International Association for Cryptologic Research


IACR News item: 22 January 2014

Li Xi
ePrint Report
In TPM2.0, a single signature primitive is proposed to support various signature schemes, including Direct Anonymous Attestation (DAA), U-Prove and Schnorr signatures. This signature primitive is implemented by several APIs. In this paper, we show that these DAA-related APIs can be used as a static Diffie-Hellman oracle, so the security strength of these signature schemes is weakened by 14 bits. We propose a novel property of DAA called forward anonymity and show how to use these DAA-related APIs to break forward anonymity. We then propose new APIs which not only remove the static Diffie-Hellman oracle but also support forward anonymity, thus significantly improving the security of DAA and of the other signature schemes supported by TPM2.0. We prove the security of our new APIs under the discrete logarithm assumption in the random oracle model. We prove that DAA satisfies forward anonymity with the new APIs under the Decisional Diffie-Hellman assumption. Our new APIs are almost as efficient as the original APIs in the TPM2.0 specification and support LRSW-DAA and SDH-DAA together with U-Prove, as the original APIs do.
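The static Diffie-Hellman oracle the abstract refers to, shown in added example code that is not from the paper or from the TPM 2.0 specification. It models a signer with a simplified TPM2_Commit / TPM2_Sign-style interface over a toy prime-order group; the model assumes the caller chooses the commitment base P1 and supplies the Schnorr challenge c directly, and it omits the hash-derived point and the K, L outputs of the real TPM2_Commit. The `Device`, `static_dh_oracle` and group parameters are all constructed for this illustration. With one commit/sign pair an attacker obtains x^d for any x of their choosing, without ever learning d.

```python
import secrets

# Toy group: the prime-order-Q subgroup of Z_P^* with P = 2Q + 1 a safe prime.
# Constructed for illustration only; TPM 2.0 DAA works over a pairing-friendly
# elliptic curve, but the algebra of the oracle is the same.
P = 1019
Q = 509
G = 4  # a quadratic residue mod P, hence a generator of the order-Q subgroup


class Device:
    """Hypothetical signer with a TPM2_Commit / TPM2_Sign-like interface.

    commit(P1): caller picks the base P1; the device returns E = P1^r for a
                fresh nonce r that it keeps internally under a counter.
    sign(ctr, c): device returns the Schnorr response s = r + c*d mod Q for
                  the caller's challenge c, consuming the nonce.
    Simplified model, not the TPM 2.0 API (assumption): the hash-derived
    point and the K, L outputs of TPM2_Commit are omitted, and c is taken
    straight from the caller instead of being derived from a digest.
    """

    def __init__(self, d):
        self._d = d % Q                    # long-term private key
        self.public_key = pow(G, self._d, P)
        self._nonces = {}
        self._counter = 0

    def commit(self, p1):
        # Accept any element of the order-Q subgroup other than the identity.
        if p1 == 1 or pow(p1, Q, P) != 1:
            raise ValueError("P1 must be a non-identity element of the order-Q subgroup")
        r = secrets.randbelow(Q - 1) + 1
        ctr = self._counter
        self._counter += 1
        self._nonces[ctr] = r
        return ctr, pow(p1, r, P)          # E = P1^r

    def sign(self, ctr, c):
        r = self._nonces.pop(ctr)          # each nonce is used exactly once
        return (r + c * self._d) % Q


def static_dh_oracle(device, x):
    """Return x^d for attacker-chosen x, using only commit() and sign().

    x^s / E = x^(r + c*d) / x^r = x^(c*d); raising to c^-1 mod Q strips the
    challenge and leaves x^d. The device never reveals d, but answers the
    static DH problem for its own key on every query.
    """
    ctr, e = device.commit(x)              # E = x^r
    c = secrets.randbelow(Q - 1) + 1       # any invertible challenge works
    s = device.sign(ctr, c)                # s = r + c*d mod Q
    x_cd = pow(x, s, P) * pow(e, -1, P) % P
    return pow(x_cd, pow(c, -1, Q), P)


if __name__ == "__main__":
    dev = Device(d=secrets.randbelow(Q - 1) + 1)
    # Querying the oracle on the generator recovers the public key; on any other
    # subgroup element it yields x^d, which an honest verifier cannot compute.
    assert static_dh_oracle(dev, G) == dev.public_key
    x = pow(G, secrets.randbelow(Q - 1) + 1, P)
    print("x^d from oracle:", static_dh_oracle(dev, x))
```

The oracle itself does not leak d directly; its significance is that algorithms for the static Diffie-Hellman problem recover d faster than generic discrete-logarithm algorithms once such an oracle is available, which is the loss the abstract quantifies as 14 bits for the TPM2.0 setting.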


Additional news items may be found on the IACR news page.