
IMPLEMENTATION.md


Details of the ECDAA Algorithm Used

The signature algorithm is that of Camenisch et al., 2016, with two exceptions:

  • The "fix by Xi et al." discussed in Section 5.2 is NOT used when creating TPM-enabled signatures, because the current TPM 2.0 specification doesn't allow such signatures to be created.
  • During signing, a random nonce is included in the message hash, as discussed in Section 5.2.2 of Camenisch et al., 2017.

This implementation is also compatible with Version 1.1 Release Draft of the FIDO ECDAA specification, with the following exception:

  • TPM-based signatures in this implementation do not use the TPM2_Certify function.
    • Instead, this implementation uses TPM2_Sign and is therefore generic: it can be used to sign any message, not just a TPM-generated public key.