Published: March 9, 2022
Citation: Measurement Science and Technology vol. 33, no. 6, article no. 064001 (June 2022) pp. 1-11
Author(s)
Luís T. A. N. Brandão (NIST), Carlos Cardoso Galhardo (Inmetro), Rene Peralta (NIST)
Software-controlled measuring instruments used in commercial transactions, such as fuel dispensers and smart meters, are sometimes subject to “memory replacement” attacks. Cybercriminals replace the approved software by a malicious one that then tampers with measurement results, inflicting a financial loss to customers and companies. To mitigate such attacks, legal metrology systems often require regular device attestation, where an auditor checks that the device possesses (“knows”) the approved software. However, current attestation methods usually require the software to be known by the auditor, thus increasing the risk of inadvertent leakage or malicious theft of proprietary information, besides facilitating its malicious adulteration. We describe how this issue can be addressed in legal metrology systems by using zero-knowledge proofs of knowledge (ZKPoK). These proofs enable attestation of possession of approved software, while ensuring its confidentiality from the auditor. To further provide publicly verifiable evidence of freshness, each such proof can be related to a fresh random value from a public randomness beacon. This article presents the basic conceptual idea, while also discussing pitfalls that should be avoided.
Software-controlled measuring instruments used in commercial transactions, such as fuel dispensers and smart meters, are sometimes subject to “memory replacement” attacks. Cybercriminals replace the approved software by a malicious one that then tampers with measurement results, inflicting a...
See full abstract
Software-controlled measuring instruments used in commercial transactions, such as fuel dispensers and smart meters, are sometimes subject to “memory replacement” attacks. Cybercriminals replace the approved software by a malicious one that then tampers with measurement results, inflicting a financial loss to customers and companies. To mitigate such attacks, legal metrology systems often require regular device attestation, where an auditor checks that the device possesses (“knows”) the approved software. However, current attestation methods usually require the software to be known by the auditor, thus increasing the risk of inadvertent leakage or malicious theft of proprietary information, besides facilitating its malicious adulteration. We describe how this issue can be addressed in legal metrology systems by using zero-knowledge proofs of knowledge (ZKPoK). These proofs enable attestation of possession of approved software, while ensuring its confidentiality from the auditor. To further provide publicly verifiable evidence of freshness, each such proof can be related to a fresh random value from a public randomness beacon. This article presents the basic conceptual idea, while also discussing pitfalls that should be avoided.
Hide full abstract
Keywords
cryptography; device attestation; legal metrology; proof of knowledge; public auditability; randomness beacon zero-knowledge proof
Control Families
None selected
) or https:// don't prove our archive is authentic, only that you securely accessed it. Note that we are working to fix that :)
