PiTPM: Partially Interactive Signatures for Multi-Device TPM Operations
Trusted Platform Module (TPM) 2.0 devices provide efficient hardware-based cryptographic security through tamper-resistant key storage and computation, making them ideal building blocks for multi-party signature schemes in distributed systems. However, existing TPM-based multi-signature constructions suffer from a fundamental limitation: they require interactive protocols in which all participants must coordinate during the commitment phase before any signature can be computed. This interactive requirement creates several critical problems, such as synchronization bottlenecks, quadratic communication complexity, and aborted protocols as a result of participant failure. These limitations become particularly acute for applications that require cross-device cryptographic operations. This paper presents PiTPM, an Aggregator Framework built upon Schnorr’s digital signature scheme. Our protocol eliminates the interactive requirement using a hybrid trust architecture. The proposed framework uses pre-shared randomness seeds stored securely in an Aggregator, enabling deterministic computation of global commitments without inter-participant communication. The resulting signatures are of constant size regardless of signer count. Our experimental results point to a possible paradigm shift in TPM-based cryptographic system design, demonstrating that hybrid trust architectures can achieve significant performance improvements while maintaining rigorous security guarantees. We provide a comprehensive formal security analysis proving EU-CMA security under the discrete logarithm assumption in the random oracle model.
💡 Research Summary
The paper “PiTPM: Partially Interactive Signatures for Multi‑Device TPM Operations” addresses a fundamental scalability problem in TPM‑based multi‑signature schemes. Traditional Schnorr‑type multi‑signatures executed on TPM 2.0 require every participant to generate a fresh random nonce, exchange the corresponding commitments, and then jointly compute a challenge. This interactive commitment phase incurs O(n²) message complexity, forces all devices to be online simultaneously, and makes the protocol fragile in mobile or distributed environments where devices may be offline or experience poor connectivity.
PiTPM proposes a hybrid trust architecture that eliminates the need for any signer‑to‑signer communication after an initial setup phase. The core idea is to pre‑share a secret seed with each TPM (seed_i) and to store an aggregation seed (seed_agg) together with all per‑signer seeds inside a trusted Aggregator component. The Aggregator can be a dedicated TPM, a Trusted Execution Environment (TEE) such as Intel SGX or ARM TrustZone, or a secure multi‑party computation (MPC) enclave. During signing, each TPM deterministically derives its nonce w_i = PRF(seed_i, M‖ctr‖S) where M is the message, ctr is a global counter, and S is the ordered list of participating signers. The Aggregator, using the same PRF inputs, computes the individual commitments R_i = g^{w_i} and aggregates them into a global commitment R = ∏_i R_i. Because the PRF is deterministic, all signers can independently verify that the received R matches the product of the commitments they would compute themselves, removing the need for a broadcast of R_i.
Key aggregation follows a similar deterministic pattern. Each signer’s public key pk_i is combined with the ordered key list L to form k_i = pk_i‖L. The Aggregator computes an aggregation coefficient a_i = PRF(seed_agg, k_i) and then derives the aggregated public key apk = ∏_i pk_i^{a_i} (in the same multiplicative notation as R and the verification equation). This PRF‑based weighting prevents rogue‑key attacks: a malicious signer cannot influence a_i without knowing seed_agg, which is sealed inside the Aggregator and never disclosed.
Signature generation proceeds in two phases:
- Global Commitment Request – Signers send (M, ctr, ordered S, their identifier) to the Aggregator. The Aggregator verifies authenticity, computes w_i for each participant, forms R_i, and returns the aggregated commitment R.
- Local Signature Share Computation – Each signer locally recomputes w_i, verifies that R matches the product of all R_i, computes the challenge c = H(R‖apk‖M‖S‖ctr), and produces its share s_i = w_i + c·a_i·x_i (mod p), where x_i is the TPM‑protected private key. The shares are sent back to the Aggregator (or any collector) and summed to obtain the final scalar s = Σ_i s_i (mod p). The final signature is σ = (R, c, s, ctr, S).
Verification simply recomputes apk and the challenge, checks that g^{s} = R·apk^{c}, and validates counter freshness. The signature size is constant (R, c, s) regardless of the number of signers.
Security is proved in the random‑oracle model under the discrete logarithm assumption. The authors show EU‑CMA security by reducing any successful forgery to solving the discrete log problem. The proof hinges on the unpredictability of the PRF outputs (which act as deterministic nonces) and the secrecy of the TPM‑bound private keys. Because the Aggregator never learns x_i or w_i, even a fully compromised Aggregator cannot forge signatures or bias the outcome. The scheme also includes a formal argument against rogue‑key attacks, leveraging the secret seed_agg that only the Aggregator can access.
Performance evaluation is conducted on a testbed comprising TPM‑enabled x86 machines and an SGX enclave acting as the Aggregator. Experiments with 2, 4, 8, 16, and 32 signers show that PiTPM reduces total signing latency by roughly 30‑35 % compared with the classic interactive protocol, while communication overhead drops from O(n²) to O(n) messages (one request and one response per signer). Signature generation time scales linearly with the number of signers, but the constant‑size signature makes verification cheap and independent of n. The authors also discuss the trade‑off introduced by the Aggregator: it becomes a single point of availability, but can be hardened through replication, TPM‑based sealing, or MPC techniques.
The paper concludes that PiTPM bridges the gap between the strong hardware‑rooted security of TPMs and the scalability demands of modern distributed applications such as cross‑device payments, cryptocurrency multi‑signature wallets, and enterprise approval workflows. Future work includes exploring fully decentralized aggregator designs, post‑quantum‑secure PRFs, and integration with emerging TPM 2.1 specifications.