[messaging] Encrypted Public Contact Discovery
justin.king-lacroix at cs.ox.ac.uk
Wed Aug 26 05:51:36 PDT 2015
On 26 August 2015 at 13:26, Mike Hearn <mike at plan99.net> wrote:
> TXT lets you do dynamic roots of trust as well. It's somewhat similar to
> SGX except that it relies on the TPM and doesn't have any kind of memory
> encryption. But the software / documentation / support is extremely poor;
> so far SGX is shaping up to have much better tooling and generally be TXT
> done right.
Yeah, that was the whole point of Flicker. (I actually used it in a side
project at one point.) The thing is, the performance of the DRTM operations
is *so* bad that actually trying to use the dynamism is basically
pointless. Bootloading (and kexec-like operations, which are basically
bootloading) is one of the few applications for which that performance
issue doesn't kill you.
>> I'd be interested to know if the group sig scheme is the same, or
>> substantially similar to, the one as used in Direct Anonymous Attestation.
> It's not the same. The presentation goes into the differences.
> The scheme is very clever. tl;dr summary:
> - Extension of BBS group signatures and Furukawa/Imai group signatures
> - Single public key, many private keys. There are no certificates
> involved, just a single group public key.
> - Private key issuance is blinded: Intel themselves do not know the
> private keys to the chips they manufacture.
> - Signatures are unique and don't reveal the private key used to sign,
> thus, anonymous.
> - Despite that, signers can provide a "proof I did not create this
> signature" and thus private keys can be anonymously revoked in the event
> that the hardware security is beaten and a key is extracted.
> - Relies on Strong DH assumption for security and Decisional DH
> assumption for anonymity.
Huh, very cool..