Direct Anonymous Attestation - a Signature Scheme Designed for TCG

Liqun Chen
HP Labs, Bristol

This talk will give an introduction to a signature scheme called DAA (direct anonymous attestation), which addresses both security and privacy issues. A DAA signature convinces a verifier that the corresponding message was signed by a qualified signer, without revealing the identity of the signer. Compared with some existing signature schemes, such as group signatures and ring signatures, this scheme provides a variety of balances between security and privacy. Users are allowed to choose whether or not a particular verifier is able to link different signatures made by the same signer for that verifier. The scheme has a security proof in the random oracle model based on the strong RSA assumption and the decision Diffie-Hellman assumption.

The scheme was designed for the Trusted Computing Group (TCG), formerly known as the Trusted Computing Platform Alliance (TCPA). Each TCG platform has a Trusted Platform Module (TPM). The TPM is a tamper-resistant piece of hardware. The scheme offers assurance to an external partner that an attestation came from a genuine TPM without identifying the TPM. The scheme has been used in TCG TPM specification version 1.2. This is available at

The content of the talk is joint work with Ernie Brickell and Jan Camenisch.