On 26 August 2015 at 13:26, Mike Hearn <[email protected]> wrote:
> TXT lets you do dynamic roots of trust as well. It's somewhat similar to
> SGX except that it relies on the TPM and doesn't have any kind of memory
> encryption. But the software / documentation / support is extremely poor;
> so far SGX is shaping up to have much better tooling and generally be TXT
> done right.

Yeah, that was the whole point of Flicker. (I actually used it in a side
project at one point.) The thing is, the performance of the DRTM operations
is *so* bad that actually trying to use the dynamism is basically pointless.
Bootloading (and kexec-like operations, which are basically bootloading) is
one of the few applications for which that performance issue doesn't kill
you.

>> I'd be interested to know if the group sig scheme is the same, or
>> substantially similar to, the one as used in Direct Anonymous Attestation.
>
> It's not the same. The presentation goes into the differences.
>
> The scheme is very clever. tl;dr summary:
>
>    - Extension of BBS group signatures and Furukawa/Imai group signatures
>    - Single public key, many private keys. There are no certificates
>      involved, just a single group public key.
>    - Private key issuance is blinded: Intel themselves do not know the
>      private keys to the chips they manufacture.
>    - Signatures are unique and don't reveal the private key used to sign,
>      thus, anonymous.
>    - Despite that, signers can provide a "proof I did not create this
>      signature" and thus private keys can be anonymously revoked in the
>      event that the hardware security is beaten and a key is extracted.
>    - Relies on Strong DH assumption for security and Decisional DH
>      assumption for anonymity.

Huh, very cool..

_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
