Property-Based Anonymous Attestation in Trusted Cloud Computing

In the remote attestation on the Trusted Computer (TC) computing mode TCCP, the trusted computer TC has an excessive burden, and the anonymity and platform configuration information security of computing nodes cannot be guaranteed. To overcome these defects, based on the research on and analysis of current schemes, we propose an anonymous proof protocol based on property certificate. The platform configuration information is converted by the matrix algorithm into the property certificate, and the remote attestation is implemented by a trusted ring signature scheme based on the Strong RSA Assumption. By the trusted ring signature scheme based on property certificate, we achieve the anonymity of computing nodes and prevent the leakage of platform configuration information. By simulation, we obtain the computational efficiency of the scheme. We also expand the protocol and obtain the anonymous attestation based on ECC. By scenario comparison, we obtain the trusted ring signature scheme based on RSA, which has advantages with the growth of the ring numbers.


Introduction
With the development of information technology, cloud computing has become the important trend of the third revolution in information technology, after the personal computer and the Internet, and the focus of industry and science [1]. Many cloud providers offer services at various layers of cloud computing. Whether providers offer services of basic computational infrastructure and allow their customers to develop their own applications and effectively control their own computations and data, PaaS providers allow their customers to develop cloud applications of their own, or SaaS providers allow their customers to create their own documents using the applications and to give up control of their computations and data, the trustworthiness attestation of platforms becomes an important problem to be resolved in cloud computing [2].
A security scheme was proposed in [3,4] based on research into the potential security problems existing in current IaaS. In this scheme, hardware, network connection, platform virtualization, software for cloud computing, utility computing, and service level agreement are enhanced in the IaaS.
Trusted computing was first introduced into IaaS, and a concept called Trusted Cloud Computing Platform (TCCP) was proposed, in [5,6]. All virtual computing nodes are guaranteed to be trusted by configuration-based remote attestation. However, since the configuration of the latest restart of the platform is static, dynamic attacks such as buffer overflow and DMA attacks cannot be handled. Moreover, since the signature is carried out by the Endorsement Key of the TPM, privacy may leak because the usage of the Endorsement Key can be tracked.
A remote attestation for virtual computing nodes was proposed in [7,8]. Events such as changing, updating, and patching the configuration of the virtual platform are updated in the attestation by the TPM. However, this scheme is actually a static remote attestation based on configuration, and it cannot attest the running states of a virtual computing node.
The authors in [7,8] support remote attestation for virtual machines; the virtual TPM is improved to update the attestation on events such as changing, updating, and patching the configuration of the virtual platform. However, it is actually a static remote attestation based on configuration, and it cannot attest the running states of the virtual platform. Additionally, this scheme only deals with a software-based trust root and lacks both the trusted guarantee provided by the TPM and attestation of the physical platform on which the virtual machines are running.
The goal of trusted computing is to improve the security and trustworthiness of computing platforms [9][10][11][12], and the well-known group, TCG, has published many specifications, such as the Trusted Platform Module (TPM) [13,14] and the library Trusted Software Stack (TSS) [15].
Remote attestation is one of the core technologies of trusted computing. In the TCG1.1 specification, the attestation is designed with challenge information in plain text [16,17]. In the process of remote attestation, one platform sends challenge information and a random number to obtain one or more PCR values in order to validate the platform state. Each TPM has only one Endorsement Key (EK), issued by the TPM manufacturer, to identify the Trusted Platform. For security and privacy, the EK does not directly support encryption or remote attestation. Instead, remote attestation uses the signature key AIK, generated by the EK and registered by the PCA: the attestor signs the PCR with the AIK and sends the signature, the corresponding stored measurement log SML, and the AIK certificate to the challenger. Then, the challenger verifies the proof to guarantee the trust and security of the platform.
However, the proof protocol has some evident shortcomings. First, the protocol uses PCR to achieve the proof, which exposes the local platform configuration information (including hardware and software). Second, the proof protocol cannot guarantee the anonymity of the attestor.
In recent years, Direct Anonymous Attestation (DAA) [18,19] has been proposed as the protocol of remote attestation between platforms. The protocol has become part of the TCG1.2 specification. The DAA protocol is based on three entities, that is, the TPM platform, the DAA signatory, and DAA verifiers. The DAA protocol consists of two steps. First, the signatory validates the TPM platform and generates the DAA certificate for the TPM platform. Second, the TPM platform interacts with verifiers using the DAA certificate. By zero-knowledge proof, verifiers verify the DAA certificate without violating the platform's privacy. However, since the DAA protocol uses zero-knowledge proofs many times, which induces very large computational complexity, it is difficult for the DAA protocol to be a viable protocol.
A property-based attestation for computing platforms was introduced in [20]. A trusted third party converts the platform configuration information into property certificates, which avoids the leakage of platform information. Based on [20], the paper in [21] proposed a protocol for property-based attestation. Property certificates corresponding to the platform configuration information are issued and managed by a trusted third-party CA; the protocol achieves anonymous proof by a series of complex interactions. However, the many zero-knowledge proofs may induce a high complexity. Moreover, the trusted third party must know all of the platform status information, which actually transfers part of the work of the verifiers to the trusted third party and increases the burden on the CA.
The paper [19] proposed an anonymous protocol of remote attestation based on property certificates. Because many interactions are involved, the computational complexity is very large.
Remote attestation based on the TCCP has many defects. First, every proof involves the operation of TC, which aggravates the burden of TC. Second, the remote attestation cannot guarantee the anonymity of the platform. To overcome these defects, we introduce a protocol based on trusted ring signature. In the protocol, both the public and the private signature keys are replaced with the TPM signature key, so that the security of remote attestation is guaranteed by the TPM. The proof does not directly require TC, and TC only provides a series of TPM signature public keys, which reduces the burden on TC. Trusted ring signature can guarantee unconditional anonymity of the signing party and protect the privacy of the platform.

Protocol Description
In this paper, the process of remote attestation consists of two steps. First, TC converts the platform configuration information PCR of computing nodes into a property certificate. Second, computing nodes provide the property certificate to the verifier by remote attestation. Figure 1 shows the interactions of the protocol.

Property Certificate Issue. The Trusted Computer (TC) is responsible for the issue of the property certificates of the corresponding computing nodes. TC has all of the property certificates of the platform, denoted as  = { 1 , . . .,   }. Let {PCR 1 , . . ., PCR  } denote all of the platform configuration information PCRs. We define the set  = { 1 , . . .,   } as follows.
If the remote attestation of PCR  is verified as in [3,4], then   = 1. Otherwise,   = 0. The map between property certificates and corresponding platform configuration information is defined as follows: where   is 0 or 1 and   = ⋂   =1   . If   = ⋂   =1   , then TC issues a property certificate   , which identifies a platform that has the property   . Otherwise, TC issues the property certificate which indicates that the platform does not have the property   . For example, if the computing node  involves the property certificate   , then computing node  requires a series of remote attestations of {PCR  |   = 1}. Then, TC issues property certificate   in accordance with the above-described method and sends property certificate   to TPM  securely.
We simplify the process as follows.
(1) TPM N checks the current PCR to determine whether it needs to start the process of generating the property certificates. If the current PCR is not equal to the PCR used by TC to generate the latest property certificate, TPM N starts the process of generating the property certificates.
(2) TC sends the challenge   PCRs to N.
(3) TPM N sends the result of the remote signature Sig{PCR,   }  , PCR, SML to TC.
(4) TC uses PCR to generate the property certificates.
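The four issuance steps above, as an added Python sketch that is not code from the paper: TC checks that the node's quote is bound to its fresh challenge, marks each PCR as verified or not, and grants a property only when every PCR selected by that property's matrix row verified. The PCR labels, property names, matrix contents and the HMAC standing in for the TPM signature are assumptions made for the demo.

```python
import hashlib, hmac, secrets

def digest(label):
    return hashlib.sha256(label.encode()).hexdigest()

# Constructed reference PCR values that TC accepts (list index = PCR number).
REFERENCE = [digest(x) for x in
             ("bios-v1", "bootloader-v3", "kernel-5.10", "hypervisor-4.2")]

# Constructed 0/1 property matrix: one row per property, one column per PCR.
PROPERTY_MATRIX = {
    "secure-boot":    [1, 1, 0, 0],
    "trusted-kernel": [1, 1, 1, 0],
    "isolated-vms":   [0, 0, 1, 1],
}

NODE_KEY = b"constructed-demo-key"  # assumption: HMAC stands in for the TPM signature

def needs_reissue(current_pcrs, certified_pcrs):
    """Step 1: the node restarts issuance only when its PCRs have changed."""
    return current_pcrs != certified_pcrs

def new_challenge():
    """Step 2: TC picks a fresh nonce for this run."""
    return secrets.token_bytes(16)

def quote(pcrs, nonce, key=NODE_KEY):
    """Step 3: the node binds its PCR values to TC's nonce."""
    return hmac.new(key, nonce + "".join(pcrs).encode(), hashlib.sha256).digest()

def issue_certificates(pcrs, nonce, signature, key=NODE_KEY):
    """Step 4: TC checks the quote, then maps PCR results to properties."""
    if not hmac.compare_digest(signature, quote(pcrs, nonce, key)):
        raise ValueError("quote is not bound to this challenge")
    verified = [int(p == ref) for p, ref in zip(pcrs, REFERENCE)]
    # A property holds only if every PCR selected by its row verified.
    return {prop: all(verified[j] for j, sel in enumerate(row) if sel)
            for prop, row in PROPERTY_MATRIX.items()}
```

The returned dictionary carries only property bits, so a verifier that later sees a certificate learns which properties hold and nothing about the underlying PCR values.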

Anonymous Attestation Based on RSA
3.1. Attestation Execution. Before attestation, TPM generates a signature key (, );  is stored by TPM and  is registered by TC, so that TC stores all of the signature public keys of computing nodes in cloud computing. In the remote attestation, TC supports signature public keys required in the trusted ring signature. Let  : {0, 1} * → {0, 1}  be secure hash function. The process of remote attestation is as follows.
Let A be user and let B be cloud computing node; B provides remote attestation for A, and A verifies the attestation.
(5) A verifies the signature as follows:
(6) A verifies the property certificate   and sends   to B.
(7) B verifies   to guarantee the success of the remote attestation.
Remark 1. Since  1 , . . .,   are different from each other, then, we can choose suitable   to overcome this aforementioned shortcoming, because the protocol has requirement that  1 , . . .,   have the same bits, for example, 2048 bits.

Correctness.
In the signature scheme, the signing and verifying are consistent with each other as follows:

Unconditional Anonymity.
A ring signature scheme is characterized by anonymity. Let  = { 1 , . . .,   } be a valid ring signature for message , and let   be a member of the ring. Then   can generate the ring signature. From the verification, we can obtain that the probability that the user distinguishes the signer is 1/. So the scheme is unconditionally anonymous.
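To make the anonymity property concrete, the following added Python example (not the paper's scheme, whose signing equations are not reproduced on this page) implements a hash-chain ring signature over RSA keys in the style of the Abe-Ohkubo-Suzuki 1-out-of-n construction. It shows that any ring member produces a signature that verifies against the whole ring and has the same shape whoever signed; the toy Mersenne-prime moduli, the message and all function names are assumptions for the demo.

```python
import hashlib, secrets

def make_key(a, b, e=65537):
    """Toy RSA key from two Mersenne primes 2^a-1 and 2^b-1 (demo sizes only)."""
    p, q = 2**a - 1, 2**b - 1
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

KEYS = [make_key(61, 127), make_key(89, 107), make_key(31, 521)]  # constructed
RING = [(k["n"], k["e"]) for k in KEYS]  # public keys TC would hand out

def H(ring, msg, value):
    data = repr(ring).encode() + b"|" + msg + b"|" + str(value).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(ring, msg, k, d):
    """Ring member k, holding private exponent d, signs msg for the whole ring."""
    size = len(ring)
    c, s = [0] * size, [0] * size
    r = secrets.randbelow(ring[k][0])
    c[(k + 1) % size] = H(ring, msg, r)
    i = (k + 1) % size
    while i != k:  # simulate every other member with a random response
        n, e = ring[i]
        s[i] = secrets.randbelow(n)
        c[(i + 1) % size] = H(ring, msg, (c[i] + pow(s[i], e, n)) % n)
        i = (i + 1) % size
    n, e = ring[k]
    s[k] = pow((r - c[k]) % n, d, n)  # only the real signer can close the ring
    return c[0], s

def verify(ring, msg, sig):
    """Walk the hash chain once around the ring; it must return to c0."""
    c0, s = sig
    c = c0
    for (n, e), s_i in zip(ring, s):
        c = H(ring, msg, (c + pow(s_i, e, n)) % n)
    return c == c0
```

In the attestation setting the signed message would be the property certificate together with the verifier's challenge, so the verifier learns that some node in the ring holds the property without learning which one.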

Security Analysis.
The security analysis is based on the Strong RSA Assumption. The Strong RSA Assumption is as follows: given an RSA modulus and a random number  < , it is difficult to find , ( > 1,  < ), satisfying   = . The proof of security can be simplified as the following theorem.

Theorem 2. Assume that the attacker F with the ability of adaptive chosen message and identity can break our scheme by a nonnegligible probability 𝜀 within PPT time. Then, there exists an algorithm C, which can solve the problem of the Strong RSA Assumption by a nonnegligible probability   = () within PPT time, where () represents () ≥ , and  is a constant not dependent on .
Proof. We assume that C is a challenger. The target of C is to obtain a solution of the Strong RSA Assumption by F.
It is easy to obtain that the probability that C successfully solves the problem of the Strong RSA Assumption is   = (). There is the possibility that  = ℎ − ∑  =2   had been asked before the signature. However, by a simple analysis, we can obtain that the probability is 1/2 √  , which can be omitted. So the probability that C successfully solves the problem of the Strong RSA Assumption is also   = ().

Efficiency.
In our trusted ring signature scheme, three operations are involved: nonsymmetric encryption, nonsymmetric decryption, and hash operations.
Let E denote the nonsymmetric encryption operation, let D denote the nonsymmetric decryption operation, and let H denote the hash operation. The efficiency of the signature is listed as follows.
In the remote attestation, the computing node conducts nonsymmetric encryption once, nonsymmetric decryption  many times, and hash operation once. Then, the total amount of calculation is  + ( − 1) + , see Table 1.
Since the hash operation can be omitted with respect to the nonsymmetric operation, the amount of calculation of computing node can be simply represented by the nonsymmetric encryption E. By calculation, the total amount of calculation is approximately  = (1 + 4/3).
Let A be user and let B be cloud computing node; B provides remote attestation for A, and A verifies the attestation.
(1) A sends request for remote attestation and   ∈  *  to B.
(5) A verifies the signature as follows:
(6) A verifies the property certificate   .
This anonymous attestation is based on Boneh's ring signature scheme [20]. We obtain the analysis of the scheme as follows.
4.2. Correctness. In the signature scheme, the signing and verifying are consistent with each other as follows:
4.3. Unconditional Anonymity. Similar to anonymous attestation based on ECC, we can easily obtain that the probability that the user distinguishes the signer is 1/. So the scheme is unconditionally anonymous.

Security Analysis.
The security analysis is based on the CDHI problem. The CDHI problem is as follows: given   ( is unknown), it is difficult to calculate  1/ . Similar to Theorem 2, we can obtain the following theorem.
Theorem 3. Assume that the attacker F with the ability of adaptive chosen message and identity can break our scheme by a nonnegligible probability  within PPT time. Then, there exists an algorithm C, which can solve the problem of the CDHI problem by a nonnegligible probability   = () within PPT time, where () represents () ≥ , and  is a constant not dependent on .
4.5. Efficiency. In the remote attestation, the computing node conducts ECC 2 − 1 times and hash operation once. Then, the total amount of calculation is  = (2 − 1) Ẽ + , where Ẽ is the ECC encryption.

Formalized Proof of the Protocol
Here, we give the key exchange process of the protocol. Let  TC  be the shared key between TC and TPM B, and let  TC  be the shared key between TC and A; the target of this section is to obtain the shared key   between A and TPM B. The detailed process is listed as follows:
To guarantee the anonymity of B, the shared key   is actually a shared key between CM and A. A does not know that B is the signer.
Here, we use BAN logic [21] to obtain the formalized proof of the protocol.
Target of the protocol is the following: |≡

Figure 1: The interactions of the remote attestation.