We're excited to announce the open source trustless attestation verification project. With the help of zero-knowledge proofs, our solution removes the trust assumption placed on remote attestation verification for Trusted Execution Environments (TEEs).
What is a Trusted Execution Environment?
Confidential computing is revolutionizing the way sensitive data is processed and shared in the digital era, enabling applications like secure multi-party data collaboration, data in-use protection, and verifiable software transparency. At its core, Trusted Execution Environments (TEEs) create isolated computational areas protected from host operating systems and privileged attackers through robust hardware-based safeguards. This innovative technology has been embraced by leading cloud service providers (e.g., Google Cloud, AWS and Azure) who now offer confidential computing cloud instances for both businesses and individuals with high data privacy requirements.
In this scenario, users with sensitive data (referred to as "relying parties" throughout this document) send their data to TEE instances hosted by cloud service providers. The TEE then performs computations within the enclave to guarantee the privacy of the inputs and all the intermediate results. Before transmitting data, relying parties must ensure that the TEE they are engaging with is in proper condition (e.g., it is a legitimate TEE produced by an authorized hardware vendor and has the latest firmware version). To assist in this verification, the TEE generates various pieces of evidence, such as certificates signed by the hardware vendor, firmware versions, and hash digests of the software stack, that any party can inspect to confirm the TEE's validity.
However, this verification process can be burdensome for relying parties, especially if they are typical users without deep expertise in TEEs. Additionally, maintaining the most recent reference values requires significant effort, since relying parties may need to monitor the hardware vendor's updates in real time. Therefore, Remote Attestation (RA) emerges as a key solution in this scenario. Typically hosted by cloud service providers, the RA service takes responsibility for maintaining reference values and verifying evidence on behalf of the relying parties. This seamless transfer of workload from the relying parties to the service provider creates a more efficient and user-friendly environment.
Why We Need Trustless Attestation Verification for TEEs
Although the Remote Attestation (RA) service addresses issues on the user side, it introduces a new problem by expanding the trust boundary of the TEE. Ideally, relying parties would only need to trust hardware vendors to correctly implement the TEE. However, they now must also trust the remote attestation service. This may not be a significant issue most of the time, since RA service providers such as cloud service providers are generally trustworthy, but edge cases can still occur. For instance, the remote attestation service might become buggy after a version update.
Moreover, a larger trust boundary gives attackers a larger attack surface, making TEEs potentially more vulnerable. This is where zero-knowledge proofs come in.
Zero-Knowledge Proofs (ZKP) for Trustless Attestation Verification
This project aims to eliminate the need for a trusted third party by utilizing zero-knowledge proofs (ZKP) to create a trustless attestation framework. By leveraging zero-knowledge proofs, the attestation service can demonstrate to relying parties that the attestation process is correctly executed. This ensures the integrity of the attestation process, reduces the attack surface, and maintains a minimal trust boundary.
The figure below (Figure 1) illustrates our system model. In this approach, the attestation algorithm and its corresponding reference values are represented as arithmetic circuits. Subsequently, the zero-knowledge proof (ZKP) engine produces a proving key and a verification key for the circuit. This process can be performed by a consortium to ensure the integrity of the system, with the consortium responsible for auditing the circuit’s correctness. The proving key is then provided to the remote attestation verifier, while the verification key is distributed to the relying parties. As a result, the remote attestation verifier can generate zero-knowledge proofs when verifying the attestation report, and the relying parties can validate these proofs to confirm correct execution.
Figure 1. System Model
In particular, we implemented a prototype using ZK-SNARKs (Zero-Knowledge Succinct Non-Interactive Arguments of Knowledge), cryptographic methods that allow a prover to efficiently prove, with a short proof, that an arbitrary computation was correctly executed. In our first release, the implementation is based on Circom, a domain-specific language for defining arithmetic circuits that can be used to generate zero-knowledge proofs. We also documented an end-to-end process of compiling Circom circuits, generating witnesses and proofs, and verifying those proofs.
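To make the system model concrete, here is a small illustrative Circom circuit added for this post; it is not taken from the project repositories, which verify the report's certificate chain rather than the simplified policy shown here. It assumes circomlib's IsEqual and GreaterEqThan templates and a hypothetical encoding of the report's measurement digest as n field-element limbs: the report values are private witness inputs held by the RA verifier, while the reference values are public inputs that the relying party sees next to the proof.

```circom
pragma circom 2.1.0;

include "circomlib/circuits/comparators.circom";

// Illustrative attestation policy circuit (constructed for this post).
// Private inputs come from the attestation report held by the RA verifier;
// public inputs are the reference values the relying party checks against.
template AttestationPolicy(n) {
    signal input measurement[n];   // private: digest limbs from the report
    signal input firmwareSvn;      // private: firmware security version from the report
    signal input reference[n];     // public: expected digest limbs
    signal input minSvn;           // public: minimum acceptable security version

    signal output ok;              // 1 only if every check passes

    // Digest equality: every limb must equal its reference limb.
    component eq[n];
    signal acc[n + 1];
    acc[0] <== 1;
    for (var i = 0; i < n; i++) {
        eq[i] = IsEqual();
        eq[i].in[0] <== measurement[i];
        eq[i].in[1] <== reference[i];
        acc[i + 1] <== acc[i] * eq[i].out;   // stays 1 only while all limbs match
    }

    // Version policy: firmwareSvn >= minSvn, compared as 32-bit values.
    component geq = GreaterEqThan(32);
    geq.in[0] <== firmwareSvn;
    geq.in[1] <== minSvn;

    ok <== acc[n] * geq.out;
    // A valid proof must encode a passing verdict: no proof can be
    // produced for a report that fails the policy.
    ok === 1;
}

// Four-limb digest; reference and minSvn are exposed as public inputs.
component main {public [reference, minSvn]} = AttestationPolicy(4);
```

The relying party learns the public reference values and the fact that a proof exists for them, but not the report contents themselves, which is exactly the trust reduction described above.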
Collaboration from the Community
We warmly welcome collaboration from the community. Feel free to share your valuable feedback through GitHub issues or contact us directly.
And, check out our open source repositories to learn more about the project:
- Main repo: https://github.com/tiktok-privacy-innovation/trustless-attestation-verification
  - This repository serves as the main entry point of the project. In the future, we plan to include more implementations with different ZKP backends, which will be managed through the main repo.
- Circom implementation: https://github.com/tiktok-privacy-innovation/trustless-attestation-verification-circom
  - This repository contains our implementation with Circom, a circuit-based ZKP backend supporting various protocols such as Groth16 and PLONK. As of now, this repo provides the arithmetic circuit files that verify the certificate chain of the attestation report.