GM/T 0079-2020 English PDF (GMT0079-2020)


GM/T 0079-2020: Direct anonymous attestation specification for trusted computing platform

This document specifies the functions, interfaces, data structure of the direct anonymous attestation protocol of the trusted computing platform. This document is applicable to the development of the direct anonymous certification protocol applications, anonymous certification services, anonymous certification systems of the trusted computing platform.
GM/T 0079-2020
GM
CRYPTOGRAPHIC INDUSTRY STANDARD
OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
CCS L 80
Direct anonymous attestation specification for trusted computing platform
ISSUED ON: DECEMBER 28, 2020
IMPLEMENTED ON: JULY 01, 2021
Issued by: National Cryptography Administration
Table of Contents
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols and abbreviations
5 Cryptographic algorithm
6 Direct anonymous attestation function
7 Direct anonymous attestation interface
Appendix A (Normative) Data structure of direct anonymous attestation interface
Appendix B (Informative) Direct anonymous attestation of elliptic curve parameters and auxiliary functions
References
Direct anonymous attestation specification for trusted computing platform
1 Scope
This document specifies the functions, interfaces, data structure of the direct anonymous attestation protocol of the trusted computing platform.
This document is applicable to the development of the direct anonymous certification protocol applications, anonymous certification services, anonymous certification systems of the trusted computing platform.
2 Normative references
The provisions in the following documents become provisions of this Standard through reference in this Standard. For dated references, the subsequent amendments (excluding corrections) or revisions do not apply to this Standard; however, parties who reach an agreement based on this Standard are encouraged to study whether the latest versions of these documents are applicable. For undated references, the latest edition of the referenced document applies.
GB/T 32918-2016 (all parts) Information security techniques - Elliptic curve public-key cryptography
GM/T 0012 Trusted computing - Interface specification of trusted cryptography module
GM/Z 4001 Cryptographic terms
3 Terms and definitions
The terms as defined in GM/Z 4001, as well as the following terms, apply to this document.
3.1
Trusted cryptography module; TCM
A basic hardware module, which constructs the trusted computing platform. It provides cryptographic computing functions for the trusted computing platform and has protected storage space.
for the trusted cryptographic module.
3.9
Verifier
In direct anonymous attestation, the participant who verifies the identity of the remote trusted cryptographic module.
4 Symbols and abbreviations
4.1 Symbols
The cryptographic symbols which are defined in GB/T 32918-2016 (all parts), as well as the following cryptographic symbols, apply to this document.
0: Integer 0, bit 0, or finite field addition identity element.
1: Integer 1, bit 1, or finite field multiplication identity element.
a, b: Elements in Fq, which define the elliptic curve E on Fq.
e: G1 × G2 → GT: Bilinear mapping, which maps elements in (G1, G2) to elements in GT.
exp(l, m): The m-th power of the finite field element l, which is also recorded as l^m.
E: An elliptic curve, which is defined by a and b on a finite field.
E(Fq): The set of all points in E whose coordinates belong to Fq (including the point at infinity O).
Fq: The q-order finite prime field.
Fq^k: The q^k-order finite field, an extension of the q-order finite field.
Gn: A base point of the elliptic curve, whose order is a prime number; the subscript n is an integer, which is used to distinguish different base points.
GT: A base point of a finite field, the order of which is a prime number.
l + m: Field addition operation result of finite field elements l and m.
l × m: The result of the field multiplication of the finite field elements l and m, which is also recorded as lm, if it does not cause ambiguity.
P: P = (xp, yp) is a point on the elliptic curve excluding the zero point O,
the application of TCM anonymous credentials and the attestation of TCM anonymous identity. The prover platform drives the TCM to request anonymous identity credentials from the credential issuer, by executing the TCM_ECDAA_Join command and related host calculations. The prover platform executes the TCM_ECDAA_Sign command and related host calculations, to prove the TCM's digital identity anonymously to the verifier platform.
The verifier platform mainly verifies the attestation data provided by the prover platform, to certify the TCM identity of the prover platform and ensure that the prover platform does indeed use the security chip TCM as the identity of the platform. While verifying the anonymous identity of the TCM, it is necessary to request the issuer to verify whether the digital identity of the TCM has been revoked.
In the ECDAA system, the anonymous identity private key f of the TCM security chip is only allowed to be stored inside the TCM chip, and is not allowed to be exported. There can be multiple anonymous identity private keys and anonymous certification credentials for a TCM; however, it is recommended to use only one anonymous identity private key and credential. The TCM anonymous certification process (including certification and verification) can only be performed by the TCM owner; meanwhile, only the TCM owner can clear an insecure anonymous private key. TCM anonymous identity credentials can be stored in a host platform, which is outside the chip, or in other storage devices.
The core computing functions of the prover platform are completed by the TCM_ECDAA_Join and TCM_ECDAA_Sign commands of the TCM. Only higher authority can execute these ECDAA commands. The ECDAA commands consume a great deal of TCM and host computing resources. They require a large amount of internal resources of the TCM chip, to complete a series of computing operations. When the TCM security chip executes an ECDAA command, it is necessary to prohibit the execution of other TCM command operations.
6.2.2 Basic process
The main communication process between the various participants of the ECDAA system includes the following steps:
a) System initialization: Set the public parameters of the ECDAA system; generate a public-private key pair, which is used by the issuer to issue anonymous certificates.
b) Certificate issuance: The prover applies for and obtains an anonymous certificate from the issuer.
H3, H4, T1, T2, T3, Tw), the signature of issuer on the public parameter cre = signkn-1 (issuerSettings), the confidential information of the issuer isk = r.
c) Algorithm flow:
1) Prove the system parameters (q, a, b, g1, g2, p) directly and anonymously. Among them, a, b and Fq jointly define the elliptic curve E(Fq); g1, g2 are the base points of E(Fq) respectively; their order is a prime number p.
2) Select the bilinear mapping operation e: G1 × G2 → GT. Among them, G1, G2 are the cyclic groups, with g1, g2 as generators; the order is prime p. GT is the p-order cyclic group, with gT as the generator, on the extended field Fq^k; k is the embedding degree of the elliptic curve. Operation e shall satisfy the following properties:
- For all P ∈ G1, Q ∈ G2, all l, m ∈ Zn, it satisfies: e(lP, mQ) = e(P, Q)^(lm);
- There is P ∈ G1, Q ∈ G2, so that e(lP, mQ) ≠ 1_GT;
- There is an effective algorithm to calculate e(P, Q).
3) Choose and h1???RG1, h2???RG1; calculate .
4) Select the hash functions H1: {0, 1}* → {0, 1}2l, H2: {0, 1}6?? → Zp, H3: {0, 1}* → G2, H4: {0, 1}* → Zp.
5) Calculate the bilinear mapping T1 = e(g1, g2), T2 = e(h1, g2), T3 = e(h2, g2), Tw = e(h2, w).
6) Calculate the cryptographic hash values Hp = HASH(p), Hh1 = HASH(h1) and Hk0 = HASH(k0). Generate the issuerSettings = (Hp, Hh1, Hk0) of the TCM_ECDAA_ISSUER data structure (defined in Appendix A), based on Hp, Hh1, Hk0. Use kn-1 to generate cre = signkn-1 (issuerSettings) for its signature.
7) Output the system public parameters gpk = (q, a, b, p, g1, g2, e, h1, h2, w, H1, H2, H3, H4, T1, T2, T3, Tw), the signature of the public parameters cre = signkn-1 (issuerSettings), and the confidential information isk = r.
6.3.2 System initialization 2
This algorithm is used by the prover host and TCM to set the public parameters the prover host;
4) The host calculates sr' = r2 + cr'(mod p); outputs aux = F and comm = (C, c, sf, sr', nT, nI); meanwhile sends comm to the issuer.
6.3.4 Credential issuance algorithm 2
This algorithm is used by the issuer to generate anonymous credentials for the prover. Its input, output and algorithm flow are as follows:
a) Input: the credential application comm = (C, c, sf, sr', nT, nI) generated by the prover, the confidential information of the issuer isk = r, the public parameter gpk.
b) Output: (part of) anonymous credentials (A, x, r').
c) Algorithm flow: The issuer first verifies whether the value of nI is generated by itself and is not replayed; then the issuer verifies whether the comm is valid. The verification method is: calculate
and c'h = H1(gpk, C, R'), verify nI, nT).
Then randomly select , calculate ,
send (A, x, r') to the prover host.
6.3.5 Certificate issuance algorithm 3
This algorithm is used by the prover to store anonymous credentials; its input, output and algorithm flow are as follows:
a) Input: (part of) anonymous credential cre = (A, x, r'), information required for verification aux, public parameter gpk, which are generated by the issuer for the prover.
b) Output: If the anonymous credential is valid, output "valid"; otherwise, output "invalid".
c) Algorithm flow: The prover calculates r = r' + r'(mod p); verifies whether the is established. If it is established, store
cre = (A, x, r) in trust, meanwhile output "valid"; otherwise output
"invalid".
6.3.6 Attestation algorithm
This algorithm is used by the prover to perform anonymous attestation and generate the information required for the anonymous attestation. Its input,
