preisacm
/
masterthesis
1
0
Fork 0
Code Issues Releases Wiki Activity
Master Thesis as published at INS in 2022
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
28 Commits
1 Branch
0 Tags
200 MiB
 
 
Tree: 769d12369e
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '769d12369e'
${ noResults }
masterthesis/thesis/02_concept.tex

486 lines
32 KiB
Raw Blame History

\chapter{Concept}
\label{cha:concept}
The theoretical tool that should be formed to one whole system implementation in this thesis.
\section{Definition of the Biometric Sensor}
\label{definitions}
What part fulfills the BS and what needs to be done.
Record Sensor data, Network Discovery, send sensor data via trusted channel to PIA
\subsection{What has the BS to do?}
\label{sec:bs-usecase}
\begin{enumerate}
\item Listen for a Trigger to start the Authentication Process
\item Collect Sensor Data (Picture, Fingerprint) and calculate a biometric representation
\item Start Network Discovery and find the PIA of this person
\item Create a trusted and secure channel and transmit the attributes for verification
\item Restore the state of the system as it was before this transaction
\end{enumerate}
\section{Attack Vectors and Threat Model}
The Biometric Sensor will work in an exposed environment.
Neither the user providing biometric data nor the network environment should be trusted for proper function.
There should only be a connection to the Digidow network for transmitting the recorded data.
This assumption of autonomy provides independence to the probably diverse target environments and use cases.
In addition to autonomy, the Biometric Sensor should also ensure proper handling of received and generated data.
The recorded dataset from a sensor is \emph{sensitive data} due to its ability to identify an individual (Who?).
Due to its narrow definition, it is affordable to protect sensitive data.
Besides that, \emph{metadata} is information generated during the whole transaction phase.
Timestamps and host information are metadata as well as connection lists, hash sums and log entries and much more (What? Where? When?)
There exists no exact definition or list of metadata which makes it hard to prevent any exposure of it.
Metadata does not directly identify an individual.
However huge notwork providers are able to combine lots of metadata to traces of individuals.
Eventually an action of those traced individuals might unveil their identity.
Consequently, a central goal of Digidow is to minimize the amount to minimize the risk of traces.
Privacy defines the ability of individuals to keep information about themselves private from others.
In context to the Biometric Sensor, this is related to the recorded biometric data.
Furthermore, to prevent tracking. any interaction with a Sensor should not be matched to personal information.
Only the intended and trusted way of identification within the Digidow network should be possible.
\subsection{Threat Model}
\label{ssec:threatmodel}
To fulfill the Sensor's use case in an exposed environment, we need to consider the following attack vectors.
\begin{itemize}
\item \emph{Rogue Hardware Components}: Modified components of the Biometric Sensor could, depending on their contribution to the system, collect data or create a gateway to the internal processes of the system.
Although the produced hardware piece itself is fine, the firmware on it is acting in a malicious way.
This threat addresses the manufacturing and installation of the system.
\item \emph{Hardware Modification}: Similar to rogue hardware components, the system could be modified in the target environment by attaching additional hardware.
With this attack, adversaries may get direct access to memory or to data transferred from or to attached devices,
\item \emph{Metadata Extraction}: The actual sensor like camera or fingerprint sensor is usually attached via USB or similar cable connection.
It is possible to log the protocol of those attached devices via Man in the Middle attack on the USB cable.
\item \emph{Attribute Extraction}: The actual sensor like camera or fingerprint sensor is usually attached via USB or similar cable connection.
It is possible to log the protocol of those attached devices via wiretapping the USB cable.
With that attack, an adversary is able to directly access the attributes to identify individuals.
\item \emph{Modification or aggregation of sensitive data within Biometric Sensor}: The program which prepares the sernsor data for transmission could modify the data before sealing it.
The program can also just save the sensible data for other purposes.
\item \emph{Metadata extraction on Network}: During transmission of data from the sensor into the Digidow network, there will be some metadata generated.
An adversary could use this datasets to generate tracking logs and eventually match these logs to individuals.
\item \emph{Retransmission of sensor data of a rogue Biometric Sensor}: When retransmitting sensor data, the authentication of an individual could again be proven.
Any grants provided to this individual could then given to another person.
\item \emph{Rogue Biometric Sensor blocks transmission}: By blocking any transmission of sensor data, any transaction within the Digidow network could be blocked and therefore the whole authentication process is stopped.
\item \emph{Rogue Personal Identity Agent}: A rogue PIA might receive the sensor data instead of the honest one.
Due to this error, a wrong identity and therefore false claims would be made out of that.
\end{itemize}
Given this threat model and the use cases described in \autoref{sec:bs-usecase}, we will introduce an approach to minimize most of the attack vectors.
\begin{itemize}
\item DONE Definition of sensitive data / privacy / metadata
\item This version of BS is not owned by the user, there is no personal data in the System
\item Rogue Personal Identity Agent (PIA)
\item Metadata Extraction
\item Attribute extraction
\item Sensor Data Modification/manipulation
\item Wiretap between Sensor and System (USB or network)
\item Physical Manipulation of the BS-System
\item Network - Retransmission of sensor data of a rogue BS
\item Network - Blocking Data transmission of a rogue BS
\item Rogue BS Sensor Data aggregation
\item Rogue BS Sensor data modification before transmission
\end{itemize}
\section{Trust and Security}
\label{sec:trust}
Trust is an essential term in this thesis.
In the world of IT security, the term \emph{trusted computing} defines a secured environment where special or confidential computing jobs are dispatched.
This environment or product usually meets the following requirements
\begin{itemize}
\item \emph{Minimalization.} The number of features and hence the complexity must be as low as possible.
\item \emph{Sound definitions.} Every function should be well defined. There should be no margin for interpretation left. Security Engineers should be involved in the development.
\item \emph{Complete testing.} Testing for trusted computing includes a threat analysis and exhaustive testing if possible.
\end{itemize}
Since software and hardware testing is never complete, it is hard to find a good balance between feature set and testing completeness.
However trust in IT is not equal to security.
It defines a subset of IT security where this small well defined environment is embedded in a larger system which is usually untrusted.
Claiming a system \emph{secure} spans the constraints of trust over the complete system, which is not affordable for commodity computers these days.
However it is possible to use the trusted environment to get some guarantees on the untrusted parts of a system as well
In Chapter 3 we will show how trust will be extended in a commodity PC.
%TODO reference to TPM section how to extend trust into untrusted parts of PC
%TODO describe verifiable trust in addition to the previous definition (with example of the ATM?)
Differentiation between trust and security --- and the problem that not everyone is using that right.
\section{Systems of Trust}
\label{sec:trustsystems}
All trust systems are built on the standards of Trusted Computing Group.
\subsection{Secure Boot, TXT, \ldots}
\label{ssec:secureboot-txt}
Trusted Boot is not the same as Secure Boot. Explain the difference
\subsection{TPM1.2}
\label{ssec:tpm12}
Initial Version of the crypto-coprocessor, successfully spread into many systems, but hardly any integration in Trust/security Software
%TODO this is an attempt to describe TPM from the beginning.
\subsection{TPM2.0}
\label{ssec:tpm20}
The \emph{Trusted Platform Module} (TPM) is a small cryptocoprocessor that introduces a variety of new features to the platform.
This module is part of a standard developed by the Trusted Computing Group (TCG), which current revision is 2.0\cite{tcg20}.
The hardware itself is strongly defined by the standard and comes in the following flavors:
%TODO find source of that claim (TPM variants)
\begin{itemize}
\item \emph{Dedicated device.} The TPM chip is mounted on a small board with a connector.
The user can plug it into a compatible compute platform. This gives most control to the end user since it is easy to disable trusted computing or switch to another TPM.
\item \emph{Mounted device.} The dedicated chip is directly mounted on the target mainboard. Therefore any hardware modification is impossible.
However most PC platforms provide BIOS features to control the TPM.
\item \emph{Firmware TPM (fTPM).} This variant was introduced with the TPM2.0 Revision.
Firmware means in this context an extension of the CPU instruction set which provides the features of a TPM.
Both Intel and AMD provide this extension for their platforms for several years now.
When activating this feature on BIOS level, all features of Trusted Computing are available to the user.
\item \emph{TPM Simulator.} For testing reasons, it is possible to install a TPM simulator. It provides basically every feature of a TPM but cannot be used outside the operating system. Features like Trusted Boot or in hardware persisted keys are not available.
\end{itemize}
Even the dedicated devices are small microcontrollers that run the TPM features in software which gives the manufacturer the possibility to update their TPMs in the field.
FTPMs will be updated with the Microcode updates of the CPU manufacturers.
The combination of well constrained hardware and features, an interface for updates and well defined software interfaces make TPMs trustworthy and reliable.
Since TCG published the new standard in 2014 only six CVE-Entries handled vulnerabilities with TPMs\footnote{\url{https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=\%22Trusted+Platform+Module\%22}}.
Only two of them had impact on the implementation of a dedicated chip:
\begin{itemize}
\item \emph{CVE-2017-15361}
\end{itemize}
\subsubsection{Using the TPM}
\label{sssec:tpm-usage}
On top of the cryptographic hardware, the TCG provides several software interfaces for application developers:
\begin{itemize}
\item \emph{System API (SAPI).} The SAPI is a basic API where the developer has to handle the resources within the application. However this API provides the full set of features.
\item \emph{Enhanced System API (ESAPI).} While still providing a complete feature set, the ESAPI makes some resources transparent to the application like session handling. Consequently, this API layer is built on top of the SAPI.
\item \emph{Feature API (FAPI).} This API layer is again built on top of the ESAPI. It provides a simple to use API but the feature set is also reduced to common use cases.
Although the Interface was formally published from the beginning, an implementation is available since end of 2019.
\end{itemize}
The reference implementation of these APIs is published at Github\cite{tpmsoftware20} and is still under development.
At the point of writing stable interfaces are available for C and C++, but other languages like Rust, Java, C\# and others will be served in the future.
The repository additionally provides the tpm2-tools toolset which provides the FAPI features to the command line.
Unfortunately, the command line parameters changed several times during the major releases of tpm2-tools\cite{pornkitprasan19-tpmtools}.
\subsubsection{The Hardware}
\label{sssec:tpm-hardware}
The TCG achieved with the previous mentioned software layers independence of the underlying hardware.
Hence, TCG provided different flavors of of the TPM
TCG defined with the TPM2.0 standard a highly constrained hardware with a small feature set.
It is a passive device with some volatile and non-volatile memory, which provides hardware acceleration for a small number of crypto algorithms.
The standard allows to add some extra functionality to the device.
However the TPMs used in this project provided just the minimal set of algorithms and also the minimal amount of memory.
Since TCG published its documents, several IT security teams investigated concept and implementations of TPMs.
\begin{itemize}
\item security problems with some implementations
\end{itemize}
\begin{itemize}
\item Hierarchies
\item Endorsement Key
\item Attestation Identity Key
\item Key management
\end{itemize}
\begin{figure}
\centering
\includegraphics[width=0.7\textwidth]{../resources/tpmcert}
\caption[TPM Certification]{The manufacturer certifies every TPM it produces}
\label{fig:tboot-overview}
\end{figure}
\begin{figure}
\centering
\includegraphics[width=0.7\textwidth]{../resources/tpmattest}
\caption[DAA Attestation procedure]{The DAA attestation process requires 5 steps. The PIA may trust the Biometric Sensor afterwards.}
\label{fig:daa-attestation}
\end{figure}
\section{Trusted Boot}
A boot process of modern platforms consists of several steps until the Operating System taking over the platform.
During these early steps, the hardware components of the platform are initialized and some self tests are performed.
This is controlled by either the BIOS (for legacy platforms) or the UEFI firmware.
TCG introduced in 2004 their first standard for trusted computing.
As part in this standard, TCG defined a procedure, where every step in the early boot process is measured and saved in a \emph{Platform Configuration Register} (PCR).
The measuring part is a simple cryptographic extension function which works described in formula \ref{form:PCR-measurement}
\begin{equation}
\text{new\_PCR} = hash(\text{old\_PCR}\,||\,\text{data})
\label{form:PCR-measurement}
\end{equation}
The function of || represents a concatenation of two binary strings and the hash function is either SHA1 or SHA256.
In recent TPM-platforms, both hashing algorithms are performed by default in each measurement.
If there has to be measured more than one object in one PCR, the BIOS\,/\,UEFI has to perform the measurement in a deterministic way.
The function allows this feature since the current value of the PCR is also part of the hash for the value.
This feature is called \emph{hash chaining} and ensures with a deterministic measurement procedure, that the resulting values are always comparable as long as the measured components keep unchanged.
The procedure of measuring the boot process did not change over the years and is still vaild for the most recent TPM2.0 standard.
A TPM has at least 24 PCR registers in the PC platform.
Every PCR represents a different part of the platform.
When TCG introduced Trusted Boot in 2004, UEFI was not yet available for the ordinary PC platform.
Consequently, TCG standardized the roles of every PCR only for the BIOS platform.
Later, when UEFI became popular, the PCR descriptions got adopted for the new platform.
The most recent description of the registers, as defined in section 2.3.3 of the \emph{TCG PC Client Platform Firmware Profile}\cite{tcg-pc19}, is shown in table \ref{tab:PCR}.
\begin{table}[ht]
\centering
\begin{sffamily}
\caption{Usage of PCRs during an UEFI trusted boot process} \label{tab:PCR}
%\rowcolors{2}{lightgray}{white}
\begin{tabular}{rl}
\toprule
\multicolumn{1}{c}{\textit{PCR}} & \multicolumn{1}{p{5.8cm}}{\textit{Explanation}}\\
\midrule
0 & SRTM, BIOS, host platform extensions, embedded option ROMs and PI drivers \\
1 & Host platform configuration\\
2 & UEFI driver and application code \\
3 & UEFI driver and application configuration and data \\
4 & UEFI Boot Manager code and boot attempts \\
5 & Boot Manager code configuration and data and GPT\,/\,partition table\\
6 & Host platform manufacturer specific \\
7 & Secure Boot Policy \\
8-15 & Defined for use by the static OS \\
16 & Debug \\
17-23 & Application\\
\bottomrule
\end{tabular}
\end{sffamily}
\end{table}
The standard furthermore defines which part of the platform or firmware has to perform the measurement.
Since the TPM itself is a purely passive element in the platform, the BIOS\,/\,UEFI firmware itself has to initiate the measurement beginning by the binary representation of the firmware itself.
This procedure is well defined in the TCG standard and the platform user has to \emph{trust} the manufacturer, that it is performed as expected.
It is called the \emph{Static Root of Trust for Measurement} (SRTM) and is described in section 2.2 of the TCG PC Client Platform Firmware Profile\cite{tcg-pc19}.
The SRTM is a small immutable piece of the firmware which is executed by default after the platform was reset.
It is the first software that is executed on the platform and measures itself into PCR[0].
It furthermore must measure all platform initialization code like embedded drivers, host platform firmware, etc.\@ as they are provided as part of the PC motherboard.
If these measurements cannot be performed, the chain of trust is broken and consequently the platform cannot be trusted.
One may see a zeroed PCR[0] or a value representing a hashed string of zeros as a strong indicator of a broken chain of trust.
As the manufacturer of the motherboards do not publish their firmware code, one may have to reverse engineer the firmware to prove correct implementation of the SRTM.
This is the point where the platform user has to trust the manufacturer as well as the manufacturer of the TPM.
The PCR[1-7] are then written by the motherboard firmware itself.
As last step, the bootloader is measured into PCR[4] and PCR[5] and then executed.
Consequently, the bootloader and the OS are then responsible for continuing the chain of trust for this platform.
%TODO reference to GRUB and unified kernel in the practical part.
\section{Integrity Measurements}
As described in the previous section, when the boot process is eventually finished, the OS is then responsible for extending the chain of trust.
Given a valid trusted boot procedure, the binary representation of the kernel is already measured.
Therefore the Kernel itself has the responsibility to keep track of everything happening on the platform from the OS point of view.
Soon after the first TPM standard was published, the \emph{Integrity Measurement Architecture} (IMA) for the Linux Kernel was introduced.
Since Kernel 3.7 it is possible to use all IMA features, when the compiler options of the Kernel are set correspondingly.
IMA
Extend the Chain of Trust beyond the boot process.
The Kernel can measure many different types of Resources.
What is a useful set of measurements
\section{Verify Trust with DAA}
\subsection{Definitions}
For the definition of the algorithm, some notations and definitions are summarized in the following.
Greek letters denote a secret that is not known to the verifier whereas all other variable can be used to verify the desired properties.
The symbol $||$ is a concatenation of binary strings or binary representations of integers.
Given an integer $q$, $\mathbb{Z}_q$ denotes the ring of integers modulo $q$ and $\mathbb{Z}_q^*$ denotes the multiplicative group modulo $q$\cite{camenisch97}.
\subsection{Discrete Logarithm Problem}
Given a cyclic group $G = \langle g\rangle$ of order $n$, the discrete logarithm of $y\in G$ to the base $g$ is the smallest positive integer $x$ satisfying
\begin{math}
g^\alpha = y
\end{math}
if this $x$ exists.
For sufficiently large $n$ and properly chosen $G$ and $g$, it is infeasible to compute the reverse
\begin{math}
\alpha = \log_g{y}
\end{math}.
This problem is known as \emph{Discrete Logarithm Problem} and is the basis for the following cryptographic algorithms.
\subsection{Signatures of Knowledge}
Camenisch and Stadler\cite{camenisch97} describe an efficient scheme for proving knowledge of a secret without providing it.
They assume a collision resistant hash function $\mathcal{H}:\{0,1\}^*\rightarrow\{0,1\}^k$ for signature creation.
Furthermore, the algorithm is based on the Schnorr signature scheme\cite{schnorr91}.
For instance,
\begin{equation*}
SPK\{(\alpha):y=g^\alpha\}(m)
\end{equation*}
denotes a proof of knowledge of the secret $\alpha$, which is embedded in the signature of message $m$.
The one-way protocol consists of three procedures:
\begin{enumerate}
\item \emph{Setup.} Let $m$ be a message to be signed, $\alpha$ be a secret and $y:=g^\alpha$ be the corresponding public representation.
\item \emph{Sign.} Choose a random number $r$ and create the signature tuple $(c,s)$ as
\begin{equation*}
c:=\mathcal{H}(m\,||\,y\,||\,g\,||\,g^r) \quad\text{and}\quad s:=r-c\alpha \quad\text{(mod n) .}
\end{equation*}
\item \emph{Verify.} The verifier knows the values of $y$ and $g$, as they are usually public. The message $m$ comes with the signature values $c$ and $s$. She computes the value
\begin{equation*}
c':=\mathcal{H}(m\,||\,y\,||\,g\,||\,g^sy^c)\quad\text{and verifies, that}\quad c' = c\, .
\end{equation*}
The verification holds since
\begin{equation*}
g^sy^c = g^rg^{-c\alpha}g^{c\alpha} = g^r\, .
\end{equation*}
\end{enumerate}
Camenisch and Stadler\cite{camenisch97} state, that this scheme is extensible to proof knowledge of arbitrary number of secrets.
Furthermore, complex relations between secret and public values can be represented with that scheme.
\subsection{Bilinear Maps}
The Camenisch-Lysyanskaya (CL) Signature Scheme\cite{camenisch04} is used for the DAA-Protocol.
Furthermore, the CL-Scheme itself is based on Bilinear Maps.
Consider three groups $\mathbb{G}_1$, $\mathbb{G}_2$, with their corresponding base points $g_1$, $g_2$, and $\mathbb{G}_T$.
Let $e:\mathbb{G}_1 \times \mathbb{G}_2 \rightarrow \mathbb{G}_T$ that satisfies three properties\cite{camenisch04,camenisch16}:
\begin{itemize}
\item \emph{Bilinearity.} For all $P\in\mathbb{G}_1, Q\in\mathbb{G}_2$, for all $a,b \in\mathbb{Z}: e(P^a,Q^b) = e(P,Q)^{ab}$.
\item \emph{Non-degeneracy.} For all generators $g1\in\mathbb{G}_1, g2\in\mathbb{G}_2: e(g_1,g_2)$ generates $\mathbb{G}_T$.
\item \emph{Efficiency.} There exists an efficient algorithm that outputs the bilinear group\\
$(q, \mathbb{G}_1,\mathbb{G}_2,\mathbb{G}_T, e, g_1, g_2)$ and an efficient algorithm for computing $e$.
\end{itemize}
\subsection{Camenisch-Lysyanskaya Signature Scheme}
The Camenisch-Lysyanskaya (CL) Signature Scheme…\cite{camenisch04} allows efficient proofs for signature posession and is the basis for the DAA scheme discussed in section XY. %TODO reference to DAA section
It is based on a bilinear group $(q, \mathbb{G}_1,\mathbb{G}_2,\mathbb{G}_T, e, g_1, g_2)$ that is available to all steps in the protocol.
\begin{itemize}
\item \emph{Setup.} Choose $x\leftarrow\mathbb{Z}_q$ and $y\leftarrow\mathbb{Z}_q$ at random. Set the secret key $sk \leftarrow (x,y)$ and the public key $pk \leftarrow (g_2^x, g_2^y)=(X,Y)$
\item \emph{Sign.} Given a message $m$, and the secret key $sk$, choose $a$ at random and output the signature $\sigma\leftarrow(a, a^y, a^{x+xym}) = (a,b,c)$
\item \emph{Verify.} Given message $m$, signature $\sigma$ and public key $pk$, verify, that $a \neq 1_{\mathbb{G}_1}$, $e(a,Y) = e(b,g_2)$ and $e(a,X)\cdot e(b,X)^m = e(c,g_2)$
\end{itemize}
Camenisch et al.\@ stated in section 4.2 of their paper\cite{camenisch16} that one has to verify the equation against $e(g_1,b)$ and $e(g_1,c)$ which is proven wrong here.
\subsection{DAA History}
Direct Anonymous Attestation (DAA) is a cryptographic protocol, which aims to provide evidence that a device is a honest member of a group without providing any identification information.
Brickell, Camenisch and Chen\cite{BriCamChe04} introduce DAA and implement the protocol for the TPM 1.2 standard.
However it supports only RSA and has limitations in verifying attestation signatures.
Hence, DAA is not used with the TPM 1.2 standard.
Since the DAA protocol is quite complex, it is difficult to provide a sound security model for DAA and formally proof the security properties of it.
Chen, Morissey and Smart\cite{chen09} add linkability to the protocol.
Their approach for a formal proof is not correct, since a trivial key can be used for pass verification\cite{camenisch16}
%TODO Chronic of DAA until Camenisch16, Discussion about broken Proofs in previous papers.
Camenisch, Drijvers and Lehmann\cite{camenisch16} developed a DAA scheme for the new TPM 2.0 standard.
It supports linkability and the proofs for security and correctness still hold.
Furthermore, RSA and ECC cryptography is supported which makes it practicable for a wider variety of use cases.
However, Camenisch et.\,al.\cite{camenisch17} proposed a fix in the TPM 2.0 API to guarantee all requirements necessary for DAA.
Xaptum implemented this DAA-variant including the fixes in the TPM API.
The implementation will be discussed in Chapter 4.%TODO Reference to Xaptum discussion
Analyzing the security and integrity of this scheme would exceed the scope of this thesis.
Hence this thesis describes the DAA protocol and assumes the correctness and integrity.
\subsection{DAA Protocol}
\label{ssec:daa-protocol}
DAA is a group signature protocol, which aims to reveal no additional information about the signing host.
According to Camenisch et al.\cite{camenisch16} the DAA protocol consists of three parties.
\begin{itemize}
\item \emph{Issuer} \issuer. The issuer maintains a group and has evidence of hosts that are members in this group.
\item \emph{Host} \host. The Host creates a platform with the corresponding TPM \tpm\. Membership of groups are maintained by the TPM.
\item \emph{Verifier} \verifier. A verifier can check whether a Host with its TPM is in a group or not. Besides the group membership, no additional information is provided.
\end{itemize}
A certificate authority $\mathcal{F}_{ca}$ is providing a certificate for the issuer itself.
\texttt{bsn} and \texttt{nym} %TODO
Session ids $sid$ is already available with communication session on the network or on the link between host and TPM. %TODO check that
$\mathcal{L}$ is the list of registered group members which is maintained by \issuer. %TODO
%TODO describe \tau
\begin{itemize}
\item \emph{Setup.} During Setup \issuer is generating the issuer secret key $isk$ and the corresponding issuer public key $ipk$. The public key is published and assumed to be known to everyone.
\begin{enumerate}
\item On input \textsf{SETUP} \issuer
\begin{itemize}
\item generates $x,y \leftarrow \mathbb{Z}_q$ and sets $isk=(x.y)$ and $ipk\leftarrow(g_2^x,g_2^y) = (X,Y)$. Initialize $\mathcal{L} \leftarrow \emptyset$,
\item generates a prove $\pi \sassign SPK\{(x,y):X=g_2^x\wedge Y=g_2^y\}$ that the key pair is well formed,
\item registers the public key $(X,y,\pi)$ at $\mathcal{F}_{ca}$ and stores the secret key,
\item outputs \textsf{SETUPDONE}
\end{itemize}
\end{enumerate}
\item \emph{Join.} When a platform, consisting of host \host[j] and TPM \tpm[i], wants to become a member of the issuer's group, it joins the group by authenticating to the issuer \issuer.
\begin{enumerate}
\item On input \textsf{JOIN}, host \host[j] sends the message \textsf{JOIN} to \issuer.
\item \issuer\ upon receiving \textsf{JOIN} from \host[j], chooses a fresh nonce $n\leftarrow\{0,1\}^\tau$ and sends it back to \host[j].
\item \host[j] upon receiving $n$ from \issuer, forwards $n$ to \tpm[i]
\item \tpm[i] generates the secret key:
\begin{itemize}
\item Check, that no completed key record exists. Otherwise, it is already a member of that group.
\item Choose $gsk\sassign\mathbb{Z}_q$ and store the key as $(gsk, \bot)$.
\item Set $Q \leftarrow g_1^{gsk}$ and compute $\pi_1 \sassign SPK\{(gsk):Q=g_1^{gsk}\}(n)$.
\item Return $(Q,\pi_1)$ to \host[j].
\end{itemize}
\item \host[j] forwards \textsf{JOINPROCEED}$(Q, \pi_1)$ to \issuer.
\item \issuer\ upon input \textsf{JOINPROCEED}$(Q, \pi_1)$ creates the CL-credential:
\begin{itemize}
\item Verify that $\pi_1$ is correct.
\item Add \tpm[i] to $\mathcal{L}$. %TODO what is the representative of the TPM?
\item Choose $r\sassign\mathbb{Z}_q$ and compute $a\leftarrow g_1^r$, $b\leftarrow a^y$, $c\leftarrow a^x\cdot Q^{rxy}$, $d\leftarrow Q^{ry}$.
\item Create the prove $\pi_2\sassign SPK\{(t):b=g_1^t\wedge d=Q^t\}$.
\item Send \textsf{APPEND}$(a,b,c,d,\pi_2)$ to \host[j]
\end{itemize}
\item \host[j] upon receiving \textsf{APPEND}$(a,b,c,d,\pi_2)$
\begin{itemize}
\item verifies, that $a\neq 1$, $e(a,Y)=e(b,g_2)$ and $e(c,g_2) = e(a\cdot d, X)$.
\item forwards $(b,d,\pi_2)$ to \tpm[i].
\end{itemize}
\item \tpm[i] receives $(b,d,\pi_2)$ and verifies $\pi_2$. The join is completed after the record is extended to $(gsk, (b,d))$. \tpm[i] returns \textsf{JOINED} to \host[j].
\item \host[j] stores $(a,b,c,d)$ and outputs \textsf{JOINED}.
\end{enumerate}
\item \emph{Sign.}
After joining the group, a host \host[j] and TPM \tpm[i] can sign a message $m$ with respect to basename \texttt{bsn}.
\begin{enumerate}
\item \host[j] upon input \textsf{SIGN}$(m,\bsn)$ re-randomizes the CL-credential:
\begin{itemize}
\item Retrieve the join record $(a,b,c,d)$ and choose $r\sassign\mathbb{Z}_q$. Set $(a',b',c',d') \leftarrow (a^r,b^r,c^r,d^r)$.
\item Send $(m, \bsn, r)$ to \tpm[i] and store $(a',b',c',d')$.
\end{itemize}
\item \tpm[i] upon receiving $(m, \bsn, r)$
\begin{itemize}
\item checks, that a complete join record $(gsk, (b,d))$ exists, and
\item stores $(m, \bsn, r)$.
\end{itemize}
\item \tpm[i] completes the signature after it gets permission to do so. %TODO Why?
\begin{itemize}
\item Retrieve group record $(gsk, (b,d))$ and message record $(m, \bsn, r)$.
\item Compute $b'\leftarrow b^r, d'\leftarrow d^r$.
\item If $\bsn = \bot$ set $\nym\leftarrow\bot$ and compute \\$\pi \sassign SPK\{(gsk):d'=b'^{gsk}\}(m, \bsn)$
\item If $\bsn \neq \bot$ set $\nym\leftarrow H_1(\bsn)^{gsk}$ and compute $\pi \sassign SPK\{(gsk):\nym=H_1(\bsn)^{gsk}\wedge d'=b'^{gsk}\}(m, \bsn)$.
\item Send $(\pi,\nym)$ to \host[j].
\end{itemize}
\item \host[j] assembles the signature $\sigma \leftarrow (a', b', c', d', \pi, \nym)$ and outputs \textsf{SIGNATURE}$(\sigma)$
\end{enumerate}
\item \emph{Verify.}
Given a signed message, everyone can check whether the signature with respect to \bsn\ is valid and the signer is member of this group.
Furthermore a revocation list \RL\ holds the private keys of corrupted TPMs, whose signatures are no longer accepted.
\begin{enumerate}
\item \verifier\ upon input \textsf{VERIFY}$(m, \bsn, \sigma)$
\begin{itemize}
\item parses $\sigma\leftarrow(a,b,c,d,\pi,\nym)$,
\item verifies $\pi$ with respect to $(m,\bsn)$ and \nym if $\bsn\neq\bot$.
\item checks, that $a\neq 1$, $b\neq 1$ $e(a,Y)=e(b, g_2)$ and $e(c,g_2)=e(a\cdot d,X)$,
\item checks, that for every $gsk_i \in \RL: b^{gsk_i} \neq d$,
\item sets $f\leftarrow 1$ if all test pass, otherwise $f\leftarrow 0$, and
\item outputs \textsf{VERIFIED}$(f)$.
\end{itemize}
\end{enumerate}
\item \emph{Link.}
After proving validity of the signature, the verifier can test, whether two different messages with the same basename $\bsn \neq\bot$ are generated from the same TPM.
\begin{enumerate}
\item \verifier\ on input \textsf{LINK}$(\sigma, m, \sigma', m', bsn)$ verifies the signatures and compares the pseudonyms contained in $\sigma, \sigma'$:
\begin{itemize}
\item Check, that $\bsn\neq\bot$ and that both signatures $\sigma, \sigma'$ are valid.
\item Parse the signatures $\sigma\leftarrow(a,b,c,d,\pi,\nym)$, $\sigma'\leftarrow(a',b',c',d',\pi',\nym')$
\item If $\nym = \nym'$, set $f\leftarrow 1$, otherwise $f\leftarrow 0$.
\item Output \textsf{LINK}$(f)$
\end{itemize}
\end{enumerate}
\end{itemize}
%TODO: Discussion: sid removed, RL only works with private keys, etc.