[messaging] Encrypted Public Contact Discovery

Mike Hearn mike at plan99.net
Wed Aug 26 05:26:53 PDT 2015

TXT lets you do dynamic roots of trust as well. It's somewhat similar to
SGX except that it relies on the TPM and doesn't have any kind of memory
encryption. But the software / documentation / support is extremely poor;
so far SGX is shaping up to have much better tooling and generally be TXT
done right.

> I'd be interested to know if the group sig scheme is the same, or
> substantially similar to, the one as used in Direct Anonymous Attestation.

It's not the same. The presentation goes into the differences.

The scheme is very clever. tl;dr summary:

   - Extension of BBS group signatures and Furukawa/Imai group signatures
   - Single public key, many private keys. There are no certificates
   involved, just a single group public key.
   - Private key issuance is blinded: Intel themselves do not know the
   private keys to the chips they manufacture.
   - Signatures are unique and don't reveal the private key used to sign,
   thus, anonymous.
   - Despite that, signers can provide a "proof I did not create this
   signature" and thus private keys can be anonymously revoked in the event
   that the hardware security is beaten and a key is extracted.
   - Relies on Strong DH assumption for security and Decisional DH
   assumption for anonymity.