#### Abstract

In the remote attestation on Trusted Computer (TC) computing mode TCCP, the trusted computer TC has an excessive burden, and anonymity and platform configuration information security of computing nodes cannot be guaranteed. To overcome these defects, based on the research on and analysis of current schemes, we propose an anonymous proof protocol based on property certificate. The platform configuration information is converted by the matrix algorithm into the property certificate, and the remote attestation is implemented by trusted ring signature scheme based on Strong RSA Assumption. By the trusted ring signature scheme based on property certificate, we achieve the anonymity of computing nodes and prevent the leakage of platform configuration information. By simulation, we obtain the computational efficiency of the scheme. We also expand the protocol and obtain the anonymous attestation based on ECC. By scenario comparison, we obtain the trusted ring signature scheme based on RSA, which has advantages with the growth of the ring numbers.

#### 1. Introduction

With the development of information technology, cloud computing has been the important trend of the third revolution in information technology, after the personal computer and the Internet, and the focus of industry and, Science [1]. Many cloud providers offer services at various layers of the cloud computing. Weather providers offer services of basic computational infrastructure and allow their customers to develop their own applications and effectively control their own computations and data, PaaS providers allow their costumers to develop cloud applications of their own, or SaaS providers allow their costumers to create their own documents using the applications and to get out of control of their computations and data. So the trustiness attestation to platforms becomes an important problem needed to be resolved in cloud computing [2].

A security scheme was supported in [3, 4] based on the research on the potential security problems existing in current IasS. In this scheme, hardware, network connection, platform virtualization, software for cloud computing, utility computing, and service level agreement are enhanced in the IaaS.

Trusted computing was introduced into IaaS firstly and a concept called Trusted Cloud Computing Platform (TCCP) was proposed in [5, 6]. All virtual computing nodes are guaranteed to be trusted by configuration-based remote attestation. However, since the configuration of the latest restart of the platform is static, the dynamic attacks such as buffer overflow and DMA attack cannot be handled. Moreover, since the signature is carried out by the Endorsement Key of TPM, the leakage of privacy may be caused based on the fact that the usage of Endorsement Key can be tracked.

A remote attestation for virtual computing node was supported in [7, 8]. The following events such as changing, updating, and patching the configuration of virtual platform are updated in the attestation by TPM. However, this scheme is actually a static remote attestation based on configuration and it cannot attest the running states of virtual computing node.

The authors in [7, 8] support remote attestation for virtual machine; virtual TPM is improved to update attestation by the means of the following events such as changing, updating, and patching the configuration of virtual platform. However, it is actually a static remote attestation based on configuration, while it cannot attest the running states of virtual platform. Additionally, this scheme only deals with the trust root based on software and lacks both trusted guarantee provided by TPM and attestation of physical platform on which the virtual machines are running.

The goal of trusted computing is to improve the security and trustworthiness of computing platforms [9–12], and the well-known group—TCG—has published many specifications, such as the Trusted Platform Module (TPM) [13, 14] and library Trusted Software Stack (TSS) [15].

Remote attestation is one of the core technologies of trusted computing. In TCG1.1 specification, the attestation is designed with challenge information in plain text [16, 17]. In the process of the remote attestation, one platform sends a challenge information and random number to obtain one or more PCR values in order to validate the platform state. Each TPM has only an Endorsement Key (EK), issued by the TPM manufacturers, to identify the identity of the Trusted Platform. For security and privacy, EK does not directly support encryption or remote attestation. Instead, using the signature key AIK generated by EK and registered by PCA to achieve the remote attestation, the attestor signs the PCR with AIK and sends the signature and the corresponding measure attached log SML and AIK certificate to the challenger. Then, the challenger verifies the proof to guarantee the trust and security of the platform.

However, the proof protocol has some evident shortage. First, the protocol uses PCR to achieve the proof, which will expose the local platform configuration information (including hardware and software). Second, the proof protocol cannot guarantee the anonymity of attestor.

In recent years, Direct Anonymous Attestation (DAA) [18, 19] has been proposed as the protocol of remote attestation between platforms. The protocol has become part of TCG1.2 specification. DAA protocol is based on three entities, that is, the TPM platform, DAA signatory, and DAA verifiers. The DAA protocol consists of two steps. First, the signatory validates TPM platform and generates the DAA certificate for the TPM platform. Second, the TPM platform interacts with verifiers using the DAA certificate. By zero-knowledge proof, verifiers verify the DAA certificate without violating the premise of the platform privacy. However, since the DAA protocol has many times of zero-knowledge proof, which induces very large computational complexity, the DAA protocol is difficult to be a viable protocol.

A property-based attestation for computing platforms was introduced in [20]. A trusted third party converts the platform configuration information into the property certificates, which can avoid the leakage of information of platform. Based on [20], the paper in [21] proposed a protocol for property-based attestation. Property certificates corresponding to the platform configuration information are issued and managed by a trusted third-party CA; the protocol achieves anonymous proof by a series of complex interactions’ agreement. However, lots of zero-knowledge proofs may induce a high complexity. Moreover, the trusted third party must know all of the platform status information, which is actually to transfer part of work of the verifiers to a trusted third party and to increase the burden of CA. The paper [19] proposed an anonymous protocol of remote attestation based on property certificates. Due to involvement of lots of interactions, the computational complexity is very large.

Remote attestation based on the TCCP has many defects. First, every proof involves the operation of TC, which aggravates the burden of TC. Second, the remote attestation cannot guarantee the anonymity of platform. To overcome these defects, we introduce a protocol based on trusted ring signature. In the protocol, the signature of both the public and the private keys is replaced with TPM signature key, so that the security of remote attestation is guaranteed by TPM. The proof does not directly require TC, and TC only provides a series of TPM signature public keys, which reduces the burden on TC. Trusted ring signature can guarantee unconditional anonymity of the signature party and protect the privacy of the platform.

#### 2. Protocol Description

In this paper, the process of remote attestation consists of two steps. First, TC converts the platform configuration information PCR of computing nodes into property certificate. Second, computing nodes provide the property certificate for verifier by remote attestation. Figure 1 shows the interactions of the protocol.

##### 2.1. Property Certificate Issue

The Trusted Computer (TC) is responsible for the issue of the property certificates of the corresponding computing nodes. TC has all of the property certificates of the platform, denoted as . Let denote all of the platform configuration information PCRs. We define the set as follows.

If the remote attestation of is verified as in [3, 4], then . Otherwise, . The map between property certificates and corresponding platform configuration information is defined as follows: where is 0 or 1 and . If , then TC issues a property certificate , which identifies a platform that has the property . Otherwise, TC issues the property certificate which indicates that the platform does not have the property .

For example, if the computing nodeinvolves the property certificate , then computing noderequires a series of remote attestations of . Then, TC issues property certificate in accordance with the above-described method and sends property certificate to TPMsecurely.

We simplify the process as follows.(1)TPM* N* checks the current PCR to determine whether it needs to start the process of generating the property certificates. If the current PCR is not equal to the PCR used to generate the latest property certificate by TC, TPMstart the process of generating the property certificates.(2)TC sends the challenge PCRs to* N. *(3)TPM* N* sends the result of the remote signature ,, to TC.(4)TC uses PCR to generate the property certificates.

#### 3. Anonymous Attestation Based on RSA

##### 3.1. Attestation Execution

Before attestation, TPM generates a signature key ; is stored by TPM and is registered by TC, so that TC stores all of the signature public keys of computing nodes in cloud computing. In the remote attestation, TC supports signature public keys required in the trusted ring signature. Let be secure hash function. The process of remote attestation is as follows.

Let* A* be user and let* B* be cloud computing node;* B* provides remote attestation for* A*, and* A* verifies the attestation.(1)*A* sends request for remote attestation and to* B*.(2)TPM* B* obtains valid signature public keys from TC. We assume that TPM* B* has signature key .(3)TPM* B* generates the signature of with . Let denote decryption by* K,* and let denote encryption by* K;* TPM* B* chooses and generates the signature as follows:
(4)*B* sends , , to* A*.(5)*A* verifies the signature as follows:
(6)*A* verifies the property certificate and sendsto* B*.(7)*B* verifiesto guarantee the success of the remote attestation.

*Remark 1. *Since are different from each other, then, we can choose suitable to overcome this aforementioned shortcoming, because the protocol has requirement that have the same bits, for example, 2048 bits.

##### 3.2. Correctness

In the signature scheme, the signing and verifying are consistent with each other as follows:

##### 3.3. Unconditional Anonymity

Ring signature scheme is characterized by anonymity. Let be a valid ring signature for message , and let be a member of the ring. Then can generate the ring signature. From the verification, we can obtain that the probability that the user distinguishes the signer is . So the scheme is unconditional anonymous.

##### 3.4. Security Analysis

The security analysis is based on the Strong RSA Assumption. Strong RSA Assumption is a given RSA modulus, and a given random number . It is difficult to find , satisfying .

The proof of security can be simplified as the following theorem.

Theorem 2. *Assume that the attacker F with the ability of adaptive chosen message and identity can break our scheme by a nonnegligible probability within PPT time. Then, there exists an algorithm C, which can solve the problem of the Strong RSA Assumption by a nonnegligible probability within PPT time, where represents , andis a constant not dependent on .*

*Proof. *We assume that C is a challenger. The target of C is to obtain a solution of the Strong RSA Assumption by F.(1)*Setup*. C runs the setup algorithm. C maintains* t* signature public keys . Let , be two random oracles, and the construction of the machine , is listed as follows. C sends to the attacker F as public parameters.(2)*Inquiring *. C maintains a list containing the array . C chooses random numbers as answers. When F inquires -value of , C recovers from and sends to F.(3)*Inquiring *. C maintains a list of the array . C chooses random numbers as answers. When F inquires -value of , C recovers from and sends to F.(4)*Inquiring Signature*. C maintains a list of the array . When F inquires signature of , C checks whether is in . Then, C recovers and sends to F.

C simulates TPM, and the attacker F makes interaction with C. The output of C obeys the above strategy.

Then, F stops inquiring, and F generates a signature about ( has never been asked) by simulating TPM, which meets . C recovers from and recovers from . Letting , we have , which resolves the problem of Strong RSA Assumption.

It is easy to obtain that the probability that C successfully resolved the problem of Strong RSA Assumption is . There is a question that had been asked before the signature. However, by a simple analysis, we can obtain that the probability is , which can be omitted. So the probability that C successfully resolves the problem of Strong RSA Assumption is also .

##### 3.5. Efficiency

In our trusted ring signature scheme, there are three operations that are involved, such as nonsymmetric encryption, nonsymmetric decryption, and hash operations. Let* E* denote the nonsymmetric encryption operation, let* D* denote the nonasymmetric decryption operation, and let* H* denote hash operation. The efficiency of the signature is listed as follows.

In the remote attestation, the computing node conducts nonsymmetric encryption once, nonsymmetric decryptionmany times, and hash operation once. Then, the total amount of calculation is , see Table 1.

Since the hash operation can be omitted with respect to the nonsymmetric operation, the amount of calculation of computing node can be simply represented by the nonsymmetric encryption* E*. By calculation, the total amount of calculation is approximately .

#### 4. Anonymous Attestation Based on ECC

##### 4.1. Attestation Execution

Let , be defined as multiplicative group whose order is* p*, and is the generator of . Bilinear map is , where . Let be TPM signature private keys and let be the corresponding TPM signature public keys.

Let* A* be user and let* B* be cloud computing node;* B* provides remote attestation for* A*, and* A* verifies the attestation.(1)*A* sends request for remote attestation and to* B*.(2)TPM* B* obtains valid signature public keys from TC. We assume that TPM* B* has signature key .(3)TPM* B* generates the signature of with . TPM* B* chooses and generates the signature as follows:
(4)*B* sends , , to* A*.(5)*A* verifies the signature as follows:
(6)*A* verifies the property certificate .

This anonymous attestation is based on Boneh’s ring signature scheme [20]. We obtain the analysis of the scheme as follows.

##### 4.2. Correctness

In the signature scheme, the signing and verifying are consistent with each other as follows:

##### 4.3. Unconditional Anonymity

Similar with anonymous attestation based on ECC, we can easily obtain that the probability that the user distinguishes the signer is . So the scheme is unconditional anonymous.

##### 4.4. Security Analysis

The security analysis is based on the CDHI problem. CDHI problem is a given ( is unknown). It is difficult to calculate . Similar to Theorem 2, we can obtain the following theorem.

Theorem 3. *Assume that the attacker F with the ability of adaptive chosen message and identity can break our scheme by a nonnegligible probability within PPT time. Then, there exists an algorithm C, which can solve the problem of the CDHI problem by a nonnegligible probability within PPT time, where represents and is a constant not dependent on .*

##### 4.5. Efficiency

In the remote attestation, the computing node conducts ECC times and hash operation once. Then, the total amount of calculation is , where is the ECC encryption.

#### 5. Formalized Proof of the Protocol

Here, we give the key exchange process of the protocol. Let be the shared key between TC and TPM* B*, and let be the shared key between TC and* A*; the target of this section is to obtain the shared key between* A* and TPM* B*. The detailed process is listed as follows:

To guarantee the anonymity of* B*, the shared key is actually a shared key between CM and* A*.* A* does not know that* B* is the signer.

Here, we use the Ban Logic [21] to obtain the formalized proof of the protocol.

Detailed description of the protocol is the following:

Assumption is as follows:

The credibility of TC is given as follows:

Freshness of random numbers is given as follows:

Target of the protocol is the following:

Some rules of the Ban Logic applied in this paper are listed as follows:

*Proof. *From (9), we have
From (13) and (27), we obtain
It follows from (22) and (29) that
By (22) and (33), we obtain
By (18), (20), and (30), we have
Then, (25) holds true.

It follows from (10) that
By (13) and (27), we have
It follows from (21) and (29) that
By (18), (20), and (30), we obtain
By (17), (19), and (30), we have
Then, (24) holds true.

With (44) and (49), we have
It follows from (48) that
Then,
Then, (26) holds true.

From (10), we have
By (27) and (42), we obtain
Then, we have

#### 6. Scenario Comparison

Compared with anonymous attestation based on ECC, whose amount of calculation is , then we have

Then, . So it means that if , then which is hard to meet, since modern commercial ECC computing cannot have both a stronger security than RSA-2048 and a less calculation satisfying . So the anonymous attestation based on RSA has advantages with the growth of the ring numbers.

#### 7. Conclusion

In this paper, we studied the anonymous remote attestation based on property certificate. We obtained property certificates by matrix replacement algorithm from platform configuration information and designed a trusted ring signature based on RSA Strong Assumption. By an analysis, the scheme is effective to resolve the security of cloud computing nodes. By simulation, we obtained the computational efficiency of the scheme. We also expand the protocol to the anonymous attestation based on ECC and give the scenario comparison between two schemes. However, in this paper, we only use the operation and deduce the property value, which has some limitations. So it is the next work to expand the scheme and make it more applicable.

#### Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

#### Acknowledgments

This work was partially supported by the program “Major Projects of the Wireless Mobile Communications” (2012ZX03002003), The Research Fund for the Doctoral Program (New Teachers), Ministry of Education of China (Grant no. 20121103120032), Humanity and Social Science Youth Foundation of Ministry of Education of China (Grant no. 13YJCZH065), Opening Project of Key Lab of Information Network Security of Ministry of Public Security (The Third Research Institute of Ministry of Public Security), China Postdoctoral Science Foundation, and General Program of Science and Technology Development Project of Beijing Municipal Education Commission of China.