xaptum / ecdaa

A C implementation of elliptic-curve-based Direct Anonymous Attestation (DAA) signatures. Created to support the Xaptum Edge Network Fabric, an IoT Network Solution.
https://www.xaptum.com
Apache License 2.0

Transition implementation to newest literature recommendations #117

Open zanebeckwith opened 5 years ago

zanebeckwith commented 5 years ago

The publication ia.cr/2017/639 is the most-up-to-date work on the DAA signature algorithm. The authors of this paper work closely with the TCG on specifications and with TPM manufacturers, so the changes they propose often (though not always) find their way into changes on the TPM. We can use this most-up-to-date algorithm with current TPMs, but if all the changes proposed in that paper are eventually accepted by the TCG, updating to support that new TPM spec will be easy (simply removing steps that we perform, in order to allow the TPM to do them). And software-vs-TPM signatures can be created/verified transparently (as they can now, as well).

Further, our current implementation is a bit of a hybrid of previous definitions, due to our chasing a changing TPM specification. By updating to this particular algorithm, we will have a more solid description of which algorithm we're implementing (it also has a security proof).

Lastly, this algorithm is the one used by the most-recent FIDO spec. So, if we transition, that will put us into interop with them (though, their reference implementation hasn't been updated to reflect this most-recent spec).

The differences appear to be in the issuing process (the Camenisch-Lysyanskaya signature on the credential is a little different), and it looks like it should be straightforward to implement.