Direct Anonymous Attestation (DAA) is a digital signature algorithm that supports anonymity by providing a group public verification key associated with many unique private signing keys. Intel® EPID enhances DAA by enabling a private key to be revoked given a signature created by that key, even if the key itself is still unknown.
In elliptic curve cryptography, an elliptic curve is an algebraic structure used to create a function whose output is easy to compute, but whose input is difficult to compute given the output. Elliptic curve cryptography requires smaller keys compared to non-elliptic curve cryptography (based on Galois fields) to provide equivalent security.
An elliptic curve point is a point along an elliptic curve. The security of elliptic curve cryptography depends on the ability to compute a point multiplication and the inability to compute the multiplicand given the original and product points.
An Intel® EPID group represents a set of trusted entities called members.
Issuers create groups and manage group membership. For each group, the issuer creates a group public key simultaneously with the corresponding issuing private key. The issuer uses the issuing private key to create unique member private keys for each group member, and makes the group public key available to verifiers.
All groups have the following:
If a signature based revocation list or private key based revocation list does not exist, it is assumed to be empty.
The group certificate contains the group public key. The group certificate is created by the issuer and obtained by the verifier. When the issuer creates groups, it generates one issuing private key and one group certificate for each group.
The group public key is the key used by the verifier to confirm that a member belongs to a group in good standing. Each member private key in a group is associated with the group's public key.
When a group is created, the group public key and the issuing private key are simultaneously generated by the issuer. The verifier obtains the group public key from the issuer.
Enhanced Privacy ID (Intel® EPID) is a cryptographic protocol for attestation of a trusted platform while preserving the user's privacy. Intel® EPID can be used as a foundational building block for a multitude of security solutions.
An Intel® EPID signature is a type of digital signature that preserves anonymity of the signer, while still proving the signer is a member of a trusted group.
The issuer is the entity in the Intel® EPID scheme that is responsible for managing group membership. An example of an issuer is the Intel Key Generation Facility.
The issuer manages groups by doing the following:
The issuing private key is the key used by the issuer to generate unique private keys for each member of a given group. For every group public key, there is a corresponding issuing private key. The issuing private key remains with the issuer and is kept private.
The member is the entity that attempts to prove its group membership to the verifier. Members are authorized by the issuer as part of a group and each group member has a unique Intel® EPID private key. The member uses its member private key to sign a message to prove group membership without revealing its identity. An example of a member is a PC with an embedded Intel® EPID member private key.
A name-based signature is a type of signature that gives the verifier the ability to link Intel® EPID signatures from the same member, reducing the member's privacy.
A name-based signature is created using the additional parameter of a basename. If a basename is not specified, a random number is chosen as the basename. If the member uses the same basename, the verifier can mathematically link signatures generated by the member, showing that the signatures are from the same member.
The member private key is the key used by the member to digitally sign a message when attempting to prove to the verifier that the member belongs to the group and is in good standing.
Unique member private keys are generated by the issuer for each member of a given group. The same group public key corresponds to each member private key in the group.
A non-revoked proof is part of an Intel® EPID signature that proves that the member is not a specific revoked entity in the signature based revocation list. The member provides the signature with a number of non-revoked proofs, one per revocation list entry, to prove to the verifier that the member does not correspond to any entry in the revocation list.
Pairing is a mathematical operation that maps two elliptic curve groups to a third multiplicative group.
Revocation lists are data structures used by the verifier to identify members that are no longer approved members of the group.
The verifier obtains the member private key based revocation list (PrivRL), signature based revocation list (SigRL), and group based revocation list (GroupRL) from the issuer. The verifier can also maintain its own verifier blacklist (VerifierRL).
The verifier is the entity that checks an Intel® EPID signature to establish whether it was signed by an entity or device that is a member in good standing.
The verifier acts on behalf of a party that needs to know it is communicating with a trusted device. Verifiers obtain group certificates and revocation lists from issuers and negotiate details of signature protocol with members.