[messaging] Encrypted Pulic Contact Discovery

[Justin King-Lacroix]

On 26 August 2015 at 13:26, Mike Hearn <mike at plan99.net> wrote:

> TXT lets you do dynamic roots of trust as well. It's somewhat similar to
> SGX except that it relies on the TPM and doesn't have any kind of memory
> encryption. But the software / documentation / support is extremely poor;
> so far SGX is shaping up to have much better tooling and generally be TXT
> done right.
>

Yeah, that was the whole point of Flicker. (I actually used it in a side
project at one point.) The thing is, the performance of the DRTM operations
is *so* bad that actually trying to use the dynamism is basically
pointless. Bootloading (and kexec-like operations, which are basically
bootloading) is one of the few applications for which that performance
issue doesn't kill you.


>
>> I'd be interested to know if the group sig scheme is the same, or
>> substantially similar to the, one as used in Direct Anonymous Attestation.
>>
>
> It's not the same. The presentation goes into the differences.
>
> The scheme is very clever. tl;dr summary:
>
>    - Extension of BBS group signatures and Furukawa/Imai group signatures
>    - Single public key, many private keys. There are no certificates
>    involved, just a single group public key.
>    - Private key issuance is blinded: Intel themselves do not know the
>    private keys to the chips they manufacture.
>    - Signatures are unique and don't reveal the private key used to sign,
>    thus, anonymous.
>    - Despite that, signers can provide a "proof I did not create this
>    signature" and thus private keys can be anonymously revoked in the event
>    that the hardware security is beaten and a key is extracted.
>    - Relies on Strong DH assumption for security and Decisional DH
>    assumption for anonymity.
>
>
Huh, very cool..
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20150826/5acad76a/attachment.html>