, it is possible to definem such that Using (13), we also obtain Applying the automorphism σ 5 to the above equation and multiplying byc, and then applying (15), we get Subtracting the above from σ 5 (c) times (17), we obtain that and since bothc and σ 5 (c) are invertible, this implies that σ 5 (m) = m. Exactly the same proof yields that σ −1 (m) =m and som ∈ Z k q . Also note that combining (9) with (17) gives (8). Now, combining (14) and (17), we obtain

THE DAA FRAMEWORK
Before presenting our new lattice-based DAA protocol, we recall how DAA works and what the desired security properties are.

DAA Functionality and Properties
In a DAA scheme, we have four main entities: a number of trusted platform modules (TPM), a number of hosts, an issuer, and a number of verifiers. A TPM and a host together form a platform which performs the join protocol with the issuer who decides if the platform is allowed to become a member. Once being a member, the TPM and host together can sign messages with respect to basenames bsn. If a platform signs with bsn = ⊥ or a fresh basename, the signature must be anonymous and unlinkable to previous signatures. That is, any verifier can check that the signature stems from a legitimate platform via a deterministic verify algorithm, but the signature does not leak any information about the identity of the signer. Only when the platform signs repeatedly with the same basename bsn ⊥, it will be clear that the resulting signatures were created by the same platform, which can be publicly tested via a (deterministic) link algorithm. DAA also supports key-based revocation, i.e., it assumes the availability of a revocation list RL which contains the secret keys of rogue TPMs. Verification will be done with respect to such a revocation list and lets signatures of revoked TPMs fail.
Intuitively, DAA must satisfy the following high-level security and privacy properties. The formal security model for DAA exists in form of an ideal functionality F l DAA in the UC framework [18]. Anonymity: An adversary that is given two signatures, w.r.t. two different basenames or bsn = ⊥, cannot distinguish whether both signatures were created by one or two different honest platforms. (One-More) Unforgeability: When the issuer is honest, an adversary controlling n TPMs can create at most n unlinkable signatures for the same basename bsn ⊥. Non-Frameability: No adversary can create signatures on a message m w.r.t. basename bsn that links to a signature created by an honest platform, when this honest platform never signed m w.r.t. bsn.
Anonymity and non-frameability must hold even when the issuer is corrupt.   For the sake of simplicity, we present our DAA scheme in an algorithmic manner and discuss the additional UC-specific wrappers and inputs that are needed to satisfy F l DAA in Section 4.

Protocol Description
Let q be a prime and the ring R q = Z q [X ]/⟨X d + 1⟩. We will denote by R α for some positive integer α a subset of R q with coefficients in the range between −α and α. For some domain D, we will denote H D to be a domain extension function (e.g. SHAKE) that takes an element from {0, 1} * and maps onto D.
The issuer secret key is a matrix R ← R 2×2 1 , and his public key is a uniformly-random polynomial h ← R q and a vector b = [h 1]·R. By the Ring-LWE assumption, (h, b) is indistinguishable from uniform. For convenience, we will write the public matrix associated to the issuer as where h = [h 1]. We will assume that when the issuer registers his public key with the CA, he also proves the knowledge of his secret key R in an extractable manner. Because the efficiency of this step is not very important, it can be performed using a standard Stern-type scheme (e.g [36]).
If g = [1 √ q] ∈ R 2 q , then using the Micciancio-Peikert inversion algorithm, for any nonzero τ ∈ Z q and u ∈ R q , it is possible to use the trapdoor R to find a short, Gaussian distributed, vector s ∈ R 4 q satisfying [h | b + τ g] · s = u. The issuer will also keep state of one integer tag τ ∈ Z q . He will initialize τ = 1 and increment it by one with every new join. Since the prime q in our scheme will be somewhat large (around 2 70 ), every join procedure will have a unique tag -this is crucial for security.
We also define a = [a 1 a 2 ] ← R 2 q and u ← R q to be random public parameters.
Join Procedure. A TPM's secret consists of a polynomial vector e = e 1 e 2 ← R 2 3 and a secret key sk ∈ {0, 1} 256 . 5 The TPM computes u 1 = a · e = a 1 e 1 + a 2 e 2 (21) and sends u 1 along with a proof of knowledge π 1 of short e satisfying (21). Since the TPM will do the join only once, it's not important for this proof to be very efficient, and so it can be done using a zero-knowledge proof system that proves exact knowledge of e. The issuer, upon receiving u 1 , π 1 , will check the proof and then use the Micciancio-Peikert sampling algorithm to compute an s with small norm satisfying where τ is a fresh tag which the issuer tracks as described above.
The issuer sends τ and s to the TPM as the credential. The TPM keeps his secret e and sk, while the host stores the credential s and τ .
For DAA it is crucial that only legitimate TPMs can join in a controlled manner, which is handled via endorsement keys which are preinstalled on each TPM and their public keys are known to the issuer. We use the same abstraction as Camenisch et al. [18] and simply assume an authenticated channel F * auth between the TPM (via the host) and the issuer. That is, during join the issuer learns the TPM identity M i in an authenticated manner and should only proceed if M i is a legitimate TPM. The issuer should also keep track of already joined TPMs, and ensure that each can join at most once.
Signing. To sign a message µ with respect to basename bsn (if the basename is ⊥, the TPM picks a random bsn from the domain of all basenames, but doesn't reveal it) the TPM creates a value d = H R q (bsn) and an error polynomial e ′ = H R 3 (sk, bsn) and outputs the pseudonym nym = de 1 + e ′ ∈ R q . Notice that d is (and needs to be) publicly computable, while e ′ is only computable by the TPM. The reason that the e ′ is generated deterministically based on bsn (and sk) rather than just chosen arbitrarily at random is that the TPM might be asked to create a pseudonym with respect to the same basename multiple times, and it would be insecure to send de 1 + e ′ 1 , . . . , de 1 + e ′ κ for different e ′ κ . Thus, for the TPM's safety, the same basename should lead to the same pseudonym.
At this point, the TPM and the Host know short e, s, e ′ and τ ∈ Z q satisfying Ideally, the signature would consist of nym as well as a proof of knowledge of short e, s, e ′ and τ ∈ Z q satisfying the above two equations. The main problem with creating the above proof is that it's unclear how to efficiently keep secret the τ inside the matrix [h | b + τ g] and, even ignoring the τ , giving an exact proof of r, e, s, r ′ is very costly in terms of proof size (at least dozens of megabytes). We instead use the techniques from Figures 1 and 2 to prove the above equations approximately as well as the proof of automorphism stability from 3 to prove that τ ∈ Z q .
The Host commits to τ and τ √ q using the commitment scheme from Section 2.5 as Define C 1 and C 2 to be the second and the third row of the matrix C in (6) (i.e. the rows corresponding to the commitments of messages m 1 and m 2 in (7). The Host and the TPM then jointly give a zero-knowledge proof π (using the message µ inside the random oracle in the Fiat-Shamir transformation) of small-normed r,s,v 1 ,v 2 ,ē, and c ∈C satisfying: Equations (26), (27), and (28) are proved simultaneously (to ensure that the values ofc andē 1 are consistent throughout) and jointly by the TPM and the Host. In particular, (26) is proved using the "automorphism stability" proof from Figure 3 to ensure that τ ∈ Z q , while the other two equations are proved using the standard "Fiat-Shamir with Aborts" technique using Gaussian sampling from Figure 1. The TPM needs to additionally prove (29) because having ac in front of the nym is not sufficient for linking since one would actually have to know c in order to perform the linking operation. This proof (which is less compact than the one in Figure  1 is done via the protocol in Figure 2. While it's obvious that the fact that the TPM and Host satisfying (23) and (25) allows them to prove (26), (28), and (29), the validity of (27) is a little less straight-forward. But observe that replacing τ g = [τ τ √ q] in (24) with τ = t 1 − C 1 r and √ qτ = t 2 − C 2 r from (25) gives us the equation where we have conveniently rewritten b = [b 1 b 2 ] and the vector where s 0 is multiplied with h, s 1 is multiplied by b 1 +t 1 and s 2 is multiplied by b 2 + t 2 . Since s 1 , s 2 and r have small coefficients, it's now evident that one can give a proof of the equation in (27) using the protocol in Figure 1. The goal of obtaining proofs of (26) and (27) is to combine them into one proof as follows: by multiplying (27) byc and substitutinḡ ct i with C ir +cτ , we obtain which can be rewritten as where The final signature output by the host is t 0 , t 1 , t 2 , nym, d together with the proof π . Since C is a 3 × 4 matrix, the non-interactive proof of (26) consists of 4 · 3 = 12 polynomials (i.e. the size of the response in Figure 3. In the proof of (27),s andv i each consist of 4 polynomials, whileē consists of 2, for a total of 14. The proof of (28) does not include any extra polynomials because one does not need to send anything corresponding toē ′ if one does an approximate check of the linear equation in the verification of Figure 1 (as in e.g. [2,23]). To prove (29), one needs to set ℓ in Figure 2 to around 12, and so the output will be 12 polynomials (since one again does not need to output anything related toê ′ ). One should note that the polynomials corresponding to theē 1 andê 1 have rather small coefficients, so they will be less costly to output than the others. For a rough estimate, we ignore this savings. So the total number of elements of R q in the proof π is 40, which makes the total number of polynomials in the signature 45.
Verification: The verifier, having message µ, basename bsn, signature σ = (nym, d, π ), and issuer public key ipk checks the proof π . If bsn ⊥, it also checks that d = H R q (bsn). Further, DAA requires verification to be done with respect to a revocation list RL which contains all the rogue TPM's secret keys. Thus, for every e 1 ∈ RL, the verifier checks that ∥2(nym − de 1 )∥ is not small. If all checks pass, it outputs 1 and 0 otherwise.
Linking. The link algorithm on input two signatures (µ 1 , bsn, σ 1 ) and (µ 2 , bsn, σ 2 ) for the same basename bsn checks whether both pseudonyms nym 1 , nym 2 (which are part of the signatures) match. Given pseudonyms nym 1 and nym 2 for the same basename bsn, we will say that they are linked to the same TPM if 2(nym 1 − nym 2 ) is a polynomial in R q with small norm.
To prove linkability, note that from (29) we have 2(nym 1 − nym 2 ) = d(ē 1,1 −ē 1,2 ) + (ē ′ 1 −ē ′ 2 ), where the left side has small norm and all the coefficients except for d on the right side also have small norm. This implies that there exist polynomials f 1 , f 2 such that d f 1 + f 2 = 0. One can show that, for a random choice of d, the probability that such non-zero f 1 , f 2 exist is close to 0 (c.f. [34, Proof of Lemma 4.8]). Therefore f 1 and f 2 must both be 0, which implies thatē 1,1 =ē 1,2 .

Security Intuition
The security intuition is that under the hardness of Ring-SIS and Ring-LWE, proving the knowledge of (31) implies thatē = ec, where e = [e 1 , e 2 ] is one of the TPM secret keys from (21) used during some Join session (Lemmas 3.1 and 3.2). For linking and revocation-checking, the presence of thec poses a problem because this value can only be obtained by the extractor, but not the verifier. For this reason, we obtain proofs (28) and (29), which then imply thatē 1 = 2e 1 for some e 1 used during join. This then allows us to be certain that every nym is connected to some join session and, if given the secret key for the session, be able to link the nym to that secret key.
Our first lemma shows that one can construct a public key and a sampling algorithm, which are indistinguishable under certain computational assumptions from the real public key and sampling algorithm, that are conducive to extracting a solution to Ring-SIS via the procedure in Lemma 3.2.

Lemma 3.1. Consider the public key
generated as follows: Choose a random τ * ∈ Z q , Then there exists an efficient sampling algorithm producing s ∼ D η such that no adversary can distinguish, based on the Ring-LWE and NTRU assumptions, between the real public key and the sampling algorithm, and the above public key and its sampling algorithm.
Proof. The terms a and u in the real and the fake public key have the same distribution by the leftover hash lemma. Notice that the only difference between the real public key and the one in 32 is the extra τ * g term being added to b. Through a series of games, we can show that, together with the sampling algorithm we describe below, the distribution of the public key and the sampling output is indistinguishable from the real public key and the real output.
Note that we cannot naively say that by the Ring-LWE assumption the real public key [h | hR] is indistinguishable from the key [h | hR − τ * g] used in the reduction. The reason is that to use Ring-LWE, one needs to go through an intermediate distribution [h | b] for a uniform b, and in this case we do not know how to do any pre-image sampling since there is no trapdoor.
Instead, we will also be modifying the left side of the public key to create an NTRU trapdoor which we can use to do sampling when we change the right-hand side of the trapdoor to be uniform. The optimal way of selecting an NTRU trapdoor is outlined in [24], and it allows for sampling pre-images with standard deviation less than the Micciancio-Peikert sampler (and so it can sample that standard deviation as well). We will also be making the decisional NTRU assumption that the NTRU public key f /д is indistinguishable from uniform. For f and д that are large with respect to q, as in [24], this appears to be a reasonably safe assumption as slightly larger f and д result in truly random quotients [43]. We do not go into much detail here because the NTRU problem only appears in the proof and is not used anywhere in the scheme.
The reason that one must also modify the sampling algorithm is that in the real public key, one is always sampling an s satisfying [h | hR + τ g]s = u + a · e where τ 0. This can be done with the Micciancio-Peikert sampling technique. With the public key in 32, on the other hand, if τ = τ * , then we need to sample an s satisfying [h | hR]s = u + a · e. Since the trapdoor g "vanishes", we can no longer use the aforementioned sampling algorithm. The way that this problem is generally overcome (e.g. in the original ABB selectively secure signature scheme) is that one sets the right-hand side of the equation (u + a · e) to be [h | hR]s. In our case, this is not possible because e is chosen by the adversary after he sees the public key. Our sampling algorithm for the special case of τ = τ * deals with this specific issue. Game 1: h ← R, R ← R 2×2 1 , b = hR. Sample using trapdoor R.
Sample using trapdoor R. Indistinguishable by the NTRU assumption.
Sample using trapdoor R or the special procedure for τ * . Statistical Indistinguishability.
Sample using trapdoor R or the special procedure for τ * . Indistinguishability by NTRU.
Sampling. For all τ τ * and any e, we use the Micciancio-Peikert sampling algorithm to sample an s satisfying [h | hR+(τ −τ * )g]·s = u + a · e. This is possible because τ − τ * 0 and so the trapdoor does not vanish.
When τ = τ * , then our trapdoor vanishes and so we cannot use it to do pre-image sampling. When asked to sign a message e * with tag τ * , the authority computes (33) This is a valid signature because [h | hR]s * = u + a · e * , but its distribution is incorrect because it's a shifted gaussian. Nevertheless, if ∥R ′ e * ∥ ≪ ∥s u ∥, then one can use rejection sampling to transform the shifted gaussian distribution s u − R ′ e * into one that has the same distribution as s u -i.e. D ξ . If a reject happens, we abort the whole reduction and start over. Otherwise, the signature s * has exactly the right distribution D ξ . Recall that the authority will only need to sign for tag τ * at most once and so as long as rejects don't happen with overwhelming probability, the success of the reduction only goes down by a polynomial factor with respect to the success probability of the forger. In order for the rejection probability to not be overwhelming, we need that ∥R ′ e * ∥ < √ 4d ∥s u ∥ (see Lemma 2.1). This will always be the case in our scheme. □ The below lemma shows that that everyē 1 extracted from the signer in (28) must be equal to e * 1c for some e * 1 that the authority created a credential on in the Join procedure. Lemma 3.2. Suppose the public key is as in Lemma 3.1. If there is an adversary that after choosing, for 1 ≤ i ≤ κ, e (i) and receiving s (i) satisfying [h | b + τ g] · s (i) = u + a · e (i) is able to output a τ ∈ Z q , an s ∈ R 4 q with ∥s∥ ≤ βs , ac ∈C, and anē s.t. ∀ iē ce (i) , satisfyinḡ (where all the notation is as in (31)) then there exists another algorithm that can solve a Ring-SIS instance [h | C 1 | C 2 ] with probability approximately 1/q smaller than the success probability of the adversary.
Proof. With probability 1/q the tag τ that the adversary forges on is τ * . In other words, the adversary returns as,c,w satisfyinḡ Multiplying (36) byc 2 and subtracting from (35), and then plugging in a = [h b]R ′ , we obtain (37) Because everything being multiplied by h, b ′ , C 1 , and C 2 has small coefficients, this will be a SIS solution to [h | b ′ | C 1 C 2 ] (and therefore to [h | C 1 | C 2 ] since b ′ = hR) unless all the multiplicands are 0. Because the adversary cannot predict the exact value of R ′ (because the entropy of each column of R ′ is larger than of each column of a), in order to force the extractor to extract a zerosolution, the adversary would needēc = e * c2 . By the invertibility ofc, this implies thatē = e * c . □ The below lemma proves that (28) and (29), together with the knowledge thatē 1 = e * 1c , imply thatê 1 = 2e * 1 .
Proof. Multiplying (39) by 2 and (40) byc, subtracting, and plugging in (38), we obtain Because all the variables except d in the above equation are ≪ q/2, by [34,Lemma 4.8] we know that it's highly unlikely that a nonzero solution du 1 + u 2 = 0 exists for small, non-zero u i . Therefore 2e * 1c =ê 1c , and becausec is invertible, we get the claim in the lemma. □

SECURITY
We now show that our DAA protocol satisfies the desired DAA security guarantees captured through the ideal functionality F l DAA [18]. Before presenting our proof sketch, we first discuss how the protocols and algorithms presented in Section 3 have to be "UC-fied".

UC Wrapper for our Protocol
To date, the only sound security notion for DAA is an ideal functionality in the Universal Composability framework. Describing protocols in the UC framework requires some extra care to include session identifiers, explicit party inputs in interactive protocols, as well as to reflect the abstract modeling of keys and secure channels. We start by describing the necessary sub-functionalities our protocol relies on, and then discuss how to map our protocols to the interfaces required by F l DAA .
Sub-Functionalities. We assume that a common reference string functionality F crs and a certificate authority functionality F ca are available to all parties. The later allows the issuer to register his public key, and F crs is used to provide all entities with the system parameters comprising of the random seed to generate the commitments, and a of the issuer's public key.
For the communication between the TPM and issuer (via the host) in the join protocol, we use the semi-authenticated channel F * auth introduced in [18]. For all communication between a host and TPM we assume the secure message transmission functionality F smt (enabling authenticated and encrypted communication). In practice, F smt is naturally guaranteed by the physical proximity of the host and TPM forming the platform, i.e., if both are honest an adversary can neither alter nor read their internal communication.
In the description of the protocol, we assume that parties call F crs and F ca to retrieve the necessary key material whenever they use a public key of another party. Further, if any of the checks in the protocol fails, the protocol ends with a failure message ⊥.
The protocol also outputs ⊥ whenever a party receives an input or message it does not expect (e.g., protocol messages arriving in the wrong order.) F l DAA Interfaces. The F l DAA functionality considers an issuer I and the platform consisting of a TPM M i and a host H j . In UC, different instances of a protocol are separated through unique session identifiers sid = (I, sid ′ ). In the real-world these are mapped to the issuer public key, and all parties use the sid to link their stored key material to the particular issuer.
Setup: I upon input (SETUP, sid) generates his key pair (ipk, isk). It registers the public key (sid, ipk) at F ca , stores the secret key as (sid, isk) and ends with output (SETUPDONE, sid).
Join: To distinguish several join sessions that might run in parallel, we use a unique sub-session identifier jsid that is given as additional input to all parties. The join protocol starts when H j receives the input (JOIN, sid, jsid, M i ) upon which it triggers M i to generate u 1 along with the proof π 1 , and send it via F * auth to I. When I receives the message it outputs (JOINPROCEED, sid, jsid, M i ). The join session is completed when the issuer receives an input telling him to proceed with join session jsid, upon which it returns cred = (s, τ ). This explicit interaction with the issuer allows the issuer to perform some additional check to decide whether M i is allowed to join. The host stores the credential as (sid, M i , cred) and the TPM stores its secret key as (sid, H j , tsk) i.e., both "remember" with whom they joined with. The join ends with M i outputting (JOINED, sid, jsid).
Sign: Signing is a protocol run between a TPM M i and a host H j . Again, we use a unique sub-session identifier ssid to allow for multiple sign sessions and unique identification of the particular session in the UC interfaces. The host H j upon input (SIGN, sid, ssid, M i , µ, bsn), retrieves its join record (sid, M i , cred) and aborts if no such record is found. It sends (ssid, µ, bsn) to the TPM which then checks that a key record (sid, H j , tsk) exists and outputs (SIGNPROCEED, sid, ssid, µ, bsn). The signature is completed when M i receives the input (SIGNPROCEED, sid, ssid), upon which it computes the SPK and nym. The explicit input from the TPM is necessary to ensure that the TPM in fact "approved" the attestation of µ and bsn. Finally, the host outputs the jointly computed signature as (SIGNATURE, sid, ssid, σ ).

Proof Sketch
Theorem 4.1. The protocol Π daa presented in Section 3 securely realizes F l DAA [18] in the (F * auth F ca , F smt , F crs )-hybrid and random oracle model under static corruptions, if the Ring-LWE, Ring-SIS, and the NTRU assumption hold.
To show that no environment E can distinguish the real world, in which it is working with Π daa and adversary A, from the ideal world, in which it uses F l DAA with simulator S, we use a sequence of games. We start with the real world protocol execution. In the next game we construct one entity C that runs the real world protocol for all honest parties. Then we split C into two pieces, a functionality F and a simulator S, where F receives all inputs from honest parties and sends the outputs to honest parties. We start with a useless functionality, and gradually change F and update S accordingly, to end up with the full F l DAA and a satisfying simulator. The proof closely follows the structure of the UC proof by Camenisch et al. in [18], with the crucial steps occurring in Game 7, where the signatures of honest platforms are replaced by signatures on "dummy" keys (guaranteeing anonymity), and Games 12-15 where we let the functionality enforce the expected unforgeability and non-frameability properties. For unforgeability we rely on the security of signatures created by the issuer, which we have shown to hold in Lemma 3.1-3.3.
Game 1: This is the real world protocol.

Game 2:
The challenger C now receives all inputs and simulates the real world protocol for honest parties. Since C gets all inputs, it can simply run the real world protocol. It also simulates all hybrid functionalities, but does so honestly, so E does not see any difference. By construction, this is equivalent to the previous game.

Game 3:
We now split C into a "dummy functionality" F and simulator S. F receives all inputs, and simply forwards them to S. S simulates the real world protocol and sends the outputs it generates to F , who then outputs them to E. This game only restructures the previous game.

Game 4:
In this game we let our intermediate F handle the setup related interfaces using the procedure specified in F l DAA . Consequently, F expects to receive the algorithms (ukgen, sig, ver, link, identify) from the simulator. For ukgen, ver, and link, S can simply provide the algorithms from the real-world protocol, where it omits the revocation check from ver. The sig algorithm will be a combination of the join and sign procedure though, as it will be used to create anonymous signatures for honest platforms for which it uses a fresh TPM key whenever the platform signs w.r.t. a new basename.
Thus, to internally create signatures via sig, the algorithm must first create a valid membership credential for the freshly chosen tsk and then sign with this new credential. So sig must contain the issuer's private key, which the simulator S has to be able to get.
When I is honest, S is running the issuer, i.e., it knows its secret key and sets the sig algorithm accordingly.
When I is corrupt, S starts the simulation when the issuer registers his key with F ca that is controlled by the simulator. Since the public key comes with a proof of knowledge of the issuer's secret key, S can extract the secret key from there and define the sig algorithm accordingly. By the simulation soundness of the proof system, this game hop is indistinguishable for the adversary.
Finally, for identify which is used to check whether a signature (σ, µ, bsn) belongs to a certain tsk, we use roughly the same procedure as for revocation checks. That is, the algorithm parses σ = (nym, d, bsn), tsk = (e 1 , * ), and checks that ∥2(nym − de 1 )∥ is small. If so it outputs 1, and 0 otherwise. Recall that we compute pseudonyms for random d when bsn = ⊥, so this check works for all cases.
Game 5: F now handles the verify and link queries using the provided algorithms ver and link from the previous game, rather than forwarding the queries to S. We do not let F perform the additional checks (Checks (ix) -(xvi)) done by F l DAA , though, but add these only later. For Check (xii), F rejects a signature when a matching tsk ′ ∈ RL is found, but does not exclude honest TPMs from this check yet.
Because verify and link do not involve network traffic, the simulator does not have to simulate traffic either, we must only make sure supplied, and S supplied them in such a way that they are equivalent to the real world algorithms, so the outcome will clearly be equivalent.
Game 6: In this step we change F to also handle the join-related interfaces, meaning it will receive the inputs and generate the outputs. We let F run the same procedure as F l DAA , but again omit the additional checks (Checks (ii)-(iv)).
In the final join interface JOINCOMPLETE, the simulator has to provide the secret key tsk of the TPM. When the TPM is honest, S knows the key anyway and uses it towards F . If the TPM is corrupt and either the issuer or host is honest, S extracts the vector e 1 from the proof π 1 that it receives in the role of the honest I or H j and sets tsk ← (e 1 , ⊥). Note that we do not extract nor set the part sk of the TPM's secret key. This has no impact though, as tsk will only be used for internal checks by identify for which only e 1 is used.
Finally, note that F sets tsk ← ⊥ when both the TPM and host are honest. However, this has no impact yet, as the signatures are still created by the simulator and the verify and link interfaces of F do not run the additional checks that make use of the internally stored records and keys.
Overall, this game hop is indistinguishable by the simulation soundness of the SPK π 1 .
Game 7: We now transform F such that it internally handles the signing queries of honest platforms instead of merely forwarding them to S. Thus, this game hop proves the anonymity of our DAA scheme. When both the TPM and the host are honest, F creates the signatures internally in an unlinkable way: It chooses a new tsk per basename and TPM, or per signature when bsn = ⊥ and then runs the sig algorithm for that fresh key. As described earlier, sig starts by internally "issuing" a membership credential on tsk using the issuer's secret key that is included in sig. F keeps the internally chosen keys ⟨M i , bsn, tsk⟩ in a list DomainKeys to ensure consistency if a TPM wishes to reuse the basename.
This change is indistinguishable under the Ring-LWE assumption, the reduction can be done in a straightforward manner, using a hybrid argument to to replace the signatures one-by-one.

Game 8:
We change F such that it no longer informs S which message and basename are being signed. Thus, when the TPM and host are both honest, S does not learn µ, bsn but only its leakage l(µ, bsn). Recall, that signatures for honest platforms are generated by the functionality now, so S merely as to mimic communication between the honest TPM and host.

Game 9:
We now add the constraint that when I is honest, F only allows platforms that joined to sign, which is checked via the list Members. Note that for our simulation we only care about platforms that are at least "partially" honest, i.e., the host and/or TPM are honest, as otherwise there is nothing to simulate. For such platforms, this check will not change the view of E using the simulator S from the previous game: in the real world, an honest host and TPM both check that they have a joined before signing. In the ideal world, S makes join queries towards F ensuring that the joined platforms (with honest entities) are in Members, and thus F still allows any signing that could take place in the real world.
Game 10: In this game we let F additionally check the validity of every new tsk that is generated or received in the join and sign interface.
If the TPM is corrupt, F checks that CheckTskCorrupt(tsk) = 1 for the tsk that the simulator extracted from π 1 (Check (iv)). This check prevents the adversary from choosing different keys tsk tsk ′ that both fit to the same signature. By the It is easy to see that there exists only one secret e 1 satisfying the nympart of the signature (also for the "random" pseudonyms when bsn = ⊥). As there is only a single tsk for every valid signature where identify(σ, µ, bsn, tsk) = 1, this check will never fail.
For keys of honest TPMs, F verifies that CheckTskHonest(tsk) = 1 whenever it receives or generates a new tsk (Check (iii) and (v)). With these checks we avoid the registration of keys for which matching signatures already exist. Since keys for honest TPMs are chosen uniformly at random from an exponentially large group and every signature has exactly one matching key, the chance that a signature under that key already exists is negligible.
Game 11: We now add the checks to F that F l DAA runs in the sign interfaces when internally generating signatures for honest platforms. After creating a signature, F checks whether the signature verifies and matches the right key (Check (vi) and (vii)). As S supplied proper algorithms and the signature scheme is complete, these checks will obviously always succeed.
F also checks with the help of its internal key records Members and DomainKeys that no one else already has a key which would match this newly generated signature (Check viii). As signatures match only a single TPM key and we choose keys of honest platforms at random from a large domain, this can happen only with negligible probability.
In the next four game hops, we let F perform the four additional checks that are done by F l DAA in the verification interface, i.e., we rely on F to enforce the desired unforgeability and nonframeability guarantees. We now show that this check does not change the verification outcome, as any signature that would previously pass will still pass.
Game 12: F now performs an additional check during verification, it checks whether it finds multiple tsk values matching this signature, and if so, it rejects the signature. It is easy to see that there is only tsk per signature for which identify will output 1, as there is only one e 1 that can lead to the pseudonym nym.
Game 13: When I is honest, F now only accepts signatures on tsk values that I has issued a membership credential on. Under the existential unforgeability of the membership credential, this check changes the verification outcome only with negligible probability. The unforgeability of our signature scheme used by the issuer to (blindly) sign the TPM's key is based on the Ring-SIS and Ring-LWE problem as shown in Lemma 3.1-3.3.
Game 14: F now prevents forging signatures using an honest TPM's tsk. If the environment can distinguish this game hop, i.e., it can create a valid signature σ for message µ and basename bsn that traces via identify to an honest TPM, but that TPM has never signed µ, bsn we can use this to break the Ring-LWE problem. Again, the reduction can be done in a straight-forward manner: We use the Ring-LWE challenge as u 1 for a randomly chosen honest TPM during the join protocol (with the possibly corrupt issuer). DAA Signature for this honest TPM are merely simulated. If we see a valid signature that we never created, we extract e 1 from there and use it to break the Ring-LWE problem.
Game 15: Check (xii) is added to F , this ensures that honest TPMs are not being revoked. If an honest TPM is simulated by means of the Ring-LWE problem instance, if a proper key RL is found, it must be the secret key of the target instance. This is again equivalent to solving the Ring-LWE problem.
Game 16: We now let F perform all the additional checks F l DAA makes for link queries. The output of F based on these checks is still consistent with the output which the link algorithm would give: If there is a tsk that matches one signature but not the other, by soundness of π we have that the pseudonyms are not based on the same tsk, and thus must differ which results in link outputting 0. If there is a tsk that matches both signatures, by soundness of π we have that the pseudonyms are based on the same tsk and must be equal, resulting in link outputting 1. Now F is equal to F l DAA , concluding our proof sketch. □