The paper entitled “ZEKRO: Zero-Knowledge Proof of Integrity Conformance” has been accepted for presentation at the 2022 International Conference on Availability, Reliability and Security (ARES), that will be held in August 23-26, 2021 in Vienna and will be also published by the International Conference Proceedings Series published by ACM ICPS.
In this work, UBITECH’s Dr Thanassis Giannetsos (Head, Digital Security & Trusted Computing Research Group) and his co-authors proposes a general ZEro-Knowledge pRoof of cOnformance (ZEKRO) scheme, which considers mutually distrusting participants and enables a prover to convince an untrusted verifier about the correctness of its state in zero-knowledge by ensuring that the prover cannot cheat. In particular, ZEKRO uses trusted computing abstractions to overcome the barriers of configuration privacy and scalability. These abstractions provide another building block for constructing scalable services that seamlessly mix in multi-domain environments and are more resilient to integrity concerns.
The proposed design includes two crucial main innovations to overcome the limitations of existing TPM-based privacy-respecting remote attestation protocols. First, the ZEKRO scheme provides the trusted computing abstraction, called policy-restricted attestation key, that restricts a node’s attestation key (secured in its TPM) to policies chosen by an authorizing entity (e.g., a domain orchestrator) and ensures that the node can only use the key to sign challenges if its configuration satisfies a policy. Second, to control which of the already authorized policies a node can satisfy during attestation, we propose creating policies that additionally require explicit, time-limited authorization, called leases, to be satisfiable, which allows an authorizing entity to control which policy can temporarily be satisfied.