ZKASP: ZKP-based Attestation of Software Possession for Measuring Instruments
Luis Brandao, Carlos Galhardo, Rene Peralta
Software-controlled measuring instruments used in commercial transactions, such as fuel dispensers and smart meters, are sometimes subject to "memory replacement" attacks. Cybercriminals replace the approved software by a malicious one that then tampers with measurement results, inflicting a financial loss to customers and companies. To mitigate such attacks, legal metrology systems often require regular device attestation, where an auditor checks that the device possesses ("knows") the approved software. However, current attestation methods usually require the software to be known by the auditor, thus increasing the risk of inadvertent leakage or malicious theft of proprietary information, besides facilitating its malicious adulteration. We describe how this issue can be addressed in legal metrology systems by using zero-knowledge proofs of knowledge (ZKPoK). These proofs enable attestation of possession of approved software, while ensuring its confidentiality from the auditor. To further provide publicly verifiable evidence of freshness, each such proof can be related to a fresh random value from a public randomness beacon. This article presents the basic conceptual idea, while also discussing pitfalls that should be avoided.
, Galhardo, C.
and Peralta, R.
ZKASP: ZKP-based Attestation of Software Possession for Measuring Instruments, Measurement Science and Technology, [online], https://doi.org/10.1088/1361-6501/ac5438, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=932897
(Accessed August 9, 2022)